
Question Email Domain abuse with forwarding

Erwin Fiten

Basic Pleskian
I noticed some strange behaviour lately.

This is the email delivery log for one of those mails:
Sep 11 11:10:50 6B8711803EE: client=xn--h1ard.046.xn--p1acf[77.87.212.94]
Sep 11 11:10:50 6B8711803EE: from=<eftefxr@fastaresi.de> to=<info@testdomain.be>
Sep 11 11:10:50 6B8711803EE: message-id=<53635064L32532587C16766416V13521010C@id.eftefxr.fastaresi.de>
Sep 11 11:10:50 6B8711803EE: py-limit-out: stderr: INFO:__main__:No SMTP AUTH and not running in sendmail context (incoming or unrestricted outgoing mail). SKIP message.
Sep 11 11:10:50 6B8711803EE: py-limit-out: stderr: SKIP
Sep 11 11:10:50 6B8711803EE: check-quota: stderr: SKIP
Sep 11 11:10:50 6B8711803EE: spf: stderr: PASS
Sep 11 11:10:50 6B8711803EE: from=<eftefxr@fastaresi.de>, size=92908, nrcpt=1 (queue active)
Sep 11 11:10:50 6B8711803EE: from=<eftefxr@fastaresi.de>, to=<info@testdomain.be>, dirname=/var/qmail/mailnames
Sep 11 11:10:50 6B8711803EE: DKIM Feed: No signature
Sep 11 11:10:50 6B8711803EE: dk_check: stderr: PASS
Sep 11 11:10:50 6B8711803EE: dmarc: stderr: PASS
Sep 11 11:10:50 6B8711803EE: send message: id=S3339307 from=<SRS0=pSL6=3W=fastaresi.de=eftefxr@testdomain.be> to=<email@telenet.be>
Sep 11 11:10:51 6B8711803EE: to=<info@testdomain.be>, relay=plesk_virtual, delay=0.68, delays=0.4/0/0/0.28, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Sep 11 11:10:51 6B8711803EE: removed

This line worries me: "send message: id=S3339307 from=<SRS0=pSL6=3W=fastaresi.de=eftefxr@testdomain.be> to=<email@telenet.be>"
My domain in this example is "testdomain.be".

And something is using SRS to fake an address in my domain and tries to send mails to "email@telenet.be"

How can I avoid this? Asking AI (clause), this is the SRS service that needs to be disabled, but this looks like it's used by PLESK?

Erwin
 
How can I avoid this.
Short answer: Disable mail forwarding on your mailbox.

Long answer: SRS (sender rewrite scheme) is used when emails are automatically forwarded to make sure the message still passes SPF validation. It's nothing to be alarmed about and it's also not something you can enable or disable (at least not easily).

In your case, your mail log shows that your mailbox first received the email from fastaresi.de and then forwarded it to email@telenet.be.
Sep 11 11:10:50 6B8711803EE: from=<eftefxr@fastaresi.de>, to=<info@testdomain.be>, dirname=/var/qmail/mailnames
[...]
Sep 11 11:10:50 6B8711803EE: send message: id=S3339307 from=<SRS0=pSL6=3W=fastaresi.de=eftefxr@testdomain.be> to=<email@telenet.be>

So I assume you've set up mail forwarding for the info@testdomain.be mailbox, either in Plesk or as some sort of filter rule in webmail. If you don't like mails to be forwarded to email@telenet.be, simply remove/disable the forward.
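
An added example, not part of the answer above and not Plesk code: a Python check that decodes each SRS0 sender in the mail log and confirms the same queue ID also received a message from the encoded original sender for a mailbox in the forwarding domain, which is what an ordinary forward looks like. The function names are hypothetical, the log format is the one shown in this thread, and the timestamp alphabet is assumed to follow libsrs2.

```python
import re

# Two lines copied from the log in the question (same queue ID).
SAMPLE_LOG = """\
Sep 11 11:10:50 6B8711803EE: from=<eftefxr@fastaresi.de>, to=<info@testdomain.be>, dirname=/var/qmail/mailnames
Sep 11 11:10:50 6B8711803EE: send message: id=S3339307 from=<SRS0=pSL6=3W=fastaresi.de=eftefxr@testdomain.be> to=<email@telenet.be>
"""

# SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarding domain>
SRS0_RE = re.compile(r"^SRS0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)$", re.IGNORECASE)
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+(\w+):\s+(.*)$")
ADDR_RE = re.compile(r"\b(from|to)=<([^>]*)>")
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # assumption: libsrs2-style timestamp alphabet

def parse_srs0(address):
    """Split an SRS0 envelope sender into its fields; None if it is not SRS0."""
    m = SRS0_RE.match(address)
    if not m:
        return None
    tag, stamp, domain, local, forwarder = m.groups()
    try:  # timestamp = days since the Unix epoch, modulo 1024
        day = sum(B32.index(c) * 32 ** i for i, c in enumerate(reversed(stamp.upper())))
    except ValueError:
        day = None
    # The hash can only be verified with the forwarding server's SRS secret.
    return {"hash": tag, "day": day, "original": f"{local}@{domain}".lower(),
            "forwarder": forwarder.lower()}

def explain_srs_senders(log_text):
    """Match every SRS0 sender against inbound mail logged under the same queue ID."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        addrs = dict(ADDR_RE.findall(m.group(2))) if m else {}
        if "from" in addrs and "to" in addrs:
            entries.append((m.group(1), addrs["from"], addrs["to"].lower()))
    findings = []
    for qid, sender, rcpt in entries:
        srs = parse_srs0(sender)
        if srs is None:
            continue
        boxes = sorted(to for q, frm, to in entries if q == qid
                       and frm.lower() == srs["original"] and to.endswith("@" + srs["forwarder"]))
        findings.append({"queue_id": qid, "original_sender": srs["original"],
                         "forwarded_to": rcpt, "forwarding_mailboxes": boxes,
                         "day_mod_1024": srs["day"], "is_forward": bool(boxes)})
    return findings

if __name__ == "__main__":
    for finding in explain_srs_senders(SAMPLE_LOG):
        print(finding)
```

An entry with `is_forward` set to false, meaning an SRS0 sender with no matching inbound message under the same queue ID, is the case worth investigating further.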