Resolved Spam sent to domain by domain

[Xavier12]

Hi guys,

Having an issue where we are getting constant spam on several domains within the same domain with a non-existent email. For example, info@domain.com exists, but we are receiving emails to info@domain.com by tickets@domain.com or a random email (ie: randomname@domain.com)

The spam is non-stop. Also, checked the header and it matches with @domain.com. In the header will show in message id: <8ED2E42D0a-376A5011C-8eD3-E836-Fa9ef1@domain.com>. It seems like its coming as a legit header.

How can we narrow down the source or solve this? Not sure if they are also spoofing emails to other email addresses outside of our domain.

Specs below. Please advise, thanks guys.

cloudlinux 6.8
email: postfix and dovecot
Latest Plesk 12.5

 

[UFHH01]

Hi Xavier12,

actually, you are a regulary user of this forum... you should know, that missing facts only lead to guessings... nothing more. Consider to post the depending log - file entries from you maillog, as well as the complete header for investigations, pls.
In addition, you know, that configuration files help as well to investigate issues/failures/problems with your mail - server.

 

[Xavier12]

Sorry guys, below is a mail log file of a specific mail. Not sure where exactly to start the copy and paste:

Aug 30 12:04:05 host postfix/smtpd[552606]: connect from unknown[UKNOWNIP]
Aug 30 12:04:10 host postfix/smtpd[552606]: 9CFE5540286: client=unknown[UNKNOWNIP]
Aug 30 12:04:11 host postfix/cleanup[553506]: 9CFE5540286: message-id=<2016083027106726.9521672117500@relay.MYDOMAIN.com>
Aug 30 12:04:11 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: handlers_stderr: SKIP
Aug 30 12:04:11 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: SKIP during call 'limit-out' handler
Aug 30 12:04:11 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: handlers_stderr: SKIP
Aug 30 12:04:11 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: SKIP during call 'check-quota' handler
Aug 30 12:04:11 host spf filter[553827]: Starting spf filter...
Aug 30 12:04:12 host spf filter[553827]: SPF result: softfail
Aug 30 12:04:12 host spf filter[553827]: SPF status: PASS
Aug 30 12:04:12 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: handlers_stderr: PASS
Aug 30 12:04:12 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: PASS during call 'spf' handler
Aug 30 12:04:12 host postfix/qmgr[736122]: 9CFE5540286: from=<Tricia1@MYDOMAIN.com>, size=12489, nrcpt=1 (queue active)
Aug 30 12:04:12 host postfix-local[553828]: postfix-local: from=Tricia1@universalenvision.com, to=info@MYDOMAIN.com, dirname=/var/qmail/mailnames
Aug 30 12:04:12 host dovecot: service=lda, user=info@MYDOMAIN.com, ip=[]. msgid=<2016083027106726.9521672117500@relay.MYDOMAIN.com>: saved mail to INBOX
Aug 30 12:04:12 host postfix/pipe[553788]: 9CFE5540286: to=<info@MYDOMAIN.com>, relay=plesk_virtual, delay=6.8, delays=6.7/0/0/0.06, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Aug 30 12:04:12 host postfix/qmgr[736122]: 9CFE5540286: removed
Aug 30 12:04:12 host postfix/smtpd[552606]: disconnect from unknown[UNKNOWNIP]
Aug 30 12:04:21 host dovecot: imap-login: Login: user=<info@MYDOMAIN.com>, method=PLAIN, rip=MYIP, lip=SERVERIP, mpid=553833, TLS, session=<12g4Ikw75gBDVS0z>
Aug 30 12:04:22 host dovecot: service=imap, user=info@MYDOMAIN.com, ip=[MYIP]. Connection closed rcvd=502, sent=15287
Aug 30 12:04:22 host dovecot: imap-login: Login: user=<info@MYDOMAIN.com>, method=PLAIN, rip=MYIP, lip=SERVERIP, mpid=553836, TLS, session=<Q99IIkw7wwBDVS0z>
Aug 30 12:04:22 host dovecot: service=imap, user=info@MYDOMAIN.com, ip=[MYIP]. Connection closed rcvd=67, sent=757

info@MYDOMAIN.com is my actual domain name.. tricia1@MYDOMAIN.com does not exist but successfully sends to my info@MYDOMAIN.com. MYIP is my actual ip address where thunderbird retrieves my email on my computer. SERVERIP is the actual server IP. UNKNOWNIP is the ip address that seems like the offending IP address.


Here is the email header:

FROM: Tricia1@MYDOMAIN.com
Subject: PHOTOS
TO: info@MYDOMAIN.com
Tue, 30 Aug 2016 11:04:03 -0500
MESSAGE ID: <2016083027106726.9521672117500@relay.MYDOMAIN.com>
RETURN-PATH: <Tricia1@MYDOMAIN.com>
X-ORIGINAL-TO: info@MYDOMAIN.com

Also note, we are using SENDGRID as mail service connected with Postfix

 

[Xavier12]

Postfix main.cf

http://snippi.com/s/l3xk3eh

Note: "Myserverdomain" is different from the MYDOMAIN.com. MYDOMAIN.com is a domain hosted on the plesk server for Myserverdomain.com. Not sure if you need dovecot configuration, its default with a custom SSL modification.

Sorry for the long post. Looking forward to hearing back.

 

[UFHH01]

Hi Xavier12,

first, some suggestions for your main.cf:

Pls. use:

smtp_sasl_security_options=noanonymous
smtp_sasl_tls_security_options=noanonymous​

and

smtpd_sasl_security_options=noanonymous
smtpd_sasl_tls_security_options=noanonymous
​

instead of only "smtp_sasl_security_options = noanonymous"​

Is there a reason, why you left out

1. smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
2. smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch
3. smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
   
4. smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender

( red marked configurations are all missing )​

Next, some thoughts to your provided depending - log - entries and header informations:

Sorry, but with your complete "anonymization", these informations just lead to the fact, that you are missing domainkeys/DKIM - checks. If you want some help here, consider to provide informations, which can be investigated.

tricia1@MYDOMAIN.com does not exist but successfully sends to my info@MYDOMAIN.com.

Well, you don't restrict very good in your postfix configuration, as already suggested above. In addition, I would use "reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org" instead of only "reject_rbl_client zen.spamhaus.org".

 

[Xavier12]

Hi UFHH01

Thanks for the update. Set these settings so far, but now I am receiving email errors when sending emails to certain email address, mostly gmail. Here is the email:


This is the mail system at host host.MYDOMAIN.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<info@receipientsemail.com>: unknown mail transport error
Reporting-MTA: dns; host.MYDOMAIN.com
X-Postfix-Queue-ID: 25FEA540EBD
X-Postfix-Sender: rfc822; info@SENDERSEMAIL.com
Arrival-Date: Thu, 1 Sep 2016 16:13:43 -0400 (EDT)

Final-Recipient: rfc822; info@receipientsemail.com
Original-Recipient: rfc822;info@receipientsemail.com
Action: failed
Status: 4.3.0
Diagnostic-Code: X-Postfix; unknown mail transport error

 

[UFHH01]

Hi Xavier12,

Set these settings so far, but now I am receiving email errors when sending emails to certain email address, mostly gmail.

Did you consider to REMOVE suggested additions ( one-by-one ), to see, which suggested restriction might be incompatible to your complete ( main AND master.cf ) postfix - configuration?

 

[G J Piper]

Have you considered that these spam emails that seem to be coming from your own server are actually spoofed and not actually coming from your server at all?

You could examine the source of one of these emails and examine the first header beginning with"Received: from" and note the IP address listed.
If it isn't one of your server's IP addresses, then these emails are most likely spoofed, which means they didn't originate from your server and there is nothing you can do to prevent them except attempt to spam-filter them out when they come in.

Just something to check.

 

[Xavier12]

Hi Xavier12,


Did you consider to REMOVE suggested additions ( one-by-one ), to see, which suggested restriction might be incompatible to your complete ( main AND master.cf ) postfix - configuration?

Will test this and reach back with results.

 

[Xavier12]

Have you considered that these spam emails that seem to be coming from your own server are actually spoofed and not actually coming from your server at all?

You could examine the source of one of these emails and examine the first header beginning with"Received: from" and note the IP address listed.
If it isn't one of your server's IP addresses, then these emails are most likely spoofed, which means they didn't originate from your server and there is nothing you can do to prevent them except attempt to spam-filter them out when they come in.

Just something to check.

Hi, thanks for chiming in! Yes, it shows a different IP address other than the server, which means that they are spoofing. But, the weird thing is that the message header still shows @mydomain.com. So I am confuse as to how they are able to spoof it from another server but still have a valid message header. Normally the message header email would be different if they are simply spoofing it by making it display as a "reply to" email. Not sure if they are somehow making their way by entering via an open relay.

Please advise, thanks guys