I've been getting these types of email lately too. They're spoofing the From header to make it look like it comes from my domain, but the full email headers show the real source:

Received: from mail.promiks.com (unknown [95.130.173.217])

Received: from ([80.38.233.163])
by mail.promiks.com (Promiks Mail Server V3.4.1) with ASMTP (SSL) id 201903240032330905

Most were getting marked as spam by SpamAssassin, but a few were getting through. I have opendkim and opendmarc running, so I added these rules to my SpamAssassin local.cf:

#dmarc fail
header CUST_DMARC_FAIL Authentication-Results =~ /mydomain\.com; dmarc=fail/
score CUST_DMARC_FAIL 4.0

#dmarc pass
header CUST_DMARC_PASS Authentication-Results =~ /mydomain\.com; dmarc=pass/
score CUST_DMARC_PASS -1.0


This requires you to have a DMARC record for your domain, but the policy can be "none" if you want, since this rule is only looking for the "dmarc=fail" result from opendmarc. I got these rules from https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/

On 2019-03-22 6:19 pm, Christian Schmitz wrote:

Hi everyone:
I have a small mail server with a few email accounts. The server is:
Opensuse/Postfix/apache

Today I received a phishing email. The words more or less say that I was hacked, that he knows my passwords, blah blah blah, and that I must pay in bitcoins. The email
content is 100% phishing and no real hacking, for several reasons:
list@XXX was only created for mailing lists and no other usage
I have no webcam
The hacker did not use SASL to get real use of my account.
For forums/website registrations I use mailinator.com

The curious thing is that the email seems at first sight to be written from me to myself. If my
email is list@xxx, the email says it is from list@xxx.

So I started a little investigation in the LOG file, and everything suggests that the "hacker" does not know the passwords, because the sender was not SASL authenticated, so
the "hacker" simply spoofed the FROM field:

1) First question: how can I filter the spoofed emails? In other words, if the sender is not authorized to send as list@xxx, because this email is managed by ME.

2) Second question: how can I adjust the sender policy to block SPF soft fail?

Thank you all.
Best Regards.
Christian Schmitz

Info extra 1: LOG: /var/log/mail
connect from mmu.ac.ug[62.75.235.12]
Anonymous TLS connection established from mmu.ac.ug[62.75.235.12]: TLSv1.2
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
: SPF softfail (Mechanism '~all' matched): Envelope-from: [email protected]
: handler sender_policy_framework: is decisive.
: Policy action=PREPEND Received-SPF: softfail (mmu.ac.ug: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however
domain is not currently prepared for false failures (mechanism '~all'
matched)) receiver=schweb; identity=mailfrom; envelope-from="[email protected]";
helo=xray144.theg7.com; client-ip=62.75.235.12
client=mmu.ac.ug[62.75.235.12]
message-id=<[email protected]>
from=<[email protected]>, size=228789, nrcpt=1 (queue active)
disconnect from mmu.ac.ug[62.75.235.12]
to=<list@XXX>, relay=virtual, delay=8, delays=6.9/0.02/0/1, dsn=2.0.0,
status=sent (delivered to maildir)
removed

Info extra 2: when I send an email I get the log of SASL authentication:
client=unknown[192.168.XX.XX], sasl_method=LOGIN, sasl_username=YYY@XXX

Info extra 3: received email header
Return-Path: <[email protected]>
X-Original-To: list@XXX
Delivered-To: list@XXX
Received-SPF: softfail (mmu.ac.ug: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=schweb; identity=mailfrom; envelope-from="[email protected]"; helo=xray144.theg7.com;
client-ip=62.75.235.12
Received: from xray144.theg7.com (mmu.ac.ug [62.75.235.12])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by schweb.com.ar (schweb.com.ar) with ESMTPS id 9EE12450F4
for <[email protected]>; Fri, 22 Mar 2019 07:41:58 -0300 (ART)
Received: from localhost (localhost [127.0.0.1])
by xray144.theg7.com (Postfix) with ESMTP id 50A1C11A0A4A
for <[email protected]>; Fri, 22 Mar 2019 09:58:35 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at xray144.theg7.com
Received: from xray144.theg7.com ([127.0.0.1])
by localhost (xray144.theg7.com [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id pFCoeEV4cz8Y for <[email protected]>;
Fri, 22 Mar 2019 09:58:34 +0000 (UTC)
Received: from [IP-45-237-216-17.acesstelecom.com] (unknown [168.196.195.30])
(Authenticated sender: [email protected])
by xray144.theg7.com (Postfix) with ESMTPSA id 9097B11A042A
for <[email protected]>; Fri, 22 Mar 2019 09:58:20 +0000 (UTC)
Message-ID: <[email protected]>
X-Sender-Info: <[email protected]>
X-Abuse-Reports-To: <[email protected]>
X-Mailer: ZetaMail50
Content-Type: multipart/related;
boundary="7737CA265D6"
MIME-Version: 1.0
Errors-To: [email protected]
To: [email protected]
Subject: list
From: <[email protected]>
Date: Fri, 22 Mar 2019 11:41:41 +0100
Organization: Tdmearjjqvslxt
List-ID: <93206451344121874219.mmu.ac.ug>
Status: R
X-Status: NT
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

This is a multi-part message in MIME format

--7737CA265D6
Content-Type: multipart/alternative;
boundary="C596CBF6D5"

--C596CBF6D5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64

--C596CBF6D5
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

PGh0bWw+PGJvZHk+PGltZyBzcmM9ImNpZDphdHRfaW1nXzgyNzA1MCI+PC9ib2R5PjwvaHRtbD4N
Cg==

--C596CBF6D5--

--7737CA265D6