Email Spam

Discussion in 'ISPConfig 3 Priority Support' started by Tom John, May 25, 2021.

  1. Tom John

    Tom John Member HowtoForge Supporter

    Hi guys,
    i am using ubuntu 20.04 and ISPConfig 3.2
    I have the domain cl-soft.com setup in ISPConfig but without setting up an email account and i get spam emails from
    mail.cl-soft.com to my private email account.
    there is no mail account setup for mail.cl-soft.com
    How is it possible they can spam email from that account.
    Is there an option to avoid this?
    thanks for your kind help
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Could you share the message headers?
     
  3. Tom John

    Tom John Member HowtoForge Supporter

    Return-path: <[email protected]>
    Original-recipient: rfc822;[email protected]
    Received: from mr28p00im-smtpin032.me.com by p101-mailgateway-79dcdc9478-wpsn2 (mailgateway 2108B195)
    with SMTP id 47fa877d-002c-4741-a289-f6d7e6fe8f1c
    for <[email protected]>; Tue, 25 May 2021 01:33:45 GMT
    X-Apple-MoveToFolder: INBOX
    X-Apple-Action: MOVE_TO_FOLDER/INBOX
    X-Apple-UUID: 47fa877d-002c-4741-a289-f6d7e6fe8f1c
    Received: from server2.cl-i.net (server2.cl-i.net [167.86.74.26])
    by mr28p00im-smtpin032.me.com (Postfix) with ESMTPS id 643FB2659D0
    for <[email protected]>; Tue, 25 May 2021 01:33:41 +0000 (UTC)
    X-ICL-SCORE: 3.2220332300
    X-ICL-INFO: GAtbVUseBFBHSVVESgMGUldZCh4MXUMRSFsIVVhDQ19XFwkZHRIWBxFERAAdUlsDBg0DBThTWk8G
    FgADVlNZD1dZABNFElUOWAoJEQweVQ0YW0YEEUALQERPUVlABhhVQVdUQVoQXgcZFltVC1VEFBAL
    VFkbXBsLWxcDA1oQRhYHREQEHUJABwdLSBQUHV9MGxwSVVhUUl9XDAgcFl9BDFdZCx4cDRRePgEv
    IDsDABUnEgVFL2BTBDE/PgJKRX00GkgvHh4DfywRARw8AmlHJhY5BRtVQ1kEAVcFGBUOFEIHGltV
    DF9bBhM5CxJWU1kPVw==
    Authentication-Results: dmarc.icloud.com; dmarc=none header.from=cl-soft.com
    x-dmarc-info: pass=none; dmarc-policy=(nopolicy); s=u0; d=u0
    x-dmarc-policy: none
    Authentication-Results: dkim-verifier.icloud.com; dkim=none
    Authentication-Results: spf.icloud.com; spf=none (spf.icloud.com: [email protected] does not designate permitted sender hosts) [email protected]
    Received-SPF: none (spf.icloud.com: [email protected] does not designate permitted sender hosts) receiver=p00-spfmilter-7dd5d8fc4-v7n8z; client-ip=167.86.74.26; helo=server2.cl-i.net; [email protected]
    Received: from localhost (localhost [127.0.0.1])
    by server2.cl-i.net (Postfix) with ESMTP id 0B2695C178A
    for <[email protected]>; Tue, 25 May 2021 03:33:40 +0200 (CEST)
    X-Virus-Scanned: Debian amavisd-new at server2.cl-i.net
    Received: from server2.cl-i.net ([127.0.0.1])
    by localhost (server2.cl-i.net [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id 0E7WBDUiI0eA for <[email protected]>;
    Tue, 25 May 2021 03:33:39 +0200 (CEST)
    Received: by server2.cl-i.net (Postfix, from userid 5014)
    id D877C5C1799; Tue, 25 May 2021 03:33:38 +0200 (CEST)
    To: [email protected]
    Subject: New Message From cl-Soft
    Date: Tue, 25 May 2021 01:33:38 +0000
    From: Eric Jones <[email protected]>
    Message-ID: <[email protected]>
    X-Mailer: PHPMailer 6.4.1 (https://github.com/PHPMailer/PHPMailer)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit
    X-MANTSH: 1TEIXR1geHVoaGkNHB1tfQEQaEhoTGBsaGBEKTEMXGxoEGxsYBBIcBB8fEBseGh8
    aEQpMWRcbHhoRCllEF25EbG9nT29kGUxMEQpZTRdkRURPEQpZSRcfcRsGGxp3BhkfBhoGGgYbG
    hoGGnEaEBp3BhoGGgYaBhoGGgYacRoQGncGGhEKWV4XY2N5EQpDThdnEx4TfUlzfnhbelIHfFh
    ST2FkZU1CR2llR0JpE30ZXxEKWFwXGQQaBB4eBx8TSBweGx4ZBRsdBBsbGgQdGgQbGRgQGx4aH
    xoRCl5ZF3IeTEN4EQpNXBcYGh8RCkxaF2htTWtrEQpNThdoaxEKQ1oXGxwdBBIcBB0eBBgcEQp
    CXhcbEQpCRRdie3pITh1YWxp4RBEKQk4XYRlNBRMFAX1jUlARCkJMF2hQZnJMbF1eaWNGEQpCb
    BdsUEhpGn5fb2weRhEKQkAXbFxta0sFRRhDXVsRCkJYF2JhBWJ/RkZlTHtGEQpCeBd6YltFaGZ
    ZfG19chEKTV4XBxsRClpYFxkRCnBoF2F7HFt4fH5JeB9GEAcbEhEKcGgXZWwSel0BUFJcfFkQB
    xsSEQpwaBdhU2FubX1AcnlkTRAHGx4RCnBoF2VDYkxpZnpMTX5FEAcbEhEKcGgXb1BvT0dYaW1
    leFMQBxkaEQpwfRdmckleS3lSHkRDQRAHHAQYEQpwfRd6YF1fY3N5QWN4UhAHGRoRCnB/F2ZyS
    V5LeVIeRENBEAccBBgRCnB/F2JZYHp9fRJgUwUbEAccBBgRCnBfF21GEkZtZVpFeHBjEAccBBg
    RCnBsF2tkE2ceHmN7HmR9EAcbEhEKbX4XBxsRClhNF0sR
    X-CLX-Shades: None
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, so it seems like the website is sending as "[email protected]" posing as "[email protected]" from the server server2.cl-i.net to your mailaddress. There is no SPF policy to designate IP's allowed to send, so it is not blocked.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Does mail for cl-soft.com live in an external server, or should not exist anywhere?
     
  6. Tom John

    Tom John Member HowtoForge Supporter

    Hi there,
    thanks a lot for your answer.
    in ISPConfig there is no setup for any mail account for this domain.
    should i setup SPF on the server or is there another solution?
    thanks a lot for your help
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Two options come to mind, either add that domain (cl-soft.com) in the postfix blacklist (type sender), or add cl-soft.com as a mail domain (you don't have to create any mailboxes) and ensure you have the 'reject sender login mismatch' setting enabled.
     
  8. Tom John

    Tom John Member HowtoForge Supporter

    Hi
    thanks for your answer.
    there is no option for reject sender login mismatch when i create cl-soft.com as a mail domain
    Can you help me where to find this option?
    thanks a lot Screenshot from 2021-05-28 17-58-41.png
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This happens when the domain exists on your server. No need to enable anything else.
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The setting is under server config.
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Lol, I misread this. My bad ;)
     
  12. Tom John

    Tom John Member HowtoForge Supporter

    HI guys,
    i still have the same problem with another domain on this server:
    Code:
    Return-path: <[email protected]>
    Original-recipient: rfc822;[email protected]
    Received: from st11p00im-smtpin006.me.com by p101-mailgateway-79cf87b6dc-jt7r6 (mailgateway 2108B198)
       with SMTP id 31a30a8c-0315-4196-80eb-92a0d5cdee55
       for <[email protected]>; Mon, 14 Jun 2021 11:22:55 GMT
    X-Apple-MoveToFolder: INBOX
    X-Apple-Action: MOVE_TO_FOLDER/INBOX
    X-Apple-UUID: 31a30a8c-0315-4196-80eb-92a0d5cdee55
    Received: from server2.cl-i.net (server2.cl-i.net [167.86.74.26])
       by st11p00im-smtpin006.me.com (Postfix) with ESMTPS id 45046F45663
       for <[email protected]>; Mon, 14 Jun 2021 11:22:51 +0000 (UTC)
    X-ICL-SCORE: 3.2220332300
    X-ICL-INFO: GAtbVUseBFBHSVVESgMGUldZCh4MXUMRSFsIVVhDQ19XFwkZHRIWBxFERAAdUlsDBg0DBTgBG1Ad
     FhUDVlNZD1dZABNFEgdPRxEJBAweVQ0YW0YEEUALQERPUVlABhhVQVdUQVoQXgcZFltVC1VEFBAL
     VFkbXBsLWxcDA1oQRhYHREQEHUJABwdLSBQUHV9MGxwSVVhUUl9XDAgcFl9BDFdZCx4cDRReMiMg
     Tj9hA1MHSgwcL1NPIDktEBo7dkMbNhQVMjppX1FMMz8CIWAFNzQ5V1pKWFkRAVcFGBUOFEIHGltV
     DF9bBhM5CxJWU1kPVw==
    Authentication-Results: dmarc.icloud.com; dmarc=none header.from=1-2host.com
    x-dmarc-info: pass=none; dmarc-policy=(nopolicy); s=u0; d=u0
    x-dmarc-policy: none
    Authentication-Results: dkim-verifier.icloud.com; dkim=none
    Authentication-Results: spf.icloud.com; spf=none (spf.icloud.com: [email protected] does not designate permitted sender hosts) [email protected]
    Received-SPF: none (spf.icloud.com: [email protected] does not designate permitted sender hosts) receiver=p00-spfmilter-6ff467cfbf-zccc5; client-ip=167.86.74.26; helo=server2.cl-i.net; [email protected]
    Received: from localhost (localhost [127.0.0.1])
       by server2.cl-i.net (Postfix) with ESMTP id F3B3E5C1769
       for <[email protected]>; Mon, 14 Jun 2021 13:22:49 +0200 (CEST)
    X-Virus-Scanned: Debian amavisd-new at server2.cl-i.net
    Received: from server2.cl-i.net ([127.0.0.1])
       by localhost (server2.cl-i.net [127.0.0.1]) (amavisd-new, port 10024)
       with LMTP id Pfat69wNFJ9B for <[email protected]>;
       Mon, 14 Jun 2021 13:22:48 +0200 (CEST)
    Received: by server2.cl-i.net (Postfix, from userid 5012)
       id B00745C1783; Mon, 14 Jun 2021 13:22:48 +0200 (CEST)
    To: [email protected]
    Subject: New Message From 1-2 host
    Date: Mon, 14 Jun 2021 11:22:48 +0000
    From: AL SAEED CORPORATION LLC <[email protected]>
    Reply-To: "\"AL SAEED CORPORATION LLC\"" <[email protected]>
    Message-ID: <[email protected]>
    X-Mailer: PHPMailer 6.4.1 (https://github.com/PHPMailer/PHPMailer)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit
    X-MANTSH: 1TEIXWV4bG1oaGkNHB0JTTFwYGxsfGhkaGxEKTEMXGxoEHRwEGxMTBBIQGx4aHxo
     RCkxZFxseEQpZRBdveHtJQVljbnIbZBEKWU0XZEVETxEKWUkXG3EbBhh3BhMfBhoGGgYHGx0GB
     xkacRoQG3cGGgYaBhoGBxkfBhoGGnEaEBp3BhoRClleF2NjeREKQ04XQ0EeeXNgfFtlEh9Ma0x
     MG0xBZFtlXx14Hh5fSF5fEm8RClhcFxkEGgQeHgcfE0gcHhseGQUbHQQbHRgEEhsEEhwQGx4aH
     xoRCl5ZF3IFZWlEEQpNXBcHGR4RCkxaF3hiXWtrEQpFWRdoa28RCkxfF3oFBQUFBQUFBQVOEQp
     MRhdja2sRCkNaFxscHQQSHAQdHgQYHBEKQl4XGxEKQkUXbhtZWxNpQEVYc2cRCkJOF2hJZFpLa
     1gZGRkYEQpCTBdpY2gdZkkYW3lOWREKQmwXYWZif2dFRx55HWgRCkJAF21/WWtmYG9cbEh7EQp
     CWBdiYQVif0ZGZUx7RhEKQngXemJbRWhmWXxtfXIRCk1eFxsRCnBnF2ZEeBMdZlseeB5PEBsSE
     QpwaBdoeR5lZ0JYHF9iaxAZGhEKcGgXYBtyTwFQHWNdEkwQHhIRCnBoF2ZHRUt6fhJkXEhvEBk
     aEQpwZxdmEkREbWZjbhx/RxAbEhEKcGwXYB1gRFJjHkN7XU4QHhIRCm1+FxsRClhNF0sR
    X-CLX-Shades: None
    
    Wir sind AL SAEED CORPORATION LLC
    Wir vergeben Kredite an Privatpersonen/Firmen zu einem jährlichen Zinssatz von 2 %. Wir interessieren uns für die Finanzierung von Projekten mit großem Volumen. Die Rückzahlungsfrist beträgt 1 Jahr bis 30 Jahre.
    KONTAKTIERE UNS:
    E-Mail: [email protected]
    WhatsApp: +31687883894
    Telefonnummer: 84293231629
    
    
    
    i checked the box : reject sender and login mismatch
    I setup in email domains the domain 1-2host.com
    but still receiving spam from my domain, do you have any idea where else i can look for the problem?
    The domain name points at server2 but i did not setup mail.1-2host.com at the nameserver. can this be a problem maybe?
    thanks for your kind help
     
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Sorry, bad previous answer on my part, reject_sender_login_mismatch only works with smtpd, your mail is locally submitted (which uses postdrop), so that doesn't help. It looks like you'd have to use
    local_login_sender_maps (and empty_address_local_login_sender_maps_lookup_key) to setup a similar restriction, which ISPConfig does not set up. I don't believe the postfix blacklist will work for postdrop, either.

    So other solutions ... there is a 'discard' transport which simply discards all mail, if you could get mail from your 1-2host.com domain to use that it'd suit your purposes. You could create an email account on the server for this purpose, eg. [email protected] (this is needed so mail to the address isn't rejected), then under Email Routing add a new transport with [email protected] as the Domain, type 'custom' and 'discard:' as the Destination. Now enable the (new) per-domain relay options (under Main Config > Mail, and enable in client template if needed/used), edit the 1-2host.com email domain and set Relayhost to [email protected]. This works because there's no verification that the 'Relayhost' is a valid hostname, but... it works for now, at least. :) Then see what happens.

    The above basically emulates the behavior of sender_dependent_default_transport_maps, which you could just use.

    Another option would be to switch from amavis to rspamd, and use the postfix blacklist (or maybe better (because a client can do it, not only the admin), use the 'Email blacklist' when logged in as the client, which is the same thing).
     

Share This Page