I am getting spam emails sent from my own address

Discussion in 'Installation/Configuration' started by Gijonash, Oct 11, 2015.

  1. Gijonash

    Gijonash New Member

    Hi, :)
    My name is Nacho. I'm new to your forum, I've worked one year with ISPConfig and I am delighted.
    It is costing me a bit because I come from the Windows world, but forums like this make it a bit easier.
    I've a problem: I am getting emails sent from my own address.
    When looking at the headers I see every one comes from a different IP. I see the email addresses come from other countries. And each message is from a different IP address. It seems to me difficult to block all addresses ... one by one.
    How can I avoid this problem?
    How best can I secure my mail server?
    We use POP and IMAP.
    We do not have SMTP security. I don't have "Authentication required" enabled on our SMTP server... What do you recommend?
    Thank you very much in advance.

    P.S. This is my config:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    IP-address(es) (as per ifconfig): ***.***.***.***
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.0.5.4p8


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 5.4.39-0+deb7u2
    [INFO] php-cgi (used for cgi php in default vhost!) is version 5.4.39-0+deb7u2

    ##### PORT CHECK #####


    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 12469)
    [INFO] I found the following mail server(s):
    Postfix (PID 22364)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 23746)
    [INFO] I found the following imap server(s):
    Dovecot (PID 17182)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 2334)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:110 (23746/dovecot)
    [anywhere]:143 (17182/imap-login)
    [localhost]:783 (5681/spamd.pid)
    [anywhere]:465 (22364/master)
    [anywhere]:21 (2334/pure-ftpd)
    ***.***.***.***:53 (15966/named)
    [localhost]:53 (15966/named)
    [anywhere]:22 (5159/sshd)
    [localhost]:953 (15966/named)
    [anywhere]:25 (22364/master)
    [anywhere]:993 (17182/imap-login)
    [anywhere]:995 (23746/dovecot)
    [localhost]:10024 (5903/amavisd-new)
    [localhost]:10025 (22364/master)
    [localhost]:3306 (22132/mysqld)
    [anywhere]:587 (22364/master)
    [localhost]:11211 (5259/memcached)
    [localhost]10 (23746/dovecot)
    [localhost]43 (17182/imap-login)
    *:*:*:*::*:8080 (12469/apache2)
    *:*:*:*::*:80 (12469/apache2)
    *:*:*:*::*:8081 (12469/apache2)
    *:*:*:*::*:465 (22364/master)
    *:*:*:*::*:21 (2334/pure-ftpd)
    *:*:*:*::*:53 (15966/named)
    *:*:*:*::*:22 (5159/sshd)
    *:*:*:*::*:953 (15966/named)
    *:*:*:*::*:25 (22364/master)
    *:*:*:*::*:443 (12469/apache2)
    *:*:*:*::*:993 (17182/imap-login)
    *:*:*:*::*:995 (23746/dovecot)
    *:*:*:*::*:587 (22364/master)




    ##### IPTABLES #####
    Chain INPUT (policy DROP)
    target prot opt source destination
    fail2ban-ssh tcp -- [anywhere]/0 [anywhere]/0 multiport
    dports 22
    DROP tcp -- [anywhere]/0 ***.***.***.***/8
    ACCEPT all -- [anywhere]/0 [anywhere]/0 state RELATED,ESTABLISHED
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    DROP all -- ***.***.***.***/4 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0 state RELATED,ESTABLISHED
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- [anywhere]/0 [anywhere]/0
    PUB_OUT all -- [anywhere]/0 [anywhere]/0
    PUB_OUT all -- [anywhere]/0 [anywhere]/0
    PUB_OUT all -- [anywhere]/0 [anywhere]/0
    PUB_OUT all -- [anywhere]/0 [anywhere]/0

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain PAROLE (16 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain PUB_IN (5 references)
    target prot opt source destination
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 0
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:20
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:22
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:25
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:53
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:80
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:110
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:143
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:443
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:587
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:993
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:995
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:3306
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8081
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:10000
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:53
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:3306
    DROP icmp -- [anywhere]/0 [anywhere]/0
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain PUB_OUT (5 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0
    DROP all -- ***.***.***.*** [anywhere]/0
    RETURN all -- [anywhere]/0 [anywhere]/0
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Which tutorial did you use to install the server? Please post the complete headers of one of these emails.
     
  3. Gijonash

    Gijonash New Member

    Thanks for your answer, Till.
    I've an OVH server, and I selected ISPConfig + Debian while configuring my server.
    I have not followed any particular manual.
    I share the header of an email:
    *************
    Return-Path: <info[arroba]mydomain.es>
    Delivered-To: info[arroba]mydomain.es
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by nsxxxxxx.ip-xxx-xxx-xxx.eu (Postfix) with ESMTP id 187E94C80086
    for <info[arroba]mydomain.es>; Tue, 13 Oct 2015 10:08:53 +0200 (CEST)
    X-Virus-Scanned: Debian amavisd-new at nsxxxxxx.ip-xxx-xxx-xxx.eu
    Received: from nsxxxxxx.ip-xxx-xxx-xxx.eu ([127.0.0.1])
    by localhost (nsxxxxxx.ip-xxx-xxx-xxx.eu [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id I6QVUW7psfsH for <info[arroba]mydomain.es>;
    Tue, 13 Oct 2015 10:08:53 +0200 (CEST)
    Received: from [121.54.58.157] (unknown [121.54.58.157])
    by nsxxxxxx.ip-xxx-xxx-xxx.eu (Postfix) with ESMTP id 378284C80084
    for <info[arroba]mydomain.es>; Tue, 13 Oct 2015 10:08:52 +0200 (CEST)
    From: <info[arroba]mydomain.es>
    To: <info[arroba]mydomain.es>
    Subject: Hola querido!
    Date: 13 Oct 2015 22:55:47 +0700
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0025_01D105D1.016FAF0A"
    X-Mailer: Microsoft Office Outlook 12.0
    Thread-Index: Acgecf4qjs8sg36agecf4qjs8sg36a==
    Content-Language: en
    x-cr-hashedpuzzle: 2D4= cf4q js8s g36a gecf 4qjs 8sg3 6age cf4q js8s g36a gecf 4qjs 8sg3 6age cf4q;1;js8sg36agecf4qjs8sg36agecf4qjs8sg36agecf4qjs8sg3;Sosha1_v1;7;\{9C5556DB-889F-D805-CCCF-421106419C55\};ZQB3AGUAZgcf4qjs8sg36agecf4qjs8sg36agecf4qjs8sg3;13 Oct 2015 22:55:47 +0700;6agecf4qjs8sg36a
    x-cr-puzzleid: \{9C5556DB-889F-D805-CCCF-421106419C55\}
    **************
    I have not concealed the IP of the spammer (121.54.58.157). But I have to say that it has changed with respect to other mails. Curiously, I get them myself with a later time than the actual arrival. For example I get some mail at 10:00 PM with time 12:00 PM.
    Thanks in advance.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see this mail is not sent from your server. Spammers often use the recipient address as sender address, or a faked address of your domain as sender address. So there is no issue with your server configuration; that's just normal spam, so the normal methods to prevent and filter spam will help you.

    1) Add some real-time blacklists under System > Server config > Mail.
    2) Ensure that you selected a spam filter policy for your email domain and/or mailbox in ISPConfig.
    3) You can also test lowering the spam tag2 level of the selected policy.
    4) Add a DNS SPF record for your domain to define the servers that are allowed to send email for your domain.
     
  5. Gijonash

    Gijonash New Member

    Thanks Till.
    I comment on your four points:
    POINT 4:
    I had ruled out this option because I configured the SPF record and validated it correctly, like you recommend, in
    *****
    TXT my[dot]domain[dot]es. v=spf1 a mx ptr ipx:xxx.xxx.xxx.xx ~all
    *****
    And its validation:
    SPF Record Published: Record found
    SPF Syntax Check: The record is valid
    SPF Multiple Records: Less than two records found
    SPF Record Deprecated: No deprecated records found
    SPF Included Lookups: Number of included lookups is OK
    And I don't understand how they can send on behalf of my domain...

    IN POINTS 2 AND 3.
    I've a spam filter. I've Tag at 2. And the other options like this:
    Tag=2
    Second Tag=4,5
    Kill=50
    Cutoff=0,0
    In the general config I have this: the 4 first options with YES and the other three NO.

    IN POINT 1.
    I had no RBL at all.
    Looking for some, I think that these two RBLs would be nice:
    cbl[dot]abuseat[dot]org and b[dot]barracudacentral[dot]org
    Do I only have to put them in "System > Server config > Mail", or do I have to register my mail server in each one? Or must I do what Javier Córdoba recommends? "hardening-postfix-for-ispconfig-3 dnsbl-dns-based-blacklistblocklist"
    Thanks a lot for your help!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    SPF is a recommendation for spam filters, not more. So it will help your and other spam filters to filter out spam emails. An SPF record is not a mechanism to hard block emails.

    Try to set the tag2 level to 3.5 or 3.

    Just add the blacklists there that you want to use.

    You can use that, but that setup is really strict and you might find out that legitimate email is not received anymore.
     
    Gijonash likes this.
  7. Gijonash

    Gijonash New Member

    Ok Till.
    I've made the changes you mentioned to me.
    Do you think it is interesting to use authentication and security in SMTP/IMAP sending?
    My setup allows me STARTTLS, port 587 and user authentication ... Is that correct?

    We'll test with these changes, and I'll tell you how it went.
    Thank you.
     
  8. Jesse Norell

    Jesse Norell Active Member

    If you change your SPF record to a hard fail, i.e. ending with "-all" instead of "~all", it will be an outright block for those spam messages in many, though certainly not all, places. It should make your SpamAssassin score increase as well.

    If you want to implement rejecting mail for SPF hard fails yourself, follow the instructions in that hardening postfix guide to install postfix-policyd-spf-python or postfix-policyd-spf-perl (i.e. the "SPF Check For Postfix" step).
     
    Gijonash likes this.
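An added worked example (not code from any poster in this thread, nor from ISPConfig or the policyd tools) that ties posts #4 and #8 together: it walks the Received chain from the posted header to find the hop that really handed the mail to Postfix, then evaluates the thread's `a mx ptr ip4 ~all` style record against that IP to show why `~all` only yields softfail while `-all` yields fail. example.invalid, 198.51.100.10 and the DNS table are constructed stand-ins for the real domain, server IP and lookups; 121.54.58.157 is the spammer's hop from the posted header.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the Received chain posted above; example.invalid and
# 198.51.100.10 stand in for the real domain and server, 121.54.58.157 is the spammer's hop.
RAW_HEADERS = """Received: from localhost (localhost.localdomain [127.0.0.1])
 by ns.example.invalid (Postfix) with ESMTP id 187E94C80086
Received: from ns.example.invalid ([127.0.0.1])
 by localhost (ns.example.invalid [127.0.0.1]) (amavisd-new, port 10024)
Received: from [121.54.58.157] (unknown [121.54.58.157])
 by ns.example.invalid (Postfix) with ESMTP id 378284C80084
"""

# Constructed DNS answers so the evaluator runs offline (real SPF needs live lookups).
DNS = {
    "A": {"example.invalid": ["198.51.100.10"], "mail.example.invalid": ["198.51.100.10"]},
    "MX": {"example.invalid": ["mail.example.invalid"]},
    "PTR": {"198.51.100.10": ["mail.example.invalid"]},
}

def originating_ip(headers, trusted=("127.0.0.1",)):
    """Received headers are newest-first; the first hop not from our own (trusted) hosts
    is the machine that actually connected to Postfix, whatever the From: header says."""
    for m in re.finditer(r"^Received: from \S+ \((?:\S+ )?\[([^\]]+)\]\)", headers, re.M):
        if m.group(1) not in trusted:
            return m.group(1)
    return None

def spf_result(record, ip, domain):
    """Evaluate the mechanisms used in the thread's record (a, mx, ptr, ip4, all) left to
    right; the first matching mechanism decides, and its qualifier gives the result."""
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:                      # skip the "v=spf1" version tag
        qual = term[0] if term[0] in verdict else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = ip_address(ip) in ip_network(arg, strict=False)
        elif name == "a":
            hit = ip in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hit = any(ip in DNS["A"].get(mx, []) for mx in DNS["MX"].get(arg or domain, []))
        elif name == "ptr":                              # simplified: no forward re-check
            hit = any(h == domain or h.endswith("." + domain) for h in DNS["PTR"].get(ip, []))
        else:
            return "permerror"                           # mechanism not modelled here
        if hit:
            return verdict[qual]
    return "neutral"
```

With the posted chain, `originating_ip` returns 121.54.58.157, which matches none of the server's mechanisms, so the record decides on its `all` term: softfail under `~all`, fail under `-all`; the server's own IP passes on `a` either way.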
  9. Gijonash

    Gijonash New Member

    Thanks Jesse. I'll test that.
    Since yesterday the number of spam mails has decreased, but I still have some in a few accounts.
    Thanks for your help!
     
