Hello! Lately I have problems with SPAM on my ISPConfig servers. More specifically, my clients are getting mail from themselves or from some other mail address in their domain. E.g. [email protected] is getting mail from [email protected] (from himself) or from [email protected] (and the 'epson' user does not exist). How do I prevent that? Is there a way to 'forbid' spoofed email addresses? Note that there is an SPF record on the DNS server for that domain, and mail-tester.com gives a 9/10 score for that domain.
This type of spam is quite hard to stop, imho. First step is to include RBL like spamhaus.org into the postfix server.
Have a look at "System" --> "Server config" --> "yourservername" --> Tab "Mail" --> "Real-time Blackhole List". Enter the names (comma-separated) of RBL providers there, e.g. "zen.spamhaus.org".
There are lots of possibilities to fight spam; it would exceed the scope of this post. Another thing to do would be installing postgrey greylisting. See here: https://www.howtoforge.com/greylisting_postfix_postgrey
I've been seeing spam like this too recently - gets by everything even after you put in postgrey etc... and I do have zen.spamhaus.org in the RBL list (should I add some more?).

On a spam-tagged email, the headers are:

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (unknown [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id 8DF301A584F for <[email protected]>; Mon, 9 May 2016 10:23:16 +0000 (UTC)
X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com
X-Spam-Flag: YES
X-Spam-Score: 4.992
X-Spam-Level: ****
X-Spam-Status: Yes, score=4.992 tagged_above=-999 required=3 tests=[BAYES_50=1.5, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FSL_BULK_SIG=0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723, MISSING_MID=0.497, RDNS_NONE=0.793] autolearn=no
Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rLYCdzoRvKG for <[email protected]>; Mon, 9 May 2016 06:23:15 -0400 (EDT)
Received: from ns79.yourdomainname.com (unknown [103.208.153.31]) by ns9.cdbsystems.com (Postfix) with ESMTP id 420461A583C for <[email protected]>; Mon, 9 May 2016 06:23:11 -0400 (EDT)
X-Sender: "Rita" <[email protected]>

But a message that is clearly spam has these headers:

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (unknown [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id DFE631A5848 for <[email protected]>; Mon, 9 May 2016 11:25:21 +0000 (UTC)
X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com
Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tv9Ieaz1SUcR for <[email protected]>; Mon, 9 May 2016 07:25:20 -0400 (EDT)
Received: from 41.72.221.228.liquidtelecom.com (unknown [41.72.221.228]) by ns9.cdbsystems.com (Postfix) with ESMTP id 78E711A5819 for <[email protected]>; Mon, 9 May 2016 07:25:17 -0400 (EDT)
Message-ID: <F99D6398FD076606629C6702F899F99D@LCW0PPVLT>
From: <[email protected]>
To: <[email protected]>
Subject: Hello!
Date: 9 May 2016 16:03:54 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0023_01D1A9FE.02EA077A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.4929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.4929

The email goes on to suggest some rather inappropriate behaviour! LOL. But note there are NO X-Spam headers in the second email. I have tagged_above set to -999, so surely the headers should be in ALL emails??? How does this second one get through? Note it appears to be from one of my domains, but I don't think I have any blocking on those.... Any ideas? cdb.
Seems as if there is no spam policy set for the email address or domain that you can see in the "To" header of the second email. Check the settings in ISPConfig and enable the same spamfilter policy that you have set for the domain and/or address of the first email.
Alas, not as easy as that. The second email's "To" field is actually a forwarded address to the final delivered box, not a mailbox itself. The domains all have a normal spamfilter, but it seems like if the "To" field is a forwarded address rather than a destination box the spamfilter never gets applied, and I can't have it be a mailbox because then the forward is invalid.
I was also having the same issue for one of my clients. As Mr. Croydon said, it's kind of hard to stop spam... but it can be stopped. I have succeeded partially. In our case we can stop receiving SPAM from our own domain if the user doesn't exist in the database... Ex:- [[email protected] (and the 'epson' user does not exist)] or any randomly generated user ids like [email protected], [email protected]. You can also prevent receiving SPAM messages from invalid domain names, if you like.. All you have to do is find and modify the line that starts with 'smtpd_sender_restrictions =' in '/etc/postfix/main.cf' to reflect 'smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_origina[....]'. It worked fine for me. I'm still working on solutions to stop receiving spoofed mails from my own domain's other existing user ids. I'll let you know if I ever succeed.
I found something close to what I am looking for... If you add one more parameter - 'reject_sender_login_mismatch' - to the same line (the edited line should look like this ... 'smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender, check_sender_access, reject_sender_login_mismatch, regexp:/etc/postfix/tag_as_origina[....]'), that will block spoofed mail from existing user ids of our domains and prevent domain users from sending spoofed mails to external/internal e-mail addresses. Ex:- [email protected] won't be able to send a mail from [email protected]. It's really helpful when a hacker gets the login details of a user and tries to send spoofed mails. It happened to me a year ago. The hacker was using user credentials to send tons of mails that pretended to be from a bank. There is a drawback with this method. The real user who is in the 'from' field will receive bounce messages whenever a spammer sends a mail that has his id in the from field. For instance, we have two users in our domain, [email protected] and [email protected]. A spammer sends a mail to [email protected] pretending it is from [email protected]. Tom will receive a bounce message like the one below, unless there is a configuration to stop this.
<[email protected]>: host my.host.com[IP] said: 553 5.7.1 <[email protected]>: Sender address rejected: not logged in (in reply to RCPT TO command)
I hope it helps.
Be careful if your system uses alternative login names. I think reject_sender_login_mismatch is not working with an alternative login name. Am I wrong?
Yes Chico... you are absolutely right, I just noticed that feature, thank you for pointing it out to me. For those who use alternative login names, it won't work. If one wants to tighten the security, reject_sender_login_mismatch is a must-have (in my opinion). In my case, I'm tired of spoofed mails. It's hard to convince a customer if he thinks his or a colleague's account is hacked, just because they receive some strange message from their own domain and no one takes responsibility for it. Personally I would do anything to prevent them. Frankly, I haven't applied it on a production environment, but I'll test it on low-priority customers who won't care if things get a little problematic for a while.