Hello! Lately I have problems with SPAM on my ISPconfig servers. More specifically, my clients are getting mail from themselves or some other mail address in their domain. Eg. [email protected] is getting mail from [email protected] (from himself) or from [email protected] (and 'epson' user does not exist). How to prevent that? Is there a way to 'forbid' spoofed email addresses? Note that there is a SPF record on the DNS server for that domain and mail-tester.com gives 9/10 score on that domain.
This type of spam is quite hard to stop, imho. First step is to include RBL like spamhaus.org into the postfix server.
Have a look at "System" --> "Server config" --> "yourservername" --> Tab "Mail" --> "Real-time Blackhole List" Enter names (comma-separated) of rbl providers there, e. g. "zen.spamhaus.org".
There are lots of possibilities to fight spam, it would exceed the scope of this post. Another thing to do would be installing postgrey greylisting. See here: https://www.howtoforge.com/greylisting_postfix_postgrey
I've been seeing spam like this too recently - gets by everything even after you put in postgrey etc... and I do have zen.spamhaus.org in the RBL list (should I add some more). on a spammed email headers: Return-Path: <[email protected]> X-Original-To: [email protected] Delivered-To: [email protected] Received: from localhost (unknown [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id 8DF301A584F for <[email protected]>; Mon, 9 May 2016 10:23:16 +0000 (UTC) X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com X-Spam-Flag: YES X-Spam-Score: 4.992 X-Spam-Level: **** X-Spam-Status: Yes, score=4.992 tagged_above=-999 required=3 tests=[BAYES_50=1.5, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FSL_BULK_SIG=0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723, MISSING_MID=0.497, RDNS_NONE=0.793] autolearn=no Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rLYCdzoRvKG for <[email protected]>; Mon, 9 May 2016 06:23:15 -0400 (EDT) Received: from ns79.yourdomainname.com (unknown [103.208.153.31]) by ns9.cdbsystems.com (Postfix) with ESMTP id 420461A583C for <[email protected]>; Mon, 9 May 2016 06:23:11 -0400 (EDT) X-Sender: "Rita" <[email protected]> but a message clearly spam has as headers: Return-Path: <[email protected]> X-Original-To: [email protected] Delivered-To: [email protected] Received: from localhost (unknown [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id DFE631A5848 for <[email protected]>; Mon, 9 May 2016 11:25:21 +0000 (UTC) X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tv9Ieaz1SUcR for <[email protected]>; Mon, 9 May 2016 07:25:20 -0400 (EDT) Received: from 41.72.221.228.liquidtelecom.com (unknown [41.72.221.228]) by ns9.cdbsystems.com (Postfix) with ESMTP id 78E711A5819 for <[email protected]>; Mon, 9 May 2016 07:25:17 -0400 (EDT) Message-ID: <F99D6398FD076606629C6702F899F99D@LCW0PPVLT> From: <[email protected]> To: <[email protected]> Subject: Hello! Date: 9 May 2016 16:03:54 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0023_01D1A9FE.02EA077A" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.4929 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.4929 the email goes on to suggest some rather inappropriate behaviour! LOL but note there is NO X-Spam headers in the second email. - I have tagged-above sent to -999 so surely headers should be in ALL emails??? how does this second one get through? note it appears to be from one of my domains but I dont think I have any blocking on those.... any ideas? cdb.
Seems as if there is no spam policy set for the email address or domain that you can see in the "to" header of the second email. Check the settings in ispconfig and enable the same spamfilter policy that yo have set for the domain and / or address of the first email.
alas not as easy as that the second email to field is actually a forwarded email to the final delivered box. not a mailbox itself. the domains all have normal spamfilter. but it seems like if the to field is a forwarded address rather than a destination box the spamfilter never gets applied and I cant have it be a mailbox because then the forward is invalid.
I was also having the same issue for one of my client. As Mr. Croydon said it's kind of hard to stop spam...but it can be stoped. I have succeeded partially. In our case we can stop receiving SPAM from our own domain, if the user don't exist in database...Ex:- [[email protected] (and 'epson' user does not exist)] or any random generated user ids like [email protected], [email protected]. You can also prevent receiving SPAM messages from invalid domain names, if you like.. All you have to do is find and modify the line starts with 'smtpd_sender_restrictions =' in '/etc/postfix/main.cf' to reflect 'smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_origina[....]' It worked fine for me. I'm still working on solutions to stop receiving spoofed mails from my own domain's other existing user ids. I'll let you know if I ever succeed
I found something close to what I am looking for... If you add one more parameter - 'reject_sender_login_mismatch' - to the same line ( Edited line should look like this ... 'smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender, check_sender_access, reject_sender_login_mismatch, regexp:/etc/postfix/tag_as_origina[....]' ), that will block spoofed mail from existing user ids of our Domains and prevent Domain users from sending spoof mails to external/internal e-mail addresses. Ex:- [email protected] won't be able to send a mail from [email protected]. It's really helpful when a hacker gets login details of a user and tries to send spoofed mails. It happened to me a year ago. Hacker was using user credentials to send tons of mails that pretend to be from a bank. There is a drawback with this method. The real user who is in 'from' field will receive bounce messages whenever spamer sends a mail that has his id on from field. For instance, we have two users in our domain [email protected] and [email protected]. Spamer send a mail to [email protected] pretending it is from [email protected]. Tom will receive bounce message like below, unless there is a configuration to stop this. <[email protected]>: host my.host.com[IP] said: 553 5.7.1 <[email protected]>: Sender address rejected: not logged in (in reply to RCPT TO command) I hope it helps.
Be careful if your system use alternative login names. i think reject_sender_login_mismatch is not working with an alternative login name. Am I wrong?
Yes Chico...you are absolutely right, I just noticed that feature, thank you for pointing me. For those who use alternative login names, it won't work. If one want to tighten the security, reject_sender_login_mismatch is a must to have one (in my opinion). In my case, I'm tired of spoof mails, It's hard to convince a customer if he thinks his/colleague's account is hacked, just because they receive some strange message form their own domain and no one takes responsibility for it. Personally I would do anything to prevent them. Frankly, I haven't applied it on production environment, but I'll test it on low priority customers who won't care if things are getting a little problematic for a while
