Phishing.Email.SpoofedDomain

Discussion in 'ISPConfig 3 Priority Support' started by Harvey Sharman, Jan 4, 2017.

  1. Please help support, (HAPPY NEW YEAR) :)

    On one of our domains, there are 2 email accounts which keep receiving the same scam 'spoofed' emails. These do not arrive externally through our MX records, as we have Barracuda Networks for security and protection and there is no email delivery of these through the MX; they seem to be independently generated on the ISPConfig mail server only. When you sign in via webmail, there is no sent email related to this, just spoofed emails in the inbox with the same wording. They seem to automatically generate in that inbox, as they are not arriving externally through the MX records; we would notice and block these in Barracuda Networks. All email arriving gets filtered and cleaned through the Barracuda MX, which then sends it to our ISPConfig mail server, which works really well.

    I ran rkhunter and ClamAV with the latest database, and Clam found lots of (Phishing.Email.SpoofedDomain); these have all now been removed by ClamAV and all is clean. I scanned this several times and it is still all clean, but 2 of the accounts still receive these. All passwords have been updated without luck. The PCs have all been scanned with Malwarebytes etc.

    Thank you
    Harvey Sharman
     
  2. till

    till (Super Moderator, Staff Member, ISPConfig Developer)

    Check the mail.log of the server; the email delivery of these emails should be logged there, and you should be able to get more info from the mail headers of one of these emails.
     
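A way to do the check till describes, added here as an example and not code from the thread or from ISPConfig: the script below reads Postfix smtpd/qmgr lines of the kind found in mail.log, pairs each queue ID's connecting client IP with its envelope sender, and lists the deliveries whose client is outside the Barracuda relay ranges; a second function pulls the first-hop IP out of the topmost Received: header of a message, which is the header the receiving Postfix itself adds. The relay ranges, hostnames, log lines and headers are constructed for the example (RFC 5737 documentation address space), not the poster's real data.

```python
"""Detect SMTP deliveries that reached the ISPConfig box without passing the
Barracuda relays. Added example, not code from the thread or from ISPConfig.
Relay ranges, hostnames and log/header samples are constructed (RFC 5737 space).
"""
import email
import ipaddress
import re
from typing import Optional

# Assumption: outbound ranges of the Barracuda appliances. Replace with the real
# addresses your Barracuda account/documentation lists.
BARRACUDA_RELAYS = [
    ipaddress.ip_network("198.51.100.0/28"),
    ipaddress.ip_network("192.0.2.0/29"),
]

# Postfix logs the connecting client per queue ID:
#   ... postfix/smtpd[PID]: QUEUEID: client=HOST[IP]
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<host>\S*?)\[(?P<ip>[0-9a-fA-F.:]+)\]")
# ... postfix/qmgr[PID]: QUEUEID: from=<SENDER>, size=...
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
# Postfix writes the connecting IP in brackets in the Received: header it adds.
IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F.:]+)\]")

# Constructed sample log lines, not the poster's real mail.log.
SAMPLE_LOG = """\
Jan  5 08:01:12 cluster001vps postfix/smtpd[2101]: 4F1A2B3C4D: client=bsn01.barracuda.example[198.51.100.5]
Jan  5 08:01:12 cluster001vps postfix/qmgr[1900]: 4F1A2B3C4D: from=<partner@example.net>, size=2044, nrcpt=1 (queue active)
Jan  5 08:13:47 cluster001vps postfix/smtpd[2140]: 7A9B8C7D6E: client=unknown[203.0.113.77]
Jan  5 08:13:47 cluster001vps postfix/qmgr[1900]: 7A9B8C7D6E: from=<victim@example.com>, size=5120, nrcpt=1 (queue active)
Jan  5 08:20:03 cluster001vps postfix/smtpd[2177]: 9C1D2E3F4A: client=bsn02.barracuda.example[192.0.2.3]
Jan  5 08:20:03 cluster001vps postfix/qmgr[1900]: 9C1D2E3F4A: from=<news@example.org>, size=800, nrcpt=1 (queue active)
"""

# Constructed message headers: the topmost Received: is the one our server added.
SAMPLE_HEADERS = """\
Received: from unknown (unknown [203.0.113.77])
\tby cluster001vps.example.com (Postfix) with ESMTP id 7A9B8C7D6E
\tfor <victim@example.com>; Thu,  5 Jan 2017 08:13:47 +0000 (UTC)
Received: from [10.0.0.5] (helo=mail.example.com) by relay.invalid with esmtp
From: victim@example.com
To: victim@example.com
Subject: constructed sample

body
"""


def is_allowed_relay(ip: str) -> bool:
    """True when ip lies inside one of the Barracuda relay ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BARRACUDA_RELAYS)


def find_bypassing_deliveries(log_text: str) -> list:
    """One record per queue ID whose SMTP client was not a Barracuda relay."""
    clients, senders = {}, {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m["qid"]] = (m["host"] or "unknown", m["ip"])
            continue
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
    return [
        {"qid": qid, "client_host": host, "client_ip": ip, "sender": senders.get(qid, "?")}
        for qid, (host, ip) in clients.items()
        if not is_allowed_relay(ip)
    ]


def first_hop_ip(raw_message: str) -> Optional[str]:
    """IP that connected to our server, taken from the topmost Received: header."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    m = IP_IN_BRACKETS.search(received[0])
    return m.group(1) if m else None


if __name__ == "__main__":
    for hit in find_bypassing_deliveries(SAMPLE_LOG):
        print("{qid}: {client_host}[{client_ip}] from=<{sender}> bypassed the Barracuda MX".format(**hit))
    ip = first_hop_ip(SAMPLE_HEADERS)
    print("first hop", ip, "allowed" if is_allowed_relay(ip) else "NOT a Barracuda relay")
```

Only the topmost Received: header can be trusted, because the sender forges every header below it; in the sample the lower hop claims a private address that never touched our server. On a real box the same logic runs over `/var/log/mail.log` with the relay list filled in from the Barracuda documentation.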
  3. Thank you @till, update:

    See mail.log below and the headers that look relevant, and the actual spam email, which is the same every time (removed client's email), but cluster001vps is the first part of our hostname, which is kept so you know what it is.

    These are the headers, but many have a different Received: from

    mail.log
    This is the actual email, which is the same every time
    Harvey Sharman
     
    Last edited: Jan 5, 2017
  4. till


    Do you know the IP address 80.78.70.84? Is this an address of one of your systems?
     
  5. @till No, I looked up the IP and it is coming from Albania. Many of these identical spam emails have several different IP addresses and some have hostnames with IPs. I noticed I have port 25 open on this ISPConfig server, but I don't use port 25. I use 995 or 993, including 443, not 25.

    UPDATE. Only one domain who is receiving these. All other domains not getting these.

    Harvey
     
    Last edited: Jan 5, 2017
  6. till


    Ok, so these emails get sent to your ispconfig server like any other normal mail; they do not get generated on your ispconfig server. If you do not use port 25, e.g. when this server does not receive any mail directly, then close the port in the firewall.
     
  7. @till
    Before any email arrives at the ISPConfig mail server, it routes through Barracuda MX Networks, which then delivers it to our mail server (hostname.domain.com). In our DNS MX records, there are 2 Barracuda MX entries. There is no sign of any spam email relating to this filtering through Barracuda. We can see every email allowed/quarantined/blocked before it arrives in the user's inbox; otherwise Barracuda would have blocked these emails, as it is a very effective antispam appliance. Somehow something must be bypassing straight to the ISPConfig server address.

    Is there a rule that prevents this type of spoofed email being sent back to the same user as recipient?

    Harvey
     
  8. @till .. is there a rule or spam setting in ISPConfig to prevent an email user from receiving their own email returned?

    Harvey
     
  9. till


    As long as ispconfig is not in a private network or behind a firewall and port 25 is open, any mail server can send emails to it, no matter whether the MX points to the barracuda or not. If you do not want any mail to be sent to the ispconfig server that has not gone through the barracuda server, then you should close port 25 (if barracuda does not use it) or open port 25 only for the IP address of the barracuda server.

    You should set up an SPF record for the affected domain so that the spam filter on the barracuda and amavis on the ispconfig server know when they receive an email from a non-permitted sending server.
     
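To make the SPF point concrete, here is a small SPF evaluator, added as an example and not code from the thread, ISPConfig or amavis. It implements the ip4, ip6 and all mechanisms with the four SPF qualifiers and refuses the DNS-based mechanisms (include, a, mx, ptr, exists) with a permerror rather than guessing; modifiers such as redirect= are skipped. The record and the addresses are constructed, standing in for the Barracuda outbound ranges the real record would list. Run against the IP found in the topmost Received: header, a -all record turns "delivered from a server we do not know" into an SPF fail that a spam filter can act on.

```python
"""Minimal SPF evaluation: decide whether the IP that delivered a message was
permitted to send for the From domain. Added example, not code from the thread,
ISPConfig or amavis. Only the mechanisms that need no DNS lookup are implemented
(ip4, ip6, all) with the four qualifiers; include/a/mx/ptr/exists return
permerror instead of being guessed, and modifiers such as redirect= are skipped.
All addresses and the record itself are constructed (RFC 5737 / RFC 3849 space).
"""
import ipaddress

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Assumption: the affected domain publishes only the (constructed) Barracuda
# outbound ranges and rejects every other sending host with -all.
EXAMPLE_RECORD = "v=spf1 ip4:198.51.100.0/28 ip4:192.0.2.0/29 -all"


def check_spf(record: str, sending_ip: str) -> str:
    """Evaluate a v=spf1 record against the connecting IP (RFC 7208 subset)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    addr = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifier (redirect=, exp=): out of scope here
        qualifier = "+"  # RFC 7208: a missing qualifier means '+'
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            # a bare address means /32 or /128; strict=False tolerates host bits.
            # ipaddress returns False for an IPv6 address tested against an ip4 net.
            net = ipaddress.ip_network(value, strict=False)
            if addr in net:
                return RESULT_BY_QUALIFIER[qualifier]
            continue
        if name in DNS_MECHANISMS:
            return "permerror (unsupported mechanism: %s)" % name
        return "permerror (unknown term: %s)" % term
    return "neutral"  # nothing matched and no 'all' term


def explain(record: str, sending_ip: str) -> str:
    """Human-readable verdict for a message claiming to come from our own domain."""
    result = check_spf(record, sending_ip)
    if result == "pass":
        return "%s is permitted to send for this domain" % sending_ip
    if result in ("fail", "softfail"):
        return "%s is NOT a permitted sender (SPF %s): treat as spoofed" % (sending_ip, result)
    return "%s: SPF gives no decision (%s)" % (sending_ip, result)


if __name__ == "__main__":
    for ip in ("198.51.100.5", "203.0.113.77"):
        print(explain(EXAMPLE_RECORD, ip))
```

Two caveats the evaluator makes visible: a record that ends without an `all` term yields neutral, so a forged sender is not rejected, and `~all` only softfails, which most filters treat as a score rather than a block. The firewall restriction remains the primary control here; SPF lets the remaining filters classify what the firewall cannot see.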
  10. Yes, of course, thank you, I will look into this as you mentioned. I fully understand this.

    Harvey
     
  11. Thank you @till - Just a quick update. I really appreciate this support from you. I successfully programmed a strict range of IPs for port 25, delivered only by Barracuda mail security, and since then have had NO spam bypassing or distributed at any ISPConfig mail server. Please forgive me for my slight lack of practice.

    Thank you..
     
  12. till


    That's great to hear that you were able to solve it with firewall rules!
     
