Spam Threat

Discussion in 'General' started by Morons, Feb 13, 2021.

  1. Morons

    Morons Member

    I have run ISPC 3 and its predecessors for years and could find any threat easily, but this one eludes me.
    Recently I started to receive reports about DMARC and DKIM problems from all over, and later SORBS blocking: http://www.sorbs.net/lookup.shtml

    I cannot find the source of this hole in my security - please help.

    One of the recent reports is listed below in the code block:

    Code:
    <?xml version="1.0"?>
    <feedback>
        <version>1.0</version>
        <report_metadata>
            <org_name>1-Grid</org_name>
            <email>[email protected]</email>
            <extra_contact_info>[email protected]</extra_contact_info>
            <report_id>89610</report_id>
            <date_range>
                <begin>1613088000</begin>
                <end>1613174399</end>
            </date_range>
        </report_metadata>
        <policy_published>
            <domain>zonemail.co.za</domain>
            <p>reject</p>
            <sp>reject</sp>
            <pct>20</pct>
            <fo>0</fo>
        </policy_published>
        <record>
            <row>
                <source_ip>103.2.142.249</source_ip>
                <count>1</count>
                <policy_evaluated>
                    <disposition>quarantine</disposition>
                    <dkim>fail</dkim>
                    <spf>fail</spf>
                    <reason>
                        <type>sampled_out</type>
                        <comment></comment>
                    </reason>
                </policy_evaluated>
            </row>
            <identifiers>
                <envelope_to>sabertek.co.za</envelope_to>
                <header_from>ares.zonemail.co.za</header_from>
            </identifiers>
            <auth_results>
                <dkim>
                    <domain>smtpservice.net</domain>
                    <selector>a1-4</selector>
                    <result>pass</result>
                    <human_result>pass</human_result>
                </dkim>
                <spf>
                    <domain>e2i761.smtp2go.com</domain>
                    <scope>helo</scope>
                    <result>pass</result>
                </spf>
            </auth_results>
        </record>
    </feedback>
    
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member

    There's not much context to know how to interpret that report. Was this from a legitimate mail or forged externally? What is your domain? Is 103.2.142.249 your ip address? It is not listed in SORBS, so I'm guessing it may not be; what is your server's ip address?
     
  3. Morons

    Morons Member

    Ubuntu 18.04.1 LTS (GNU/Linux 5.9.6-x86_64-linode139 x86_64)
    Yes, it seems the spammer uses some AUTH to spam from other servers through mine. Is that possibly the case?
    Code:
    root@ares:~# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 176.58.119.143  netmask 255.255.255.0  broadcast 176.58.119.255
            inet6 fe80::f03c:91ff:fe59:a350  prefixlen 64  scopeid 0x20<link>
            inet6 2a01:7e00::f03c:91ff:fe59:a350  prefixlen 64  scopeid 0x0<global>
    
    I found some listings:
    Some of the "listed stuff" goes back to 2017?? and will be "handled" if you pay them. Seriously!!
    However, here is one from Google:
    Code:
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>[email protected]</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>17230400322958794228</report_id>
        <date_range>
          <begin>1613001600</begin>
          <end>1613087999</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>zonemail.co.za</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>reject</p>
        <sp>reject</sp>
        <pct>20</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>197.242.152.133</source_ip>
          <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>zonemail.co.za</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>zonemail.co.za</domain>
            <result>pass</result>
            <selector>default</selector>
          </dkim>
          <spf>
            <domain>zonemail.co.za</domain>
            <result>softfail</result>
          </spf>
        </auth_results>
      </record>
      <record>
        <row>
          <source_ip>176.58.119.143</source_ip>
          <count>2</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>pass</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>zonemail.co.za</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>zonemail.co.za</domain>
            <result>pass</result>
            <selector>default</selector>
          </dkim>
          <spf>
            <domain>zonemail.co.za</domain>
            <result>pass</result>
          </spf>
        </auth_results>
      </record>
      <record>
        <row>
          <source_ip>2a01:7e00::f03c:91ff:fe59:a350</source_ip>
          <count>2</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>pass</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>zonemail.co.za</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>zonemail.co.za</domain>
            <result>pass</result>
            <selector>default</selector>
          </dkim>
          <spf>
            <domain>zonemail.co.za</domain>
            <result>pass</result>
          </spf>
        </auth_results>
      </record>
      <record>
        <row>
          <source_ip>197.242.159.142</source_ip>
          <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>zonemail.co.za</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>zonemail.co.za</domain>
            <result>pass</result>
            <selector>default</selector>
          </dkim>
          <spf>
            <domain>zonemail.co.za</domain>
            <result>softfail</result>
          </spf>
        </auth_results>
      </record>
      <record>
        <row>
          <source_ip>2600:3c00::f03c:91ff:fe93:9f35</source_ip>
          <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>fail</dkim>
            <spf>pass</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>poseidon.zonemail.co.za</header_from>
        </identifiers>
        <auth_results>
          <spf>
            <domain>poseidon.zonemail.co.za</domain>
            <result>pass</result>
          </spf>
        </auth_results>
      </record>
      <record>
        <row>
          <source_ip>197.242.159.170</source_ip>
          <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>zonemail.co.za</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>zonemail.co.za</domain>
            <result>pass</result>
            <selector>default</selector>
          </dkim>
          <spf>
            <domain>zonemail.co.za</domain>
            <result>softfail</result>
          </spf>
        </auth_results>
      </record>
    </feedback>
    
    
    
     
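The two aggregate reports above are hard to read by eye, and the question in the thread (is 103.2.142.249 one of my hosts, and why does a record show DKIM "pass" in auth_results but "fail" in policy_evaluated?) is exactly what a small triage script answers. The following is an added example, not code from the thread, from either poster, or from ISPConfig. It parses a DMARC aggregate report, checks SPF/DKIM *alignment* against the header_from domain (which is what DMARC actually evaluates, not the raw pass/fail of the signing or HELO domain), marks sources that are not one of our own hosts, and surfaces the pct/sampled_out downgrade. Assumptions: OWN_IPS is taken from the ifconfig output in the thread; SAMPLE_REPORT is a constructed, shortened version of three records from the two reports above; org_domain is a simplified stand-in for a Public Suffix List lookup and only knows a few multi-label suffixes.

```python
"""Triage a DMARC aggregate (RUA) report (added example, not from the thread)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: three records modelled on the reports in the thread.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>zonemail.co.za</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>20</pct>
  </policy_published>
  <record>
    <row><source_ip>103.2.142.249</source_ip><count>1</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>sampled_out</type></reason></policy_evaluated></row>
    <identifiers><header_from>ares.zonemail.co.za</header_from></identifiers>
    <auth_results>
      <dkim><domain>smtpservice.net</domain><selector>a1-4</selector><result>pass</result></dkim>
      <spf><domain>e2i761.smtp2go.com</domain><scope>helo</scope><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>176.58.119.143</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>zonemail.co.za</header_from></identifiers>
    <auth_results>
      <dkim><domain>zonemail.co.za</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>zonemail.co.za</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>197.242.152.133</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>zonemail.co.za</header_from></identifiers>
    <auth_results>
      <dkim><domain>zonemail.co.za</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>zonemail.co.za</domain><result>softfail</result></spf>
    </auth_results>
  </record>
</feedback>"""

# Assumed: the addresses of our own mail server, from the ifconfig output in the thread.
OWN_IPS = {ipaddress.ip_address("176.58.119.143"),
           ipaddress.ip_address("2a01:7e00::f03c:91ff:fe59:a350")}

# Simplification: a real tool uses the Public Suffix List; this only knows a few.
MULTI_LABEL_SUFFIXES = {"co.za", "co.uk", "com.au"}


def org_domain(name):
    """Organizational domain, e.g. ares.zonemail.co.za -> zonemail.co.za."""
    labels = name.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def triage(xml_text, own_ips=OWN_IPS):
    """Return one dict per <record> with alignment and ownership verdicts."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")   # missing adkim/aspf means relaxed
    aspf = pol.findtext("aspf", "r")
    results = []
    for rec in root.findall("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip"))
        hdr_from = rec.findtext("identifiers/header_from")
        # A DKIM/SPF "pass" only helps DMARC if its domain aligns with header_from.
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), hdr_from, adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), hdr_from, aspf)
                     for s in rec.findall("auth_results/spf"))
        reasons = [r.findtext("type") for r in rec.findall("row/policy_evaluated/reason")]
        results.append({
            "source_ip": str(ip), "count": int(rec.findtext("row/count")),
            "header_from": hdr_from, "own_host": ip in own_ips,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok,
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "published_policy": pol.findtext("p"), "pct": int(pol.findtext("pct", "100")),
            "sampled_out": "sampled_out" in reasons,
        })
    return results


def suspicious(results):
    """Records that fail DMARC and did not come from a host we run:
    either forged mail or a third-party sender nobody authorized."""
    return [r for r in results if not r["dmarc_pass"] and not r["own_host"]]


if __name__ == "__main__":
    rows = triage(SAMPLE_REPORT)
    for r in rows:
        print(r)
    print("suspicious:", [r["source_ip"] for r in suspicious(rows)])
```

Reading the output for the first record shows the point that is easy to miss in the raw XML: the DKIM signature from smtpservice.net and the HELO-scoped SPF pass for smtp2go.com are both genuine passes, but neither domain aligns with ares.zonemail.co.za, so DMARC fails. Whether that is a forgery or a legitimate third-party relay (a customer sending through an ESP with your domain in From:) is something the report cannot tell you; the mail logs on the sending side can. The disposition of "quarantine" under a published p=reject is the pct=20 sampling at work: messages that are sampled out get the next less strict policy. The third record (DKIM aligned, SPF softfail from an IP you do not own) passes DMARC and is the usual signature of a legitimate relay missing from the SPF record.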