I have run ISPC 3 and its predecessors for years and could find any threat easily, but this one eludes me. Recently I started to receive reports about DMARC and DKIM problems from all over, and later SORBS blocking http://www.sorbs.net/lookup.shtml. I cannot find the source of this hole in my security - please help. One of the recent reports is listed below in the code block:

Code:
<?xml version="1.0"?>
<feedback>
  <version>1.0</version>
  <report_metadata>
    <org_name>1-Grid</org_name>
    <email>[email protected]</email>
    <extra_contact_info>[email protected]</extra_contact_info>
    <report_id>89610</report_id>
    <date_range>
      <begin>1613088000</begin>
      <end>1613174399</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>zonemail.co.za</domain>
    <p>reject</p>
    <sp>reject</sp>
    <pct>20</pct>
    <fo>0</fo>
  </policy_published>
  <record>
    <row>
      <source_ip>103.2.142.249</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>sampled_out</type>
          <comment></comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <envelope_to>sabertek.co.za</envelope_to>
      <header_from>ares.zonemail.co.za</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>smtpservice.net</domain>
        <selector>a1-4</selector>
        <result>pass</result>
        <human_result>pass</human_result>
      </dkim>
      <spf>
        <domain>e2i761.smtp2go.com</domain>
        <scope>helo</scope>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
There's not much context to know how to interpret that report. Was this from a legitimate mail or forged externally? What is your domain? Is 103.2.142.249 your ip address? It is not listed in SORBS, so I'm guessing it may not be; what is your server's ip address?
Ubuntu 18.04.1 LTS (GNU/Linux 5.9.6-x86_64-linode139 x86_64)

Yes, it seems the spammer uses some AUTH to spam from other servers through mine - is that possibly the case?

Code:
root@ares:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 176.58.119.143  netmask 255.255.255.0  broadcast 176.58.119.255
        inet6 fe80::f03c:91ff:fe59:a350  prefixlen 64  scopeid 0x20<link>
        inet6 2a01:7e00::f03c:91ff:fe59:a350  prefixlen 64  scopeid 0x0<global>

I found some listings: some of the "listed stuff" goes back to 2017?? and will be "handled" if you pay them - Seriously!! However, here is one from Google:

Code:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>17230400322958794228</report_id>
    <date_range>
      <begin>1613001600</begin>
      <end>1613087999</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>zonemail.co.za</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>20</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>197.242.152.133</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>zonemail.co.za</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>zonemail.co.za</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
      <spf>
        <domain>zonemail.co.za</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>176.58.119.143</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>zonemail.co.za</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>zonemail.co.za</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
      <spf>
        <domain>zonemail.co.za</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2a01:7e00::f03c:91ff:fe59:a350</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>zonemail.co.za</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>zonemail.co.za</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
      <spf>
        <domain>zonemail.co.za</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>197.242.159.142</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>zonemail.co.za</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>zonemail.co.za</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
      <spf>
        <domain>zonemail.co.za</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2600:3c00::f03c:91ff:fe93:9f35</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>poseidon.zonemail.co.za</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>poseidon.zonemail.co.za</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>197.242.159.170</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>zonemail.co.za</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>zonemail.co.za</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
      <spf>
        <domain>zonemail.co.za</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
</feedback>
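As an added example, not part of the thread, here is a small Python triage script for DMARC aggregate reports of the kind quoted above: it parses the report XML, compares each source_ip against the addresses the owner operates (assumed here to be the two eth0 addresses from the ifconfig output), and tags each record from its aligned SPF/DKIM outcome so that unexpected senders stand out. The sample input is a trimmed copy of three records from the Google report in the post above.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Three <record>s trimmed from the Google aggregate report quoted in the thread above.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>zonemail.co.za</domain><p>reject</p><pct>20</pct></policy_published>
  <record><row><source_ip>197.242.152.133</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>zonemail.co.za</header_from></identifiers>
    <auth_results><dkim><domain>zonemail.co.za</domain><result>pass</result></dkim>
      <spf><domain>zonemail.co.za</domain><result>softfail</result></spf></auth_results></record>
  <record><row><source_ip>176.58.119.143</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>zonemail.co.za</header_from></identifiers>
    <auth_results><dkim><domain>zonemail.co.za</domain><result>pass</result></dkim>
      <spf><domain>zonemail.co.za</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>2600:3c00::f03c:91ff:fe93:9f35</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>poseidon.zonemail.co.za</header_from></identifiers>
    <auth_results><spf><domain>poseidon.zonemail.co.za</domain><result>pass</result></spf></auth_results></record>
</feedback>"""
# Assumed owner-operated senders: the eth0 addresses from the ifconfig output above.
OWN_ADDRESSES = {ipaddress.ip_address("176.58.119.143"),
                 ipaddress.ip_address("2a01:7e00::f03c:91ff:fe59:a350")}

def triage(xml_text, own_addresses=OWN_ADDRESSES):
    """One dict per <record>, tagged from the aligned policy_evaluated results:
    third_party_source (IP not operated by the owner), spf_misaligned (DKIM ok but
    SPF failed: relay missing from SPF, or forwarding), dkim_unsigned (SPF ok, no
    aligned DKIM), subdomain_from (header From is not the policy domain itself)."""
    root = ET.fromstring(xml_text)
    policy_domain = root.findtext("policy_published/domain")
    findings = []
    for rec in root.findall("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        header_from = rec.findtext("identifiers/header_from")
        tags = []
        if ip not in own_addresses:
            tags.append("third_party_source")
        if dkim == "pass" and spf == "fail":
            tags.append("spf_misaligned")
        if dkim == "fail" and spf == "pass":
            tags.append("dkim_unsigned")
        if header_from != policy_domain:
            tags.append("subdomain_from")
        findings.append({"ip": str(ip), "count": int(rec.findtext("row/count")),
                         "header_from": header_from, "tags": tags})
    return findings
```

Records that come back with no tags are mail from your own hosts that passed both checks; everything else is either a relay or provider missing from your SPF/DKIM setup or a sender you do not control, which is the first thing to check before assuming an open relay.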