Hello! I am seeing weird things happening with my email server. Lately I have received some messages labeled as SPAM; while trying to find the cause and resolve it, there is something strange that I would like you to see and possibly help me out with. I added a WordPress plugin called CleanTalk, which is supposed to help with security, and so far it looks OK, but during the activation process they sent me a registration key, which I would think must come from their email servers; the headers, however, seem to indicate it was relayed from my own server. I would like to understand this better. Do you see any indication of a fault in my server? A config error? Or is this bad practice from the vendor? And is this making me liable to bad-reputation flagging? I'd appreciate it greatly if you could help me find any issue on my part or point me in the right direction.

This is the body of that message, routed to gmail (the vps is my server and the gmail address is mine, currently recorded as contact of the website):

Code:

Delivered-To: [email protected]
Received: by 2002:a9a:7403:0:b029:f9:1340:249f with SMTP id p3csp872639lkh;
        Thu, 27 May 2021 11:39:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxO0L3qxyGC4kstmHENEDHKPCQHRw4TMrtZBsy9stAFMBni1e3UhACTYf3ft7ddwXifPwWz
X-Received: by 2002:ab0:208:: with SMTP id 8mr4206922uas.12.1622140753267;
        Thu, 27 May 2021 11:39:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622140753; cv=none;
        d=google.com; s=arc-20160816;
        b=nnLj79502KDLofYvRbFVpA8dQR8tlPDADo1F0eAtX3ntUdz31aEHOvlQyOxMHX1gmh
         H6daVJzXjOaF1/LF9g3dVjFTYJGhcFL62HIyrMeepLF33NuT50cbcIia3aA+anCvUFEi
         HOC0uZVj3vYYyxf7N6JO2T3drhCduu8ga/Qx9kiXd3H+3R+HImVsNxKYmCWjoJitYufo
         tquFjLhOYp4i3q4La8Vgx5cNQvdTCmomnTnmKuZDZYAgR+shm6dMGeC8XRHqype189mo
         QzfHJEBWHMBiycSTld52Z4dayRRJEcB5C6BmbdA+m+Eu9/HRVuMlYbjMizLS2pB4Yu9M
         MySg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:subject:from:to:date:mime-version:content-transfer-encoding:dkim-signature:delivered-to;
        bh=RDPbvZrxO8fWqEJ2/KUkGfbvgW4cEIsOWqXzlcyYX4Y=;
        b=K0CxwRWkeEqAWu7q+/tM5KWb1m3WfyEZhSPvJHm2dCPx/bUHRTTTSf/RghDuXdItgh
         jVeMxw2jpyH//8oW0FJDjSkRazvd7rHjf5jprthLfXktHffNEIq7bfQo7o3E+QKf4F0M
         WR1b1MFj0qqq4+FhVY/Ug2Wd3YFxEb5bnyJJTRFP2bjLafQIrYOaTHtoxRu253eNoKZ4
         00bZMOh+nA/qQCIF1zsHO6xd0ApRsqgRKzI8qQAZeOsAmDpgcNbbMmdYh/6jEPyWvA/J
         hxCeeqrn74a79cukE8eazmPL55gn/RiOJGHqh4mNKoGOJWG1A2L+J49lmW30upHNumUf
         bTyA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail [email protected] header.s=mail header.b="T/2dfkmR";
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 144.xxx.xxx.xx as permitted sender) [email protected];
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cleantalk.org
Return-Path: <[email protected]>
Received: from vpsxxxxxx.vps.ovh.ca (xx.ip-144-xxx-xx.net. [144.xxx.xxx.xx])
        by mx.google.com with ESMTPS id p21si1929058vsc.277.2021.05.27.11.39.11
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 27 May 2021 11:39:13 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 144.xxx.xxx.xx as permitted sender) client-ip=144.xxx.xxx.xx;
Authentication-Results: mx.google.com;
       dkim=fail [email protected] header.s=mail header.b="T/2dfkmR";
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 144.xxx.xxx.xx as permitted sender) [email protected];
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cleantalk.org
Received: by vpsxxxxxx.vps.ovh.ca (Postfix, from userid 5000)
        id 0C28347235; Thu, 27 May 2021 13:39:08 -0500 (CDT)
X-Sieve: Pigeonhole Sieve 0.4.21 (92477967)
X-Sieve-Redirected-From: [email protected]
Delivered-To: [email protected]
Received: from vpsxxxxxx.vps.ovh.ca
        by vpsxxxxxx.vps.ovh.ca with LMTP
        id 2IgHAUznr2CoGgAAux1c6g
        for <[email protected]>; Thu, 27 May 2021 13:39:08 -0500
Received: from netserv3.cleantalk.org (netserv3.cleantalk.org [188.40.14.173])
        by vpsxxxxxx.vps.ovh.ca (Postfix) with ESMTPS id B8B4A47233
        for <[email protected]>; Thu, 27 May 2021 13:38:59 -0500 (CDT)
Received: by netserv3.cleantalk.org (Postfix, from userid 0)
        id C8B55C4282; Thu, 27 May 2021 23:38:56 +0500 (+05)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cleantalk.org; s=mail;
        t=1622140736; bh=2dBWj2uOsM+II3SWcTEfOn8m6AiLfDvKUh5pTwgtlxI=;
        h=Date:To:From:Subject;
        b=T/2dfkmRvHMv2cemTiy2jIDsoUEm5e1A3VNyyvqxF0bVQE6ILOl1Po/YgQYTwy1mU
         Z173Hh63tcIpvvRMeWE8xTfKvF3t6IwW/2ZN3mar0s18TKTY7aGbOmqAkra0CUgnoa
         5TMhGeKKKfgJ9QLC/B/w3U66T4IbI++Og0sdcA4o=
Content-Transfer-Encoding: binary
Content-Type: multipart/related; boundary="_----------=_16221407361319179"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.18; B3.15; Q3.13)
Date: Thu, 27 May 2021 23:38:56 +0500
To: [email protected]
From: CleanTalk <[email protected]>
Subject: *** SPAM *** racua.mx Blocked hacking attempts. Security report
Message-Id: <[email protected]>
X-Spamd-Bar: ++++++
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.10
Authentication-Results: vpsxxxxxx.vps.ovh.ca;
        dkim=temperror ("DNS error when getting key") header.d=cleantalk.org header.s=mail header.b="T/2dfkmR";
        spf=temperror (vpsxxxxxx.vps.ovh.ca: error in processing during lookup of [email protected]: DNS error) [email protected]

My server test file:

Code:

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Ubuntu 18.04.5 LTS
[INFO] uptime:  15:06:14 up 21:33,  1 user,  load average: 0.13, 0.10, 0.14
[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:           3.8G        2.2G        210M        381M        1.4G        978M
Swap:          4.0G        259M        3.7G
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.4

##### VERSION CHECK #####
[INFO] php (cli) version is 7.2.24-0ubuntu***.***.***.***
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.2.24
Your server was unable to perform dns lookups to authenticate the email (i.e. verify the dkim signature and check the spf record); likely fixing your dns issue will cause the mail to score much better.

Other things you could do are to train your spam scanner with those messages so they identify them as HAM, not SPAM, and add some negative scoring for mail from cleantalk.org. (Ideally you base that on a dkim and/or spf match from cleantalk.org, so fix your DNS problem first.) Check rspamd.log (search by Message-Id) to see what rules matched.

If you're into short term quick fixes, just whitelist that domain; that's not a very good solution overall, and you'll find yourself needing to do that again and again, so I personally would work on improving the system/scanner.

Another thing to help delivery of your mail forwarded to your gmail account: set up DKIM for racua.mx, then create /etc/rspamd/local.d/arc.conf with:

Code:

sign_authenticated = false;
sign_inbound = true;
sign_local = false;
# Domain to use for ARC signing: can be "header", "envelope" or "recipient"
# note: it seems like 'recipient' is correct for inbound, but should use 'envelope' for authenticated, and maybe 'header' for local?
use_domain = "recipient";
try_fallback = false;
use_esld = false;
path_map = "/etc/rspamd/local.d/dkim_domains.map";
selector_map = "/etc/rspamd/local.d/dkim_selectors.map";
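The reply above points at three different things in one set of headers: a transient DNS error on the forwarding server (temperror), an SPF softfail that is normal for forwarded mail, and a DKIM failure. The script below is an added example written for this thread, not code from the reply or from rspamd/ISPConfig. It reads every Authentication-Results header on a message, one per hop, and reports which of those three cases each result is. SAMPLE is constructed from the redacted headers quoted in the thread; the mailbox addresses and the 192.0.2.1 client IP are placeholders.

```python
"""Triage the Authentication-Results headers on a forwarded message.

Added example for this thread (not code from rspamd, ISPConfig or the reply).
Each MTA that evaluates SPF/DKIM/DMARC prepends its own Authentication-Results
header, so a forwarded message carries one per hop, newest first. This script
separates a resolver problem on a hop (temperror) from policy results at the
final receiver and explains the two failures the thread shows.
"""
import email
import re
from email import policy

# Constructed sample mirroring the thread's headers; addresses are placeholders.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=fail header.i=@cleantalk.org header.s=mail header.b="T/2dfkmR";
       spf=softfail (google.com: domain of transitioning sender@cleantalk.org does not designate 192.0.2.1 as permitted sender) smtp.mailfrom=sender@cleantalk.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cleantalk.org
Authentication-Results: vpsxxxxxx.vps.ovh.ca;
       dkim=temperror ("DNS error when getting key") header.d=cleantalk.org header.s=mail header.b="T/2dfkmR";
       spf=temperror (vpsxxxxxx.vps.ovh.ca: error in processing during lookup of sender@cleantalk.org: DNS error) smtp.mailfrom=sender@cleantalk.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cleantalk.org; s=mail;
        h=Date:To:From:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: CleanTalk <sender@cleantalk.org>
To: postmaster@example.net
Subject: *** SPAM *** racua.mx Blocked hacking attempts. Security report
X-Spam-Status: Yes, score=6.10

(body omitted)
"""

METHOD_RE = re.compile(r'^(?P<method>[a-z-]+)=(?P<result>[a-z]+)(?P<rest>.*)$', re.S)


def split_clauses(value: str):
    """Split an Authentication-Results value on ';' outside parentheses and quotes."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            elif ch == ';' and depth == 0:
                parts.append(''.join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    if ''.join(cur).strip():
        parts.append(''.join(cur).strip())
    return parts


def parse_authentication_results(value: str):
    """Return (authserv-id, {method: (result, details)}) for one header value."""
    clauses = split_clauses(' '.join(value.split()))
    authserv = clauses[0].split()[0] if clauses else ''
    methods = {}
    for clause in clauses[1:]:
        m = METHOD_RE.match(clause)
        if m:
            methods[m['method']] = (m['result'], m['rest'].strip())
    return authserv, methods


def signed_headers(dkim_signature: str):
    """Header names covered by the signature's h= tag, lower-cased."""
    m = re.search(r'(?:^|;)\s*h=([^;]+)', dkim_signature)
    return {h.strip().lower() for h in m.group(1).split(':')} if m else set()


def triage(raw_message: str):
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = [parse_authentication_results(str(v))
            for v in msg.get_all('Authentication-Results', [])]
    findings = []
    for host, methods in hops:
        for method, (result, _) in methods.items():
            if result == 'temperror':   # DNS failed on that host: not a policy verdict
                findings.append(dict(host=host, method=method, result=result,
                                     reason='transient DNS error on this host; fix its resolver and re-check'))
    if not hops:
        return findings
    final_host, final = hops[0]   # the receiving MTA prepends its header, so index 0 is the last hop
    spf = final.get('spf')
    if spf and spf[0] in ('softfail', 'fail') and len(hops) > 1:
        findings.append(dict(host=final_host, method='spf', result=spf[0],
                             reason="expected for forwarded mail: this hop saw the forwarder's IP, which the sender's SPF record does not list"))
    dkim = final.get('dkim')
    if dkim and dkim[0] == 'fail':
        covered = signed_headers(str(msg.get('DKIM-Signature', '')))
        if 'subject' in covered and str(msg.get('Subject', '')).startswith('*** SPAM ***'):
            findings.append(dict(host=final_host, method='dkim', result='fail',
                                 reason='Subject is in the DKIM h= list and had the spam tag prepended, which invalidates the signature'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f"{f['host']}: {f['method']}={f['result']} -> {f['reason']}")
```

Run it against a message saved from a mailbox with `triage(open('msg.eml').read())`; the temperror entries name the host whose resolver to look at, which on this thread is the VPS itself.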
Hello Jesse,

Thank you very much for your prompt response. I did whitelist it to avoid more messages being labeled while I troubleshoot. I have added the arc.conf file as well (the DKIM record already existed).

I'm now onto fixing the DNS issue, but I'm lost on it. What would be my first step on this? The server is running now and has been in production for about a couple of years. I searched the knowledge base here but I only see instructions to do installs. I'm clueless on what could have caused it or where to begin to look. Can you help me?
One more for that (forwarding mail) would be to stop using subject rewriting (i.e. prepending '*** SPAM ***' to the subject) and just add a header to indicate a message is spam. Changing any DKIM signed headers (including Subject) breaks the DKIM signature.

Unless someone overrides it in their local settings, rspamd is using localhost for the dns server (set in /etc/rspamd/local.d/options.inc), so start by logging in to your mail server and testing dns (e.g. 'host -t txt cleantalk.org 127.0.0.1' for the spf record, or 'host -t txt mail._domainkey.cleantalk.org 127.0.0.1' for the dkim key).
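To make the point about signed headers concrete, here is an added example written for this thread (not code from the reply or from rspamd). It applies the relaxed header canonicalization of RFC 6376 section 3.4.2 to the headers named in a signature's h= tag and hashes the result; that is the input the signer signed, so any change to it invalidates the signature, while a header outside h= can be added freely. The headers are constructed to mirror the message in the thread (h=Date:To:From:Subject is its actual tag; the addresses are placeholders). The real hash input also includes the DKIM-Signature header itself with b= emptied; it is left out here because it is identical in every comparison.

```python
"""Why rewriting the Subject breaks a DKIM signature, and adding a header does not.

Added example for this thread; not code from rspamd or from the reply above.
"""
import hashlib
import re


def relaxed_header(name: str, value: str) -> str:
    """Relaxed canonicalization of one header field (RFC 6376 3.4.2)."""
    value = re.sub(r'\r?\n', '', value)      # unfold continuation lines
    value = re.sub(r'[ \t]+', ' ', value)    # collapse runs of whitespace
    value = value.strip(' \t')               # no whitespace after the colon or at the end
    return f'{name.lower()}:{value}\r\n'


def covered_headers(headers, h_tag: str):
    """For each name in h=, take the last not-yet-used instance (RFC 6376 5.4.2)."""
    remaining = list(headers)                # (name, value) pairs in message order
    picked = []
    for wanted in h_tag.split(':'):
        wanted = wanted.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                picked.append(remaining.pop(i))
                break
    return picked


def header_hash(headers, h_tag: str) -> str:
    """SHA-256 over the canonicalized covered headers: the verifier's input."""
    data = ''.join(relaxed_header(n, v) for n, v in covered_headers(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()


def rewrite_subject(headers, prefix: str = '*** SPAM *** '):
    """What subject rewriting does: the signed Subject value changes in place."""
    return [(n, prefix + v if n.lower() == 'subject' else v) for n, v in headers]


def add_header(headers, name: str, value: str):
    """What a filter should do instead: prepend its own, unsigned header."""
    return [(name, value)] + list(headers)


H_TAG = 'Date:To:From:Subject'
# Constructed headers mirroring the thread's message; addresses are placeholders.
ORIGINAL = [
    ('Date', 'Thu, 27 May 2021 23:38:56 +0500'),
    ('To', 'postmaster@example.net'),
    ('From', 'CleanTalk <sender@cleantalk.org>'),
    ('Subject', 'racua.mx Blocked hacking attempts. Security report'),
]


def compare() -> dict:
    """Does each filter action change the signed input? True means DKIM breaks."""
    base = header_hash(ORIGINAL, H_TAG)
    tagged = rewrite_subject(ORIGINAL)
    marked = add_header(ORIGINAL, 'X-Spam-Status', 'Yes, score=6.10')
    return {
        'subject_rewrite_breaks_dkim': header_hash(tagged, H_TAG) != base,
        'extra_header_breaks_dkim': header_hash(marked, H_TAG) != base,
    }


if __name__ == '__main__':
    for action, broken in compare().items():
        print(f'{action}: {broken}')
```

The same logic explains why the ARC-Message-Signature Google added lists subject in its own h= tag: any hop that touches a covered header after that point breaks that seal too.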
Hello again Jesse,

Yes, RSPAMD is using localhost (content of /etc/rspamd/local.d/options.inc):

Code:

# Addrs local to this server.
local_addrs = [
    "127.0.0.0/8",
    "::1",
    "144.217.93.11",
];
# This list is generated by ISPConfig, place custom addresses/networks in local$
local_networks = "/etc/rspamd/local.d/local_networks.inc";
dns {
    nameserver = ["127.0.0.1:53:10"];
}

I did test:

host -t txt cleantalk.org 127.0.0.1

Result:

;; connection timed out; no servers could be reached

and,

host -t txt mail._domainkey.cleantalk.org 127.0.0.1

Result:

;; connection timed out; no servers could be reached

I got curious and also tested:

Code:

# host -t txt cleantalk.org
cleantalk.org descriptive text "google-site-verification=cYf_gQopnyURbYSD5Njd70IX_C1E4IN4pSyKatJyK00"
cleantalk.org descriptive text "stripe-verification=2593dd19986b23a937155cb80599a93e45aa229d07498449b7f5ac4f15fe756b"
cleantalk.org descriptive text "v=spf1 a mx ip4:188.40.14.173 include:spfapix.cleantalk.org include:spfmod.cleantalk.org include:amazonses.com include:_spf.google.com ~all"

And,

Code:

~# host -t txt mail._domainkey.cleantalk.org
mail._domainkey.cleantalk.org descriptive text "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCz1KZZDpFgNbS1RIWIw9DCDtfXJjPLbbOr6DMhyvfNkPd8YQDG9JlPUoYitKMSU1Sl76Ej++t7RXHozpHxh2HnQRrKJ772lDpojmeCJ0xQB1YVcaPZ1syWVBhk/kBG0shPOZY+97oJoTbL7gH9wx2kzCZuwPoprs2N/lX0h66i5wIDAQAB"

If I drop the localhost address, the test does resolve. I think this means that the DNS lookup is going through my VPS provider's DNS, would that be the case? Not sure why it does resolve when I drop 127.0.0.1.

I really appreciate your help in guiding me through the next steps I should take.

Best,
Alex
I have BIND installed and apparently the issue was that the IP address of my VPS provider's DNS server had to be added to the conf file. I now get this back from the host command:

Code:

~# host -t txt cleantalk.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

cleantalk.org descriptive text "google-site-verification=cYf_gQopnyURbYSD5Njd70IX_C1E4IN4pSyKatJyK00"
cleantalk.org descriptive text "stripe-verification=2593dd19986b23a937155cb80599a93e45aa229d07498449b7f5ac4f15fe756b"
cleantalk.org descriptive text "v=spf1 a mx ip4:188.40.14.173 include:spfapix.cleantalk.org include:spfmod.cleantalk.org include:amazonses.com include:_spf.google.com ~all"

and, from the domainkey test: host -t txt mail._domainkey.cleantalk.org 127.0.0.1

Code:

# host -t txt mail._domainkey.cleantalk.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

mail._domainkey.cleantalk.org descriptive text "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCz1KZZDpFgNbS1RIWIw9DCDtfXJjPLbbOr6DMhyvfNkPd8YQDG9JlPUoYitKMSU1Sl76Ej++t7RXHozpHxh2HnQRrKJ772lDpojmeCJ0xQB1YVcaPZ1syWVBhk/kBG0shPOZY+97oJoTbL7gH9wx2kzCZuwPoprs2N/lX0h66i5wIDAQAB"
root@vps222762:~#

The email headers now show that the authentication succeeds in resolving both keys, so it seems it is now resolved and the issue was indeed the DNS resolver. Thanks for your help Jesse
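The lesson of the last three posts is that rspamd only talks to the servers in its own dns { nameserver = [...] } list, so a lookup that works through the system resolver says nothing about what rspamd sees. The script below is an added example written for this thread (not code from rspamd, BIND or any post above): it sends a raw TXT query over UDP to one nameserver taken from an rspamd-style spec such as "127.0.0.1:53:10" and decodes the answer with the standard library only, so it reproduces the 'host ... 127.0.0.1' check without depending on the host tool. It assumes the spec's first two fields are address and port (the third, taken to be a priority, is ignored) and handles IPv4 addresses only.

```python
"""Query one specific resolver for TXT records, as rspamd's dns{} block does.

Added example for this thread; not code from rspamd, BIND or the posts above.
Only the standard library is used; the query is a plain UDP DNS message.
"""
import socket
import struct

TYPE_TXT, CLASS_IN = 16, 1


def parse_nameserver_spec(spec: str):
    """'127.0.0.1:53:10' -> ('127.0.0.1', 53). Assumed layout: addr:port:priority; IPv4 only."""
    parts = spec.split(':')
    port = int(parts[1]) if len(parts) > 1 and parts[1] else 53
    return parts[0], port


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Header with RD set and one question, then the encoded QNAME and TXT/IN."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip('.').split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', TYPE_TXT, CLASS_IN)


def _read_name(buf: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack('!H', buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return '.'.join(labels), end


def parse_txt_response(buf: bytes):
    """Return (rcode, [txt strings]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack('!HHHHHH', buf[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = _read_name(buf, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack('!HHIH', buf[off:off + 10])
        off += 10
        if rtype == TYPE_TXT:                           # rdata is a run of <len><chars> strings
            rdata, pos, chunks = buf[off:off + rdlen], 0, []
            while pos < len(rdata):
                n = rdata[pos]
                chunks.append(rdata[pos + 1:pos + 1 + n].decode(errors='replace'))
                pos += 1 + n
            txts.append(''.join(chunks))
        off += rdlen
    return flags & 0xF, txts


def lookup_txt(name: str, spec: str = '127.0.0.1:53:10', timeout: float = 3.0):
    """Ask exactly the server rspamd would ask; raises socket.timeout if it is silent."""
    host, port = parse_nameserver_spec(spec)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (host, port))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data)


if __name__ == '__main__':
    for qname in ('cleantalk.org', 'mail._domainkey.cleantalk.org'):
        try:
            rcode, records = lookup_txt(qname)
            print(qname, 'rcode', rcode, records)
        except socket.timeout:
            print(qname, 'no answer from the resolver rspamd uses; this is what the thread saw')
```

A timeout here, with the same query answered by the provider's resolver, is the symptom from the thread: the local BIND was reachable in name only and had no working forwarders.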