ongoing spoofing issues

Discussion in 'Installation/Configuration' started by Austin7410, Nov 6, 2023.

  1. Austin7410

    Austin7410 New Member

    Hello ISPConfig Forum Members,

    We currently have spoofing issues that are causing us to be added to blacklists, specifically backscatterer at the moment.

    Generating a mail summary from our logs with pflogsumm -d today /var/log/maillog > /tmp/mail_summary.txt
    and reviewing the senders by message count, the list is filled with spoofed accounts.


    We have our current .cf files set up as suggested in previous forum threads for anti-spoofing:

    main.cf:
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

    mysql-virtual_sender_login_maps.cf:
    user = user
    password = password
    dbname = dbispconfig
    query = SELECT destination FROM mail_forwarding WHERE source = '%s' AND active = 'y' AND allow_send_as = 'y' AND server_id = 4 UNION SELECT email FROM mail_user WHERE email = '%s' AND disablesmtp = 'n' AND server_id = 4;
    hosts = 127.0.0.1


    Any suggestions or tips are welcome. Thank you for your time.
     
  2. remkoh

    remkoh Active Member HowtoForge Supporter

    What do you mean by spoofing? What is exactly happening?

    Nobody should be able to use your server to send out mail unless they are authenticated or from a trusted ip.
    If authenticated it can't be with a bogus account if everything is set up properly.
     
    till and Th0m like this.
  3. Austin7410

    Austin7410 New Member

    Here is a small snippet of our mail log I referred to previously. There are a lot of bogus accounts sending out. We have a standard setup with no special modifications. Maybe there is a bad user with an account that has been compromised?

    If there is any information or logs that would be helpful to provide please let me know.
    [attached screenshot: mail log snippet, message counts per sender]
     
  4. remkoh

    remkoh Active Member HowtoForge Supporter

    This is nothing more than a message count.
    Compare those mail addresses with your Postfix logs to determine how they were sent.
    Especially which user was used to authenticate, and change that user's password or kill the user.
    Or, if they originate from a trusted host, take appropriate measures on that host.
     
    till likes this.
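As an added illustration of the check remkoh describes (matching the addresses from the pflogsumm summary against the Postfix log to see which SASL login, or which unauthenticated client, submitted each message), and of what the smtpd_sender_login_maps lookup in the first post is meant to enforce, here is a small Python script. It is not from this thread and not part of ISPConfig or Postfix. The log lines, queue IDs, hosts and addresses in it are constructed, and the OWNED table is a stand-in for what the sender login map would return for each login. One caveat worth checking on a server in this situation: the map on its own only describes which login may send as which address; Postfix enforces it only when reject_sender_login_mismatch (or reject_authenticated_sender_login_mismatch) is listed in smtpd_sender_restrictions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample Postfix log (not taken from the thread). smtpd logs the
# client and, for authenticated submissions, the SASL login under a queue ID;
# qmgr logs the envelope sender for the same queue ID on a separate line.
SAMPLE_LOG = """\
Nov  8 16:20:01 mail postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=sales@example.com
Nov  8 16:20:01 mail postfix/qmgr[1800]: 4A1B2C3D4E: from=<ceo@example.com>, size=2310, nrcpt=40 (queue active)
Nov  8 16:20:02 mail postfix/smtpd[2101]: 5B2C3D4E5F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=sales@example.com
Nov  8 16:20:02 mail postfix/qmgr[1800]: 5B2C3D4E5F: from=<hr@example.com>, size=2290, nrcpt=35 (queue active)
Nov  8 16:21:10 mail postfix/smtpd[2102]: 6C3D4E5F60: client=laptop.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Nov  8 16:21:10 mail postfix/qmgr[1800]: 6C3D4E5F60: from=<alice@example.com>, size=980, nrcpt=1 (queue active)
Nov  8 16:22:00 mail postfix/smtpd[2103]: 7D4E5F6071: client=mx.partner.example[198.51.100.4]
Nov  8 16:22:00 mail postfix/qmgr[1800]: 7D4E5F6071: from=<bob@partner.example>, size=1500, nrcpt=1 (queue active)
"""

# "postfix/<program>[pid]: <queue id>: <rest of line>" (long queue IDs are alphanumeric too)
QUEUE_RE = re.compile(r'postfix/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)')
# client host, followed by SASL details only when the session authenticated
CLIENT_RE = re.compile(r'client=(?P<client>[^,\s]+)(?:, sasl_method=[^,]+, sasl_username=(?P<user>\S+))?')
FROM_RE = re.compile(r'from=<(?P<sender>[^>]*)>')


def correlate(log_text):
    """Join smtpd and qmgr lines by queue ID: {qid: {client, sasl_username, sender}}."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m or m.group("qid") == "NOQUEUE":   # rejected mail never got a queue ID
            continue
        qid, rest = m.group("qid"), m.group("rest")
        c = CLIENT_RE.search(rest)
        if c:
            msgs[qid]["client"] = c.group("client")
            msgs[qid]["sasl_username"] = c.group("user")   # None if not authenticated
        f = FROM_RE.search(rest)
        if f:
            msgs[qid]["sender"] = f.group("sender")
    return dict(msgs)


def senders_by_login(msgs):
    """Count envelope senders per SASL login (or per unauthenticated client host)."""
    by_login = defaultdict(lambda: defaultdict(int))
    for info in msgs.values():
        if "sender" not in info:
            continue
        key = info.get("sasl_username") or "unauthenticated:" + info.get("client", "?")
        by_login[key][info["sender"]] += 1
    return {k: dict(v) for k, v in by_login.items()}


def find_mismatches(msgs, owned):
    """Return (qid, login, sender, client) for authenticated messages whose envelope
    sender is not one the login may use. `owned` maps login -> set of allowed
    addresses and stands in for the smtpd_sender_login_maps lookup (constructed)."""
    bad = []
    for qid, info in sorted(msgs.items()):
        user = info.get("sasl_username")
        if user and "sender" in info and info["sender"] not in owned.get(user, set()):
            bad.append((qid, user, info["sender"], info.get("client")))
    return bad


if __name__ == "__main__":
    # Pass a log file path to analyse a real log; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    # Constructed ownership table: which addresses each login is allowed to send as.
    OWNED = {"sales@example.com": {"sales@example.com"},
             "alice@example.com": {"alice@example.com"}}
    msgs = correlate(text)
    for login, senders in senders_by_login(msgs).items():
        print(login, senders)
    for qid, user, sender, client in find_mismatches(msgs, OWNED):
        print(f"{qid}: login {user} from {client} sent as {sender}")
```

In the sample, both spoofed senders (ceo@ and hr@) trace back to one login, sales@example.com, submitting from the same client address, which is exactly the kind of result that points at a compromised account rather than at a relay problem; the message from bob@partner.example has no SASL login and is just inbound mail from another MX. On a real system, run the script against the day's /var/log/maillog and replace OWNED with the addresses each login actually owns.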
