
For several days now, I have been fighting a massive sending of emails from my server to external emails.

I set out to receive the email of errors on my Gmail, and I noticed in spam that I am invaded by emails titled: "Undelivered Mail Returned to Sender" and "Permanent Delivery Failure".

Analyzing the content of the "Undelivered Mail Returned" emails, which are the most frequent (around 400 per day), I found:

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

: host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 209.97.135.69 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)

: host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 209.97.135.69 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)

The problem is that I noticed they are sending emails from staff@mydomain.it, but I don't have a mailbox called "staff"! Do you have any idea how I can stop this (I assume) brute force attack? Do users receive these spam emails even if the mailbox doesn't exist?

I have a DigitalOcean VPS with Plesk Obsidian 18.0.24, and I have already configured Fail2Ban with the jails plesk-postfix and postfix-sasl.

I really ran out of ideas...

LegoLiam

1 Answer


Review your mail server logs to see if you can find any outbound messages coming from the "staff" email address. You mentioned that you're seeing bounces, but are you seeing any outbound messages in your logs?

If not, then it's possible someone is spoofing your server, so the email coming "from" staff@mydomain.it is actually coming from a different server. If you haven't already, make sure your domain has a valid SPF record. You may also want to look into enabling DKIM.

Secondly, make sure that your server is not set up as an open relay. In Plesk, you can check this by going to the admin panel, then Tools & Settings > Mail Server Settings, and checking the relaying setting in the server-wide mail preferences. It should be set to "authorization is required". (Refer to the previous link.)

Third, maybe it's possible the messages from the "staff" email address are actually being sent from a website that is hosted on the Plesk server? Perhaps someone / something (a bot) is submitting messages through a website contact form over and over again.

Good luck.

David W
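The first step in the answer, checking the mail log for outbound messages from the suspect address, is easiest with a small script that joins the Postfix records of each queue ID and says where the message entered the queue. The script below is an added example, not code from the question, the answer or Plesk: it distinguishes the three hypotheses the answer raises (nothing in the log, so the bounces are backscatter from spoofed mail; messages relayed without authentication; messages handed in locally by a web application through sendmail) plus a fourth, submission with a real mailbox's credentials. The log lines are constructed samples; the host name mx1, the queue IDs, the client IPs and the account info@mydomain.it are assumptions.

```python
"""Postfix log triage for one suspect envelope sender.

Added example (not code from the question or the answer): it joins each
queue ID's pickup/smtpd, qmgr and smtp/local records and reports where
every message from the suspect sender entered the queue. The log lines
are constructed; host mx1, queue IDs, client IPs and info@mydomain.it
are assumptions.
"""
import re
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"mydomain.it"}   # domains this server hosts (assumption)

# Constructed sample of /var/log/maillog in Postfix's syslog format.
SAMPLE_LOG = """\
Feb 29 14:01:12 mx1 postfix/pickup[1201]: A1B2C3D4E5: uid=10001 from=<staff@mydomain.it>
Feb 29 14:01:12 mx1 postfix/qmgr[1202]: A1B2C3D4E5: from=<staff@mydomain.it>, size=1824, nrcpt=1 (queue active)
Feb 29 14:01:13 mx1 postfix/smtp[1203]: A1B2C3D4E5: to=<someone@yahoo.com>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=1.2, dsn=4.7.0, status=deferred (421 4.7.0 [TSS04] temporarily deferred due to user complaints)
Feb 29 14:02:00 mx1 postfix/smtpd[1210]: C3D4E5F6A7: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@mydomain.it
Feb 29 14:02:00 mx1 postfix/qmgr[1202]: C3D4E5F6A7: from=<staff@mydomain.it>, size=2011, nrcpt=1 (queue active)
Feb 29 14:02:01 mx1 postfix/smtp[1203]: C3D4E5F6A7: to=<victim@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Feb 29 14:03:00 mx1 postfix/smtpd[1211]: D4E5F6A7B8: client=unknown[198.51.100.7]
Feb 29 14:03:00 mx1 postfix/qmgr[1202]: D4E5F6A7B8: from=<staff@mydomain.it>, size=1990, nrcpt=1 (queue active)
Feb 29 14:03:01 mx1 postfix/smtp[1203]: D4E5F6A7B8: to=<target@example.org>, relay=mail.example.org[192.0.2.20]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Feb 29 14:04:00 mx1 postfix/smtpd[1212]: E5F6A7B8C9: client=mail.example.com[192.0.2.30]
Feb 29 14:04:00 mx1 postfix/qmgr[1202]: E5F6A7B8C9: from=<friend@example.com>, size=900, nrcpt=1 (queue active)
Feb 29 14:04:00 mx1 postfix/local[1213]: E5F6A7B8C9: to=<user@mydomain.it>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# Standard Postfix line: timestamp, host, postfix/<program>[pid]: <queue id>: <details>
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s\S+\spostfix/(?P<prog>[\w-]+)\[\d+\]:\s"
    r"(?P<qid>[0-9A-Za-z]+):\s(?P<rest>.*)$"
)


def parse_log(text):
    """Group log records by queue ID and keep the fields triage needs."""
    msgs = defaultdict(lambda: {"origin": None, "client": None, "sasl": None,
                                "sender": None, "recipients": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # connect/disconnect lines carry no queue ID
            continue
        prog, qid, rest = m.group("prog", "qid", "rest")
        rec = msgs[qid]
        if prog == "pickup":            # handed in via /usr/sbin/sendmail on this host
            rec["origin"] = "pickup"
        elif prog == "smtpd":           # received over SMTP from some client
            rec["origin"] = "smtpd"
            c = re.search(r"client=([^,\s]+)", rest)
            u = re.search(r"sasl_username=(\S+)", rest)
            rec["client"] = c.group(1) if c else None
            rec["sasl"] = u.group(1) if u else None
        f = re.search(r"from=<([^>]*)>", rest)      # pickup and qmgr lines
        if f:
            rec["sender"] = f.group(1)
        t = re.search(r"to=<([^>]*)>.*status=(\w+)", rest)   # smtp/local lines
        if t:
            rec["recipients"].append({"to": t.group(1), "status": t.group(2)})
    return dict(msgs)


def classify(rec):
    """Map one queue record to a short origin class."""
    external = any(r["to"].rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS
                   for r in rec["recipients"])
    if rec["origin"] == "pickup":
        return "local-pickup"           # web app, cron or shell on this host
    if rec["origin"] == "smtpd":
        if rec["sasl"]:
            return "auth-smtp:" + rec["sasl"]   # a mailbox password is in use
        if external:
            return "open-relay"         # no auth, yet relayed to the outside
        return "inbound"
    return "unknown"


def triage(text, sender):
    """Count messages from `sender` by origin class and delivery status."""
    origins, statuses = Counter(), Counter()
    for rec in parse_log(text).values():
        if (rec["sender"] or "").lower() != sender.lower():
            continue
        origins[classify(rec)] += 1
        for r in rec["recipients"]:
            statuses[r["status"]] += 1
    return {"messages": sum(origins.values()),
            "origins": dict(origins), "statuses": dict(statuses)}


def verdict(result):
    """Operator summary: each origin class maps to the check to run next."""
    if result["messages"] == 0:
        return ("no outbound mail from that sender in the log: the bounces are "
                "backscatter from mail spoofed elsewhere; verify SPF, DKIM and DMARC")
    hints = {"local-pickup": "sendmail/mail() on this host: audit web forms and scripts",
             "open-relay": "relayed without authentication: check smtpd_relay_restrictions",
             "inbound": "ordinary inbound mail", "unknown": "incomplete log context"}
    out = [f"{result['messages']} message(s), statuses {result['statuses']}"]
    for origin, n in sorted(result["origins"].items()):
        hint = hints.get(origin, f"credentials of {origin[10:]} in use: rotate that password")
        out.append(f"  {n} x {origin}: {hint}")
    return "\n".join(out)


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG, "staff@mydomain.it")))
```

Run it against the real log with `triage(open("/var/log/maillog").read(), "staff@mydomain.it")`. A result of zero messages means the server never sent them and the bounces are backscatter; a pile of `local-pickup` entries points at a script or form on the web server, which matches what the comments below eventually found; `open-relay` or `auth-smtp` entries point at the relay setting or at a stolen mailbox password respectively.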
  • Thanks so much for the very complete answer. By doing a verification with mail-tester, I receive a score of 8.9 with correctly valid DKIM and SPF... Under "authorization is required" I set SMTP; is that correct? For sending emails through the contact form I thought so too; in fact I disabled them from InvisionPowerBoard... I noticed that in the Message Queue I had a huge list, and I removed them all... but how did they get there? – LegoLiam Feb 29 '20 at 15:28
  • If you had a huge number of emails in your message queue coming from the website, then that's very possibly the culprit. You should double-check the settings on any public-facing contact forms or other forms that could potentially send email upon submission, and make sure you have a CAPTCHA or something in place to filter out spam submissions. – David W Feb 29 '20 at 15:56
  • I write for those who need it: I had IP.Board installed, and with the latest version there is a bug in "share via email" and "contact us"; I invite everyone to disable them. – LegoLiam Mar 17 '20 at 16:52
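The answer recommends a valid SPF record, and the first comment reports that a deliverability test rated it valid. A record can be syntactically valid and still authorize every host on the Internet to send as the domain, which is the case worth ruling out when bounces arrive for mail the server never sent. The lint below is an added example, not code from the answer or from mail-tester: it inspects the policy text offline, with no DNS, and flags the terminal qualifier, the deprecated `ptr` mechanism and the RFC 7208 limit of ten DNS-lookup terms. The records in `RECORDS` are constructed samples; the hosts and IPs in them are assumptions.

```python
"""Offline lint of SPF record text (added example, not from the answer).

The RECORDS below are constructed samples; the host names and IPs in them
are assumptions.
"""

# Mechanisms and the redirect modifier each cost one DNS lookup; RFC 7208
# caps a record at 10, beyond which receivers return permerror.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

RECORDS = {
    "tight": "v=spf1 mx a ip4:192.0.2.10 -all",
    "wide-open": "v=spf1 include:_spf.example.com +all",
    "no-all": "v=spf1 ip4:192.0.2.0/24",
    "too-many": "v=spf1 " + " ".join(f"include:s{i}.example.com" for i in range(11)) + " -all",
}


def lint_spf(record):
    """Return a list of findings for one SPF record string ([] means clean)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings, lookups, terminal = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                          # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                          # modifier such as redirect= or exp=
            if term.split("=", 1)[0].lower() == "redirect":
                lookups += 1
            continue
        # mechanism name without its domain-spec or CIDR suffix
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr is deprecated by RFC 7208 and unreliable")
        if name == "all":
            terminal = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10: receivers return permerror")
    if terminal is None:
        findings.append("no 'all' term: unlisted hosts get neutral, so spoofed mail is not rejected")
    elif terminal == "+":
        findings.append("'+all' lets any host on the Internet pass SPF for this domain")
    elif terminal == "?":
        findings.append("'?all' is neutral: spoofed mail neither passes nor fails")
    return findings


if __name__ == "__main__":
    for label, record in RECORDS.items():
        print(f"{label}: {record}")
        for finding in lint_spf(record) or ["ok"]:
            print(f"  - {finding}")
```

To check a live domain, paste the TXT record returned by `dig +short TXT mydomain.it` into `lint_spf`. A `-all` or `~all` ending with the server's own address listed is what a receiver needs to reject or quarantine spoofed mail once a DMARC policy is published alongside it.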