1

I have an issue on both of my servers (one Postfix + Dovecot and one Zimbra). My issue is that some robots send spam to our hosted mailboxes without logging in, using the same FROM/RCPT. It seems Google has the same issue too: https://www.theverge.com/2018/4/22/17268740/gmail-spam-email-spoofed-header-google

So our mailboxes are getting spam emails from themselves. But these spammers can't send from external mailboxes (ones not hosted by our server).

These spammers don't use a remote SMTP server to send email; if they did, our SPF policy would block them.

These spammers use our SMTP server to send to our local mailboxes with the same FROM and RCPT.

The server is not open-relay.

For example, we host these mailboxes:

  1. test@example.com
  2. boby@example.com

A robot sends spam from test@example.com to test@example.com using our SMTP server.

But this works too: test@example.com to boby@example.com using our SMTP server,

without needing any password.

How can I prevent this?

My main.cf: https://pastebin.com/V1KYuKTk

My telnet test:

Connection: opening to mail2test.domain.tld:25, timeout=300, options=array ()
Connection: opened
SERVER -> CLIENT: 220 mail2test.domain.tld ESMTP Postfix (Debian/GNU)
CLIENT -> SERVER: EHLO tools.test.com
SERVER -> CLIENT: 250-mail2test.domain.tld
                 250-PIPELINING
                 250-SIZE 50240000
                 250-VRFY
                 250-ETRN
                 250-STARTTLS
                 250-AUTH PLAIN LOGIN
                 250-AUTH=PLAIN LOGIN
                 250-ENHANCEDSTATUSCODES
                 250-8BITMIME
                 250 DSN
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
CLIENT -> SERVER: EHLO tools.test.com
SERVER -> CLIENT: 250-mail2test.domain.tld
                 250-PIPELINING
                 250-SIZE 50240000
                 250-VRFY
                 250-ETRN
                 250-AUTH PLAIN LOGIN
                 250-AUTH=PLAIN LOGIN
                 250-ENHANCEDSTATUSCODES
                 250-8BITMIME
                 250 DSN
CLIENT -> SERVER: MAIL FROM: <test@mail2test.domain.tld>
SERVER -> CLIENT: 250 2.1.0 Ok
CLIENT -> SERVER: RCPT TO: <test@mail2test.domain.tld>
SERVER -> CLIENT: 250 2.1.5 Ok
CLIENT -> SERVER: DATA
SERVER -> CLIENT: 354 End data with <CR><LF>.<CR><LF>
CLIENT -> SERVER: Date: Thu, 19 Apr 2018 15:13:20 +0000
CLIENT -> SERVER: To: test@mail2test.domain.tld
CLIENT -> SERVER: From: Test SMTP Test 
CLIENT -> SERVER: Subject: Test SMTP Test Message
CLIENT -> SERVER: Message-ID: <4a50b5853919acdfe9237d71982be37b@blog.test.com>
CLIENT -> SERVER: MIME-Version: 1.0
CLIENT -> SERVER: Content-Type: text/plain; charset=iso-8859-1
CLIENT -> SERVER:
CLIENT -> SERVER: This message was sent using the Test SMTP testing tool by this user:
CLIENT -> SERVER: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.124 Safari/537.36
CLIENT -> SERVER: xxx.xxx.xxx.xxx
CLIENT -> SERVER:
CLIENT -> SERVER: .
SERVER -> CLIENT: 250 2.0.0 Ok: queued as A86F61383C
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: 221 2.0.0 Bye
Connection: closed

My mail.log:

Apr 19 17:13:21 mail2 postfix/smtpd[26584]: A86F61383C: client=tools.test.com[96.126.113.160]
Apr 19 17:13:22 mail2 postfix/cleanup[26589]: A86F61383C: message-id=<4a50b5853919acdfe9237d71982be37b@blog.test.com>
Apr 19 17:13:22 mail2 postfix/qmgr[26511]: A86F61383C: from=<test@mail2test.domain.tld>, size=795, nrcpt=1 (queue active)
Apr 19 17:13:25 mail2 postfix/smtp[26591]: A86F61383C: to=<test@mail2test.domain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.5, delays=0.49/0.01/0.01/3, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=02360-01, from MTA: 250 2.0.0 Ok: queued as ED1FF1383D)
Apr 19 17:13:25 mail2 postfix/qmgr[26511]: A86F61383C: removed

My current SPF:

mail2test.domain.tld.   299 IN  TXT "v=spf1 a mx -all"

Neither A nor MX points to 96.126.113.160.

The email I received:

Return-Path: <test@mail2test.domain.tld>
Delivered-To: test@mail2test.domain.tld
Received: from localhost (localhost [127.0.0.1])
    by mail2test.domain.tld (Postfix) with ESMTP id 1421713802
    for <test@mail2test.domain.tld>; Thu, 19 Apr 2018 17:13:45 +0200 (CEST)
Received: from mail2test.domain.tld ([xxx.xxx.xxx.xxx])
 by localhost (mail2test.domain.tld [127.0.0.1]) (amavisd-maia, port 10024)
 with ESMTP id 02355-01 for <test@mail2test.domain.tld>;
 Thu, 19 Apr 2018 17:13:25 +0200 (CEST)
Received: from tools.test.com (tools.test.com [96.126.113.160])
    by mail2test.domain.tld (Postfix) with ESMTP id A86F61383C
    for <test@mail2test.domain.tld>; Thu, 19 Apr 2018 17:13:25 +0200 (CEST)
Date: Thu, 19 Apr 2018 15:13:23 +0000
To: test@mail2test.domain.tld
From: Wormly SMTP Test <test@mail2test.domain.tld>
Subject: Wormly SMTP Test Message
Message-ID: <4a50b5853919acdfe9237d71982be37b@blog.test.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
X-Virus-Scanned: Test Mail 0.1

This message was sent using the Wormly SMTP testing tool by this user:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.124 Safari/537.36
xxx.xxx.xxx.xxx
Maxence
  • Looks like the Gmail issue; people report the same issue as us: https://www.theverge.com/2018/4/22/17268740/gmail-spam-email-spoofed-header-google – Maxence Apr 23 '18 at 12:13

1 Answer

2

The issue you most likely have is that the To address matches, so the email is accepted - this is not a relaying problem, and it is a very common setup.

One way - maybe the easiest and best way, depending on your use case - would be to ensure your mail servers honour SPF record settings and to set SPF records for your domains. This means that people purporting to be you, sending unauthenticated email from an IP address which is not your mail server, will be rejected.

davidgo
  • My server already checks SPF records, but this issue only happens if I use my server as an SMTP server to send to a local mailbox of this SMTP server; we have had a lot of spammers using this for a few days now. If I send this email from an external SMTP server that is not allowed by my SPF, the email is blocked, but if the robot uses my SMTP server to send email to a local mailbox, it passes. – Maxence Apr 20 '18 at 10:31
  • Please try to explain the above sentence better - it's very difficult to understand. Do you have an SPF record for your domain? Is the spammer coming from an IP address inside or outside your network - i.e. are they coming from 10.x.x.x or 127.0.0.1? – davidgo Apr 20 '18 at 10:35
  • It may have unintended consequences, but if they are coming from 10.x, you could remove "permit_mynetworks" from smtpd_recipient_restrictions if you ensure all senders are using SMTP auth. – davidgo Apr 20 '18 at 10:38
  • Yes, I have an SPF record that allows my IP to send email. The spammer doesn't use any external SMTP server to send an email; he uses my SMTP server without any login and password. If he tries to send to an email address that is not hosted on my email server, the email is blocked, but if the spammer knows I'm hosting test@example.com, he can send an email as test@example.com to test@example.com by using my SMTP server. – Maxence Apr 20 '18 at 10:39
  • Yes, but where is he sending the email FROM? Is it one of the machines on your network? – davidgo Apr 20 '18 at 10:39
  • What is your domain name? If you won't tell us, please post the SPF record you are using. – davidgo Apr 20 '18 at 10:41
  • He sends the email to his FROM: when the spammer uses my SMTP server, he uses the same FROM and RCPT, so when I get his email, it says test@example.com sent an email to test@example.com. But if he knows I host test2@example.com, he can send an email with FROM test@example.com and RCPT test2@example.com and it will work too. Actually the spammer can send any email from any of my hosted mailboxes to any mailbox I host by simply using my SMTP server to send the email. – Maxence Apr 20 '18 at 10:44
  • My SPF is: v=spf1 a mx -all – Maxence Apr 20 '18 at 10:45
  • Not if your SPF record is correctly set up and he is not sending email from your domain. – davidgo Apr 20 '18 at 10:45
  • Is the spam originating from an IP address in the 10.x.x.x range? Are you certain your SPF checks are working? If the spammer is sending unauthenticated email from a remote address, the FROM IP address will not match the SPF record and should be dropped. – davidgo Apr 20 '18 at 10:49
  • Yes, if it uses a remote SMTP server the SPF blocks this email, but if it uses my SMTP server to send locally to my mailbox, it passes, and I want to block this; I want to force SASL AUTH for this case. – Maxence Apr 20 '18 at 10:52
  • You are not answering my question. What is the source IP address of the sending mail server? – davidgo Apr 20 '18 at 10:55
  • It seems 127.0.0.1! I added the email header + SPF + Postfix log to my question. – Maxence Apr 20 '18 at 11:03
  • If you want to try it yourself, this is my server: mail2test.definima.net. You can send email from mail2test.definima.net to test@mail2test.definima.net by using mail2test.definima.net as an SMTP server without any login. – Maxence Apr 20 '18 at 11:07
  • Ok, so this email is originating outside your network. It looks like you are not doing SPF checks on your incoming mail. (What is happening on port 10031?) – davidgo Apr 20 '18 at 11:07
  • (Not related to your problem, but are you aware port 10031 is open to the world?) – davidgo Apr 20 '18 at 11:11
  • I think your policyd instance (I assume that's what's on 10031) is incorrectly set up. (Unfortunately I need to leave now.) – davidgo Apr 20 '18 at 11:12
  • Yes, for now this test machine doesn't have any firewall, for testing purposes! – Maxence Apr 20 '18 at 11:12
  • You can try to send an email from a remote SMTP server as test@mail2test.definima.net to test@mail2test.definima.net; you will be blocked for sure. – Maxence Apr 20 '18 at 11:13
  • You can try here: https://www.wormly.com/test-smtp-server Server: mail2test.definima.net, Recipient email and Sender email: mail2test.definima.net, or simply redo the telnet test I posted in my question. – Maxence Apr 20 '18 at 11:22
  • Looks similar: https://www.theverge.com/2018/4/22/17268740/gmail-spam-email-spoofed-header-google – Maxence Apr 23 '18 at 11:53
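The following Postfix configuration is an added example illustrating the two fixes discussed in this thread (the answer's advice to enforce SPF on inbound mail, and the asker's wish to require SASL AUTH before one of the hosted domains may appear in MAIL FROM). It is not taken from the asker's main.cf or from the answer. Note what the posted mail.log already shows: the client for queue id A86F61383C is tools.test.com[96.126.113.160]; the 127.0.0.1 hop in the headers is only the amavisd re-injection on port 10024, so the spam arrives unauthenticated from outside mynetworks and is accepted simply because the recipient is local. The domain mail2test.domain.tld and its SPF record "v=spf1 a mx -all" come from the question; the map file path /etc/postfix/sender_access and the policyd-spf user and binary path (as packaged by Debian's postfix-policyd-spf-python) are assumptions to verify on your own system.

```ini
# ---- /etc/postfix/main.cf (fragment; merge with your existing restrictions) ----
# Added example, not the asker's configuration.

# Sender checks: trusted networks and SASL-authenticated clients may use any
# sender; everyone else is looked up in sender_access before anything else.
# An outside client claiming MAIL FROM:<...@mail2test.domain.tld> is rejected
# here, which is exactly what the domain's own SPF "-all" policy promises.
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/sender_access
    reject_non_fqdn_sender
    reject_unknown_sender_domain

# Recipient checks: keep your relay protection, then ask the SPF policy
# daemon about every untrusted client. For the telnet session in the
# question (client 96.126.113.160, which is neither an A nor an MX host of
# mail2test.domain.tld) SPF evaluates to "fail" and RCPT TO gets a 550
# instead of "250 2.1.5 Ok".
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service unix:private/policyd-spf

# ---- /etc/postfix/master.cf (add this service) ----
# Assumed paths: user and binary as installed by postfix-policyd-spf-python.
# policyd-spf  unix  -  n  n  -  0  spawn
#     user=policyd-spf argv=/usr/bin/policyd-spf

# ---- /etc/postfix/sender_access (build with: postmap /etc/postfix/sender_access) ----
# Key is the sender's domain (sub-domains match too); list every hosted domain.
# mail2test.domain.tld   REJECT 5.7.1 Mail from this domain requires SMTP authentication
```

After `postmap /etc/postfix/sender_access` and `postfix reload`, repeating the telnet test from the question should now end at the sender or recipient check with a 5xx reply rather than a queue id, and mail.log should show a `NOQUEUE: reject` line naming the rule that fired. The sender_access rule is deliberately strict: any external system that legitimately sends as your domain (a web application on another host, for example) must either authenticate, be listed in mynetworks, or be dropped from the rule and covered by your SPF record instead; since the published policy is `-all`, anything that would be blocked here is already something other receivers are told to reject.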