Email spoofing 2

Hi guys

I am having two email spoofing problems that I will discuss in separate posts. The second problem I have is I am receiving an email up to 50 times a day that appears to be ‘to’ and ‘from’ me. The source is below. I have changed the ‘Edit Sender Permitted From’ to ‘Disallow (-all)’ and restarted both postfix and bind, but that has not made any difference. I have sent the email to spamtrap@myserver.com.au, but again it did not stop the email.

Can you please suggest anything that I can do to stop this spam?

From - Fri May 31 09:59:14 2013
X-Account-Key: account4
X-UIDL: 0000141b4cda4628
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on my.server.com.au
X-Spam-Level:
X-Spam-Status: No, score=-76.4 required=5.0 tests=BAYES_50,FILL_THIS_FORM,
	FILL_THIS_FORM_LONG,HELO_DYNAMIC_IPADDR2,HELO_DYNAMIC_SPLIT_IP,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PSBL,RCVD_IN_RP_RNBL,
	RCVD_IN_SORBS_WEB,RDNS_NONE,SPF_SOFTFAIL,TVD_RCVD_IP,T_RCVD_IN_SEMBLACK,
	URIBL_BLACK,URIBL_RHS_DOB,USER_IN_WHITELIST autolearn=no version=3.3.2
X-Original-To: myemail@myvserver.com.au
Delivered-To: myuser@my.server.com.au
Received: from 212.174.55.146.static.ttnet.com.tr (unknown [212.174.55.146])
	by my.server.com.au (Postfix) with ESMTP id 540633660487
	for ; Fri, 31 May 2013 05:46:50 +0800 (WST)
Received: from apache by pcrglefpdpbcrejchrdihcrch.omahahen.org with local (Exim 4.63)
	(envelope-from <>)
	id 51JDB3-J4Q6FZ-A6
	for ; Thu, 30 May 2013 23:46:49 +0200
To:
Subject: Environmental organization is expanding and currently recruiting worldwide reps
Date: Thu, 30 May 2013 23:46:49 +0200
From:
Message-ID: <06B8537944CA21C1C734DD44483C11BD@pcrglefpdpbcrejchrdihcrch.lsinter.net>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="Windows-1252"

Commission of 5 percent on 200K USD monthly turnover derived
from sales of intellectual property products on the internet

Features required:

  • Company ownership
  • Timely performance of all tasks
  • Continuous availability for Email, Skype and telephone feedback

Considering your interest, please furnish us with the following:

  • Full Name
  • Age
  • Location
  • Telephone
  • Email

Please reply to: Hazel@googlein-de.com

Kind Regards,
Marketing, Liaison and HR Department

I think the problem is that the user is whitelisted in your spamassassin config, because spamassassin added the following flag:

USER_IN_WHITELIST

The score for that is -100, so you get the following:

score=-76.4 required=5.0

Hi helpmin

Yes, the user is probably whitelisted; however, correct me if I am wrong, I thought that setting ‘Edit Sender Permitted From’ to ‘Disallow (-all)’ would prevent mail being sent to the virtual server to and from the user from an external IP address.

So the way I read it is: if ‘Edit Sender Permitted From’ is set to ‘Disallow (-all)’ and your IP address is 0.0.0.1, and the user or anyone on 0.0.0.1 sends an email To: User and From: User, the email would be sent. However, if the mail is sent from any other IP address then only two of the three conditions are correct and the mail would be dropped, which should prevent this particular type of email spoofing.

In the mail above the Received: from 212.174.55.146 is not my server's IP address and is probably a fake IP address, but the mail is still arriving.

Hi, you asked:

Can you please suggest anything that I can do to stop this spam?

I suggested to “not whitelist” the user, because spamassassin would reliably flag those emails as SPAM.

Unfortunately I am not familiar with that “disallow” option (where did you find it in Virtualmin?).

But you could also check the SMTP Client Restrictions in the postfix config section.

Hi helpmin

I think we may be talking at cross purposes. The user/email address that is receiving the spoofed email on my server is a real user/email on my server and therefore is whitelisted. Is it not?

In response to your question (where did you find it in Virtualmin?):
Webmin > Servers > BIND DNS Server > select any FQDN from the zone list, then Sender Permitted From > scroll to the bottom of the page, select the Sender Permitted From record for this server, and toward the bottom of the page you will find Action for other senders.

Ah, OK. SPF :slight_smile: You are probably trying to do it the right way. And basically what you are saying is that you are trying to change how SPF records are treated.

You set it to -all, which should be a “hard fail”. That is probably just fine; however, Bind itself doesn’t do any email filtering (based on my understanding of DNS). It just provides information, for example to MTAs. So it looks like your MTA (postfix) is not “SPF records” aware. You probably need to install/configure a package like postfix-policyd-spf-perl.

Unfortunately I am not knowledgeable at all about that topic (and not able to assist). But I am glad I subscribed to this topic. I am going to learn something very useful here. Hopefully Eric will see this topic and shine more light on this :slight_smile:
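The two points made in this thread, that the -100 USER_IN_WHITELIST score is what drags the verdict below the threshold, and that a -all SPF record in BIND is only data until the MTA evaluates it against the connecting IP, can be seen in code. The script below is an added example; it is not from the poster, Virtualmin, SpamAssassin or postfix-policyd-spf-perl. It takes the X-Spam-Status and topmost Received: headers quoted above (constructed here as single lines, recipient omitted), recomputes the score without the whitelist bonus, and evaluates a small SPF record the way an SPF-aware hook would. SERVER_IP is a placeholder, and only the ip4:/ip6:/all mechanisms are implemented; a, mx and include need DNS and are left to a real library or policy daemon.

```python
"""Added example (not from the thread): what an SPF-aware MTA hook actually
evaluates, and why the -100 whitelist score hides the verdict.

A '-all' SPF record in BIND is only data. Nothing is rejected until the MTA,
or a policy daemon such as postfix-policyd-spf-perl, looks up that record and
compares it with the IP that connected. This script does that comparison for
the mechanisms relevant here (ip4:/ip6: with optional CIDR and the 'all'
terminator). Mechanisms that need DNS (a, mx, include) are not implemented.
"""
import ipaddress
import re

# Headers constructed from the message quoted in the thread (folded lines
# joined with a space, as a mail client would show them; recipient omitted).
RECEIVED_HEADER = (
    "Received: from 212.174.55.146.static.ttnet.com.tr (unknown [212.174.55.146]) "
    "by my.server.com.au (Postfix) with ESMTP id 540633660487; "
    "Fri, 31 May 2013 05:46:50 +0800 (WST)"
)
X_SPAM_STATUS = (
    "No, score=-76.4 required=5.0 tests=BAYES_50,FILL_THIS_FORM, "
    "FILL_THIS_FORM_LONG,HELO_DYNAMIC_IPADDR2,HELO_DYNAMIC_SPLIT_IP, "
    "RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PSBL,RCVD_IN_RP_RNBL, "
    "RCVD_IN_SORBS_WEB,RDNS_NONE,SPF_SOFTFAIL,TVD_RCVD_IP,T_RCVD_IN_SEMBLACK, "
    "URIBL_BLACK,URIBL_RHS_DOB,USER_IN_WHITELIST autolearn=no version=3.3.2"
)

# Assumed address of the legitimate mail server (placeholder, not the poster's IP).
SERVER_IP = "203.0.113.10"

# SpamAssassin's score for USER_IN_WHITELIST, as stated in the thread.
USER_IN_WHITELIST_SCORE = -100.0

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(received):
    """Return the client IP that Postfix recorded in square brackets.

    Only the topmost Received: header (added by your own MTA) is trustworthy;
    every header below it was written by the sender and can be forged.
    """
    match = re.search(r"\[([0-9a-fA-F:.]+)\]", received)
    if not match:
        raise ValueError("no client IP in Received header")
    return match.group(1)


def evaluate_spf(record, client_ip):
    """Evaluate a v=spf1 record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Mechanisms are
    checked left to right and the first match decides; 'all' matches every
    IP, so '-all' only applies to senders no earlier term covered.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # A bare address becomes a /32 (or /128) network.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism '{mechanism}' needs DNS; not handled here")
    return "neutral"  # no mechanism matched and no 'all' term present


def score_without_whitelist(x_spam_status):
    """Recompute the SpamAssassin score with the USER_IN_WHITELIST bonus removed.

    Returns (score, is_spam) so the effect of the whitelist entry is visible.
    """
    match = re.search(r"score=(-?[\d.]+) required=([\d.]+) tests=(.*?) autolearn=", x_spam_status)
    if not match:
        raise ValueError("unexpected X-Spam-Status format")
    score, required = float(match.group(1)), float(match.group(2))
    tests = re.sub(r"\s+", "", match.group(3)).split(",")  # undo header folding
    if "USER_IN_WHITELIST" in tests:
        score = round(score - USER_IN_WHITELIST_SCORE, 1)
    return score, score >= required


if __name__ == "__main__":
    client = connecting_ip(RECEIVED_HEADER)
    for record in (f"v=spf1 ip4:{SERVER_IP} ~all", f"v=spf1 ip4:{SERVER_IP} -all"):
        print(f"{client} vs '{record}': {evaluate_spf(record, client)}")
    print("own server:", evaluate_spf(f"v=spf1 ip4:{SERVER_IP} -all", SERVER_IP))
    print("score without whitelist:", score_without_whitelist(X_SPAM_STATUS))
```

Two things worth noting. First, SPF_SOFTFAIL in the posted header is what SpamAssassin reports when the record it fetched ended in ~all; either way it is only a scoring input, and a rejection needs the MTA hook, which for Postfix is a check_policy_service entry in smtpd_recipient_restrictions pointing at the policy daemon. Second, USER_IN_WHITELIST fires on the sender address, so a whitelist_from entry for your own address matches a forged From: as well; whitelist_from_rcvd or whitelist_auth tie the entry to the originating host or to an SPF/DKIM pass instead.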