Hoax emails - outgoing

SYSTEM INFORMATION
OS type and version: Ubuntu Server 22.04
Webmin version: 2.021
Virtualmin version: 7.5
Related packages: SMTP

Which way would you go about stopping emails from being sent from your Virtualmin server? Is there a way to stop unauthorized emails from being sent?

How are they being sent? Are you sure they aren’t just forged? You have SPF and a DMARC policy in place? Do the logs show them being sent? If so, how?

Mar 30 18:29:36 rread postfix/qmgr[2190552]: 2110BC74126: removed
Mar 30 18:29:36 rread postfix/qmgr[2190552]: CD3F7D451B7: from=james@smart-guy.co.uk, size=777, nrcpt=1 (queue active)
Mar 30 18:29:36 rread postfix/smtpd[2212677]: 67EA5C70C48: client=eth-231.48-homell.natm.ru[84.242.231.48], sasl_method=LOGIN, sasl_username=james
Mar 30 18:29:36 rread postfix/smtp[2206845]: A73D7D67D56: host mx01.gmx.net[212.227.17.4] refused to talk to me: 554-gmx.net (mxgmx107) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is block listed. 554 For explanation visit 554 Nemesis ESMTP Service not available No SMTP service IP address is block listed.
Mar 30 18:29:36 rread postfix/bounce[2214387]: 9347DD47E29: sender non-delivery notification: DF8B8C6F627
Mar 30 18:29:36 rread postfix/cleanup[2215295]: 67EA5C70C48: message-id=<>
Mar 30 18:29:36 rread postfix/smtp[2215676]: 64FFDD60486: to=lamp-sofo-0910-request@lists.stanford.edu, relay=mxb-00000d03.gslb.pphosted.com[148.163.153.234]:25, delay=23557, delays=22687/854/15/0.67, dsn=2.0.0, status=sent (250 2.0.0 3phvqx2wku-1 Message accepted for delivery)
Mar 30 18:29:36 rread postfix/qmgr[2190552]: 64FFDD60486: removed
Mar 30 18:29:36 rread postfix/qmgr[2190552]: D2002D63EB0: from=<>, size=3624, nrcpt=1 (queue active)
Mar 30 18:29:36 rread postfix/trivial-rewrite[2212482]: warning: do not list domain rread.co.uk in BOTH mydestination and virtual_alias_domains
Mar 30 18:29:36 rread postfix/qmgr[2190552]: 9347DD47E29: removed
Mar 30 18:29:36 rread postfix/qmgr[2190552]: 83982D64E4C: from=james@smart-guy.co.uk, size=703, nrcpt=1 (queue active)
Mar 30 18:29:37 rread postfix/smtp[2212478]: 9EBFCC733D3: to=matslind921@hotmail.com, relay=hotmail-com.olc.protection.outlook.com[104.47.11.33]:25, delay=14372, delays=13504/853/15/0.04, dsn=5.7.1, status=bounced (host hotmail-com.olc.protection.outlook.com[104.47.11.33] said: 550 5.7.1 Service unavailable, Client host [5.65.241.20] blocked using Spamhaus. To request removal from this list see https://www.spamhaus.org/query/ip/5.65.241.20 (AS3130). [VI1EUR02FT031.eop-EUR02.prod.protection.outlook.com 2023-03-30T17:29:36.421Z 08DB2C131A3F0AA5] (in reply to MAIL FROM command))
Mar 30 18:29:37 rread postfix/bounce[2215237]: 671F2D4813F: sender non-delivery notification: 3FD44C70BC8
Mar 30 18:29:37 rread postfix/smtp[2212478]: 9EBFCC733D3: lost connection with hotmail-com.olc.protection.outlook.com[104.47.11.33] while sending RCPT TO
Mar 30 18:29:37 rread postfix/smtp[2206845]: A73D7D67D56: to=peluche7@gmx.es, relay=mx00.gmx.net[212.227.15.10]:25, delay=4279, delays=3426/853/0.17/0, dsn=4.0.0, status=deferred (host mx00.gmx.net[212.227.15.10] refused to talk to me: 554-gmx.net (mxgmx003) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is block listed. 554 For explanation visit 554 Nemesis ESMTP Service not available No SMTP service IP address is block listed.)
Mar 30 18:29:37 rread postfix/qmgr[2190552]: A5323C7AFAE: from=james@smart-guy.co.uk, size=769, nrcpt=1 (queue active)
Mar 30 18:29:37 rread postfix/qmgr[2190552]: 671F2D4813F: removed
Mar 30 18:29:37 rread postfix/qmgr[2190552]: D772BD62B16: from=<>, size=3803, nrcpt=1 (queue active)
Mar 30 18:29:37 rread postfix/trivial-rewrite[2212482]: warning: do not list domain rread.co.uk in BOTH mydestination and virtual_alias_domains
Mar 30 18:29:37 rread postfix/cleanup[2215292]: D742CC702BF: message-id=20230330172937.D742CC702BF@rread.co.uk
Mar 30 18:29:38 rread postfix/smtp[2214504]: A3057C78361: Cannot start TLS: handshake failure
Mar 30 18:29:38 rread postfix/smtpd[2212677]: EC894C7897D: client=eth-231.48-homell.natm.ru[84.242.231.48], sasl_method=LOGIN, sasl_username=james
Mar 30 18:29:39 rread postfix/smtp[2212771]: E4278D44D4E: to=aamr1892@hotmail.com, relay=hotmail-com.olc.protection.outlook.com[104.47.11.97]:25, delay=33686, delays=32817/853/16/0.02, dsn=5.7.1, status=bounced (host hotmail-com.olc.protection.outlook.com[104.47.11.97] said: 550 5.7.1 Service unavailable, Client host [5.65.241.20] blocked using Spamhaus. To request removal from this list see https://www.spamhaus.org/query/ip/5.65.241.20 (AS3130). [DB5EUR02FT033.eop-EUR02.prod.protection.outlook.com 2023-03-30T17:29:37.884Z 08DB2B109B6453BB] (in reply to MAIL FROM command))
Mar 30 18:29:39 rread postfix/bounce[2214389]: 9EBFCC733D3: sender non-delivery notification: D742CC702BF
Mar 30 18:29:39 rread postfix/smtp[2212771]: E4278D44D4E: lost connection with hotmail-com.olc.protection.outlook.com[104.47.11.97] while sending RCPT TO
Mar 30 18:29:39 rread postfix/qmgr[2190552]: 9EBFCC733D3: removed
Mar 30 18:29:39 rread postfix/qmgr[2190552]: AFE12D40D86: from=<>, size=3559, nrcpt=1 (queue active)
Mar 30 18:29:39 rread postfix/cleanup[2214834]: 1E68CC76268: message-id=20230330172939.1E68CC76268@rread.co.uk
Mar 30 18:29:39 rread postfix/smtp[2214504]: A3057C78361: to=terran.alexander.king@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.133.27]:25, delay=11637, delays=9530/2090/17/0.25, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.133.27] said: 550-5.7.1 [5.65.241.20] The IP you’re using to send mail is not authorized to 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550 5.7.1 https://support.google.com/mail/?p=NotAuthorizedError n4-20020adffe04000000b002d07ce6eaf1si28346346wrr.518 - gsmtp (in reply to end of DATA command))
Mar 30 18:29:39 rread postfix/cleanup[2215289]: 2C71CC733D3: message-id=20230330172939.2C71CC733D3@rread.co.uk
Mar 30 18:29:39 rread postfix/bounce[2214380]: E4278D44D4E: sender non-delivery notification: 1E68CC76268
Mar 30 18:29:39 rread postfix/qmgr[2190552]: E4278D44D4E: removed
Mar 30 18:29:39 rread postfix/qmgr[2190552]: 60203C750A9: from=james@smart-guy.co.uk, size=785, nrcpt=1 (queue active)
Mar 30 18:29:39 rread postfix/cleanup[2215290]: EC894C7897D: message-id=<>
Mar 30 18:29:39 rread postfix/bounce[2215240]: A3057C78361: sender non-delivery notification: 2C71CC733D3
Mar 30 18:29:39 rread postfix/qmgr[2190552]: A3057C78361: removed
Mar 30 18:29:39 rread postfix/qmgr[2190552]: 88A12D67B20: from=james@smart-guy.co.uk, size=807, nrcpt=1 (queue active)
Mar 30 18:29:39 rread postfix/local[2214118]: 6CE93C7DB57: to=<james@smart-guy.co.uk@rread.co.uk>, orig_to=james@smart-guy.co.uk, relay=local, delay=23865, delays=21380/2474/0/11, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

That’s the mail.log? Is that a helpful log to look at?

Also, the auth.log shows login attempts that I'd ideally like to strengthen against.

Mar 30 18:38:29 rread sshd[2222303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=195.226.194.142 user=root
Mar 30 18:35:48 rread sshd[2220907]: Disconnected from invalid user sensor 129.205.208.20 port 45208 [preauth]
Mar 30 18:35:48 rread sshd[2220907]: Received disconnect from 129.205.208.20 port 45208:11: Bye Bye [preauth]
Mar 30 18:35:48 rread sshd[2220907]: Failed password for invalid user sensor from 129.205.208.20 port 45208 ssh2
Mar 30 18:35:46 rread sshd[2220907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.205.208.20
Mar 30 18:35:46 rread sshd[2220907]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 18:35:46 rread sshd[2220907]: Invalid user sensor from 129.205.208.20 port 45208
Mar 30 18:35:41 rread sshd[2220843]: Disconnected from authenticating user root 103.111.23.22 port 49752 [preauth]
Mar 30 18:35:41 rread sshd[2220843]: Received disconnect from 103.111.23.22 port 49752:11: Bye Bye [preauth]
Mar 30 18:35:41 rread sshd[2220843]: Failed password for root from 103.111.23.22 port 49752 ssh2
Mar 30 18:35:39 rread sshd[2220843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.111.23.22 user=root
Mar 30 18:35:28 rread proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd2220762 ruser=root rhost=195.226.194.142 user=root
Mar 30 18:35:28 rread proftpd: pam_listfile(proftpd:auth): Refused user root for service proftpd
Mar 30 18:35:02 rread CRON[2220559]: pam_unix(cron:session): session closed for user root
Mar 30 18:35:01 rread CRON[2220559]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 30 18:34:43 rread auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=wendy@smart-guy.co.uk rhost=81.156.124.168
Mar 30 18:34:43 rread auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 30 18:34:38 rread systemd: pam_unix(systemd-user:session): session closed for user smart-guy.co.uk
Mar 30 18:34:38 rread auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=wendy@smart-guy.co.uk rhost=81.156.124.168
Mar 30 18:34:38 rread auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 30 18:34:38 rread systemd: pam_unix(systemd-user:session): session closed for user stockifly
Mar 30 18:34:38 rread sshd[2219886]: Connection closed by authenticating user root 13.234.217.228 port 54034 [preauth]
Mar 30 18:34:35 rread saslauthd[1591]: : auth failure: [user=loves@co.uk] [service=smtp] [realm=co.uk] [mech=pam] [reason=PAM auth error]
Mar 30 18:34:34 rread saslauthd[1591]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Mar 30 18:34:34 rread sshd[2219886]: Failed password for root from 13.234.217.228 port 54034 ssh2
Mar 30 18:34:32 rread saslauthd[1591]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 30 18:34:32 rread saslauthd[1591]: pam_unix(smtp:auth): check pass; user unknown
Mar 30 18:34:32 rread sshd[2219886]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=13.234.217.228 user=root
Mar 30 18:34:30 rread su: pam_unix(su:session): session closed for user rread
Mar 30 18:34:30 rread su: pam_unix(su:session): session opened for user rread by (uid=0)
Mar 30 18:34:30 rread su: (to rread) root on none
Mar 30 18:34:30 rread su: pam_unix(su:session): session closed for user files
Mar 30 18:34:30 rread su: pam_unix(su:session): session opened for user files by (uid=0)
Mar 30 18:34:30 rread su: (to files) root on none
Mar 30 18:34:30 rread su: pam_unix(su:session): session closed for user rread
Mar 30 18:34:30 rread su: pam_unix(su:session): session opened for user rread by (uid=0)
Mar 30 18:34:30 rread su: (to rread) root on none
Mar 30 18:34:30 rread su: pam_unix(su:session): session closed for user video
Mar 30 18:34:30 rread systemd: pam_unix(systemd-user:session): session opened for user video by (uid=0)
Mar 30 18:34:30 rread su: pam_unix(su:session): session opened for user video by (uid=0)
Mar 30 18:34:30 rread su: (to video) root on none
Mar 30 18:34:30 rread su: pam_unix(su:session): session closed for user ads
Mar 30 18:34:30 rread systemd: pam_unix(systemd-user:session): session opened for user ads by (uid=0)
Mar 30 18:34:30 rread su: pam_unix(su:session): session opened for user ads by (uid=0)
Mar 30 18:34:30 rread su: (to ads) root on none
Mar 30 18:34:30 rread su: pam_unix(su:session): session closed for user tj-maintenance
Mar 30 18:34:29 rread systemd: pam_unix(systemd-user:session): session opened for user tj-maintenance by (uid=0)
Mar 30 18:34:29 rread su: pam_unix(su:session): session opened for user tj-maintenance by (uid=0)
Mar 30 18:34:29 rread su: (to tj-maintenance) root on none
Mar 30 18:34:29 rread su: pam_unix(su:session): session closed for user rread
Mar 30 18:34:29 rread systemd: pam_unix(systemd-user:session): session opened for user rread by (uid=0)
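Both logs posted above are worth reading, but not as a wall of text. The mail.log excerpt already contains the line type that decides the question: two postfix/smtpd lines with sasl_method=LOGIN, sasl_username=james from 84.242.231.48, i.e. someone authenticated as that mailbox from that host. The auth.log lines are ordinary PAM failures from sshd, proftpd and dovecot. The script below is an added triage example, not code from the thread or from Virtualmin: it reads log lines on stdin and reports authenticated submissions per user and client IP, SMTP AUTH failures per IP, and PAM failures per IP and service. The sample lines are constructed for the example; the sshd/proftpd/dovecot and 84.242.231.48 entries are copied from the logs above, the rest use documentation addresses.

```shell
#!/bin/sh
# Added triage example (not from the thread): who authenticated to Postfix from
# where, which IPs are failing SMTP AUTH, and which hosts are failing PAM logins.
# All functions read log lines on stdin, so real use is e.g.
#   smtp_auth_submissions < /var/log/mail.log
#   auth_failures_by_host < /var/log/auth.log

# Constructed sample, modelled on the thread's logs (203.0.113.7 and 198.51.100.9
# are documentation addresses added for the example).
SAMPLE_MAIL_LOG=$(cat <<'EOF'
Mar 30 18:29:36 rread postfix/smtpd[2212677]: 67EA5C70C48: client=eth-231.48-homell.natm.ru[84.242.231.48], sasl_method=LOGIN, sasl_username=james
Mar 30 18:29:36 rread postfix/qmgr[2190552]: CD3F7D451B7: from=<james@smart-guy.co.uk>, size=777, nrcpt=1 (queue active)
Mar 30 18:29:38 rread postfix/smtpd[2212677]: EC894C7897D: client=eth-231.48-homell.natm.ru[84.242.231.48], sasl_method=LOGIN, sasl_username=james
Mar 30 19:02:11 rread postfix/smtpd[2213001]: 0AB12C70123: client=laptop.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=james
Mar 30 19:02:40 rread postfix/smtpd[2213002]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 30 19:02:41 rread postfix/smtpd[2213002]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
EOF
)

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar 30 18:38:29 rread sshd[2222303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=195.226.194.142 user=root
Mar 30 18:35:46 rread sshd[2220907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.205.208.20
Mar 30 18:35:28 rread proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd2220762 ruser=root rhost=195.226.194.142 user=root
Mar 30 18:34:43 rread auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=wendy@smart-guy.co.uk rhost=81.156.124.168
Mar 30 18:34:32 rread saslauthd[1591]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
EOF
)

# Successful SASL logins to smtpd, counted per "user ip". A mailbox that is used
# from an address its owner does not recognise is the compromised-credential signal.
smtp_auth_submissions() {
    awk '/postfix\/smtpd/ && /sasl_username=/ {
        ip = $0;   sub(/.*\[/, "", ip);              sub(/\].*/, "", ip)
        user = $0; sub(/.*sasl_username=/, "", user); sub(/[ ,].*/, "", user)
        n[user " " ip]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Same report, filtered to client IPs not in the space-separated list in $1.
flag_unexpected_submitters() {
    smtp_auth_submissions | awk -v known="$1" '
        BEGIN { split(known, k, " "); for (i in k) ok[k[i]] = 1 }
        !($3 in ok)'
}

# Failed SMTP AUTH attempts per IP. These live in mail.log; the saslauthd lines in
# auth.log carry no rhost, so they cannot be attributed there.
smtp_auth_failures() {
    awk '/postfix\/smtpd/ && /SASL [A-Z-]+ authentication failed/ {
        ip = $0; sub(/: SASL .*/, "", ip); sub(/.*\[/, "", ip); sub(/\]$/, "", ip)
        n[ip]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# PAM "authentication failure" events per "ip service" (sshd, proftpd, dovecot, ...).
auth_failures_by_host() {
    awk '/pam_unix\([a-z]+:auth\): authentication failure/ {
        if (!match($0, /rhost=[^ ]+/)) next            # empty rhost: not attributable
        ip = substr($0, RSTART + 6, RLENGTH - 6)
        match($0, /pam_unix\([a-z]+:auth\)/)
        svc = substr($0, RSTART + 9, RLENGTH - 15)     # text between "pam_unix(" and ":auth)"
        n[ip " " svc]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

echo "== SASL submissions (count user ip) =="
printf '%s\n' "$SAMPLE_MAIL_LOG" | smtp_auth_submissions
echo "== submissions from IPs you do not recognise =="
printf '%s\n' "$SAMPLE_MAIL_LOG" | flag_unexpected_submitters "203.0.113.7"
echo "== SMTP AUTH failures (count ip) =="
printf '%s\n' "$SAMPLE_MAIL_LOG" | smtp_auth_failures
echo "== PAM login failures (count ip service) =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_failures_by_host
```

On the sample this prints `2 james 84.242.231.48` as the only submitter outside the list of addresses you recognise. If the real mail.log shows the same for a mailbox whose owner was not on that network, the password for that login is in someone else's hands and the fix is to change it (and then watch for the login reappearing from a new IP). The PAM patterns are the same ones fail2ban's sshd, dovecot and postfix jails key on, so enabling those jails is the cheap way to slow the brute-forcing.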

Not without an example of the ‘hoax’ email. Back to step one. Do you have an example? Do the headers show it came from your server?

IF it actually came from your server then go through the logs and look to see how it was sent. A random log dump is of no use.


If you have a user sending hoax emails, you need to address it with that user. Note that it is possible to send email even without Postfix. Sending mail can literally be done with telnet, a shell script, a PHP or Perl or Python script, netcat, etc. It is not rocket science to send email without going through the mail server.

Exploited web apps are the most common source of spam. And, the right way to address it is to fix those web apps.

It is possible to block port 25 for all users except the Postfix user, which mandates all users send through the local mail server (which you can then change the config to require authentication so you can know who is sending mail, and also prevent some malware from sending mail, assuming you’ve got exploited web apps). I just posted about this a day or two ago, so I won’t go into detail on that again.

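The two controls described in the reply above, as an added example that is not code from the thread or from Virtualmin: (1) only the postfix user may open outbound connections to port 25, so a web app, cron job, netcat or sendmail-lookalike running as anyone else is reset and logged; (2) every SASL login may only use sender addresses assigned to it, and one client cannot inject mail faster than a set rate. It assumes iptables with the owner match (present on Ubuntu 22.04) and a Debian-style Postfix where `postconf -e` edits main.cf; `/etc/postfix/sender_login_maps` is a hypothetical file you create. Commands are printed, not executed, unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): egress and submission policy for a
# Postfix host. Prints the commands it would run unless DRY_RUN=0.
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# (1) Egress: accept port 25 from the postfix uid only; everything else gets a
#     rate-limited kernel log line (so you can see which process tried) and a reset.
apply_smtp_egress_policy() {
    uid=$1
    for ipt in iptables ip6tables; do
        run "$ipt" -A OUTPUT -p tcp --dport 25 -m owner --uid-owner "$uid" -j ACCEPT
        run "$ipt" -A OUTPUT -p tcp --dport 25 -m limit --limit 6/min \
            -j LOG --log-prefix "SMTP-EGRESS-BLOCKED: "
        run "$ipt" -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
    done
}

# (2) Postfix: tie each SASL login to the MAIL FROM addresses it may use, and cap
#     how fast one client IP may inject mail. sender_login_maps lines look like
#     "james@smart-guy.co.uk james" (address, then the SASL login name); the
#     restriction only affects authenticated clients, so inbound mail is untouched.
apply_postfix_submission_policy() {
    run postconf -e "smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps"
    run postconf -e "smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch"
    run postconf -e "smtpd_client_message_rate_limit = 60"
    run postconf -e "smtpd_client_recipient_rate_limit = 200"
    run postconf -e "smtpd_tls_auth_only = yes"
    run postmap /etc/postfix/sender_login_maps
    run postfix reload
}

main() {
    # 105 is only a placeholder for previewing on a host without a postfix user.
    uid=$(id -u postfix 2>/dev/null || echo 105)
    apply_smtp_egress_policy "$uid"
    apply_postfix_submission_policy
}
main
```

Before applying: `postconf -h smtpd_sender_restrictions` shows whatever Virtualmin already put there, and the new value should be merged with it rather than replace it. The iptables rules are not persistent across a reboot on their own (netfilter-persistent or equivalent is needed), and they only cover port 25; if nothing on the box legitimately needs to reach an outside relay on 465 or 587, the same three rules can be repeated for those ports. Mail injected through the local `sendmail` binary still goes through Postfix, and `postfix/pickup` logs the uid it came from, which is how you attribute a spamming script to the domain user running it.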

This is the raw read of the email:

Return-Path: james@smart-guy.co.uk
Received: from trailerzgk (unknown [188.136.142.252])
by rread.co.uk (Postfix) with ESMTPA id 51A1EC77B20
for fanilyram1@hotmail.com; Thu, 30 Mar 2023 01:53:23 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=smart-guy.co.uk;
s=202302; t=1680137605;
bh=K+JAKzj0yt+0SfcmnY3A+0fB09aw0Fn6xd8DYaeIGHk=;
h=From:Date:Subject:To:From;
b=Vx6Yr7hBtwn8MIWh40aeHYrPXvKLFQo5C2ZMcUJGMPy3Nc1tRWR3y103MbxYpjcQ9
3fIQHN5IJ8Q0q10m6s5bB8ffVwr9S2q5z5ACllm8DmY+ybS9AwfQRrF7qhqqyFbGQn
lH962yx9BHyle4ZeTzKFkO6vCuOxtQ7xNRK5piQLnwHXDYxim7sUa6B+Js5SUIFp6C
af4FJkS6ZQGDbXcgNaQzD7USwdGgWArNZXFHWqG51C/GeN+HcMDwCt+HSgUPHjIrzd
N5+6b/6BF61IMKOefl9xhO0bafrU3iS5bjIoPnZtzQv7R3F60XgkRo7DOBLe4xYmpb
pojD13cjCZqVQ==
From: "Alexandra" james@smart-guy.co.uk
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 30 Mar 2023 02:47:16 -0500
Subject: Invite:-) May u r able to talk. sir astonishing:)
To: fanilyram1@hotmail.com
Mime-Version: 1.0

my sir open!

hello!
Where are U stay now?
immediately Im seeking slapup dude)
I am alone superb 27 years old Miss in Russian Federation! email me at lolom=
oloki5@gmail.com :)
I’ll reply to You my pictures;)
have a nice day

This is the email headers

Mail headers
Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on rread.co.uk
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=5.0 tests=NO_RELAYS autolearn=ham autolearn_force=no version=3.4.4
X-Original-To: james@smart-guy.co.uk
Delivered-To: "james@smart-guy.co.uk"@rread.co.uk
Received: by rread.co.uk (Postfix) id DDB2AD45FF5; Thu, 30 Mar 2023 10:03:24 +0100 (BST)
Date: Thu, 30 Mar 2023 10:03:24 +0100 (BST)
From: MAILER-DAEMON@rread.co.uk (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: james@smart-guy.co.uk
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="51A1EC77B20.1680167004/rread.co.uk"
Content-Transfer-Encoding: 8bit
Message-Id: 20230330090324.DDB2AD45FF5@rread.co.uk

I may have to ask you for some sort of method to block any traffic bar Postfix through 25, and to have every sent email authenticated to avoid being marked by Spamhaus etc.

There aren't any actual users per se; they're coming from one virtual server only, which hasn't had any other web apps installed? They're simply my email@domain that I know I haven't used to send these emails.

Is this your server IP? 188.136.142.252

My guess is they are using you to divert bounces too. Back in the beginning of spam I had a site get DOS’ed by this. They just picked a domain name at random and rotated all sorts of user names with it. Why would Iran be involved in a hotmail bounce?

netname:        FanapTelecom
country:        IR
admin-c:        TN3118-RIPE
tech-c:         TN3118-RIPE
mnt-lower:      ir-javidan-1-mnt
mnt-routes:     ir-javidan-1-mnt
status:         ASSIGNED PA
mnt-by:         ir-javidan-1-mnt
created:        2021-12-12T03:00:44Z
last-modified:  2021-12-12T03:00:44Z
source:         RIPE

role:           FANAPTELECOM NETWORK
address:        No6 - 3rd St. - Shams Tabrizi St. - Mirdamad Ave.
address:        TEHRAN-IRAN
abuse-mailbox:  h.shirgir312@gmail.com

That’s not my IP, 5.65.241.20 is?
So how do I overcome this?

No? 5.65.241.20 is?

I’m also UK based. Why would Indian and Iranians be using my domain? Kinda odd eh?

How long have you run the mail server? At least one line in the logs says that they won’t accept your email unless you send it through your provider. You really can’t run an effective email server from just any IP even if it is static.

No, that’s not odd at all. Spammers don’t care where you’re from.

Do you have properly configured SPF records, and DKIM? That allows receiving mail servers to check to see if an IP is allowed to send mail for a given domain.

It seems like you’re dealing with “backscatter”. And, the way to solve it (somewhat) is to make it so mail servers know that randos in India are not permitted to send mail on behalf of your domains.

I know it's not ideal to use a residential IP, and it's not static, it's dynamic. I have DKIM set up, and SPF too. So how can I further secure outgoing emails from my Postfix? I've had issues with "backscatter" on this domain for a fair while. Reinstalling didn't resolve the issue, and I've reinstalled/changed passwords, to no effect. Now I'm keenly looking to secure Postfix further.

As far as I am aware, I have them both set up correctly. But being set up doesn't mean it's done correctly haha! How would I go about checking for proper setup?
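How to check the records the last two posts talk about, as an added example that is not part of the thread or of Virtualmin: it fetches the SPF, DKIM and DMARC TXT records with `dig` and evaluates an SPF record against a sending IP offline (only `ip4:` terms; `a`, `mx`, `include:` and `ptr` need DNS lookups, so they are reported as undetermined rather than guessed). The DKIM selector to query is the one in the message's own DKIM-Signature, `d=smart-guy.co.uk; s=202302`, so the key lives at 202302._domainkey.smart-guy.co.uk. One caveat: SPF and DKIM let receivers reject mail that never went through your server, but the raw message above was accepted by rread.co.uk "with ESMTPA" (an authenticated submission) and was then signed with your own key, so for that message both checks pass, and the thing to examine is the login that was used (the mail.log lines with sasl_username=james from 84.242.231.48).

```shell
#!/bin/sh
# Added example (not from the thread): SPF/DKIM/DMARC checks for a sending domain.

# Fetch a TXT record and join dig's quoted fragments (long DKIM keys come back as
# several "..." pieces). Needs network access; everything else below is offline.
dns_txt() { dig +short TXT "$1" | sed 's/" "//g; s/"//g'; }

# spf_result RECORD IPV4 -> pass|fail|softfail|neutral|none|undetermined ...|not-spf
# Evaluates ip4: terms (with optional /prefix) and the final "all"; ip6:, redirect=
# and exp= are ignored, and a/mx/include:/ptr/exists: make the result undetermined
# because deciding them requires DNS.
spf_result() {
    printf '%s\n' "$1" | awk -v ip="$2" '
    function toint(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    function verdict(q) { return q == "-" ? "fail" : q == "~" ? "softfail" : q == "?" ? "neutral" : "pass" }
    {
        if ($1 != "v=spf1") { print "not-spf"; exit }
        pending = ""
        for (i = 2; i <= NF; i++) {
            t = $i; q = "+"
            if (t ~ /^[-+~?]/) { q = substr(t, 1, 1); t = substr(t, 2) }
            if (t ~ /^ip4:/) {
                n = split(substr(t, 5), c, "/"); bits = (n == 2) ? c[2] + 0 : 32
                blk = 2 ^ (32 - bits)                       # addresses per prefix block
                if (int(toint(ip) / blk) == int(toint(c[1]) / blk)) {
                    r = pending ? "undetermined" pending : verdict(q); print r; exit
                }
            } else if (t == "all") {
                r = pending ? "undetermined" pending : verdict(q); print r; exit
            } else if (t ~ /^(a|mx|ptr)$|^(a|mx|include|ptr|exists):/) {
                pending = pending " " t
            }
        }
        print "none"
    }'
}

# dkim_status RECORD -> ok|revoked|missing   (TXT at SELECTOR._domainkey.DOMAIN)
dkim_status() {
    case "$1" in
        "")            echo missing ;;
        *p=\;*|*p=)    echo revoked ;;        # empty p= publishes a revoked key
        *p=*)          echo ok ;;
        *)             echo missing ;;
    esac
}

# dmarc_policy RECORD -> none|quarantine|reject (the p= tag) or missing
dmarc_policy() {
    case "$1" in
        v=DMARC1*) printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | head -n 1 ;;
        *)         echo missing ;;
    esac
}

# Live check: check_domain smart-guy.co.uk 5.65.241.20 202302
check_domain() {
    spf=$(dns_txt "$1" | grep '^v=spf1' | head -n 1)
    echo "SPF   $1: ${spf:-<no record>} -> $(spf_result "$spf" "$2") for $2"
    echo "DKIM  $3._domainkey.$1: $(dkim_status "$(dns_txt "$3._domainkey.$1")")"
    echo "DMARC _dmarc.$1: p=$(dmarc_policy "$(dns_txt "_dmarc.$1")")"
}

# Offline demonstration on constructed records:
spf_result 'v=spf1 ip4:5.65.241.20 -all' 5.65.241.20        # pass
spf_result 'v=spf1 ip4:5.65.241.20 -all' 188.136.142.252    # fail
spf_result 'v=spf1 a mx -all' 5.65.241.20                   # undetermined a mx
dmarc_policy 'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com'   # quarantine
```

What "set up correctly" means in these terms: the SPF record returns `pass` for the address your mail actually leaves from and `fail` (`-all`) for everything else, the DKIM selector record is `ok`, and the DMARC policy is `quarantine` or `reject` with an `rua=` address so you receive the reports. With a dynamic residential address the `ip4:` term is wrong every time the address changes, which is the case the Gmail bounce in the log was describing; if you relay through your provider instead, SPF must then name the relay with an `include:` term, which this evaluator reports as undetermined precisely because only a DNS lookup can expand it.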