SPAM email - spoofed as me (v2)

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.2
Webmin version: 2.021
SpamAssassin version: 3.4.6
Virtualmin version: 7.7

Built a new server, and Webmin/Virtualmin with SpamAssassin has been forwarding emails with my header modification [*** SPAM ***] just fine,
but I still get these emails spoofed as me.
MXToolbox email health says I'm all good, i.e. DKIM and SPF working OK.

How can they do this?
UID 1001? What does this mean?
HEADER_FROM_DIFFERENT_DOMAINS - how do I block this?
NO_DNS_FOR_FROM - how do I block this?

Aug 8 18:16:36 server postfix/pickup[48365]: 34542346AB: uid=1001 from=
Aug 8 18:16:36 server postfix/cleanup[52298]: 34542346AB: message-id=20230808181636.34542346AB@server.abc.com
Aug 8 18:16:36 server postfix/qmgr[1194]: 34542346AB: from=abc@localhost.localdomain, size=882, nrcpt=1 (queue active)
Aug 8 18:16:58 server spamd[11147]: spamd: processing message 20230808181636.34542346AB@server.abc.com for info@abc.com:1003
Aug 8 18:17:02 server spamd[11147]: spamd: result: . 3 - FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,FROM_EXCESS_BASE64,HEADER_FROM_DIFFERENT_DOMAINS,NO_DNS_FOR_FROM,NO_RELAYS,T_PDS_PRO_TLD,URIBL_BLOCKED scantime=4.8,size=1024,user=info@abc.com,uid=1003,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39126,mid=20230808181636.34542346AB@server.abc.com,autolearn=no autolearn_force=no
Aug 8 18:17:02 server postfix/local[52299]: 34542346AB: to=<“info@abc.com”@localhost.localdomain>, orig_to=info@abc.com, relay=local, delay=27, delays=0.01/0/0/27, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Aug 8 18:17:02 server postfix/cleanup[52298]: 3662933987: message-id=20230808181636.34542346AB@server.abc.com
Aug 8 18:17:02 server postfix/local[52299]: 34542346AB: to=<“info@abc.com”@localhost.localdomain>, orig_to=info@abc.com, relay=local, delay=27, delays=0.01/0/0/27, dsn=2.0.0, status=sent (forwarded as 3662933987)
Aug 8 18:17:02 server postfix/qmgr[1194]: 34542346AB: removed
Aug 8 18:17:25 server spamd[11147]: spamd: processing message 20230808181636.34542346AB@server.abc.com for qwerty@abc.com:1002
Aug 8 18:17:29 server spamd[11147]: spamd: result: . 3 - FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,FROM_EXCESS_BASE64,HEADER_FROM_DIFFERENT_DOMAINS,NO_DNS_FOR_FROM,NO_RELAYS,T_PDS_PRO_TLD,URIBL_BLOCKED scantime=4.5,size=1181,user=qwerty@abc.com,uid=1002,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39888,mid=20230808181636.34542346AB@server.abc.com,autolearn=no autolearn_force=no

Note, I just deleted all the alias email addresses (hostmaster, postmaster, webmaster, abuse), created separate accounts each with their own password, and forward the emails to the main account.

Also, I removed the email account for the main virtual server, the one without the .com at the end (as this seems most likely). Email out and in still works fine without this, so I will see if this was the issue (somehow sending email from the main server account).

I don't think that is a good idea. IIRC there are system messages like LE cert renewals and some cron jobs and possibly others that go to the VS domain owner's mailbox.
Also those aliases are expected global defaults for any website/email on a domain.

The change seems OK, all email still works.

However, I just had another email; it says it used SASL login under one of my email addresses (this is legit: sasl_username=orders@abc.com).
I changed this email password 1 hr ago, and they still sent the message, so HOW?

Aug 8 20:29:01 server postfix/smtpd[12663]: AF5F033DA8: client=unknown[11.22.33.44], sasl_method=LOGIN, sasl_username=orders@abc.com
Aug 8 20:29:01 server postfix/cleanup[12665]: AF5F033DA8: message-id=20230808202901.AF5F033DA8@server.abc.com
Aug 8 20:29:01 server postfix/qmgr[9802]: AF5F033DA8: from=info@abc.com, size=1086, nrcpt=1 (queue active)
Aug 8 20:29:24 server spamd[771]: spamd: processing message 20230808202901.AF5F033DA8@server.abc.com for info@abc.com:1003
Aug 8 20:29:28 server spamd[771]: spamd: result: . 1 - ALL_TRUSTED,FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,FROM_EXCESS_BASE64,URIBL_BLOCKED scantime=4.2,size=1200,user=info@abc.com,uid=1003,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=53192,mid=20230808202901.AF5F033DA8@server.abc.com,autolearn=no autolearn_force=no
Aug 8 20:29:28 server postfix/local[12666]: AF5F033DA8: to=<“info@abc.com”@localhost.localdomain>, orig_to=info@abc.com, relay=local, delay=27, delays=0.05/0.01/0/27, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Aug 8 20:29:28 server postfix/cleanup[12665]: BBE06346F6: message-id=20230808202901.AF5F033DA8@server.abc.com
Aug 8 20:29:28 server postfix/local[12666]: AF5F033DA8: to=<“info@abc.com”@localhost.localdomain>, orig_to=info@abc.com, relay=local, delay=27, delays=0.05/0.01/0/27, dsn=2.0.0, status=sent (forwarded as BBE06346F6)
Aug 8 20:29:28 server postfix/qmgr[9802]: AF5F033DA8: removed
Aug 8 20:29:52 server spamd[771]: spamd: processing message 20230808202901.AF5F033DA8@server.abc.com for qwerty@abc.com:1002
Aug 8 20:29:56 server spamd[771]: spamd: result: . 1 - ALL_TRUSTED,FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,FROM_EXCESS_BASE64,URIBL_BLOCKED scantime=4.2,size=1357,user=qwerty@abc.com,uid=1002,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=54022,mid=20230808202901.AF5F033DA8@server.abc.com,autolearn=no autolearn_force=no
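An added example (not from any poster in this thread) that parses the Postfix/spamd lines quoted above and joins each queue ID to its spamd verdict, to show what uid=1001 on a pickup line versus sasl_username on an smtpd line says about how the message entered the queue. The sample log is constructed from this thread's excerpts; the regexes and the assumption that Postfix-generated Message-IDs carry the queue ID are mine.

```python
import re

# Sample input: constructed from the Postfix/spamd lines quoted in this thread (trimmed).
SAMPLE_LOG = """\
Aug 8 18:16:36 server postfix/pickup[48365]: 34542346AB: uid=1001 from=abc@localhost.localdomain
Aug 8 18:17:02 server spamd[11147]: spamd: result: . 3 - HEADER_FROM_DIFFERENT_DOMAINS,NO_DNS_FOR_FROM,NO_RELAYS scantime=4.8,size=1024,user=info@abc.com,uid=1003,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39126,mid=20230808181636.34542346AB@server.abc.com,autolearn=no autolearn_force=no
Aug 8 20:29:01 server postfix/smtpd[12663]: AF5F033DA8: client=unknown[11.22.33.44], sasl_method=LOGIN, sasl_username=orders@abc.com
Aug 8 20:29:28 server spamd[771]: spamd: result: . 1 - ALL_TRUSTED,FREEMAIL_FORGED_REPLYTO scantime=4.2,size=1200,user=info@abc.com,uid=1003,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=53192,mid=20230808202901.AF5F033DA8@server.abc.com,autolearn=no autolearn_force=no
"""

# pickup = handed to the local sendmail binary by a Unix user (uid); smtpd = an SMTP session
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+)")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+),"
                      r" sasl_method=\S+, sasl_username=(?P<user>\S+)")
# spamd logs the rounded score; the precise value is in the X-Spam-Status header
SPAMD_RE = re.compile(r"spamd: result: [.Y] (?P<score>-?\d+) - (?P<tests>\S+) "
                      r".*?required_score=(?P<req>[\d.]+).*?mid=<?(?P<mid>[^,>]+)")

def classify(log_text):
    """Join each queue ID's entry path with its spamd verdict; returns {qid: info}."""
    msgs = {}
    for line in log_text.splitlines():
        if m := PICKUP_RE.search(line):
            # Local injection: a process running as this uid called sendmail (e.g. a PHP form)
            msgs.setdefault(m["qid"], {})["path"] = f"local-injection uid={m['uid']}"
        elif m := SMTPD_RE.search(line):
            # Authenticated submission: the mailbox's credentials were used from that client
            msgs.setdefault(m["qid"], {})["path"] = f"sasl-auth {m['user']} from {m['client']}"
        elif m := SPAMD_RE.search(line):
            # Assumption: Postfix-generated Message-IDs look like YYYYMMDDHHMMSS.QUEUEID@host
            qid = m["mid"].split("@")[0].split(".")[-1]
            info = msgs.setdefault(qid, {})
            info["score"], info["required"] = int(m["score"]), float(m["req"])
            info["tests"] = m["tests"].split(",")
    return msgs

def explain(info):
    """Defender-facing notes: how the mail got in, and why SpamAssassin only tagged it."""
    notes, path = [], info.get("path", "")
    if path.startswith("local-injection"):
        notes.append("sent by a local process: audit web scripts/forms running as that uid")
    elif path.startswith("sasl-auth"):
        notes.append("sent with the mailbox's own credentials: rotate them, check the client IP")
    if "ALL_TRUSTED" in info.get("tests", []):
        notes.append("ALL_TRUSTED: every hop counted as trusted (authenticated submission or "
                     "trusted_networks), so relay-based checks did not fire")
    if info.get("score", 0) < info.get("required", 0):
        notes.append(f"score {info['score']} < required {info['required']}: tagged, not rejected")
    return "; ".join(notes)
```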

And SpamAssassin, why not reject with a score of 1.8 in 5?? Why not rejected?

Return-Path: info@abc.com
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server.abc.com
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=ALL_TRUSTED,
FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,FROM_EXCESS_BASE64,
URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6
X-Original-To: info@abc.com
Delivered-To: “info@abc.com@localhost.localdomain
Received: from abc.com (unknown [11.22.33.44])
by server.abc.com (Postfix) with ESMTPA id AF5F033DA8
for info@abc.com; Tue, 8 Aug 2023 20:29:01 +0000 (UTC)
MIME-Version: 1.0
To: info@abc.com
Subject: =?UTF-8?B?RW5xdWlyeSBKZWZmcmV5YXBvcnk=?=
Date: Tue, 08 Aug 2023 20:29:01 +0000
From: =?UTF-8?B?SmVmZnJleWFwb3J5?= info@abc.com
Reply-To: =?UTF-8?B?a29tYXJvdmFfb2xpYV8xOTc5XzE5XzlAbWFpbC5ydQ==?= komarova_olia_1979_19_9@mail.ru
X-Mailer: PHP/8.1.2-1ubuntu2.13
Content-Type: multipart/mixed; boundary=“----=_NextPart_08981528acbccddb82417cc5021b0569”
Message-Id: 20230808202901.AF5F033DA8@server.abc.com

From what I can see, you have SpamAssassin set to reject at 5. The spam score of 1.8 is not high enough to trigger the rejection.

I have a theory here, that OpenCart is not blocking spammers with reCAPTCHA v3 and it's the contact form, hence why it's my own IP…
Going to try and re-fix.

SpamAssassin is set to 5 and it only scored 1.8, so it won't do anything.

SPF shall reject or flag the email but I have not been able to set it up for that.

In these cases I prefer to block those emails with Postfix blacklists (especially when the spam email is higher than 500 emails per week). As a matter of fact, IP unknown [11.22.33.44] is blacklisted and shall be rejected right away. I combine the blacklist with fail2ban rejection in order to not deal with those pesky IPs very often. There is a long discussion about using or not using the blacklists.

mod_security was mentioned in that post related to "Fighting Spam & Malware with Virtualmin". Support for this Apache module will be passed to the community, as Trustwave announced the EOL of its support effective July 1, 2024.

Source: https://www.modsecurity.org/