SPAM email - spoofed as me

SYSTEM INFORMATION
Ubuntu Linux 18.04.6 REQUIRED
Webmin 2.100,
Virtualmin version 7.7 REQUIRED

I have CSF, ClamAV, SpamAssassin installed,
separate (external) DNS, with DKIM/DomainKey, DMARC, SPF records.
mxtoolbox says all 3 are correct.

I have changed passwords for root, and all email accounts.
ClamAV had found a virus prior, but today it is clear, and yet still more spoofed email.
I removed only 5.x and 7.x PHP, now running 8.1 - I thought it was a PHP script vulnerability.

I cannot stop my server sending spam.
I see in my own inbox email spoofed by an external sender as sent by me.
I click on the header and see the email sent from an external source (see below).
I can stop them for a while by blocking their IP address.
The email header says DKIM failed, so how does it get through?
What log can show me who this is?
So how can I stop this?

Return-Path: <>
X-Original-To: info@abc.com
Delivered-To: xyz-abc.com@localhost.localdomain
Received: by server.abc.com (Postfix)
id 46D43B1608; Wed, 26 Jul 2023 13:31:01 +0000 (UTC)
Delivered-To: info-abc.com@localhost.localdomain
Received: from dcacinc.com (unknown [45.132.18.248])
by server.abc.com (Postfix) with ESMTP id D4B45B15D7
for info@abc.com; Wed, 26 Jul 2023 13:31:00 +0000 (UTC)
Authentication-Results: server.abc.com;
dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=aol.com header.i=@aol.com header.b="og8IRrhz";
dkim-atps=neutral
Received: by 2002:a05:6022:419e:b0:44:32db:72ed with SMTP id c30csp259366laa;
Wed, 26 Jul 2023 05:27:49 -0700 (PDT)
X-Google-Smtp-Source: APBJJlHuZVqJLPqHsFEeJP1Gz5r2NzYnm4V+UFeMXwAWAthRG8HONhNiX9G5DRTEeYPt1GfbUj0c
X-Received: by 2002:a05:620a:2a0b:b0:768:2b02:d41 with SMTP id o11-20020a05620a2a0b00b007682b020d41mr2519469qkp.57.1690374468860;
Wed, 26 Jul 2023 05:27:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690374468; cv=none;
d=google.com; s=arc-20160816;
b=Xb0lkn0dNkD1V4xPSFFvAEd46Ufe5lFD1TxXwu/oNJcGMcIiucuJHoR/hZ/x9jxI9w
Udzz9BnAwQOBf/ehIwJsO2hCMDObp34Dd6D1Pd0CaR6M2mNFYZ26UOb/EqTcDCGvd0+E
Gm99cdzQy2ILr38jE+gIF2v7d0li+awWtiFkmt7bAZRTtwlW0MuwtyoVoUobjUGTv4Sx
yFKTMv3thi0YBqqNb60B9ukSUUKWCEavflXNsZMR/Yuh7CEbA8tBO8tJK1wUni6afdrB
+sf2wJt/VHmqFFV1uxKmcfzJfV4CWfCLKHAdj9lXyRlsfS7dWaOQ9+dAB34UYIpC44VQ
L0Mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:subject:references:in-reply-to:message-id:to:from:date
:dkim-signature;
bh=9CaJcABoSJ3Y5lrB6ZBgwoEg/MuJi3tVa6htKxkH4ik=;
fh=L8Cjpnf7WAnb36w845cXirL8nff2NdMyffZDlRztYgA=;
b=DwDADEq2SK4lt9lWgD9GkRoZWwUdRC8BFwBJZt8xSa2jG9qUesu0h9sQnggcmxIWSm
fgEh4x/FV9k0Op7ZIGD9bZiWfVjsL0c8vDe0oer77lh5Va679foeF2tDjQs/1IsqaITq
QnRsTmSWBAHrormbiHBbSFVJVcLf9QUcvwk3TPMMebyhsNeGywf7SjzJqPHKkcqfIC4Q
ySPVG0vySKEE2UWCvYdN+k0eteW8kBlBQw9/wlkOec2Be3VNVvukgmsQUjmPieLgfrqf
+OS4xvx1U6nscPRRzumLJCL9LdVNpAsVVfE/MsbwrK0VjmBJaxUchd4Xb75wXdHs2Ogo
EDWg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@aol.com header.s=a2048 header.b=og8IRrhz;
spf=pass (google.com: domain of info@abc.com designates 66.163.185.206 as permitted sender) smtp.mailfrom=info@abc.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=aol.com
Received: from sonic321-25.consmr.mail.ne1.yahoo.com (sonic321-25.consmr.mail.ne1.yahoo.com. [66.163.185.206])
by mx.google.com with ESMTPS id f10-20020a05622a104a00b00403c7a46698si8056971qte.440.2023.07.26.05.27.48
for info@abc.com
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Wed, 26 Jul 2023 05:27:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of info@abc.com designates 66.163.185.206 as permitted sender) client-ip=66.163.185.206;
Authentication-Results: mx.google.com;
dkim=pass header.i=@aol.com header.s=a2048 header.b=og8IRrhz;
spf=pass (google.com: domain of info@abc.com designates 66.163.185.206 as permitted sender) smtp.mailfrom=info@abc.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=aol.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1690374468; bh=9CaJcABoSJ3Y5lrB6ZBgwoEg/MuJi3tVa6htKxkH4ik=; h=Date:From:To:In-Reply-To:References:Subject:From:Subject:Reply-To; …


X-Sonic-MF: info@abc.com
X-Sonic-ID: 7913b128-550d-4559-8ca4-085a9aa835e9
Received: from sonic.gate.mail.ne1.yahoo.com by sonic321.consmr.mail.ne1.yahoo.com with HTTP; Wed, 26 Jul 2023 12:27:48 +0000
Date: Wed, 26 Jul 2023 15:30:46 +0200
From: Shell 2022 info@abc.com
To: Shell 2022 info@abc.com
Message-ID: 1165396162.5485103.1690163815330@mail.yahoo.com
Subject: you have (1) Shell Reward ready to claim !
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_5447617_1191263717.1690374466117"
X-Mailer: WebService/1.1.21647 AolMailNorrin

from the mail log:
Jul 26 13:31:01 server postfix/qmgr[3795]: D4B45B15D7: removed
Jul 26 13:31:01 server postfix/local[20806]: D4B45B15D7: to=info-abc.com@localhost.localdomain, orig_to=info@abc.com, relay=local, delay=0.45, delays=0.42/0/0/0.03, dsn=2.0.0, status=sent (forwarded as 46D43B1608)
Jul 26 13:31:01 server postfix/local[20806]: D4B45B15D7: to=info-abc.com@localhost.localdomain, orig_to=info@abc.com, relay=local, delay=0.44, delays=0.42/0/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir)
Jul 26 13:31:01 server postfix/qmgr[3795]: D4B45B15D7: from=<>, size=12960, nrcpt=1 (queue active)
Jul 26 13:31:01 server opendkim[381]: D4B45B15D7: bad signature data
Jul 26 13:31:01 server opendkim[381]: D4B45B15D7: s=a2048 d=aol.com SSL error:04091068:rsa routines:int_rsa_verify:bad signature
Jul 26 13:31:01 server opendkim[381]: D4B45B15D7: external host [45.132.18.248] attempted to send as abc.com
Jul 26 13:31:01 server postfix/cleanup[20663]: D4B45B15D7: message-id=1165396162.5485103.1690163815330@mail.yahoo.com
Jul 26 13:31:00 server postfix/smtpd[20797]: D4B45B15D7: client=unknown[45.132.18.248]
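The question of which log shows who is doing this can be answered from the mail log lines just quoted: the OpenDKIM "external host [IP] attempted to send as" line, the smtpd "client=" line and the qmgr "from=" line all carry the same Postfix queue ID, so they can be joined per message. The triage script below is an added example, not part of this thread or of Virtualmin; its sample log lines are constructed in the format quoted above, using the placeholder domain example.com and IP addresses from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin: join the OpenDKIM
# "external host ... attempted to send as" events in a Postfix mail.log to the
# smtpd "client=" and qmgr "from=" lines of the same queue ID.
# SAMPLE_LOG is constructed in the format quoted in the thread; hosts use the
# RFC 5737 documentation ranges and the placeholder domain example.com.

SAMPLE_LOG='Jul 24 00:59:29 server postfix/smtpd[19144]: AAAA1B1689: client=unknown[203.0.113.7]
Jul 24 00:59:29 server opendkim[363]: AAAA1B1689: external host [203.0.113.7] attempted to send as example.com
Jul 24 00:59:29 server postfix/qmgr[9878]: AAAA1B1689: from=<info@example.com>, size=7850, nrcpt=1 (queue active)
Jul 24 01:02:11 server postfix/smtpd[19150]: BBBB2B15B0: client=user-198-51-100-9.isp.example[198.51.100.9], sasl_method=LOGIN, sasl_username=xyz@example.com
Jul 24 01:02:11 server opendkim[363]: BBBB2B15B0: DKIM-Signature field added (s=202200, d=example.com)
Jul 24 01:02:11 server postfix/qmgr[9878]: BBBB2B15B0: from=<xyz@example.com>, size=7920, nrcpt=1 (queue active)
Jul 24 01:05:40 server postfix/smtpd[19160]: CCCC3B15B1: client=unknown[203.0.113.55]
Jul 24 01:05:40 server opendkim[363]: CCCC3B15B1: bad signature data
Jul 24 01:05:40 server opendkim[363]: CCCC3B15B1: external host [203.0.113.55] attempted to send as example.com
Jul 24 01:05:40 server postfix/qmgr[9878]: CCCC3B15B1: from=<>, size=12960, nrcpt=1 (queue active)'

# Reads mail.log lines on stdin; prints one tab-separated row per queue ID that
# OpenDKIM flagged:  QUEUE_ID  CLIENT_IP  AUTH  ENVELOPE_FROM  SPOOFED_DOMAIN
# Usage on a live box:  spoof_report < /var/log/mail.log
spoof_report() {
    awk '
        # Every Postfix/OpenDKIM line of interest carries "]: <QUEUEID>:" after the PID.
        {
            if (!match($0, /]: [0-9A-F]+:/)) next
            qid = substr($0, RSTART + 3, RLENGTH - 4)
        }
        # smtpd: connecting client; sasl_username= means an authenticated submission
        /postfix\/smtpd\[[0-9]+]: [0-9A-F]+: client=/ {
            if (match($0, /\[[0-9]+\.[0-9.]+]/))
                ip[qid] = substr($0, RSTART + 1, RLENGTH - 2)
            auth[qid] = ($0 ~ /sasl_username=/) ? "sasl" : "none"
        }
        # opendkim: the spoof indicator; the domain is the last token of the line
        /opendkim\[[0-9]+]: [0-9A-F]+: external host .* attempted to send as / {
            n = split($0, w, " ")
            dom[qid] = w[n]
            if (!(qid in seen)) { seen[qid] = 1; order[++k] = qid }
        }
        # qmgr: envelope sender; "<>" is the null sender used by bounces (and by spam)
        /postfix\/qmgr\[[0-9]+]: [0-9A-F]+: from=</ {
            if (match($0, /from=<[^>]*>/)) {
                f = substr($0, RSTART + 6, RLENGTH - 7)
                from[qid] = (f == "") ? "<>" : f
            }
        }
        END {
            for (i = 1; i <= k; i++) {
                q = order[i]
                printf "%s\t%s\t%s\t%s\t%s\n", q, ip[q], auth[q], from[q], dom[q]
            }
        }
    '
}

# Count flagged messages per client IP, ignoring SASL-authenticated submissions
# (those are your own users); output is "count ip", busiest source first.
spoof_sources() {
    spoof_report | awk -F'\t' '$3 == "none" { c[$2]++ } END { for (i in c) print c[i], i }' | sort -rn
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | spoof_report
```

Running the demo lists the two unauthenticated messages (one with an envelope sender in the protected domain, one with the null sender) and leaves the SASL-authenticated submission out of the report. The AUTH column is what separates a real user on Outlook over 465 from an unknown host, and the ENVELOPE_FROM column shows which messages a MAIL FROM restriction would catch and which (the "<>" ones) only a header-level check could.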

If the email was sent from an external source (IP address that isn’t your server’s), I think you can just ignore it as long as you have set up an SPF record to reject unknown IPs.

External IP is normal, i.e. all our Outlook clients are external, and customers are external.
What is different here is that opendkim[381] has detected the email is bad, but let it through?

here is an example of a legitimate email (received):
Jul 26 20:53:32 server postfix/qmgr[18614]: 8023AB15B0: removed
Jul 26 20:53:32 server postfix/local[24021]: 8023AB15B0: to=xyz-abc.com@localhost.localdomain, orig_to=xyz@abc.com, relay=local, delay=0.16, delays=0.14/0/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir)
Jul 26 20:53:32 server postfix/qmgr[18614]: 8023AB15B0: from=RTE+NE-null-de34cA07341473S5TNKG2Z0TM@sellernotifications.amazon.com, size=33842, nrcpt=1 (queue active)
Jul 26 20:53:32 server opendkim[381]: 8023AB15B0: s=jvxsykglqiaiibkijmhy37vqxh4mzqr6 d=amazon.com SSL
Jul 26 20:53:32 server opendkim[381]: 8023AB15B0: message has signatures from amazon.com, amazonses.com
Jul 26 20:53:32 server postfix/cleanup[23974]: 8023AB15B0: message-id=0100018993fa7434-f3decb21-1dcc-471f-85d3-6bc6789e0994-000000@email.amazonses.com
Jul 26 20:53:32 server postfix/smtpd[24187]: 8023AB15B0: client=a13-63.smtp-out.amazonses.com[54.240.13.63]

And an example of a sent email (note: I don't see any DKIM on sent?):
Good example (sent)
Jul 26 22:51:11 server postfix/qmgr[18614]: A2F8DB15B0: removed
Jul 26 22:51:11 server postfix/smtp[8408]: A2F8DB15B0: to=qwerty@yahoo.com, relay=mta7.am0.yahoodns.net[67.195.204.74]:25, delay=0.95, delays=0.26/0.01/0.34/0.33, dsn=2.0.0, status=sent (250 ok dirdel)
Jul 26 22:51:10 server postfix/qmgr[18614]: A2F8DB15B0: from=xyzr@abc.com, size=7920, nrcpt=1 (queue active)
Jul 26 22:51:10 server postfix/cleanup[8407]: A2F8DB15B0: message-id=00d601d9c013$abf9b280$03ed1780$@abc.com
Jul 26 22:51:10 server postfix/smtpd[8403]: A2F8DB15B0: client=user-11.11.11.11.knology.net[11.11.11.11], sasl_method=LOGIN, sasl_username=xyz@abc.com

And the same good email, as received by our client:
and receipt at abc:
Received: from 10.197.39.105
by atlas305.free.mail.bf1.yahoo.com pod-id NONE with HTTPS; Wed, 26 Jul 2023 22:51:11 +0000
Return-Path: xyz@abc.com
X-Originating-Ip: [216.137.177.223]
Received-SPF: pass (domain of abc.com designates 11.11.11.11 as permitted sender)
Authentication-Results: atlas305.free.mail.bf1.yahoo.com;
dkim=pass header.i=@abc.com header.s=202200;
spf=pass smtp.mailfrom=abc.com;
dmarc=pass(p=REJECT) header.from=abc.com;
X-Apparently-To: qwertyr@yahoo.com; Wed, 26 Jul 2023 22:51:11 +0000
X-YMailAVSC: …
X-YMailISG: …
Received: from 11.11.11.11 (EHLO server.abc.com)
by 10.197.39.105 with SMTPs
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
Wed, 26 Jul 2023 22:51:11 +0000
Received: from client (user-22.22.22.22.knology.net [22.22.22.22])
by server.abc.com (Postfix) with ESMTPSA id A2F8DB15B0
for qwerty@yahoo.com; Wed, 26 Jul 2023 22:51:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=abc.com;
s=202200; t=1690411870;
bh=dC5d75MUh5EgbbX0Pz36zZd41NJPoi52U0ZKAaXylz8=;
h=From:To:Subject:Date:From;
…==

versus the bad:
server opendkim[381]: 2F0FCB15D7: external host sc-ord-mta116.mtasv.net attempted to send as abc.com

So Postfix / opendkim 'knows' it's bad, but did nothing?

exact same issue here

Have you tested for open relay? External hosts should not be able to connect in the first place.

I searched my logs and have found no "attempted to send as" or "external host". So it sounds like you have opened up something from standard.

Using mxtools, can you do a mail health test?

Not everything works perfectly 100 percent of the time. As long as the spoofed mails are only an occasional thing, I don’t worry about them.

Richard

I performed a mxtoolbox email health test.
All good, no relay, all mail server 25 tests are good.
But one warning on DNS, "SOA Expire Value out of recommended range", which is 1hr, but RFC1912 says 2-4 weeks, but GoDaddy has a max 1 week. Either way, it's a minor nit, and not the issue here.

Interesting, digging on the good vs bad (2 bad examples):

list of all the opendkim[381]
Jul 26 23:46:01 server opendkim[381]: E2B41B15B0: s=jvxsykglqiaiibkijmhy37vqxh4mzqr6 d=amazon.com SSL
Jul 26 23:46:01 server opendkim[381]: E2B41B15B0: message has signatures from amazon.com, amazonses.com
Jul 26 23:45:24 server opendkim[381]: 97C48B15B0: s=jvxsykglqiaiibkijmhy37vqxh4mzqr6 d=amazon.com SSL
Jul 26 23:45:24 server opendkim[381]: 97C48B15B0: message has signatures from amazon.com, amazonses.com
Jul 26 23:17:49 server opendkim[381]: EEEB4B15B0: s=20221208 d=gmail.com SSL
Jul 26 22:35:30 server opendkim[381]: C28D5B15B0: s=dk d=studentsforlife.org SSL
Jul 26 21:07:31 server opendkim[381]: 248C5B15B0: bad signature data
Jul 26 21:07:31 server opendkim[381]: 248C5B15B0: s=sailthru d=mail.bloombergbusiness.com SSL error:04091068:rsa routines:int_rsa_verify:bad signature
Jul 26 21:07:31 server opendkim[381]: 248C5B15B0: external host [195.133.196.250] attempted to send as abc.com
Jul 26 21:01:58 server opendkim[381]: 29262B15B0: s=smtpapi d=sendgrid.net SSL
Jul 26 20:53:32 server opendkim[381]: 8023AB15B0: s=jvxsykglqiaiibkijmhy37vqxh4mzqr6 d=amazon.com SSL
Jul 26 20:53:32 server opendkim[381]: 8023AB15B0: message has signatures from amazon.com, amazonses.com
Jul 26 19:36:00 server opendkim[381]: BC423B15B0: s=k2 d=mailchimpapp.net SSL
Jul 26 18:31:36 server opendkim[381]: 38DABB15B0: s=k1 d=mailengine4.com SSL
Jul 26 18:27:38 server opendkim[381]: 0BF3FB15B0: s=200608 d=niceforyou.com SSL
Jul 26 18:13:09 server opendkim[381]: 533E1B15B0: s=200608 d=Diodes.com SSL
Jul 26 17:47:31 server opendkim[381]: DD5B2B15B0: s=umail d=dm.mydidadi-logistics.com SSL
Jul 26 17:45:52 server opendkim[381]: 7952DB15B0: bad signature data
Jul 26 17:45:52 server opendkim[381]: 7952DB15B0: s=sailthru d=mail.bloombergbusiness.com SSL error:04091068:rsa routines:int_rsa_verify:bad signature
Jul 26 17:45:52 server opendkim[381]: 7952DB15B0: external host [195.133.49.211] attempted to send as abc.com
Jul 26 17:30:22 server opendkim[381]: EFB06B15B0: s=pps1 d=ups.com SSL

Here is the BAD email ID 248C5B15B0

Return-Path: <>
X-Original-To: info@abc.com
Delivered-To: info-abc.com@localhost.localdomain
Received: from maktoob.net (unknown [195.133.196.250])
by server.abc.com (Postfix) with ESMTP id 248C5B15B0
for info@abc.com; Wed, 26 Jul 2023 21:07:31 +0000 (UTC)
Authentication-Results: server.abc.com;
dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=mail.bloombergbusiness.com header.i=noreply@mail.bloombergbusiness.com header.b="Th4se77R";
dkim-atps=neutral
Received: from bloomberg-b.sailthru.com (192.64.236.13) by
VI1EUR04FT061.mail.protection.outlook.com (10.152.28.106) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.6277.18 via Frontend Transport; Sun, 2 Apr 2023 13:46:29 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:86FA9243A492EC13472F2590BE2EF458385AD9B45079815655D74C895BA45EE9;UpperCasedChecksum:34E3DA021E188A42672D0A7BC02764F9E1E4832CBB80517544D1AB18FC50C8D7;SizeAsReceived:1757;Count:21
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=sailthru; d=mail.bloombergbusiness.com;
h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe;
i=noreply@mail.bloombergbusiness.com;
bh=xeTIMBGO05F0Sc0M2qjv99c6PELzxI6J+QQSijNezaw=;
b=Th4se77RHXYPNLaktKLCl5TTF8KrwQorIalsY5NsiZ+c5P+ReUkRzTAdqgwmXZ16oH6h4CKYt4Op
F8Q9MFqroiE4UGECasBXqWyAMoYGlFfC9GC1lMIyOc5L8VYDI7rNlo+wysMkUOpgT3wJ4VYifp05
H4Oaoyp8+DNhlYTV3ug=
Received: from nj1-mta32.sailthru.com (204.153.120.167) by bloomberg-b.sailthru.com id h563ja30nu8a for info@abc.com; Sun, 2 Apr 2023 09:46:17 -0400 (envelope-from delivery_20230402094616.31039365.62936@mx.sailthru.com)
Date: Wed, 26 Jul 2023 23:07:27 +0200
From: Samsung TV info@abc.com
To: infoinfo@abc.com
Message-ID: 4lzeIpT82DJGZzSSPk9jBCOL9pNSk@sailthru.com
Subject: Congratulations you won!
Content-Type: text/html;
Precedence: bulk
X-Feedback-ID: 6358:31039365:campaign:sailthru
X-TM-ID: 20230402094616.31039365.62936
X-Info: Message sent by sailthru.com customer Bloomberg Business
X-Info: We do not permit unsolicited commercial email
X-Info: Please report abuse by forwarding complete headers to
X-Info: info@abc.com
X-Mailer: sailthru.com
X-JMailer: nj1-bigcopper.flt
X-Unsubscribe-Web: Bloomberg Business - Opt Out
List-Unsubscribe: https://link.mail.bloombergbusiness.com/oc/6426c311095284e9580effd1iha4l.1ck8/3799de1c, mailto:unsubscribe_20230402094616.31039365.62936@mx.sailthru.com
X-rpcampaign: stjko31039365
X-IncomingHeaderCount: 21
X-MS-Exchange-Organization-ExpirationStartTime: 02 Apr 2023 13:46:29.7527
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
e2bf3a9f-0cf0-462c-041e-08db3380a99d
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic:
VI1EUR04FT061:EE_|SA1PR15MB4452:EE_|MW4PR15MB4476:EE_
X-MS-Exchange-Organization-AuthSource:
VI1EUR04FT061.eop-eur04.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-UserLastLogonTime: 4/1/2023 10:53:49 PM
X-MS-Office365-Filtering-Correlation-Id: e2bf3a9f-0cf0-462c-041e-08db3380a99d
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 192.64.236.13
X-SID-PRA: NOREPLY@MAIL.BLOOMBERGBUSINESS.COM
X-SID-Result: PASS
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:2;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Apr 2023 13:46:29.4558
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e2bf3a9f-0cf0-462c-041e-08db3380a99d
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-AuthSource:
VI1EUR04FT061.eop-eur04.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR15MB4452
X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.2530387
X-MS-Exchange-Processed-By-BccFoldering: 15.20.6254.030
X-Microsoft-Antispam-Mailbox-Delivery:
abwl:0;wl:0;pcwl:0;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000305)(90000117)(90012020)(91020020)(91040095)(9050020)(9100338)(4810010)(4910033)(8820095)(9575002)(10195002)(9320005);
X-Message-Info:
qZelhIiYnPkx84CNH6AeQs2r1mfbx475RiI5K0+Xb2fvrntBfTJ10N2zNIvcvtf7VgXmo/rIiDQIXO6S3rtSdn/H4xrzDv+I2RFpBW+pxB4yhwf8VqBxAb2oTJ+jKAPjknpLKx0rGhWF/Oowozp6RA==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0z
X-Microsoft-Antispam-Message-Info:
=?utf-8?B?SG5jbGI4SzRnVVNXQUpFeUl3QTEzYUxxdUpVL1dQaWlCcUJKRnowUlhORlMv?=
=?utf-8…=

Maybe that's just a warning failure, it does say attempted. I mean if a robber attempted to break in, that means the robber failed.

I received the email; it is in my inbox. Just concerned if 'they' are spamming others from me...

Could this be related to allowing port 25? Should I close 25 and only allow 587 or 465?
I need email from external clients like Outlook (using 465, SSL), and also localhost for PHP scripts.
See similar issue, "Make postfix reject incoming email spoofed as from my own domain" here

The header indicates it's coming from a marketing mob; have you tried the opt-out link?

Every email is different, it's not the same kind of message, or the same 'opt-out'.

Think I could solve this with Postfix 'SMTP Client Restrictions'?

We all get spam; how many emails are you getting?
The default Virtualmin setup has all the restrictions you need. You should avoid changing settings in Webmin, as Virtualmin sets up the server on a per-domain basis. I've never had an issue that worried me with spam. Virtualmin has SpamAssassin; you can create rules in there to block emails.

Steve

Getting hundreds, it's a pain. There is an issue here that Virtualmin/Webmin is NOT dealing with.
Why is it not rejecting: external host [109.206.242.67] attempted to send as abc.com
This is a bug that needs a solution.

example without ‘opt-out’: 50BDEB1689
Jul 24 00:59:29 server postfix/smtpd[19144]: 50BDEB1689: client=unknown[109.206.242.67]
Jul 24 00:59:29 server postfix/cleanup[19148]: 50BDEB1689: message-id=20230724025928.629CF2106D4EE5AB@abc.com
Jul 24 00:59:29 server opendkim[363]: 50BDEB1689: external host [109.206.242.67] attempted to send as abc.com
Jul 24 00:59:29 server postfix/qmgr[9878]: 50BDEB1689: from=info@abc.com, size=7850, nrcpt=1 (queue active)
Jul 24 00:59:29 server postfix/local[19149]: 50BDEB1689: to=info-abc.com@localhost.localdomain, orig_to=info@abc.com, relay=local, delay=0.5, delays=0.47/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir)
Jul 24 00:59:29 server postfix/local[19149]: 50BDEB1689: to=info-abc.com@localhost.localdomain, orig_to=info@abc.com, relay=local, delay=0.5, delays=0.47/0.01/0/0.02, dsn=2.0.0, status=sent (forwarded as A8BF8B168B)
Jul 24 00:59:29 server postfix/qmgr[9878]: 50BDEB1689: removed

If info is where all the emails are going to, remove it and use a different email address.
See if that slows the emails.

If this is going to your email server, I don't see any SPAM headers that show your SpamAssassin is picking this up. Check to make sure it is running.

This is NOT A BUG. It's a practice done by many spammers, and your opendkim is doing its job reporting that to you in the logs.

I disagree. OpenDKIM is flagging, but doing nothing about it; there doesn't seem to be any switch I can set for it to remove them.

Also, I agree on SpamAssassin: it doesn't seem to be making the subject modification (adding "*** SPAM ***"). I never see any output from SpamAssassin; how can I verify?

OK, fixed the delivery. It was sending to folder .spam, but Outlook POP3 can only view email from the 'inbox', so I changed to 'deliver normally' following the Virtualmin setup here.

So I may see email now with my modified header.
But regardless, why didn't it stop the opendkim-warned "server opendkim[381]: 7952DB15B0: external host [195.133.49.211] attempted to send"
or with failed DKIM: dkim=fail reason="signature verification failed" (1024-bit key; unprotected)

Why are these allowed through?

Also, for the SpamAssassin integration, I assume it's the standalone option?

Anyone using a bad signature is usually sent to the spam folder by SpamAssassin if you have it running.
You can always look into the OpenDKIM documentation: http://www.opendkim.org/docs.html so you can understand what each directive does in your opendkim.conf. The rules are here: opendkim.conf

spamc should be ticked

OK, changed to spamc.

Also modified the opendkim.conf, as there is no way to set this in the Virtualmin setup (note, guys: a good thing to add for a future release!)
nano /etc/opendkim.conf

On-Default accept
On-BadSignature reject
On-DNSError tempfail
On-InternalError tempfail
On-KeyNotFound accept
On-NoSignature accept
On-Security tempfail
On-SignatureError reject

Then to reload: systemctl restart opendkim

Why do I not see any X-Spam headers on emails?
How can I check the Virtualmin setup files?
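The opendkim.conf change above only acts on messages that carry a DKIM signature which fails to verify (On-BadSignature reject); the 50BDEB1689 example earlier in the thread shows no signature line from opendkim at all, only the "attempted to send as" notice, and On-NoSignature accept still lets such a message in. The "attempted to send as" line is OpenDKIM noting that a host outside its internal hosts used a domain it signs for; it is a log entry, not a rejection. Rejecting that case is the Postfix-side job the linked question ("Make postfix reject incoming email spoofed as from my own domain") and the "SMTP Client Restrictions" idea refer to: a sender restriction that rejects the local domain in MAIL FROM unless the client is in mynetworks or SASL-authenticated. The script below is an added example, not the thread's or Virtualmin's own configuration; it writes the two Postfix pieces into a scratch directory (OUT) using the thread's placeholder domain abc.com, so nothing under /etc/postfix is touched until the files are copied there by hand.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin: render the Postfix
# pieces that reject the local domain as envelope sender (MAIL FROM) when the
# client is neither in mynetworks nor SASL-authenticated. "abc.com" is the
# placeholder domain used throughout the thread; the output directory is a
# scratch location so nothing under /etc/postfix is touched by this script.

render_sender_access() {
    # $1 = domain to protect. Access-table syntax: key, whitespace, action [text].
    # check_sender_access looks up the full address, then the domain, so a single
    # "abc.com" entry covers every user@abc.com.
    printf '%s\tREJECT Unauthenticated senders may not use %s\n' "$1" "$1"
}

render_main_cf_fragment() {
    # Order matters: the two permit_ entries must come before check_sender_access,
    # so Outlook clients on 465/587 (SASL) and PHP scripts on localhost
    # (mynetworks) keep sending, while an unknown host putting the domain in
    # MAIL FROM is rejected at the SMTP dialogue instead of being delivered.
    cat <<'EOF'
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    permit
EOF
}

restriction_order_ok() {
    # Reads a fragment on stdin; exit 0 when no permit_mynetworks or
    # permit_sasl_authenticated line follows check_sender_access (the ordering
    # mistake that would lock out your own users).
    awk '
        /check_sender_access/ { seen_check = 1 }
        /permit_(mynetworks|sasl_authenticated)/ && seen_check { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

write_spoof_guard() {
    # $1 = domain, $2 = output directory
    mkdir -p "$2"
    render_sender_access "$1" > "$2/sender_access"
    render_main_cf_fragment > "$2/main.cf.fragment"
}

# Typical use:  write_spoof_guard abc.com /tmp/spoof-guard
# Then, after copying the files into /etc/postfix:
#   postmap /etc/postfix/sender_access && postfix reload
```

Two caveats on what this does and does not cover. Virtualmin writes main.cf itself, so check the value it already set (postconf smtpd_sender_restrictions) and merge rather than replace. And the restriction inspects the envelope sender, the qmgr from= field in the logs: the 50BDEB1689 message (from=info@abc.com) would have been rejected, but the very first example (from=<>, with abc.com only in the From: header) would not. Catching that one needs a header_checks rule on From:, which Postfix applies to all mail including your own users' submissions unless the submission service in master.cf is exempted with receive_override_options=no_header_body_checks; that is an assumption about how you would extend this, not something the thread configures.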