It is then sent to our Helpdesk. How can I find the origin of that email?
It’s a phishing email and got past because my own email server passes SPF and DKIM (er, obviously).
So where did it come from?
Look in the mail headers, do you see SpamAssassin headers indicating score and what rules were triggered? Almost all spam decisions are made by SpamAssassin.
Also, I think the SPF records Virtualmin creates by default are marked with ~, which means it’s not strict. It probably ought to be strict, by default, but I don’t think that’s ever happened (when SPF was introduced it was still pretty messy in its enforcement on the internet as a whole and how people understood it, so locking it down caused a lot of problems for folks). So, you may need to make that strict.
It’s possible to enforce SPF at the Postfix level using a policy server, but I don’t think we do that in Virtualmin. I think everything other than greylisting is handled post-acceptance by Postfix (i.e. via Procmail and SpamAssassin and ClamAV).
We probably should add a policy server for SPF to the default system, as well, though it’s not a big difference for most users…it only matters in very high volume environments. One such option: Postfix/SPF - Community Help Wiki
But, for your case, I think you just need to make sure mail is actually hitting SpamAssassin, and then figure out why it’s not triggering on the SPF failure. It’s probably a simple config change.
Thanks for the comprehensive and thoughtful reply, Joe.
It’s not a high volume server, and I suspect that might be the answer: strict enforcement of SPF rules.
Will study a bit closer and see what I can find. Thanks again.
OK, here is some more info. It doesn’t answer the question about what rule allowed the email, but it does shed light on what happened.
When I search for that IP address, it shows a bunch of attempts to send as various emails, and it manages to slip one through when the user table recognises ‘support’:
Nov 15 08:38:23 host.domain.com.au postfix/smtpd[115127]: warning: hostname 172-245-93-75-host.colocrossing.com does not resolve to address 172.245.93.75: Name or service not known
Nov 15 08:38:23 host.domain.com.au postfix/smtpd[115127]: connect from unknown[172.245.93.75]
Nov 15 08:38:23 host.domain.com.au postfix/smtpd[115127]: D1AD0804C7: client=unknown[172.245.93.75]
Nov 15 08:38:24 host.domain.com.au opendkim[945]: D1AD0804C7: external host [172.245.93.75] attempted to send as buymax.com.au
Nov 15 08:38:24 host.domain.com.au postfix/smtpd[115127]: disconnect from unknown[172.245.93.75] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 15 09:09:00 host.domain.com.au postfix/smtpd[121194]: warning: hostname 172-245-93-75-host.colocrossing.com does not resolve to address 172.245.93.75: Name or service not known
Nov 15 09:09:00 host.domain.com.au postfix/smtpd[121194]: connect from unknown[172.245.93.75]
Nov 15 09:09:01 host.domain.com.au postfix/smtpd[121194]: 2878D804C7: client=unknown[172.245.93.75]
Nov 15 09:09:01 host.domain.com.au opendkim[945]: 2878D804C7: external host [172.245.93.75] attempted to send as buymax.com.au
Nov 15 09:09:01 host.domain.com.au postfix/smtpd[121194]: disconnect from unknown[172.245.93.75] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
-- Boot 01dbd8e1d6694a85a6e45988bfcc7336 --
Nov 15 12:58:07 host.domain.com.au postfix/smtpd[16638]: warning: hostname 172-245-93-75-host.colocrossing.com does not resolve to address 172.245.93.75: Name or service not known
Nov 15 12:58:07 host.domain.com.au postfix/smtpd[16638]: connect from unknown[172.245.93.75]
Nov 15 12:58:07 host.domain.com.au postfix/smtpd[16638]: NOQUEUE: reject: RCPT from unknown[172.245.93.75]: 550 5.1.1 <info@domain.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<info@domain.com.au> to=<info@domain.com.au> proto=ESMTP helo=<domain.com.au>
Nov 15 12:58:07 host.domain.com.au postfix/smtpd[16638]: disconnect from unknown[172.245.93.75] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Nov 15 13:06:20 host.domain.com.au postfix/anvil[16640]: statistics: max connection rate 1/60s for (smtp:172.245.93.75) at Nov 15 12:58:07
Nov 15 13:06:20 host.domain.com.au postfix/anvil[16640]: statistics: max connection count 1 for (smtp:172.245.93.75) at Nov 15 12:58:07
Nov 15 13:10:05 host.domain.com.au postfix/smtpd[19762]: warning: hostname 172-245-93-75-host.colocrossing.com does not resolve to address 172.245.93.75: Name or service not known
Nov 15 13:10:05 host.domain.com.au postfix/smtpd[19762]: connect from unknown[172.245.93.75]
Nov 15 13:10:05 host.domain.com.au postfix/smtpd[19762]: CFFC989CF1: client=unknown[172.245.93.75]
Nov 15 13:10:06 host.domain.com.au opendkim[838]: CFFC989CF1: external host [172.245.93.75] attempted to send as domain.com.au
Nov 15 13:10:06 host.domain.com.au postfix/smtpd[19762]: disconnect from unknown[172.245.93.75] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 15 13:13:49 host.domain.com.au postfix/anvil[19764]: statistics: max connection rate 1/60s for (smtp:172.245.93.75) at Nov 15 13:10:05
Nov 15 13:13:49 host.domain.com.au postfix/anvil[19764]: statistics: max connection count 1 for (smtp:172.245.93.75) at Nov 15 13:10:05
Nov 15 13:44:58 host.domain.com.au postfix/smtpd[28067]: warning: hostname 172-245-93-75-host.colocrossing.com does not resolve to address 172.245.93.75: Name or service not known
Nov 15 13:44:58 host.domain.com.au postfix/smtpd[28067]: connect from unknown[172.245.93.75]
Nov 15 13:44:58 host.domain.com.au postfix/smtpd[28067]: NOQUEUE: reject: RCPT from unknown[172.245.93.75]: 550 5.1.1 <hello@domain.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<hello@domain.com.au> to=<hello@domain.com.au> proto=ESMTP helo=<domain.com.au>
Nov 15 13:44:58 host.domain.com.au postfix/smtpd[28067]: disconnect from unknown[172.245.93.75] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
You can see the successful send at 13:10:06, and it looks like ‘opendkim’ is partly responsible, so I will look there…
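As an added example (not from this thread or from Virtualmin), a Python script that correlates the OpenDKIM "attempted to send as" warnings with the matching Postfix smtpd session, so a spoofed message the server actually accepted (data=1) stands out from the attempts rejected at RCPT. The log sample is constructed from the lines above; the domain set and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the Postfix/OpenDKIM journal lines quoted in the thread.
SAMPLE_LOG = """\
Nov 15 13:10:05 host.domain.com.au postfix/smtpd[19762]: connect from unknown[172.245.93.75]
Nov 15 13:10:05 host.domain.com.au postfix/smtpd[19762]: CFFC989CF1: client=unknown[172.245.93.75]
Nov 15 13:10:06 host.domain.com.au opendkim[838]: CFFC989CF1: external host [172.245.93.75] attempted to send as domain.com.au
Nov 15 13:10:06 host.domain.com.au postfix/smtpd[19762]: disconnect from unknown[172.245.93.75] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 15 13:44:58 host.domain.com.au postfix/smtpd[28067]: connect from unknown[172.245.93.75]
Nov 15 13:44:58 host.domain.com.au postfix/smtpd[28067]: NOQUEUE: reject: RCPT from unknown[172.245.93.75]: 550 5.1.1 <hello@domain.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<hello@domain.com.au> to=<hello@domain.com.au> proto=ESMTP helo=<domain.com.au>
Nov 15 13:44:58 host.domain.com.au postfix/smtpd[28067]: disconnect from unknown[172.245.93.75] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
"""

# smtpd assigns a queue id once MAIL FROM is accepted; opendkim logs against that queue id, and
# the smtpd disconnect line (keyed by smtpd pid) shows whether DATA completed (data=1).
RE_CLIENT = re.compile(r"postfix/smtpd\[(\d+)\]: ([0-9A-F]+): client=\S*\[([\d.]+)\]")
RE_SPOOF = re.compile(r"opendkim\[\d+\]: ([0-9A-F]+): external host \[([\d.]+)\] attempted to send as (\S+)")
RE_REJECT = re.compile(r"NOQUEUE: reject: RCPT from \S*\[([\d.]+)\]: (\d{3}) .*? from=<([^>]*)>")
RE_DISC = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from \S*\[([\d.]+)\](?:.*?\bdata=(\d+))?")

def audit(log_text, our_domains):
    """Findings for outside hosts using one of our_domains as sender, with the session outcome."""
    pid_to_qid = {}   # smtpd pid -> queue id open on that session
    spoof = {}        # queue id -> (client ip, spoofed domain)
    findings = []
    for line in log_text.splitlines():
        if m := RE_CLIENT.search(line):
            pid_to_qid[m.group(1)] = m.group(2)
        elif (m := RE_SPOOF.search(line)) and m.group(3).lower() in our_domains:
            spoof[m.group(1)] = (m.group(2), m.group(3).lower())
        elif m := RE_REJECT.search(line):
            sender_domain = m.group(3).rsplit("@", 1)[-1].lower()
            if sender_domain in our_domains:   # stopped at RCPT, before any queue id existed
                findings.append({"ip": m.group(1), "domain": sender_domain,
                                 "outcome": "rejected", "detail": "SMTP " + m.group(2)})
        elif m := RE_DISC.search(line):
            qid = pid_to_qid.pop(m.group(1), None)
            if qid in spoof:
                ip, dom = spoof.pop(qid)
                outcome = "ACCEPTED" if m.group(3) == "1" else "not delivered"
                findings.append({"ip": ip, "domain": dom, "outcome": outcome, "detail": qid})
    return findings

def accepted_spoofs(findings):
    """The cases worth chasing first: spoofed mail the server actually took for delivery."""
    return [f for f in findings if f["outcome"] == "ACCEPTED"]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, {"domain.com.au"}):
        print(f"{f['ip']} as {f['domain']}: {f['outcome']} ({f['detail']})")
```

Feed it `journalctl -u postfix -u opendkim` output (or /var/log/maillog) and the ACCEPTED entries are the queue ids whose SpamAssassin headers you want to inspect for the missing SPF hit.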