1 Topic by randoof (edited by randoof 2015-02-17 03:12:16)

  • randoof
  • Member
  • Offline
  • Registered: 2013-01-28
  • Posts: 23

Topic: Recieving email apparently from my server (but it's not)

==== Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 14.04
- Related log if you're reporting an issue: N/A
====

Hi there,
I'm after a bit of help here with an email that has been received on my server by a couple of clients that are both hosted by me.

Neither of the domains that have received the email are my main mailserver domain but secondary domains.
So in the headers you will see main-domain.com and another-hosted-domain.com

main-domain.com is the hosting server address and another-hosted-domain.com is the domain that has received the email.
Below is the headers of the email, attached was a spreadsheet file (presumably a virus) and the email itself was blank.

I am not necesarily concerned about the fact it could be a virus (I understand, there are always people who are trying to get around this. 
 
I am more concerned about the fact it says that the email says it is sent from "from@mail.main-domain.com" -from@mail.main-domain.com is not a valid email address and there are no actual email addesses set up with @mail.main-domain.com

Can anyone shed any light as to why this is saying it's come from my server and what I could do about preventing this happening again?

I appreciate any help,
thank you

X-Spam-Level: ****
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_c7d59b39089f1b7ac73c8b0f091c732e"
X-Spam-Status: No, score=4.103 tagged_above=2 required=6.31 tests=[HK_NAME_FROM=0.999, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105, RCVD_IN_XBL=0.724, RDNS_NONE=1.274] autolearn=no autolearn_force=no
X-Spam-Score: 4.103
Return-Path: <Shari3b24@static.telenet.be>
X-Spam-Flag: NO
List-Unsubscribe: <mailto:leave-6fd34f399842a83a56bdcb5b0fc68875@lists.static.telenet.be>
X-Virus-Scanned: Debian amavisd-new at mail.main-domain.co.uk
Received: from localhost (localhost [127.0.0.1]) by main-domain.co.uk (Postfix) with ESMTP id B1324183AA for <info@another-hosted-domain.com>; Mon, 16 Feb 2015 12:23:12 +0000 (UTC)
Received: from main-domain.co.uk ([127.0.0.1]) by localhost (mail.main-domain.co.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n647shUjBrdC for <info@another-hosted-domain.com>; Mon, 16 Feb 2015 12:23:12 +0000 (UTC)
Received: from d5153006C.static.telenet.be (unknown [81.83.0.108]) by main-domain.co.uk (Postfix) with ESMTP id 91EE218349 for <info@another-hosted-domain.com>; Mon, 16 Feb 2015 12:23:10 +0000 (UTC)
Message-Id: <xLvSoVST-3918724-5947169-2015.02.16-13.23.03--info#another-hosted-domain.com@lists.static.telenet.be>
Delivered-To: info@another-hosted-domain.com
Re: Data request [ID:862194-3427]

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Recieving email apparently from my server (but it's not)

randoof wrote:

Received: from d5153006C.static.telenet.be (unknown [81.83.0.108]) by main-domain.co.uk (Postfix) with ESMTP id 91EE218349 for <info@another-hosted-domain.com>; Mon, 16 Feb 2015 12:23:10 +0000 (UTC)

Looks like this email was sent from d5153006C.static.telenet.be (IP address [81.83.0.108]).

Any related log in Postfix log file (/var/log/mail.log)? We need full log related to some emails sent by this sender.

3 Reply by randoof (edited by randoof 2015-02-18 02:28:43)

  • randoof
  • Member
  • Offline
  • Registered: 2013-01-28
  • Posts: 23

Re: Recieving email apparently from my server (but it's not)

ZhangHuangbin wrote:
randoof wrote:

Received: from d5153006C.static.telenet.be (unknown [81.83.0.108]) by main-domain.co.uk (Postfix) with ESMTP id 91EE218349 for <info@another-hosted-domain.com>; Mon, 16 Feb 2015 12:23:10 +0000 (UTC)

Looks like this email was sent from d5153006C.static.telenet.be (IP address [81.83.0.108]).

Any related log in Postfix log file (/var/log/mail.log)? We need full log related to some emails sent by this sender.

Thanks for getting back, I dont know if I made this clear, but this was not sent by a user on my server, it seems like they are somehow spoofing something?

I tailed the last 100,000 lines and grepped for 'd5153006C', only one line came back.

log wrote:

me@mydomain:/var/log$ sudo tail -100000 mail.log | grep 'd5153006C'
Feb 16 12:23:10 mydomain postfix/smtpd[3030]: warning: hostname d5153006C.static.telenet.be does not resolve to address 81.83.0.108: Name or service not known

4 Reply by mir

  • mir
  • Member
  • Offline
  • Registered: 2014-05-30
  • Posts: 170

Re: Recieving email apparently from my server (but it's not)

The email is not coming from your mail server. What you see is simply that emails sent to your mail server will be delivered to amavisd for spam and virus scanning and after this scanning the are injected back into postfix for delivering to local mail users.
1) Received from d5153006C.static.telenet.be for info@another-hosted-domain.com "Received: from d5153006C.static.telenet.be (unknown [81.83.0.108]) by main-domain.co.uk (Postfix)"
2) Sent to amavisd "Received: from main-domain.co.uk ([127.0.0.1]) by localhost (mail.main-domain.co.uk [127.0.0.1]) (amavisd-new, port 10024)"
3) Reinjected into postfix for local delivery "Received: from localhost (localhost [127.0.0.1]) by main-domain.co.uk (Postfix) with ESMTP id B1324183AA for <info@another-hosted-domain.com>"

5 Reply by randoof

  • randoof
  • Member
  • Offline
  • Registered: 2013-01-28
  • Posts: 23

Re: Recieving email apparently from my server (but it's not)

Ok, thank you, that makes sense but why is it that in the email client (Outlook, Thunderbird etc) the "from" field displays "from@mail.main-domain.com" when this isn't a valid email and no other emails received on my server have the sent filed with this info. Is it because they are spoofing my main-domain.com?

mir wrote:

The email is not coming from your mail server. What you see is simply that emails sent to your mail server will be delivered to amavisd for spam and virus scanning and after this scanning the are injected back into postfix for delivering to local mail users.
1) Received from d5153006C.static.telenet.be for info@another-hosted-domain.com "Received: from d5153006C.static.telenet.be (unknown [81.83.0.108]) by main-domain.co.uk (Postfix)"
2) Sent to amavisd "Received: from main-domain.co.uk ([127.0.0.1]) by localhost (mail.main-domain.co.uk [127.0.0.1]) (amavisd-new, port 10024)"
3) Reinjected into postfix for local delivery "Received: from localhost (localhost [127.0.0.1]) by main-domain.co.uk (Postfix) with ESMTP id B1324183AA for <info@another-hosted-domain.com>"

6 Reply by mir

  • mir
  • Member
  • Offline
  • Registered: 2014-05-30
  • Posts: 170

Re: Recieving email apparently from my server (but it's not)

randoof wrote:

Ok, thank you, that makes sense but why is it that in the email client (Outlook, Thunderbird etc) the "from" field displays "from@mail.main-domain.com" when this isn't a valid email and no other emails received on my server have the sent filed with this info. Is it because they are spoofing my main-domain.com?

Yes, this is purely spoofing. Remember that you can write what ever you like in the from field unless the sending server restricts sender addresses.

This is the main reason for backscatters.

7 Reply by randoof

  • randoof
  • Member
  • Offline
  • Registered: 2013-01-28
  • Posts: 23

Re: Recieving email apparently from my server (but it's not)

mir wrote:
randoof wrote:

Ok, thank you, that makes sense but why is it that in the email client (Outlook, Thunderbird etc) the "from" field displays "from@mail.main-domain.com" when this isn't a valid email and no other emails received on my server have the sent filed with this info. Is it because they are spoofing my main-domain.com?

Yes, this is purely spoofing. Remember that you can write what ever you like in the from field unless the sending server restricts sender addresses.

This is the main reason for backscatters.

Thanks. Is there anything I can do about mail that looks like it's from my server, but isn't? I though that was the purpose of DKIM and SPF? It hasn't happened since, (which I feel is a bit strange) but it would be great if I could help defend against it.

Thank you

8 Reply by mir

  • mir
  • Member
  • Offline
  • Registered: 2014-05-30
  • Posts: 170

Re: Recieving email apparently from my server (but it's not)

randoof wrote:

Thanks. Is there anything I can do about mail that looks like it's from my server, but isn't? I though that was the purpose of DKIM and SPF? It hasn't happened since, (which I feel is a bit strange) but it would be great if I could help defend against it.

Thank you

If the mail server receiving a mail claiming to be send from you wants to send a bounce to the from address then there is nothing you can do. You could of course make a filter which silently rejects mail claiming to be sent from you but where the sending server is not a server allowed to send email for your domain. Read more here: http://www.postfix.org/BACKSCATTER_README.html