Topic: Spoofed mail

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.5
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: Ubuntu
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? YES
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hello,
Hoping someone can help me figure out how to prevent this going forward. One of our users got an email that was clearly spam, but the from email address shown in the mail client shows mydomain@mail.mydomain.com. Looking through the header I was able to see another email address, but didn't know if there was a way to prevent it coming through looking like it's from our subdomain. See below for the header.

Return-Path: <tgalban@evangelcc.org>
Delivered-To: enduser@mydomain.com
Received: from mail.mydomain.com (mail.mydomain.com [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 4XNtR94DDkz1V68R
    for <enduser@mydomain.com>; Wed, 9 Oct 2024 13:05:25 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 1.822
X-Spam-Level: *
X-Spam-Status: No, score=1.822 tagged_above=-100 required=2.5
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MIME_NO_HTML_TAG=0.377,
    MIME_HTML_ONLY=0.1, RCVD_IN_BL_SPAMCOP_NET=1.347,
    RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
    SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TO_NO_BRKTS_FROM_MSSP=0.001]
    autolearn=no autolearn_force=no
Authentication-Results: mail.mydomain.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=evangelcc.onmicrosoft.com
Received: from mail.mydomain.com ([127.0.0.1])
    by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id YAYhATA0F8g9 for <enduser@mydomain.com>;
    Wed, 9 Oct 2024 13:05:24 +0000 (UTC)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2109.outbound.protection.outlook.com [40.107.93.109])
    by mail.mydomain.com (Postfix) with ESMTPS id 4XNtR85JDPz1V5nW
    for <enduser@mydomain.com>; Wed, 9 Oct 2024 13:05:24 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
    b=aU3sUr8QAxkAjnZ396ViXp6E9KiJvafHxty9loJO578OOKKa5VBsgvc1+MGzRJW4oKdhLQwvrng1yqVQn/IxHqCoHc2WtlOcXf0DeF1NFdchxAENh8kazqYZ4DbDz+tYh8QB/A7hSphOj+g+lycTRJnoNLs3OwUB6VVTwJRAh4AUFV4q82p5k1tCpmjT2eIaDR8nykahCAVHow5uR9bPnEwv3KsUZj+lJjzlbnaHB7vBU+sqv/k7jLWa6i0P8uzG/FAA7NpsT62R/U3E0CEmtd0qS28MxITpqjKHeC0YFd6jkys2qJkcydZHIJmFRdTy+DQb0duxr953s9EVcru9fw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    s=arcselector10001;
    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
    bh=+CavMlaJTqPcEBY4oiF2OX7bo4A+BoQtgmYGWJMG380=;
    b=UhkcrHMHYUKAzyM0nJmFbUUlBo/NwTvSqK0txLxsTkHOmivOTOIKLMq6pjPl6I7pOwpkyDWGrYUD8BcV/a0Z13NnA/vovcMzXfqZPJk3Gsiu1QC2Y6U3H4Nrs6wPlhezZFz/IwRBRh8rCye/yFeXVCfB65o7OcYzC0XuDNLp01FnjbNurYrQMqvp0qOy+EbSTHVDJXNQbJa2Ph4oRbztL5t6fEkQeWoT/mCZNWjmxrFfu1xgHsdSJgXDbDq3TjNJBlyAQxneTYGHtVbfqSJd7S3BBHB2hHLfD1YlnvdcTPTP/f5WGF1u0hpu6R1qm8DtxXpm9pJH17rWsXin5AYelw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is
    80.77.23.154) smtp.rcpttodomain=mydomain.com smtp.mailfrom=evangelcc.org;
    dmarc=none action=none header.from=evangelcc.org; dkim=none (message not
    signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=evangelcc.onmicrosoft.com; s=selector2-evangelcc-onmicrosoft-com;
    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
    bh=+CavMlaJTqPcEBY4oiF2OX7bo4A+BoQtgmYGWJMG380=;
    b=jNJ9zT1VpGVtj3pJ2C3Z8cPkN4XhhzKOcExWaCRAh8OHFhIl0WnujxVQSaqt7WTzVMmjCXBNTf+7FV7ti9JhjBCKLiAlPAa9l+UorkaSGI7jG7/I90guXMlKrLGboHaMqbMtQxac7ZbZQLBILkDUcw683KpYeNDBX0oarYF2zq4=
Received: from SJ0PR03CA0254.namprd03.prod.outlook.com (2603:10b6:a03:3a0::19)
    by IA2PR18MB5962.namprd18.prod.outlook.com (2603:10b6:208:4b3::16) with
    Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8026.23; Wed, 9 Oct
    2024 13:05:20 +0000
Received: from CO1PEPF000042A8.namprd03.prod.outlook.com
    (2603:10b6:a03:3a0:cafe::28) by SJ0PR03CA0254.outlook.office365.com
    (2603:10b6:a03:3a0::19) with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8048.17 via Frontend
    Transport; Wed, 9 Oct 2024 13:05:19 +0000
X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 80.77.23.154)
    smtp.mailfrom=evangelcc.org; dkim=none (message not signed)
    header.d=none;dmarc=none action=none header.from=evangelcc.org;
Received-SPF: Fail (protection.outlook.com: domain of evangelcc.org does not
    designate 80.77.23.154 as permitted sender) receiver=protection.outlook.com;
    client-ip=80.77.23.154; helo=teal-17;
Received: from teal-17 (80.77.23.154) by
    CO1PEPF000042A8.mail.protection.outlook.com (10.167.243.37) with Microsoft
    SMTP Server id 15.20.8048.13 via Frontend Transport; Wed, 9 Oct 2024 13:05:19
    +0000
Content-Type: multipart/mixed; boundary="===============3475885495040080030=="
MIME-Version: 1.0
To: enduser@mydomain.com
From: Mydomain@mail.mydomain.com, CHRO@mail.mydomain.com,
    &@mail.mydomain.com, HR@mail.mydomain.com,
    Manager@mail.mydomain.com, enduser <tgalban@evangelcc.org>
Subject: Key Updates on Recent Salary Modifications and Benefits for Our Team
X-Priority: 3
Message-ID: <172847911555.559991.2035529252088755228@teal-17>
Date: Wed, 09 Oct 2024 13:05:15 +0000 
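One way to flag this kind of message mechanically, as an added example that is not from the post or from iRedMail: parse the From: header the way a DMARC-style check would and compare each From domain against the DKIM signing domain and envelope sender reported by the local Authentication-Results and Return-Path headers. The header excerpt is constructed from the one quoted above, and the set of "own" domains is an assumption.

```python
import re
from email.parser import HeaderParser
from email.utils import getaddresses, parseaddr

# Constructed excerpt of the header quoted in the post (same addresses and domains).
SAMPLE_HEADER = """\
Return-Path: <tgalban@evangelcc.org>
Authentication-Results: mail.mydomain.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=evangelcc.onmicrosoft.com
To: enduser@mydomain.com
From: Mydomain@mail.mydomain.com, CHRO@mail.mydomain.com,
    &@mail.mydomain.com, HR@mail.mydomain.com,
    Manager@mail.mydomain.com, enduser <tgalban@evangelcc.org>
Subject: Key Updates on Recent Salary Modifications and Benefits for Our Team

"""

def org_domain(host):
    """Organisational domain as the last two labels (no public-suffix list; fine for .com/.org)."""
    return ".".join(host.lower().strip().split(".")[-2:])

def unfold(value):
    """Join folded header continuation lines into one line."""
    return " ".join(value.split())

def analyze_from_header(raw_headers, own_domains):
    """Run the alignment checks a DMARC-style filter would apply to the From: header.

    own_domains: organisational domains this server handles, e.g. {"mydomain.com"};
    mail.mydomain.com aligns with it under relaxed alignment.
    """
    msg = HeaderParser().parsestr(raw_headers)
    from_values = [unfold(v) for v in msg.get_all("From", [])]
    mailboxes = [addr for _, addr in getaddresses(from_values) if "@" in addr]
    from_domains = {org_domain(addr.rsplit("@", 1)[1]) for addr in mailboxes}

    # Signing domain from the local Authentication-Results line (dkim=pass header.d=...).
    auth = unfold(msg.get("Authentication-Results", ""))
    m = re.search(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth)
    dkim_result, dkim_domain = (m.group(1), org_domain(m.group(2))) if m else ("none", "")

    # Envelope sender domain from Return-Path (what SPF was evaluated against).
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    mailfrom_domain = org_domain(return_path.rsplit("@", 1)[1]) if "@" in return_path else ""

    own = {org_domain(d) for d in own_domains}
    claims_own = sorted(d for d in from_domains if d in own)
    return {
        "from_mailbox_count": len(mailboxes),          # more than one mailbox in From: is unusual
        "from_domains": sorted(from_domains),
        "claims_own_domain": claims_own,
        "dkim_aligned": dkim_result == "pass" and dkim_domain in from_domains,
        "return_path_aligned": bool(mailfrom_domain) and mailfrom_domain in from_domains,
        # Our domain is in From:, yet neither the DKIM signer nor the envelope sender is ours.
        "spoof_suspected": bool(claims_own) and dkim_domain not in own and mailfrom_domain not in own,
    }
```

On the quoted header this reports six From: mailboxes, a DKIM signature aligned with neither From domain, and an own-domain claim vouched for by nothing, which is the condition a filter would act on.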
