Koozali.org formerly Contribs.org

SPAMMERS sending e-mail to group accounts using my own domain

Jáder
I really HATE it when someone sends messages using my own domain antinsect.com.br.

I have received this message:

Code:
Return-Path: <administrator@antinsect.com.br>
Delivered-To: <valid-user-account>@andorinha.antinsect.com.br
Received: (qmail 55349 invoked by alias); 22 Mar 2021 04:18:26 -0000
Delivered-To: alias-localdelivery-<valid-user-account>@antinsect.com.br
Received: (qmail 55340 invoked by alias); 22 Mar 2021 04:18:26 -0000
Delivered-To: <valid-group-account>@andorinha.antinsect.com.br
Received: (qmail 55337 invoked by alias); 22 Mar 2021 04:18:25 -0000
Delivered-To: alias-localdelivery-<valid-group-account>@antinsect.com.br
Received: (qmail 55334 invoked by uid 453); 22 Mar 2021 04:18:24 -0000
X-Virus-Checked: by ClamAV 0.100.2 on antinsect.com.br
X-Virus-Found: No
X-Spam-Status: No, score=3.3 required=4.0 autolearn=disabled
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
andorinha.antinsect.com.br
X-Spam-Details: *  2.0 URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed
*       in the Spamhaus DBL blocklist
*      [URIs: cool-skool.net]
*  0.0 SPF_NONE SPF: sender does not publish an SPF Record
*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
*      identical to background
*  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
*      lines
*  1.2 TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
X-Spam-Level: ***
X-HELO: host.eazme.com
Authentication-Results: antinsect.com.br; auth=none; spf=none smtp.mailfrom=antinsect.com.br; dkim=none
Received: from host.eazme.com (HELO host.eazme.com) (67.227.172.211)
 by antinsect.com.br (qpsmtpd/0.96) with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Mon, 22 Mar 2021 01:18:19 -0300
Received-SPF: none (antinsect.com.br: No applicable sender policy available) receiver=andorinha.antinsect.com.br; identity=mailfrom; envelope-from="administrator@antinsect.com.br"; helo=host.eazme.com; client-ip=67.227.172.211
Received: from ([127.0.0.1]) with MailEnable ESMTPA; Sun, 21 Mar 2021 17:11:56 -0400
From: IT support antinsect.com.br <administrator@antinsect.com.br>
To: <valid-group-account>@antinsect.com.br
Subject: (   <valid-group-account>@antinsect.com.br   ) You have { 17 } pending mails
Date: 21 Mar 2021 22:11:55 +0100
Message-ID: <20210321221155.B8FCC3323863462B@antinsect.com.br>
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I have seen this happen just when the target account is a group account (used just for e-mail delivery), but I think something is wrong! So I think:
1) I have done some misconfiguration in the anti-spam rules
2) there is something wrong with group accounts
3) the spammer knows much more than us about e-mail.

If I received this e-mail from another domain, I'd not complain, but from my own domain it's a shame!
I replaced the group account with <valid-group-account> and the user account where this message was delivered with <valid-user-account> to avoid exposing any valid e-mail addresses!

Any ideas/tips?

Regards!
...

Jean-Philippe Pialasse (aka Unnilennium)
Re: SPAMMERS sending e-mail to group accounts using my own domain
« Reply #1 on: March 24, 2021, 03:04:32 PM »
That is what DKIM, SPF and DMARC combined are made for.

If your server is the only one authorized to send mail on your behalf, no one can impersonate you anymore.

Do you use groups for mail purposes or not?

If you want this group to be accessible only internally, see this bug, which explains how to do it:
https://bugs.contribs.org/show_bug.cgi?id=5812

Jáder
Re: SPAMMERS sending e-mail to group accounts using my own domain
« Reply #2 on: March 24, 2021, 04:57:39 PM »
Quote
That is what DKIM, SPF and DMARC combined are made for.

If your server is the only one authorized to send mail on your behalf, no one can impersonate you anymore.

I'm using JUST SPF, not DKIM or DMARC.
Should I use the other two also? Let me find a howto about this...

Quote
do you use groups for mail purpose or not?

If you want this group to be accessible only internally, see this bug, which explains how to do it:
https://bugs.contribs.org/show_bug.cgi?id=5812

Yes, we're using those groups to allow external clients to send e-mails to the whole group.
I do not agree with this, but it's a director's decision! So I just have to live with that!
...

Jean-Philippe Pialasse (aka Unnilennium)
Re: SPAMMERS sending e-mail to group accounts using my own domain
« Reply #3 on: March 24, 2021, 06:02:44 PM »
Yes, you should.

Do a transition with only test/report mode so you can see what happens before getting mails rejected.

And make sure no one is sending e-mails using their own ISP, for example a road warrior or someone working from home with their computer set to default SMTP through their ISP.
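The two replies above describe the mechanism (SPF, DKIM and DMARC together) and the rollout advice (a report-only phase first). The following is an added example, not code from the thread or from SME Server, that evaluates the posted message's DMARC result from its Authentication-Results and From: headers and then applies a monitor-mode record (p=none) versus an enforcing one (p=reject). The headers are constructed from the first post (abridged), the "legit" variant is the same message with spf=pass, and the two-level-TLD set is a tiny stand-in for the Public Suffix List:

```python
"""Added example: DMARC alignment check plus policy disposition.
Not part of the thread or of SME Server; all inputs are constructed."""
import email
import email.utils
import re

# Constructed: headers of the spoofed message quoted in the first post (abridged).
SPOOFED_HEADERS = """\
Return-Path: <administrator@antinsect.com.br>
Authentication-Results: antinsect.com.br; auth=none; spf=none smtp.mailfrom=antinsect.com.br; dkim=none
From: IT support antinsect.com.br <administrator@antinsect.com.br>
To: group@antinsect.com.br
Subject: You have { 17 } pending mails

"""
# Constructed: the same message as it would look had the sending host passed SPF.
LEGIT_HEADERS = SPOOFED_HEADERS.replace("spf=none", "spf=pass")

# Assumption: a tiny stand-in for the Public Suffix List, enough for com.br.
TWO_LEVEL_TLDS = {"com.br", "co.uk", "com.au"}


def org_domain(domain):
    """Reduce a domain to its organizational domain (relaxed alignment)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_auth_results(value):
    """Map 'spf'/'dkim' to (result, authenticated domain) from an
    Authentication-Results header; clause [0] is the authserv-id."""
    out = {}
    for clause in value.split(";")[1:]:
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?(\S+)", clause)
        out[m.group(1)] = (m.group(2), dom.group(1) if dom else None)
    return out


def parse_dmarc_record(record):
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for tv in record.split(";"):
        if "=" in tv:
            k, v = tv.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dmarc_evaluate(raw_headers, dmarc_record):
    """DMARC passes only if SPF or DKIM passed AND its domain aligns with From:."""
    msg = email.message_from_string(raw_headers)
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_org = org_domain(from_addr.rpartition("@")[2])
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_res, spf_dom = ar.get("spf", ("none", None))
    dkim_res, dkim_dom = ar.get("dkim", ("none", None))
    spf_aligned = spf_res == "pass" and bool(spf_dom) and org_domain(spf_dom) == from_org
    dkim_aligned = dkim_res == "pass" and bool(dkim_dom) and org_domain(dkim_dom) == from_org
    dmarc_pass = spf_aligned or dkim_aligned
    p = parse_dmarc_record(dmarc_record).get("p", "none")
    if dmarc_pass:
        disposition = "deliver"
    else:  # p=none is the report-only phase: the mail is delivered, only reported
        disposition = {"none": "deliver (report only)",
                       "quarantine": "quarantine",
                       "reject": "reject"}.get(p, "deliver (report only)")
    return {"from_domain": from_org, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": dmarc_pass,
            "policy": p, "disposition": disposition}


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@antinsect.com.br",
                "v=DMARC1; p=reject"):
        print(rec, "->", dmarc_evaluate(SPOOFED_HEADERS, rec)["disposition"])
    print("legit ->", dmarc_evaluate(LEGIT_HEADERS, "v=DMARC1; p=reject")["disposition"])
```

With the posted headers (spf=none, dkim=none) neither identifier aligns, so the message fails DMARC; under p=none it is still delivered and only reported, under p=reject a receiver that honours the record refuses it. The same check also shows why the road-warrior caveat matters: mail relayed through an ISP's smarthost would carry spf=none or spf=fail for your domain and, without a DKIM signature from your server, would be rejected along with the spoof.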



mmccarn
Re: SPAMMERS sending e-mail to group accounts using my own domain
« Reply #4 on: March 25, 2021, 12:15:17 PM »
Three items:
1) group addresses and spam filtering
Long ago (5+ years) there was an issue with spam filtering not working for groups the same way it did for mailboxes. I *think* this was resolved, but if not you could create a mailbox for the group, then configure the mailbox to forward to the group. (I don't know whether this would let you set the group to 'internal only' or not.)


2) DNSBL
The IP that delivered the sample message you provided is listed by several DNSBL services:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a67.227.172.211&run=toolpage

This could have happened after the message was delivered, but you might check whether you want to enable one of the DNSBL services that is listing the IP (Barracuda or SORBS, perhaps).


3) RHSBL or custom spamassassin score?
The spamassassin headers are showing that the email contains known bad URLs ("2.0 URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed...in the Spamhaus DBL blocklist")

You could create a custom score for this spamassassin rule, but it would be easier to enable 'RHSBL'.

Here are my qpsmtpd settings for reference:

Code:
# config show qpsmtpd
qpsmtpd=service
    BadCountries=
    Bcc=disabled
    BccMode=bcc
    BccUser=maillog
    DKIMSigning=enabled
    DNSBL=enabled
    GeoIP=enabled
    HeloPolicy=rfc
    HeloReject=1
    KeepLogFiles=30
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=zen.spamhaus.org,bl.spamcop.net,truncate.gbudb.net,ix.dnsbl.manitu.net,b.barracudacentral.org:Blocked - see http://bbl.barracudacentral.com/q.cgi?ip=%IP%
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=dbl.spamhaus.org,badconf.rhsbl.sorbs.net,nomail.rhsbl.sorbs.net
    TlsBeforeAuth=0
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=enabled
    access=public
    qplogsumm=enabled
    status=enabled

Jean-Philippe Pialasse (aka Unnilennium)
Re: SPAMMERS sending e-mail to group accounts using my own domain
« Reply #5 on: March 25, 2021, 02:36:28 PM »
DNSBL and RHSBL are great when you are based in the US because of the relative weight of reporting what is considered spam.

When you are based in another country with a non-English language, they tend to generate way more false positives than can be tolerated.

As an example, most French ISPs are blacklisted 1-3 days a week on one or more of the BLs you use.

Not saying not to use them, just that copy-pasting what works for one will mostly fail for another.
I use a list of one or two lists max.
If you find one developed for your country, it is great.


mmccarn
Re: SPAMMERS sending e-mail to group accounts using my own domain
« Reply #6 on: March 26, 2021, 04:04:44 AM »
Quote
I use a list of one or two lists max.
If you find one developed for your country, it is great.

I put a one-line command on the Email Statistics wiki page that shows what a new RBL list you're thinking of using would do with the e-mails that you have received recently: https://wiki.contribs.org/Email_Statistics#Display_messages_that_would_have_been_blocked_via_DNSBL
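Reply #4 lists three kinds of lists in the qpsmtpd configuration (RBLList keyed by the connecting IP, SBLList keyed by the sender's domain, UBLList keyed by domains found in the body's URIs) and Reply #6 suggests checking what a candidate list would have done to recent mail before enabling it. The block below is an added example, not the qpsmtpd plugins' code, that builds the query names those list types use, decodes the 127.0.0.x answers, and runs a dry-run count over a list of recent client IPs. It uses the list values from mmccarn's config; the DNS answers come from an in-memory table (constructed, so nothing is looked up on the network and the "listed" entries are assumptions, not live data), and the reading of `zone:8-16-64-128` as a bitmask of acceptable answer values is my interpretation of the list syntax:

```python
"""Added example: DNSBL / RHSBL / URIBL query construction, answer decoding and
a dry run over recent client IPs. Not the qpsmtpd plugins' code; DNS answers
are a constructed in-memory table."""
import ipaddress

# List values copied from the qpsmtpd config posted in Reply #4.
RBL_LIST = ("zen.spamhaus.org,bl.spamcop.net,truncate.gbudb.net,ix.dnsbl.manitu.net,"
            "b.barracudacentral.org:Blocked - see http://bbl.barracudacentral.com/q.cgi?ip=%IP%")
SBL_LIST = "dbl.spamhaus.org,badconf.rhsbl.sorbs.net,nomail.rhsbl.sorbs.net"
UBL_LIST = "multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net"

# Constructed stand-in for DNS: the listings below are assumptions for the demo.
FAKE_DNS = {
    "211.172.227.67.zen.spamhaus.org": ["127.0.0.4"],       # IP from the sample message
    "211.172.227.67.b.barracudacentral.org": ["127.0.0.2"],
    "cool-skool.net.multi.surbl.org": ["127.0.0.64"],       # URI domain from the SA report
    "example.com.multi.surbl.org": ["127.0.0.2"],           # bit 2 is outside the 8-16-64-128 mask
}


def resolve(name):
    """Return A records for name from the constructed table (empty = not listed)."""
    return FAKE_DNS.get(name, [])


def parse_list_spec(spec):
    """'zone', 'zone:8-16-64-128' or 'zone:reject text' -> (zone, mask, reason).
    Assumption: a dash-separated all-numeric suffix is a bitmask of accepted
    127.0.0.x values; any other suffix is the rejection message."""
    zone, _, rest = spec.partition(":")
    mask, reason = None, None
    if rest:
        parts = rest.split("-")
        if all(p.strip().isdigit() for p in parts):
            mask = sum(int(p) for p in parts)
        else:
            reason = rest
    return zone, mask, reason


def answer_accepted(answers, mask):
    """First answer whose last octet matches the mask (any answer if no mask)."""
    for a in answers:
        last = int(a.rsplit(".", 1)[1])
        if mask is None or (last & mask):
            return a
    return None


def dnsbl_query_name(ip, zone):
    """RBL lookups reverse the IPv4 octets: 67.227.172.211 -> 211.172.227.67.zone"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_ip(ip, rbl_list):
    """First (zone, answer, reason) hit for a connecting IP, or None."""
    for spec in rbl_list.split(","):
        zone, mask, reason = parse_list_spec(spec)
        hit = answer_accepted(resolve(dnsbl_query_name(ip, zone)), mask)
        if hit:
            return zone, hit, (reason or "").replace("%IP%", ip)
    return None


def check_domain(domain, list_spec):
    """RHSBL (sender domain) and URIBL (URI domain) lookups prepend the bare name."""
    for spec in list_spec.split(","):
        zone, mask, reason = parse_list_spec(spec)
        hit = answer_accepted(resolve(f"{domain.lower().rstrip('.')}.{zone}"), mask)
        if hit:
            return zone, hit
    return None


def dry_run(client_ips, candidate_list):
    """Reply #6's idea: how many recent senders would a candidate list have blocked?"""
    hits = [ip for ip in client_ips if check_ip(ip, candidate_list)]
    return len(hits), hits


if __name__ == "__main__":
    print(check_ip("67.227.172.211", RBL_LIST))
    print(check_domain("antinsect.com.br", SBL_LIST))   # sender domain of the spoof
    print(check_domain("cool-skool.net", UBL_LIST))
    # Constructed list of recent client IPs; 192.0.2.x / 198.51.100.x are documentation ranges.
    print(dry_run(["67.227.172.211", "192.0.2.10", "198.51.100.7"],
                  "b.barracudacentral.org:Blocked - see http://bbl.barracudacentral.com/q.cgi?ip=%IP%"))
```

Two points the run makes visible: a URIBL entry with a mask only fires on answer bits you opted into, so `127.0.0.2` from multi.surbl.org is ignored under `8-16-64-128`; and an RHSBL lookup on a message that forges your own domain is keyed on your own domain, so it only helps against spoofs if the body URIs or the connecting IP are what is listed.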