This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Receiving spam from my Own Server
#1
Receiving spam from my Own Server
I'm not sure how this is happening or if there is a way I can prevent it by locking down or changing some configuration. I'm not an expert at this stuff, so I thought I would post here as I have looked around and can't seem to find my specific case.

Basically, I am getting email from some spammer, but the email is addressed from myemail@mydomain.com to myemail@mydomain.com. I have spamassassin running on this server, and it even flags the email as spam.

The issue is I have a filter setup in gmail to always move email to my inbox if it's from mydomain.com. Because obviously it shouldn't be spam, as it's from me.

Is there something that I didn't configure on the mail server to prevent this? Or is this something that can't be prevented?

Basically, I would not like to have spammers sending me emails from my address to my address. Any help would be greatly appreciated!

Thanks!
Reply
Thanks given by:
#2
RE: Receiving spam from my Own Server
Are they really from your server or sent with an other server just with a the fake email address which is yours?
You can see this in the source of the spam email.
Try to add or edit your SPF record if they are not being flagged as spam..

My Sentora DemoMy GithubAuxio Github
Zentora themeS-Type themeCstyleX theme
flat-color-iconssmall-n-flat-icons

Sentora's development takes way too long, so i'm transitioning to HestiaCP.
Reply
Thanks given by:
#3
RE: Receiving spam from my Own Server
(05-08-2016, 02:51 AM)Ron-e Wrote: Are they really from your server or sent with an other server just with a the fake email address which is yours?
You can see this in the source of the spam email.
Try to add or edit your SPF record if they are not being flagged as spam..

Hi Ron-E! Thanks for replying to my post. I'm not exactly sure to be honest. I don't really know how to read these email headers. I thought it did, but even Spamassassin is showing a different IP address as the receiving IP as is listed at the top of the header (received: by 10.194.xxx.xxx). So I don't even understand where SpamAssassin is getting the IP address of 41.60.XXX.XXX.

I have copy and pasted the email original message below so you can see. I'd really appreciate any help you can provide. I slightly modified the below email to mask some of the IPs and my server domain name with MYDOMAIN.com and MYEMAIL@gmail.com (which is the email address my web server forwards contact@MYDOMAIN.com to).

As for the SPF record, I have this set on my MYDOMAIN.com DNS. It's listed as this:

TXT @ "v=spf1 a mx ip4:104.131.XXX.XXX ~all"

I think these are all setup properly and everything appeared to check out find when setting up the email server. And this server has been running for about a year now with these settings. I just recently noticed these spam emails coming from MYEMAIL@MYDOMAIN.COM to MYEMAIL@MYDOMAIN.com because of a gmail filter I setup, which says to NOT PUT IN SPAM folder if email comes from @MYDOMAIN.com. So now these spam emails are showing up in my inbox. It's not a big deal, I can just delete them, but I'm just curious if I have something setup incorrectly on my server allowing spammers to use my email server to email me spam. I'd like to prevent/stop this. Thank you!

Code:
Delivered-To: MYEMAIL@gmail.com
Received: by 10.194.XXX.XXX with SMTP id pe3csp3453454wjb;
        Sat, 7 May 2016 14:02:38 -0700 (PDT)
X-Received: by 10.98.XXX.XXX with SMTP id g65mr634345345pfj.91.14626534534500;
        Sat, 07 May 2016 14:02:38 -0700 (PDT)
Return-Path: <contact@MYDOMAINNAME.com>
Received: from panel.MYDOMAINNAME.com (mail.MYDOMAINNAME.com. [104.XXX.XXX.XXX])
        by mx.google.com with ESMTPS id i127si2633453457pfc.224.2016.05.07.14.02.37
        for <MYEMAIL@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 07 May 2016 14:02:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of contact@MYDOMAINNAME.com designates 104.XXX.XXX.XXX as permitted sender) client-ip=104.XXX.XXX.XXX;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of contact@MYDOMAINNAME.com designates 104.XXX.XXX.XXX as permitted sender) smtp.mailfrom=contact@MYDOMAINNAME.com
Received: by panel.MYDOMAINNAME.com (Postfix, from userid 1001)
    id 4B414536B027; Sun,  8 May 2016 06:02:37 +0900 (JST)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    panel.MYDOMAINNAME.com
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Status: Yes, score=10.0 required=5.0 tests=DOS_OUTLOOK_TO_MX,
    HELO_MISC_IP,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PSBL,RCVD_IN_RP_RNBL,
    RDNS_NONE,URIBL_ABUSE_SURBL,URIBL_BLOCKED autolearn=no autolearn_force=no
    version=3.4.0
X-Spam-Report:
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
    *      blocklist
    *      [URIs: perfin.in]
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    *       See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: perfin.in]
    *  2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
    *      [41.60.XXX.XXX listed in psbl.surriel.com]
    *  1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
    *      https://senderscore.org/blacklistlookup/
    *      [41.60.XXX.XXX listed in bl.score.senderscore.com]
    *  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    *      [Blocked - see <http://www.spamcop.net/bl.shtml?41.60.XXX.XXX>]
    *  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
    *  1.4 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
    *  0.1 HELO_MISC_IP Looking for more Dynamic IP Relays
Received: from [41.60.XXX.XXX] (unknown [41.60.XXX.XXX])
    by panel.MYDOMAINNAME.com (Postfix) with ESMTP id B0E34346B025
    for <contact@MYDOMAINNAME.com>; Sun,  8 May 2016 06:02:31 +0900 (JST)
From: <contact@MYDOMAINNAME.com>
To: <contact@MYDOMAINNAME.com>
Subject: [***SPAM***] Hello!
Date: 8 May 2016 00:10:05 +0100
Message-ID: <002301d1a8b8$01f30ee7$13883c9c$@MYDOMAINNAME.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0020_01D1343r.01F16F67"
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acjjujas70y2k3t8jjujas70y2k3t8==
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514
X-Spam-Prev-Subject: Hello!

This is a multi-part message in MIME format.

------=_NextPart_000_0020_01D1A8B8.01F16F67
Content-Type: text/plain;
    charset="windows-1250"
Content-Transfer-Encoding: quoted-printable

r u down for right now? i'm 26/f looking for a f*ckbuddy on the side...
i'm crazy in bed ;) think you could tame my pu_$Sy?

my username is Ekaterina03
u can see my naughty pics >>
here =20
------=_NextPart_000_0020_01D1A8B8.01F16F67
Content-Type: text/html;
    charset="windows-1250"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Dus-ascii" =
http-equiv=3DContent-Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.7601.17514"></HEAD>
<BODY>
<DIV><SPAN class=3D240339418-07052016><FONT size=3D2=20
face=3DArial>r u down for right now? i'm 26/f looking for a f*ckbuddy on =
the side...<br>
i'm crazy in bed ;) think you could tame my pu_$Sy?<br>
<br>
my username is Ekaterina03<br>
u can see my naughty pics <a =
href=3D"http://perfin.in/redir/zugrav6/">>><b> here</b> <<</a> =
<br></FONT></SPAN></DIV></BODY></HTML>
------=_NextPart_000_0020_01D1A8B8.01F16F67--
Reply
Thanks given by:
#4
RE: Receiving spam from my Own Server
If that 104.XXX.XXX.XXX is your server IP i think it's comming from your own server.

Code:
Received-SPF: pass (google.com: domain of contact[at]MYDOMAINNAME.com designates 104.XXX.XXX.XXX as permitted sender) client-ip=104.XXX.XXX.XXX;
Authentication-Results: mx.google.com;
      spf=pass (google.com: domain of contact[at]MYDOMAINNAME.com designates 104.XXX.XXX.XXX as permitted sender) smtp.mailfrom=contact[at]MYDOMAINNAME.com

Do you have a insecure email form on your site of maybe one of your clients?
p.s. The received: by 10.194.xxx.xxx part is i think a ip adress from gmail itself..

My Sentora DemoMy GithubAuxio Github
Zentora themeS-Type themeCstyleX theme
flat-color-iconssmall-n-flat-icons

Sentora's development takes way too long, so i'm transitioning to HestiaCP.
Reply
Thanks given by:
#5
RE: Receiving spam from my Own Server
(05-08-2016, 06:41 PM)Ron-e Wrote: If that 104.XXX.XXX.XXX is your server IP i think it's comming from your own server.

Code:
Received-SPF: pass (google.com: domain of contact[at]MYDOMAINNAME.com designates 104.XXX.XXX.XXX as permitted sender) client-ip=104.XXX.XXX.XXX;
Authentication-Results: mx.google.com;
      spf=pass (google.com: domain of contact[at]MYDOMAINNAME.com designates 104.XXX.XXX.XXX as permitted sender) smtp.mailfrom=contact[at]MYDOMAINNAME.com

Do you have a insecure email form on your site of maybe one of your clients?
p.s. The received: by 10.194.xxx.xxx part is i think a ip adress from gmail itself..

Thanks Ron-E! Yes, the IP 104.XXX.XXX.XXX is my server IP address. So what does this mean? They are somehow sending the email to me via my email server? How can I figure out how this is possible?

I am the only person that uses this server and it just has a handful of Drupal websites. If my email server was insecure, I assume spammers would be using my server for a lot more than it's being used now.

As for the IP address, yes I think you are right. I wasn't thinking clearly, that's a private IP address, so I guess it's gmail's internal IP address. It seems the spammer IP is identified by the line:

Code:
Received: from [41.60.100.77] (unknown [41.60.100.77])

So any ideas how I can confirm this email was sent by using my server and how I can confirm/prevent it from happening in the future?
Reply
Thanks given by:
#6
RE: Receiving spam from my Own Server
Sorry my knollage about this ends here, but it looks like it's coming from your server if you ask me..

(05-08-2016, 07:56 PM)americanninja Wrote: I am the only person that uses this server and it just has a handful of Drupal websites. If my email server was insecure, I assume spammers would be using my server for a lot more than it's being used now.
How do you know that they aren't using it more? or just testing it? Huh

My Sentora DemoMy GithubAuxio Github
Zentora themeS-Type themeCstyleX theme
flat-color-iconssmall-n-flat-icons

Sentora's development takes way too long, so i'm transitioning to HestiaCP.
Reply
Thanks given by:
#7
RE: Receiving spam from my Own Server
(05-08-2016, 08:19 PM)Ron-e Wrote: Sorry my knollage about this ends here, but it looks like it's coming from your server if you ask me..

(05-08-2016, 07:56 PM)americanninja Wrote: I am the only person that uses this server and it just has a handful of Drupal websites. If my email server was insecure, I assume spammers would be using my server for a lot more than it's being used now.
How do you know that they aren't using it more? or just testing it? Huh

Hi Ron-E. Well thanks for all the help you have given thus far. Well, what I would like to know is whether this person is sending the email to my server spoofing my email address or using my web/email server to send the emails. I'm hoping someone else comes across this thread and can answer that question.

As for now, I'm going to assume, since the lines state:
Received: from [41.60.100.77] (unknown [41.60.100.77])
by panel.MYDOMAIN.com (Postfix) with ESMTP id B0EDD16B025
for <contact@MYDOMAIN.com>; Sun, 8 May 2016 06:02:31 +0900 (JST)

I'm guessing this just means that my web/email server received the email destined for my email address with the spammer spoofing the same email address as the FROM address. Spamassassin picked it up as spam, tagged it, and then my email server forwarded it along to my gmail address which I have setup in my web/email server for this contact@MYDOMAIN.com address.

So perhaps everything is working as expected and it's just some low scum of the earth spammer just using my email address in the TO and FROM section of the email.

I came across this two articles during my research. So I think it's nothing out of the norm, but I'd love someone that is a bit more experienced than you and I to confirm this. At least email what story these email headers are telling us. Thanks!!
http://lifehacker.com/5875848/how-can-i-...and-family
http://lifehacker.com/how-spammers-spoof...1579478914
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
External mail client cannot connect to server iraqiboy90 2 6 ,941 02-28-2021, 11:34 AM
Last Post: iraqiboy90
Sentora Email Setup - EMAIL DOESN'T GO TO SPAM james30263 0 3 ,426 09-15-2018, 01:20 PM
Last Post: james30263
Incoming email not receiving. OinkyOverlord 7 15 ,700 06-01-2018, 06:49 AM
Last Post: natansousa1992

Forum Jump:


Users browsing this thread: 1 Guest(s)