1

Topic: Spoofed Email?

Greetings,

I started receiving complaints on Monday from some customers who were receiving spam mail spoofed from their own email address.

This was extremely odd to me because I know that iRedMail has safeguards against spoofed email (even email that we spoof on purpose, sending through a third-party mail server).

I'm curious if someone has a better idea in the diagnosis. This is on a stock install of iRedMail - no changes made to the default postfix setup during install.

Here are the full headers of an example of the mail. "domainx.com" is our domain and I've swapped it for a generic name:

From: <anthony@domainx.com>
Date: April 25, 2011 12:10:11 AM PDT
To: <anthony@domainx.com>
Subject: Newsletter Mon, 25 Apr 2011 09:10:11 +0200
return-path: <e6100246d@ms29.hinet.net>
delivered-to: anthony@domainx.com
received: from localhost (mail.domainx.com [127.0.0.1]) by mail.domainx.com (iRedMail) with ESMTP id B847612800A for <anthony@domainx.com>; Mon, 25 Apr 2011 00:10:13 -0700 (PDT)
received: from mail.domainx.com ([127.0.0.1]) by localhost (mail.domainx.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f+JNM-E2KmZF for <anthony@domainx.com>; Mon, 25 Apr 2011 00:10:13 -0700 (PDT)
received: from [178.122.3.12] (unknown [178.122.3.12]) by mail.domainx.com (iRedMail) with ESMTP id 9196C128004 for <anthony@domainx.com>; Mon, 25 Apr 2011 00:10:12 -0700 (PDT)
received: from 178.122.3.12(helo=domainx.com) by domainx.com with esmtpa (Exim 4.69) (envelope-from ) id 1MM9W7-2829qd-4Q for <anthony@domainx.com>; Mon, 25 Apr 2011 09:10:11 +0200
dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domainx.com; h=message-id:x-mailer:content-transfer-encoding:content-type :content-type:mime-version:date:date:subject:subject:to:from :from; s=dkim; t=1303715413; x=1306307413; bh=LAaksjVhPc8fJrurVF NRM9I5lwqO4lX8aoOkeKEPlkU=; b=H5I7Y+iEz0nHrNml1oNLo9+EGbJ0McqL7Q Clc8XPwiFFtyzPYUNZaI5ioXYacbFl0tmh+5KGLYgwcMvyDVSQdr1wrXnakptkzv Qk0Qn0cP56QWdYfnareKDNeRy2oLc+2qOuUsYCV4uQudrGIo0q2t211ZyM0GBkPI gFQX0rN58=
x-virus-scanned: amavisd-new at mail.domainx.com
x-spam-flag: NO
x-spam-score: 5.191
x-spam-level: *****
x-spam-status: No, score=5.191 tagged_above=-10 required=6.2 tests=[BAYES_99=3.5, RCVD_IN_PBL=0.905, RDNS_NONE=0.1, SPF_NEUTRAL=0.686] autolearn=no
x-original-helo: [178.122.3.12] (iRedMail: http://www.iredmail.org/)
mime-version: 1.0
content-type: text/plain; charset="us-ascii"
content-transfer-encoding: 7bit
x-mailer: rfrg-81
message-id: <0060319118.NQRPTS3G459147@gfdgn.ooamic.info>

And here are the logs in the mail log:

Apr 25 07:10:12 xray policyd: rcpt=13890, module=bypass, host=178.122.3.12 (unknown), from=e6100246d@ms29.hinet.net, to=anthony@domainx.com, size=1016
Apr 25 00:10:12 xray postfix/smtpd[15810]: 9196C128004: client=unknown[178.122.3.12]
Apr 25 07:10:12 xray policyd: connection from: 127.0.0.1 port: 58812 slots: 0 of 2044 used
Apr 25 07:10:13 xray policyd: rcpt=27841, throttle=new(a), host=178.122.3.12, from=e6100246d@ms29.hinet.net, to=anthony@domainx.com, size=1733/15728640, quota=1733/250000000, count=1/60(1), rcpt=1/3600(1), threshold=0%|0%|0%
Apr 25 00:10:13 xray postfix/cleanup[15813]: 9196C128004: message-id=<0060319118.NQRPTS3G459147@gfdgn.ooamic.info>
Apr 25 00:10:13 xray postfix/qmgr[1929]: 9196C128004: from=<e6100246d@ms29.hinet.net>, size=1998, nrcpt=1 (queue active)
Apr 25 00:10:13 xray postfix/smtpd[15810]: disconnect from unknown[178.122.3.12]
Apr 25 00:10:13 xray postfix/smtpd[15819]: connect from mail.domainx.com[127.0.0.1]
Apr 25 00:10:13 xray postfix/smtpd[15819]: B847612800A: client=mail.domainx.com[127.0.0.1]
Apr 25 07:10:13 xray policyd: connection from: 127.0.0.1 port: 58816 slots: 1 of 2044 used
Apr 25 07:10:13 xray policyd: rcpt=27842, whitelist=update, host=127.0.0.1 (mail.domainx.com), from=e6100246d@ms29.hinet.net, to=anthony@domainx.com, size=2982
Apr 25 00:10:13 xray postfix/cleanup[15813]: B847612800A: message-id=<0060319118.NQRPTS3G459147@gfdgn.ooamic.info>
Apr 25 00:10:14 xray postfix/smtpd[15819]: disconnect from mail.domainx.com[127.0.0.1]
Apr 25 00:10:14 xray postfix/qmgr[1929]: B847612800A: from=<e6100246d@ms29.hinet.net>, size=3185, nrcpt=1 (queue active)
Apr 25 00:10:14 xray amavis[14137]: (14137-19) Passed CLEAN, LOCAL [178.122.3.12] [178.122.3.12] <e6100246d@ms29.hinet.net> -> <anthony@domainx.com>, Message-ID: <0060319118.NQRPTS3G459147@gfdgn.ooamic.info>, mail_id: f+JNM-E2KmZF, Hits: 5.191, size: 1997, queued_as: B847612800A, 1254 ms
Apr 25 00:10:14 xray postfix/pipe[15820]: B847612800A: to=<anthony@domainx.com>, relay=dovecot, delay=0.65, delays=0.51/0.01/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
Apr 25 00:10:14 xray postfix/qmgr[1929]: B847612800A: removed

It looks like the first message was held due to greylisting, as per the normal process... However, the second message made it through and wasn't blocked as spoofed.

Does anyone have any thoughts?

Thank You


2

Re: Spoofed Email?

Could you please paste the output of the command "postconf -n"? It would help a lot.
NOTE: remove or hide sensitive information before pasting here.

Also, which version of iRedMail do you use?

3 (edited by maxie_ro 2011-04-28 14:04:04)

Re: Spoofed Email?

The problem is that the message is not exactly "spoofed":

Passed CLEAN, LOCAL [178.122.3.12] [178.122.3.12] <e6100246d@ms29.hinet.net> -> <anthony@domainx.com>

As you can see in the logs, Postfix sees the sender as "e6100246d@ms29.hinet.net". You can also see this Return-Path in the message source:

From: <anthony@domainx.com>
return-path: <e6100246d@ms29.hinet.net>

Even if the header From is "anthony@domainx.com", Postfix sees it as "e6100246d@ms29.hinet.net" because this is what is used in the SMTP "MAIL FROM" command.

Unfortunately SPF for "ms29.hinet.net" redirects to "spf.ms.hinet.net", which doesn't have a correct SPF record, so SPF checking in Postfix wouldn't help you here (that is, in case you actually enabled SPF checking in Postfix).

I had the same problem multiple times, and I couldn't find a viable solution, because different Return-Path and envelope From addresses are used quite a lot, especially by mailing lists.

L.E.:
On the other hand, I see that the IP from which you received the message (apparently 178.122.3.12) is on quite a few blacklists, so if you had enabled those DNSBLs, Postfix would have rejected this spam message:
http://www.mxtoolbox.com/SuperTool.aspx … 8.122.3.12

Spamhaus ZEN would suffice in this case.
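As an added example (not part of maxie_ro's post or of the iRedMail project), the following Python script applies the distinction above to a constructed copy of the headers quoted earlier in the thread: it compares the header From with the Return-Path (what the receiving MTA recorded from the SMTP MAIL FROM), walks the Received: chain from the top to find the first hop that is not our own 127.0.0.1 loopback re-injection, and builds the reversed-octet name that Postfix's reject_rbl_client would look up in a DNSBL zone such as zen.spamhaus.org. It performs no network lookups; the sample headers, the domainx.com placeholder and all function names are this example's own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed sample: the headers quoted earlier in this thread, trimmed to
# the fields this script looks at (addresses and IPs as the thread shows them).
SAMPLE_HEADERS = """\
From: <anthony@domainx.com>
To: <anthony@domainx.com>
Subject: Newsletter Mon, 25 Apr 2011 09:10:11 +0200
Return-Path: <e6100246d@ms29.hinet.net>
Received: from localhost (mail.domainx.com [127.0.0.1]) by mail.domainx.com (iRedMail) with ESMTP id B847612800A for <anthony@domainx.com>; Mon, 25 Apr 2011 00:10:13 -0700 (PDT)
Received: from mail.domainx.com ([127.0.0.1]) by localhost (mail.domainx.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f+JNM-E2KmZF for <anthony@domainx.com>; Mon, 25 Apr 2011 00:10:13 -0700 (PDT)
Received: from [178.122.3.12] (unknown [178.122.3.12]) by mail.domainx.com (iRedMail) with ESMTP id 9196C128004 for <anthony@domainx.com>; Mon, 25 Apr 2011 00:10:12 -0700 (PDT)
Received: from 178.122.3.12(helo=domainx.com) by domainx.com with esmtpa (Exim 4.69) (envelope-from ) id 1MM9W7-2829qd-4Q for <anthony@domainx.com>; Mon, 25 Apr 2011 09:10:11 +0200
Message-ID: <0060319118.NQRPTS3G459147@gfdgn.ooamic.info>

"""

OUR_DOMAIN = "domainx.com"      # the thread's placeholder for the local domain
TRUSTED_HOPS = {"127.0.0.1"}    # hops we added ourselves (amavisd re-injection)
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_addresses(raw):
    """Return (header From address, envelope From address) from raw headers.
    Return-Path is what the receiving MTA wrote from the SMTP MAIL FROM."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return header_from, envelope_from


def is_header_from_spoof(raw, our_domain=OUR_DOMAIN):
    """True when the visible From claims our domain but the envelope does not:
    the case the thread describes, which checks on MAIL FROM never see."""
    header_from, envelope_from = sender_addresses(raw)
    return domain_of(header_from) == our_domain and domain_of(envelope_from) != our_domain


def first_external_hop(raw, trusted=TRUSTED_HOPS):
    """Walk Received: headers top-down (newest first) and return the first
    client IP that is not one of our own trusted hops. Only the bracketed IP
    on the 'from' side counts; text after 'by' and any hop without a bracketed
    IP (such as the forged Exim line at the bottom) is ignored."""
    msg = message_from_string(raw)
    for received in msg.get_all("Received", []):
        client_part = received.split(" by ", 1)[0]
        m = IPV4_IN_BRACKETS.search(client_part)
        if not m:
            continue
        try:
            ip = str(ip_address(m.group(1)))
        except ValueError:
            continue
        if ip not in trusted:
            return ip
    return None


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Name that reject_rbl_client would resolve: octets reversed under the zone."""
    octets = str(ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def analyze(raw, our_domain=OUR_DOMAIN, zone="zen.spamhaus.org"):
    """Summarise the envelope/header mismatch and the DNSBL name to query."""
    header_from, envelope_from = sender_addresses(raw)
    hop = first_external_hop(raw)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "header_from_spoof": is_header_from_spoof(raw, our_domain),
        "client_ip": hop,
        "dnsbl_query": dnsbl_query_name(hop, zone) if hop else None,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key:>18}: {value}")
```

Run on the sample, the script reports the header From as anthony@domainx.com, the envelope From as e6100246d@ms29.hinet.net, the connecting client as 178.122.3.12 and the DNSBL name 12.3.122.178.zen.spamhaus.org; a real lookup of that name (with a resolver you trust) is what Postfix would do before rejecting the client.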

4 (edited by bp1 2011-04-29 16:19:32)

Re: Spoofed Email?

My postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_name = iRedMail
mail_owner = postfix
mail_version = 0.6.1
mailbox_command = /usr/libexec/dovecot/deliver
mailbox_size_limit = 15728640
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = domainx.com
myhostname = mail.domainx.com
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = mail.domainx.com
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.5.9/README_FILES
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap_recipient_bcc_maps_domain.cf, proxy:ldap:/etc/postfix/ldap_recipient_bcc_maps_user.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap_relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.5.9/samples
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap_sender_bcc_maps_domain.cf, proxy:ldap:/etc/postfix/ldap_sender_bcc_maps_user.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10032
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = 
smtpd_sasl_path = dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap_sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
transport_maps = proxy:ldap:/etc/postfix/ldap_transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap_transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap_virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap_sender_login_maps.cf, proxy:ldap:/etc/postfix/ldap_catch_all_maps.cf
virtual_gid_maps = static:501
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap_virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
virtual_minimum_uid = 501
virtual_transport = dovecot
virtual_uid_maps = static:501

iRedMail is 0.6.1.

ZhangHuangbin wrote:

Could you please paste the output of the command "postconf -n"? It would help a lot.
NOTE: remove or hide sensitive information before pasting here.

Also, which version of iRedMail do you use?
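As an added example (not from bp1's post or the iRedMail project), this Python script reads a constructed excerpt of the postconf -n output above, checks whether smtpd_recipient_restrictions consults any DNSBL (a reject_rbl_client entry), and produces the hardened value with zen.spamhaus.org added. The insertion point directly after reject_unauth_destination follows the usual Postfix documentation layout and is this example's assumption, as are the function names.

```python
# Constructed excerpt of the postconf -n output quoted above; only the
# parameters the audit reads are included.
POSTCONF_SAMPLE = """\
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
"""

DEFAULT_ZONE = "zen.spamhaus.org"   # the list recommended in the thread


def parse_postconf(text):
    """Turn 'postconf -n' output into a {parameter: value} dict.
    Parameter names never contain '=', so splitting on the first one is safe."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list as postconf -n prints it (comma separated); an
    argument such as 'check_policy_service inet:...' stays with its restriction."""
    return [r.strip() for r in value.split(",") if r.strip()]


def dnsbl_rules(restrictions):
    """Every reject_rbl_client entry already present, with its zone."""
    return [r for r in restrictions if r.split()[0] == "reject_rbl_client"]


def with_dnsbl(restrictions, zone=DEFAULT_ZONE):
    """Return a copy with 'reject_rbl_client <zone>' inserted directly after
    reject_unauth_destination. Restrictions are evaluated in order and the
    first match wins, so this placement (assumed here) keeps the lookup behind
    permit_mynetworks and permit_sasl_authenticated, so local and authenticated
    clients are never looked up, and behind the relay check, so only mail we
    would otherwise accept is checked against the list."""
    rule = f"reject_rbl_client {zone}"
    out = list(restrictions)
    if rule in out:
        return out
    try:
        idx = out.index("reject_unauth_destination") + 1
    except ValueError:
        idx = len(out)      # no relay check found: append at the end
    out.insert(idx, rule)
    return out


def audit_recipient_restrictions(postconf_text, zone=DEFAULT_ZONE):
    """Report whether a DNSBL is consulted and give the hardened value."""
    params = parse_postconf(postconf_text)
    current = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    hardened = with_dnsbl(current, zone)
    return {
        "dnsbl_rules": dnsbl_rules(current),
        "hardened_value": ", ".join(hardened),
        "changed": hardened != current,
    }


if __name__ == "__main__":
    report = audit_recipient_restrictions(POSTCONF_SAMPLE)
    print("existing DNSBL rules:", report["dnsbl_rules"] or "none")
    if report["changed"]:
        print("smtpd_recipient_restrictions =", report["hardened_value"])
```

On the sample the audit finds no reject_rbl_client entry and prints the full restriction list with reject_rbl_client zen.spamhaus.org placed between reject_unauth_destination and reject_non_fqdn_helo_hostname; that printed value can be applied with postconf -e followed by postfix reload, after which a rejected client shows up in the mail log as a 554 "blocked using zen.spamhaus.org" response rather than as a delivered message.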

5

Re: Spoofed Email?

I've added spamhaus-zen.

Thanks!

CJ

maxie_ro wrote:

The problem is that the message is not exactly "spoofed":

Passed CLEAN, LOCAL [178.122.3.12] [178.122.3.12] <e6100246d@ms29.hinet.net> -> <anthony@domainx.com>

As you can see in the logs, Postfix sees the sender as "e6100246d@ms29.hinet.net". You can also see this Return-Path in the message source:

From: <anthony@domainx.com>
return-path: <e6100246d@ms29.hinet.net>

Even if the header From is "anthony@domainx.com", Postfix sees it as "e6100246d@ms29.hinet.net" because this is what is used in the SMTP "MAIL FROM" command.

Unfortunately SPF for "ms29.hinet.net" redirects to "spf.ms.hinet.net", which doesn't have a correct SPF record, so SPF checking in Postfix wouldn't help you here (that is, in case you actually enabled SPF checking in Postfix).

I had the same problem multiple times, and I couldn't find a viable solution, because different Return-Path and envelope From addresses are used quite a lot, especially by mailing lists.

L.E.:
On the other hand, I see that the IP from which you received the message (apparently 178.122.3.12) is on quite a few blacklists, so if you had enabled those DNSBLs, Postfix would have rejected this spam message:
http://www.mxtoolbox.com/SuperTool.aspx … 8.122.3.12

Spamhaus ZEN would suffice in this case.