Users reporting a lot of spam from fake email addresses matching their domain

Hi, I'm on Ubuntu 16.04 LTS.

I've had a lot of email users lately reporting they're receiving spam from email addresses that match their domain name. Not genuine email addresses my mail users use, but instead a random name prefixing their real @domainname.com etc.

Is there a way to stop this spoofing going on?

Thanks for any help.

Status: Active

Comments

Howdy -- if you haven't already, you may want to enable greylisting (in the Email messages menu).

Greylisting can make a big difference in how much spam comes through.

Another thing to check is to verify that your domain is configured to use SPF. Having an SPF record can help cut down on spoofed email. That can be configured in Server Configuration -> DNS Options.

Awesome, thanks. I've added greylisting now to give that a go. Thanks again.

Great, let us know how that works for you.

SMTP config defaults to not accepting mail except for known users. Or maybe I changed mine, can't remember. In Webmin, check Servers >>> Postfix >>> SMTP Options; the line halfway down, "Restrictions on recipient addresses". Mine is on "permit_mynetworks permit_sasl_authenticated reject_unauth_destination". Mail is only received for existing users. I've never set up greylisting and get zero spam.

Hello there scotwnw -- we're happy to help, though it sounds like you're seeing an unrelated issue there. Could you open up a new request? We'll then help you out over there. Thanks!

No, just trying to help, was trying to answer the original poster's question.

Ah, my apologies scotwnw, I misunderstood what you were saying there. You're quite welcome to offer your thoughts, thanks!

Hi thanks Scott, I checked that option and here is what I have already:

permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023

Does that look about right?

Thanks again.

Hi, just a follow-up on this. Some users complained that there were 24-hour delays on email, which obviously, if you're a business waiting for some work on a Friday and then you're closed over the weekend, can be pretty bad, only getting the email on Monday...

So I've had to disable greylisting. But I wanted to check if there is a way to reactivate it but reduce the delayed email? Or is this completely just up to the sender server? Any tips on how to get this right?

When using greylisting, your server simply tells the sending mail servers that it will need to re-try the email later.

It's up to the sending server to re-send the message.

It will accept an email anytime after 5 minutes.

If the sending server isn't resending the email, there unfortunately isn't much you could do about that, sorry!

Submitted by unborn on Thu, 03/30/2017 - 12:34 Pro Licensee

Hi, yes it is. Deploy DKIM, SPF and DMARC, and set your DMARC policy to be strict, or as others say aggressive: reject = delete. When I did DKIM and DMARC on my server I had like 70 emails a day to root or admin@ asking why they were getting this... Since I've set up DMARC to reject and delete: zero issues. What it means is that if an email is spoofed and tries to reach the end email address of unknown people, it will not go to the spam folder, it will be deleted, which is the thing you want for end users. This cut 99% of the questions and also of the spam delivered to people from whatever@yourdomain.com; it really did the job. I mean you can greylist that rubbish out, but this has worked for me automatically for years and cut all of the burden I had from fake emails. Also DKIM will stop them out there reaching your private emails as well.

EDIT: also set up your server to refuse any email that comes to yours without valid DKIM. You will reduce a lot of spam gracefully, and fake emails as well.

Hi thanks for the replies.

Would you be able to post what your DNS record is for your _dmarc, just so I can see the difference from what I have and what makes it aggressive?

The problem is, with it being aggressive, would this mean there is a chance of legit mail bouncing?

Also, just to update: since turning off greylisting yesterday I've had a number of users now complain that they've got 50+ spam emails through the night. This is despite having SPF records in place, DMARC records AND SpamAssassin filtering turned on!

Submitted by unborn on Sun, 04/02/2017 - 05:06 Pro Licensee

@soydemadrid

I think I wrote my reply in a not very clear and user-friendly way. I am very sorry about that.

DMARC policy is for others out there. For example, I had a few people daily emailing me asking what this email from jack or robert is about, and since I am a one-man business (freelancer) there are no emails other than the ones I've sent out. As soon as I deployed a DMARC policy of reject I got those reports from sites which fully support DMARC; it does not say what spoofed (fake) email address it is coming from, but it will give you hits like how many and the IP. Meanwhile, reject means that if someone tries to send an email that looks like it is from nonexistinguser@yourdomain.com to anyone@anywhere.com, the email would be marked as spam, and if they support the policy for reject it won't be delivered to that anyone@anywhere.com, not even into the spam folder, which means user 'anyone' would not need to put your @domain.com into a spam filter = no Spamhaus dealing issues etc. DMARC is a really great thing, and if everything is set up correctly on your server, you would be clear from any of those in future. Basically it's not aggressive, it's just protecting your domain's reputation and users from spam being delivered to them, not to you.

Regarding receiving spam on your server, as I said, add a rule to your server to reject anything without valid DKIM keys. I would say this is the proper standard for any sysops (sysadmins), and if it is not in place, that should raise a red flag in your mind anyway. It is well-known good practice! Even if you deploy this on your server, you may still receive some spam, but it won't be that bad. You know you will get those properly managed spam campaigns by humans (not automatic bots); to eliminate this issue, you can set your SpamAssassin level score to 3, or lower than 5. What will happen is that you will still receive the email into your inbox, but all JS and any tracking (if any) embedded things like images in that email will be disabled, and simple text will be added to the email like 'this looks like spam' or something like that, so you would not miss anything like false positives. If abuse by spam seems legit, you can always block those with filters in your Virtualmin, to be thrown away.

For example, *@hotmail.com means anyone or anything@hotmail.com would simply be deleted. I had 99.99% of all spam coming to me from hotmail and outlook (around 800 mails alone to my own email address, not counting anyone else hosted on my server), so I just told SpamAssassin to throw those emails away right away, be it legit or not. That method could be called aggressive, but, yet again, you have various ways to tell your clients not to use those email providers, be it your contact page or the email itself. If your users still request that they have to receive it, let them, and let your SpamAssassin mark them as spam, so users can request from you as server admin to add a specific email address to the filter 'never mark as spam', or if you let them manage those settings for themselves, create a simple wiki for users; perhaps a video would be best..

Regarding records, sure I can, but you can also test mine here: https://dmarcian.com/dmarc-inspector/ and my domain is topfreelancer.co.uk. Let me know if you would still like to see those records, or perhaps how to set them up... I can create some YouTube video for you or something. But the 'basic record' looks like this: v=DMARC1; pct=100; ruf=mailto:postmaster@topfreelancer.co.uk; rua=mailto:postmaster@topfreelancer.co.uk; p=reject
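A small parser and policy check for DMARC records like the one quoted above, added here as an example (it is not code from this thread or from Virtualmin). It answers the "what makes it aggressive" question mechanically: only p=reject with pct=100 refuses every failing message; p=none only reports. The records in the __main__ block are the one from the post plus a constructed monitor-only one.

```python
import re

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a lowercase tag -> value dict.

    Raises ValueError for the malformations that most often break a record:
    v=DMARC1 not first, missing or invalid p=, a tag with no '='.
    """
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"tag without a value: {field!r}")
        name, value = field.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def assess_dmarc(record: str) -> dict:
    """Describe what a DMARC-aware receiver does with mail that fails alignment."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy),  # sp= falls back to p=
        "pct": pct,
        # 'aggressive' in the thread's wording: every failing message is refused
        "enforcing": policy == "reject" and pct == 100,
        "aggregate_reports_to": re.findall(r"mailto:([^,\s!]+)", tags.get("rua", "")),
        "alignment": (tags.get("adkim", "r"), tags.get("aspf", "r")),  # r = relaxed
    }


if __name__ == "__main__":
    for rec in (
        "v=DMARC1; pct=100; ruf=mailto:postmaster@topfreelancer.co.uk; "
        "rua=mailto:postmaster@topfreelancer.co.uk; p=reject",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",  # constructed sample
    ):
        print(assess_dmarc(rec))
```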

In regards to the greylisting problem you were having -- is it just a handful of domains you're having problems receiving email from?

You can always configure Postgrey to not greylist certain domains, and have it greylist all the others.

You can add domains to the file "/etc/postgrey/whitelist_clients.local" in order to whitelist them.

Then, type "killall postgrey" to stop the Postgrey client (there's a bug in some distros' init scripts that prevents it from restarting the service using the script), and then "service postgrey start" to start it back up.

Hi, thanks for the tips.

It is more that 1 or 2 virtual servers are having a real problem with the delays. Rather than whitelisting incoming mail servers, is there any way to have greylisting on but whitelist a couple of my own domains/virtual servers, so they don't use the greylisting if emails are addressed to them?

Thanks again for any help

I don't know if this will work, as they don't show an example of whitelisting an entire recipient domain... but it's worth a try.

Try adding something like *@domain.tld to "/etc/postgrey/whitelist_recipients.local", and then restart Postgrey as described above.

Submitted by unborn on Mon, 04/03/2017 - 13:10 Pro Licensee

@andreychek

...as I suggested earlier.. - not bad for human :)

Hi thanks to both of you.

Unborn, your replies were awesome, in-depth, courteous and just set a great example really. I wish everyone online could post for and receive help with your kind of approach. I've since tweaked DMARC and added DKIM signing for outgoing mail etc. Thank you!

And Eric, well you've always been awesome, you always are. That postgrey domain recipient whitelisting works a treat. If I just add the mydomain.com line and tick regexp it just works. No need for @ (or .@ as another thread mentions). I've kept an eye on the mail logs and can see mail being whitelisted for those domains now.

Thanks again guys :)

Submitted by unborn on Tue, 04/04/2017 - 12:39 Pro Licensee

@soydemadrid

Thank you for the kind words, and you are very welcome. I am glad you have done your tweaks; you have protected your server, your users and many others against email spoofing and spam. Yet still, if you need some YouTube 'video' or you think something is missing out there in the docs, we (you and me and others) can still make it right. I maintain an external repo with human-friendly markdown files regarding Virtualmin... you can do the same, or perhaps share your knowledge with others by using that repository and adding your knowledge to it (I'm sorry it has to be 'public' like this, but as the Virtualmin site does not allow you to edit or restore or even have git repos of your own, it is a shame, I know, but I believe they are working on it and one day you will be able to add value to these docs yourself)...

If my replies did not help you, I'm sorry then, but at least I've tried. At the end of the day, if you did 'resolve' your issue, please mark it here as fixed or resolved (I do not remember clearly what wording the Virtualmin guys are using)..