Spammer using my email address

I recently had an incident on my Virtualmin server where it was swamped with bounce emails. It appears that a spammer managed to use the email address of a client on one of my virtual servers in order to send spam mail to untold email addresses - of course he was not a particularly selective spammer, and had many generated email addresses, so in a period of 80 odd hours, over 700000 bounce messages were sent to my mail server - all to a single email address. I have now used the Disable domain option to disable the entire domain, however, it would be good if I could just disable the one email address so mails to that address are bounced - could you tell me how I could do this? (I did try just commenting out the user name in /etc/passwd, but this did not help at all.)

Thanks in advance

Status: Active

Comments

Howdy -- if you're interested in stopping emails to a given address, you can always go into Edit Users -> USERNAME -> Email Settings, and in that section, set "Primary email address enabled" to "No".

The Support area here is for folks using Virtualmin Pro though... if you're using Virtualmin GPL, we'd encourage you to use the Forums for support. We monitor those, along with lots of wonderful folks in the community.

One thing of note is that it may be worth trying to dig into those bounce messages a bit more, to make sure there isn't a deeper problem.

If disabling the email address fixes it, that's great, but if it keeps occurring, you may want to post some additional details about that to the Forums in the hopes of figuring out if there's a solvable cause.

This is known as joe-jobbing, when spammers impersonate someone else and all the spam backscatter (bounces) gets sent to you.

What you can do to avoid it is to set up a restrictive SPF policy which says "this domain only sends email from the IP of mail.mydomain.com, deny all other IPs", meaning that when spammers connect to someone and want to spam, pretending to be you, they will be denied (if the server implements SPF, most modern ones do). This severely reduces the amount of backscatter you get. It works by verifying the Envelope-From of the sender during the email transaction.

Here's an example SPF policy, imagining that you send email from "mx1.mydomain.com and mx2.mydomain.com":

mydomain.com. IN TXT "v=spf1 a:mx1.mydomain.com a:mx2.mydomain.com -all"
mydomain.com. IN SPF "v=spf1 a:mx1.mydomain.com a:mx2.mydomain.com -all"

This says to allow email to be sent from your domain ONLY if the sending mail server's IP is one of mx1 or mx2's IPs. Meaning that most impersonation spam will be rejected by the recipient servers.

SPF allows more advanced policies, like for instance imagining that mx1.mydomain.com is on 81.82.83.1 and you want to allow 81.82.83.### as legal IPs to be sending email, to ease management and adding servers later:

mydomain.com. IN TXT "v=spf1 a:mx1.mydomain.com/24 -all"
mydomain.com. IN SPF "v=spf1 a:mx1.mydomain.com/24 -all"

This record tells the receiving mail server: "look up the IP of mx1.mydomain.com and then allow everything in the 255.255.255.0 netmask", which means that it looks at the IP and then allows any sender whose IP matches 81.82.83.### where ### may be anything from 0 to 255.

Remember that you must also add any relays if you aren't the only server sending emails for your domain. I.e. if you pass outgoing emails through another service provider, you'll have to add entries to the SPF records that whitelist them too.

I hope this gets you started. Good luck.
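To show how a receiving server evaluates the two policies above against a connecting IP, here is an added example (not part of the original thread or of Virtualmin). It uses a constructed in-memory DNS table in place of real lookups, with the hostnames and the 81.82.83.x addresses from the records above, and only supports the mechanisms this thread uses (a:host, a:host/prefix, ip4:, and the -all / ~all terminal).

```python
import ipaddress

# Constructed DNS answers standing in for real A-record lookups, so this runs offline.
# The hostnames and addresses match the example SPF records in the thread.
FAKE_DNS_A = {
    "mx1.mydomain.com": ["81.82.83.1"],
    "mx2.mydomain.com": ["81.82.83.2"],
}

# The two policies from the thread: strict (two named hosts) and the /24 variant.
STRICT_POLICY = "v=spf1 a:mx1.mydomain.com a:mx2.mydomain.com -all"
SUBNET_POLICY = "v=spf1 a:mx1.mydomain.com/24 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, dns=FAKE_DNS_A):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip under record.

    Mechanisms are checked left to right; the first match decides the result,
    exactly as a receiving MTA does when it checks the Envelope-From domain.
    Only a:host[/prefix], ip4:cidr and all are implemented here.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech == "a":
            # a:host/24 means: resolve host, then accept its whole /24 (255.255.255.0)
            host, _, prefix = arg.partition("/")
            prefix = int(prefix) if prefix else 32
            networks = [ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
                        for addr in dns.get(host, [])]
        elif mech == "ip4":
            networks = [ipaddress.ip_network(arg, strict=False)]
        else:
            raise ValueError(f"unsupported mechanism in this example: {mech}")
        if any(ip in net for net in networks):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and the record has no 'all' term
```

Under STRICT_POLICY only 81.82.83.1 and 81.82.83.2 pass, while under SUBNET_POLICY any 81.82.83.x address passes and everything else fails.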

I also strongly suggest that you make sure that the killed mailbox really returns a "permanent rejection" error, so that bounces will be denied at the delivery stage, and sending mailservers will stop retrying.

I do this manually by having a hash-access map in Postfix where addresses can be added to be rejected, but I believe that andrey's advice will disable the mailbox and is sufficient. His advice should cause your server to reply with "550 User unknown in virtual address table" which means a "permanent no-such-user delivery failure" which tells the sending servers to give up.

Look in /var/log/maillog to see what rejection code is being given. You must be really sure it's 550 or at least in the 5xx permanent error range so that servers stop trying to deliver the bounces to you.

After a week or two, it should be okay to re-enable the mailbox and begin using it again, but in this case you've received nearly a million backscatter emails, meaning that the reputation of that address has been destroyed. In your case I suggest permanently closing that mailbox and beginning to use another address instead. This time, have an SPF record from day 1. ;-)