
Possible Duplicate:
How to stop people from using my domain to send spam?

I am running a mail server with Ubuntu + Postfix + Maia Mailguard + Dovecot. Everything had been working well until recently, when people started receiving spam emails that appear to be sent from my domain.

For example:

From: myname@example.com
To: myname@example.com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 1234

But the return path is along the lines of:

Return-Path: <somename@spammer.com>

(See header and main.cf for mail servers below for more information.)

Would anyone have any suggestions as to the best way to block this type of email? Some information that might be important: some of our users work remotely and so can connect to the gateway running Dovecot to receive (IMAPS) and send (SMTP, authenticated) from any location in the world. I am not sure if this makes it harder to block the spam.

Example header of Spam:

Return-Path: <somename@spammer.com>
Delivered-To: myname@example.com
Received: from mail.example.com (gateway.localhost [10.0.0.1])
    by mail-int (Postfix) with ESMTP id 59CC1211180
    for <myname@example.com>; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
Received: from localhost (localhost [127.0.0.1])
    by mail.example.com (Postfix) with ESMTP id 43EE4C0F5
    for <myname@example.com>; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
Received: from mail.example.com ([127.0.0.1])
 by localhost (mail.example.com [127.0.0.1]) (amavisd-maia, port 20004)
 with ESMTP id 21183-01-6 for <myname@example.com>;
 Tue, 01 Aug 2012 12:00:00 +0100 (IST)
Received: from [xx.xx.xx.xx] (unknown [xx.xx.xx.xx])
    by mail.example.com (Postfix) with ESMTP id 946DBC0EB
    for <myname@example.com>; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
Received: from  by mx1.optonline.net; Tue, 01 Aug 2012 12:00:00 +0100
Date: Tue, 01 Aug 2012 12:00:00 +0100
From: <myname@example.com>
Reply-To: <myname@example.com>
X-Priority: 3 (Normal)
Message-ID: <23443546456345234@example.com>
To: myname@example.com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 8702
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------27AF424950946E7"
X-Virus-Scanned: Maia Mailguard 1.0.2

main.cf for postfix on Gateway

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

### relayhost = www.example.com

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

### from previous config file:
soft_bounce = no
queue_directory = /var/spool/postfix
mydomain = example.com
# debug_peer_level = 2

# SPAM Processing
content_filter = amavis:[127.0.0.1]:20004
## content_filter = smtp-amavis:[127.0.0.1]:20004

##queue_minfree = 24000000
notify_classes = 2bounce,resource,software

address_verify_negative_expire_time = 30h
bounce_queue_lifetime = 48h
maximal_queue_lifetime = 50h
delay_warning_time = 20h

### new things:

alias_maps = hash:/etc/aliases
myorigin = $mydomain
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, 10.0.0.0/24, xx.xx.xx.xx
message_size_limit = 20971520
local_transport = error:No local mail delivery
mydestination = 
# mydestination = $myhostname, localhost.$mydomain, mail.$mydomain, local.$mydomain
local_recipient_maps = 
# local_recipient_maps = hash:/etc/postfix/recipients
virtual_maps = hash:/etc/postfix/virtual
virtual_alias_maps = $virtual_maps
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
relay_domains = hash:/etc/postfix/relay_domains
recipient_delimiter = 

smtpd_helo_required = yes

smtpd_sender_login_maps = pcre:/etc/postfix/senders_map, hash:/etc/postfix/senders_map_other

smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauthenticated_sender_login_mismatch
## smtpd_recipient_restrictions = check_client_access,  hash:/etc/postfix/relay_clients
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_unknown_recipient_domain, reject_unverified_recipient
smtpd_data_restrictions = reject_unauth_pipelining
### 2012-03-27
# add header for authenticated mail to strip IP
smtpd_sasl_authenticated_header = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
header_checks = pcre:/etc/postfix/header_checks.pcre
body_checks = pcre:/etc/postfix/body_checks
unverified_recipient_reject_code = 550

##smtpd_client_connection_count_limit = 5
#default_process_limit = 4

disable_vrfy_command = yes

##### SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
##smtpd_sasl_local_domain = $mydomain
smtpd_sasl_application_name = smtpd
#broken_sasl_auth_clients = yes

##### TLS parameters
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_security_level = may 
smtpd_tls_security_level = may 
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes 
smtpd_tls_loglevel = 1 
smtpd_tls_received_header = yes 
smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom 
smtpd_tls_cert_file=/etc/ssl/private/mail_example_com.crt
smtpd_tls_key_file=/etc/ssl/private/mail_example_com.key 
smtp_tls_CAfile = /etc/ssl/private/comodo-bundle.crt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

main.cf for postfix on internal mail server

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

myorigin = example.com
#### mydestination = example.com, localhost
### mydestination = 
mynetworks = 127.0.0.0/8, 10.0.0.0/24
myhostname = mail-int
mydomain = example.com

relayhost = 10.0.0.1

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no

## Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
message_size_limit = 20971520
smtpd_helo_required = yes


## TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
## See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
## information on enabling SSL in the smtp client.

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

### mailbox_transport = dovecot
virtual_transport = dovecot
virtual_mailbox_base = /home/MAIL
virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf
virtual_mailbox_domains = example.com
virtual_domain = example.com
virtual_minimum_uid = 30000
virtual_uid_maps = static:500
virtual_gid_maps = static:500
virtual_alias_maps = hash:/etc/postfix/aliases-virtual, ldap:/etc/postfix/ldap-aliases.cf

#allow_mail_to_files = alias
allow_mail_to_commands = alias
#alias_maps = hash:/etc/postfix/aliases
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

## Dovecot Deliver:
#mailbox_command = /usr/local/libexec/dovecot/deliver
mailbox_command = /usr/lib/dovecot/deliver
dovecot_destination_recipient_limit = 1
Jan Geep

2 Answers


Coincidentally, we're working on a Canonical Question about fighting spam:

Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?

I think this is the type of spam that gets identified by setting up SPF and DKIM for your domain. Your antispam scanner in Amavis will be better able to pick these up as spam messages, as, with SPF, you will designate only specific servers as those that are allowed to send mail for mydomain.com, and, with DKIM, you will sign outgoing mail for your domain.

cjc

I'd recommend visiting our canonical thread on fighting spam for more detailed ideas on how to improve your spam-blocking capabilities, but I'd suggest a rule to filter from addresses based on location of the server being received from, or setting up Sender Policy Framework for your domain to establish the list of valid mailservers for your domain. After all, you shouldn't be receiving email from your domain, unless it's coming from an internal address, or the gateway, right? So if it comes from your domain, and is sent by an external mail server, it should probably be assigned a higher spam value or rejected.

HopelessN00b
  • is it backscatter though? My understanding was backscatter was bounce messages received as a result of my email address being used as in the from field when sending spam. What's happening here is, real spam is getting though with the sender set to mydomain. – Jan Geep Aug 27 '12 at 10:18
  • @JanGeep My apologies, I didn't read the message carefully enough. You are correct, it's not backscatter. I'll update and/or delete my answer as appropriate. – HopelessN00b Aug 27 '12 at 10:20
  • I don't suppose you'd have examples of rules to block sender based on location as this seems the most logical option? – Jan Geep Aug 27 '12 at 10:47
  • @JanGeep No, I don't and would recommend setting up SPF for your domain if at all possible anyway. And probably using spam assassin as well, which it doesn't look like you're doing. Either should be effective, and both should reduce the amount of spam you get quite substantially. – HopelessN00b Aug 27 '12 at 10:57
  • thanks SPF it is, I guess. Maia Mailguard uses spamassassin so it is being used. I guess I'll just have to train it more. – Jan Geep Aug 27 '12 at 11:11
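Putting both answers into configuration, as an added example that is not part of either answer or of the asker's posted main.cf: an SPF record that designates the gateway as the only host allowed to send mail with an example.com envelope sender, and a check_sender_access rule on the gateway that rejects example.com envelope senders arriving from anywhere other than mynetworks or an authenticated session. xx.xx.xx.xx is the elided gateway address from the question's mynetworks line and must be replaced; the reject text is an assumption, not anything from the thread.

```text
# --- DNS: SPF record for example.com (zone-file syntax) ---
# Only the gateway's public address may send mail whose envelope sender
# (MAIL FROM / Return-Path) is in example.com. Publish "~all" (softfail)
# first, confirm every legitimate sender is listed, then tighten to "-all".
example.com.    IN  TXT  "v=spf1 ip4:xx.xx.xx.xx -all"

# --- Gateway /etc/postfix/main.cf, changed parameter only ---
# Order matters. With the default smtpd_delay_reject = yes all restriction
# lists are evaluated at RCPT TO, sender restrictions before recipient
# restrictions, so the remote SASL users from the question must be
# permitted *here* too; permit_sasl_authenticated in
# smtpd_recipient_restrictions alone would not save them from the REJECT.
#
# Before (from the question):
#   smtpd_sender_restrictions = permit_mynetworks,
#       check_sender_access hash:/etc/postfix/sender_access, ...
#
# After:
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauthenticated_sender_login_mismatch

# --- /etc/postfix/sender_access ---
# Rebuild with: postmap /etc/postfix/sender_access ; then: postfix reload
# Any example.com envelope sender (subdomains included, via the default
# parent_domain_matches_subdomains) that reaches this lookup came from
# neither mynetworks nor an authenticated client, so it is forged.
example.com     REJECT Forged sender: example.com mail must be submitted with authentication
```

Two caveats a practitioner should keep in mind. First, the posted config already has reject_unauthenticated_sender_login_mismatch with smtpd_sender_login_maps, which rejects unauthenticated clients using any envelope sender listed in those maps; the access rule above extends that to every address in the domain, listed or not. Second, SPF and check_sender_access both act on the envelope sender, and in the sample message the Return-Path is at spammer.com while only the From: header is forged, so neither will reject that particular message at SMTP time. Catching the forged header is left to the Maia/SpamAssassin content filter, which is where DKIM-signing your own outbound mail (cjc's answer) gives it something to score against. A header_checks rule on From: is not a substitute here: header_checks run in the cleanup daemon on every message, including the internal server's outbound mail relayed through the gateway, so it would reject your own users' mail.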