
As a quick background, we have spam that is being sent out with our domain name. As a result we have added an SPF record to our domain DNS. Obviously this will assist in making sure this spam is not delivered; however, the question is whether this spam is actually originating from our server. We received an abuse report from our host provider with the following headers:

Received: from mx.poczta.onet.pl (unresolved [10.174.34.83]:53105)
    by ps15.m5r2.onet (Ota) with LMTP id 6B66CFF656749
    for <x>; Fri, 10 Mar 2017 23:36:17 +0100 (CET)
Received: from www.mydomain.com (unknown [xxx.xxx.xxx.xxx])
    by mx.poczta.onet.pl (Onet) with ESMTP id 3vg2DJ4tX1z92
    for <x>; Fri, 10 Mar 2017 23:36:16 +0100 (CET)
Date: Fri, 10 Mar 2017 17:36:15 -0500
To: x
From: Bethany <bethany@mydomain.com>
Subject: [SPAM] Do you want to give your man a strong...?
Message-ID: <8399________________________58f3@www.mydomain.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_8399a58bdbb7157cb3aeb3dc3e3f58f3"
Content-Transfer-Encoding: 8bit
X-ONET_PL-MDA-SEGREGATION: 0
X-ONET_PL-MDA-Version: 1.0.25
X-ONET_PL-MDA-Info: 015 35161 6B66CFF656749 1.000000
X-ONET_PL-MDA-From: bethany@mydomain.com
X-ONET_PL-MDA-Spam: YES

NOTE: I have dubbed out all places that include my domain with "mydomain.com" and my server's actual IP with xxx.xxx.xxx.xxx. All other uncensored information has no relation to me that I am aware of.

My understanding of SMTP headers is that ONLY the top "Received" line is true and any "Received" below that is forged. If this is the case, would that not mean that the spam is actually originating from the spammer at "10.174.34.83" and not my own IP xxx.xxx.xxx.xxx?

It may also be worth noting that Bethany@mydomain.com is not a valid email and does not exist. We use GSuite for our emails.

  • For the future, use `example.com`, instead of the domain `mydomain.com`, since you might attract spammers to the email servers at the linked domain, and example.com doesn't have any mail servers – Ferrybig Apr 19 '17 at 07:27

1 Answer


Please don't obfuscate your server's identity. It makes it impossible to check the DNS configuration to assist you.

You are incorrect in believing that all Received headers are forged. However, they may be. Given the headers you have provided, if the IP on the second header is correct and that IP does not pass rDNS validation, it may well originate from your network. I assume the IP is not from your mail server, as its IP address should have passed rDNS validation.

A few things you can do:

  • Look for unexpected software running on the server with the IP address in the second header.
  • Block all internet traffic on port 25 for all servers except your mail server(s).
  • Investigate implementing DMARC for your domain. This should give you a quick indication if you really are originating spam as well as the IP addresses it is originating from.
  • On your mail server, block all outgoing traffic on port 25 from user ids other than the one your mail server runs as.
  • Ensure your SPF policy ends -all, and only lists your outgoing mail servers.
  • Add an SPF record to all non-mail originating domains (such as www) specifying a policy of -all.
  • Add an SPF record to your mail servers' domain(s) specifying a policy of A -all.
  • Ensure your mail server does not forward mail from the internet unless the user has authenticated. This should only be allowed on the submission port (587). With the given headers this should not be the case unless you remove received headers when sending mail.
  • Develop and implement an email policy such as mine.
– BillThor
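Reading the Received chain the way the answer describes, as an added example that is not part of the original answer: it unfolds the headers, walks the hops newest-first, and reports the first hand-off from the recipient's own infrastructure to an outside host. The sample is constructed from the report above, with the questioner's masked IP replaced by the documentation address 203.0.113.5 so it parses.

```python
import re

# Constructed sample: the Received chain from the abuse report above, with the
# questioner's masked IP replaced by the documentation address 203.0.113.5.
RAW_HEADERS = """\
Received: from mx.poczta.onet.pl (unresolved [10.174.34.83]:53105)
    by ps15.m5r2.onet (Ota) with LMTP id 6B66CFF656749
    for <x>; Fri, 10 Mar 2017 23:36:17 +0100 (CET)
Received: from www.mydomain.com (unknown [203.0.113.5])
    by mx.poczta.onet.pl (Onet) with ESMTP id 3vg2DJ4tX1z92
    for <x>; Fri, 10 Mar 2017 23:36:16 +0100 (CET)
From: Bethany <bethany@mydomain.com>
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[([0-9.]+)\]")


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_received(raw):
    """Return the Received hops newest-first as (from_host, from_ip, by_host)."""
    hops = []
    for line in unfold(raw).splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line)
        if m:
            ip = IP_RE.search(m.group(2))
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return hops


def first_external_hop(hops, trusted_suffixes):
    """Walk newest-first and return the first hop that one of the receiving
    site's own hosts accepted from an outside host. Hops above it are internal
    relays (here the RFC 1918 address 10.174.34.83 inside onet.pl); hops below
    it were written by the sender and cannot be trusted."""
    def ours(host):
        return host.endswith(trusted_suffixes)
    for from_host, from_ip, by_host in hops:
        if ours(by_host) and not ours(from_host):
            return from_host, from_ip
    return None


if __name__ == "__main__":
    chain = parse_received(RAW_HEADERS)
    print(first_external_hop(chain, (".onet", ".onet.pl")))  # ('www.mydomain.com', '203.0.113.5')
```

The result is the host that handed the message to the recipient's MX, which is the IP to audit; the 10.x address on the top line is the recipient's own internal relay, not the spammer.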
  • I apologize, noted for the future. You are correct in the assumption that the second IP is correct and also that it is not my actual mailserver. It points to the server which we host our wordpress site on and aside from a few internal wordpress mails we do not use it as a primary mail server. We have implemented the SPF record changes to only allow google but have not done anything with DMARC. Thank you for the advice. – Jacob Sharkey Apr 19 '17 at 00:42
  • @JacobSharkey It seems you have malware or a broken plugin on the WordPress server. First step would be to block port 25 access to the internet on this server. – BillThor Apr 19 '17 at 00:45
  • Thank you, that was my original assumption, but I read an article stating that only the first Received entry is valid and spammers typically forge an entry under it that matches the domain. In this case xxx.xxx.xxx.xxx does in fact resolve to mydomain.com. I must have misunderstood or the article was incorrect. I will proceed with scanning the server for the malware and blocking port 25 in the interim. Do you have any tips for locating the origin script that is sending the emails? – Jacob Sharkey Apr 19 '17 at 00:54
  • @JacobSharkey Spammers may inject fake headers, usually a list of 2 to 4 headers. Spam is usually sent directly to you, in which case only the first header is correct. However, they also use open relays and you need to trace back. It is usually fairly obvious where the faked headers begin. – BillThor Apr 19 '17 at 01:01