strangely incoming mails


strangely incoming mails

Zsombor B
Hello,


I'm confused and need your help.

I run a small server with rspamd as spam filter (smtpd_milters =  
inet:localhost:11332).
There are only a limited number of users, they only can send emails  
with smtp auth.

Until recently everything was fine, but in the last couple of days a huge
amount of undetected spam arrived in all mailboxes.

The thing is that all these emails are avoiding rspam completely (but
other incoming mails are filtered as it is supposed to happen).

I started some investigation and found this:
- for years now, because of reasons I put an extra header to all
outgoing emails (with header_checks and PREPEND)
- I have tested again and "normal" incoming emails (spam & ham) don't
contain this extra header, just outgoing mails, so this works fine
- however, although the mentioned spam seemingly comes from the internet
(there is an "external" IP and hostname in the "Received: from" header),
this extra outgoing header ("X-Original-Outgoing-Mail") can be seen in the
mail headers as if it was sent out from my server

The whole mail header can be found here: https://pastebin.com/UVK3d2V8 
(there's nothing special in it, except there is no rspamd invoked).

My first thought was that some of the "internal" senders (family &
friends) got infected and they are sending these mails somehow, but I
also have rspamd in "non_smtpd_milters" (and it's also not triggered)
and there is an "external" IP and hostname in the incoming mails.

Any idea what's going on (especially for the extra outgoing header  
that appears in the incoming spam)?


Any advice is appreciated,
Zsombor



Re: strangely incoming mails

Bastian Blank-3
On Sun, Sep 13, 2020 at 10:17:16PM +0200, Zsombor B wrote:
> I'm confused and need your help.

And we need information, see
http://www.postfix.org/DEBUG_README.html#html

Bastian

--
The more complex the mind, the greater the need for the simplicity of play.
                -- Kirk, "Shore Leave", stardate 3025.8

Re: strangely incoming mails

Fred Morris
In reply to this post by Zsombor B
I concur with the person who suggested reviewing the DEBUG_README,
particularly reviewing logs surrounding one of the messages in question.

In addition, you've elided too much in the pastebin post to be useful in
answering the following question:

* Is the address in the Received: header your address or the spammer's or
someone else's?

In addition, /what does it look like if/:

* Someone sends mail (using smtp auth) which is from their local account
and delivered locally?

* Someone relays mail (using smtp auth) which is delivered locally?

(I'm omitting /why/ as well as some specific questions which I assume
would be answered by the output from postconf -n, such as what ports
you are running SMTP auth on.)

--

Fred Morris


Re: strangely incoming mails

Viktor Dukhovni
In reply to this post by Zsombor B
On Sun, Sep 13, 2020 at 10:17:16PM +0200, Zsombor B wrote:

> I started some investigation and found this:
> - for years now, because of reasons I put an extra header to all  
>   outgoing emails (with header_checks and PREPEND)

When Postfix *prepends* a header, the header is placed at the top of the
message, above all other headers (including the locally added Received
header).

> - I have tested again and "normal" incoming emails (spam & ham) don't  
> contain this extra header just outgoing mails so this works fine

You really can't depend on inbound mail not containing a particular
header.  If you want separate processing for inbound and outbound mail,
add a header that signals that mail *is* external when it comes from
outside, rather than add an easily forged header that mail is internal
when it arrives from inside.  Or better yet, don't cross the streams,
run inbound and outbound mail through entirely separate filters.

> is an "external" IP and hostname in the "Received: from" header) this  
> extra outgoing header ("X-Original-Outgoing-Mail") can be seen in the  
> mail headers as it was sent out from my server
>
> The whole mail header can be found here: https://pastebin.com/UVK3d2V8 
> (there's nothing special in it, except there is no rspamd invoked).

But it was not at the top of the message headers!  Unless the message
headers got reordered along the way, this header was NOT prepended by
Postfix.

--
    Viktor.
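A small check for the header-ordering point made above, added here as an example and not part of the thread. It parses a message's header block in on-the-wire order and reports whether the X-Original-Outgoing-Mail header sits above the Received line written by the local server (where a Postfix PREPEND puts it) or below it (in which case the local Postfix did not add it and the header came in with the message). The header name, MY.MAIL.SERVER, SOME.EXTERNAL.DOMAIN and A.B.C.D are the placeholders from the thread; the three sample header blocks are constructed.

```python
"""Added example (not from the thread): check where a PREPENDed header sits.

Postfix places a header_checks PREPEND header above every existing header,
including the Received header the local server adds.  So if the outbound
"trust" header shows up *below* the local Received line, the local Postfix
did not prepend it: it arrived inside the message from outside and must not
be treated as a sign of internal origin.  The names below are placeholders
taken from the thread.
"""
from email import message_from_string

TRUST_HEADER = "X-Original-Outgoing-Mail"            # header PREPENDed to outbound mail
LOCAL_RECEIVED_MARK = "by MY.MAIL.SERVER (Postfix)"  # how our own Received line reads


def header_sequence(raw_headers: str) -> list[tuple[str, str]]:
    """Parse a raw header block into (name, value) pairs in on-the-wire order.

    email.parser keeps header order; folded continuation lines are collapsed
    to single spaces so a substring match on the value is straightforward.
    """
    msg = message_from_string(raw_headers)
    return [(name, " ".join(value.split())) for name, value in msg.items()]


def classify_trust_header(raw_headers: str) -> str:
    """Return 'absent', 'prepended_locally' or 'forged_or_external'."""
    seq = header_sequence(raw_headers)
    trust_idx = next(
        (i for i, (name, _) in enumerate(seq) if name.lower() == TRUST_HEADER.lower()),
        None,
    )
    if trust_idx is None:
        return "absent"
    local_idx = next(
        (i for i, (name, value) in enumerate(seq)
         if name.lower() == "received" and LOCAL_RECEIVED_MARK in value),
        None,
    )
    # Either our server never stamped the message, or the trust header sits
    # below the Received line our server wrote: our Postfix did not prepend it.
    if local_idx is None or trust_idx > local_idx:
        return "forged_or_external"
    return "prepended_locally"


# Constructed sample 1: mail our server sent; the PREPENDed header is on top.
OUTBOUND_OK = "\n".join([
    "X-Original-Outgoing-Mail: yes",
    "Received: from [192.0.2.10] (unknown [192.0.2.10])",
    "    by MY.MAIL.SERVER (Postfix) with ESMTPSA id 0A1B2C3D4E5F",
    "    for <friend@example.net>; Mon, 14 Sep 2020 15:00:00 +0200 (CEST)",
    "From: me@example.org",
    "To: friend@example.net",
    "Subject: hello",
    "",
    "",
])

# Constructed sample 2: shaped like the spam in the thread; the header is below
# the Received line our server wrote, so it came in with the message.
INBOUND_SPAM = "\n".join([
    "Received: from SOME.EXTERNAL.DOMAIN (SOME.EXTERNAL.DOMAIN [A.B.C.D])",
    "    by MY.MAIL.SERVER (Postfix) with ESMTP id 4AC1F8DF7D",
    "    for <user@example.org>; Mon, 14 Sep 2020 16:16:01 +0200 (CEST)",
    "From: someone@some.external.domain",
    "To: user@example.org",
    "X-Original-Outgoing-Mail: yes",
    "Subject: hello",
    "",
    "",
])

# Constructed sample 3: ordinary inbound mail without the header at all.
INBOUND_CLEAN = "\n".join([
    "Received: from mail.example.net (mail.example.net [198.51.100.7])",
    "    by MY.MAIL.SERVER (Postfix) with ESMTPS id 9F8E7D6C5B4A",
    "    for <user@example.org>; Mon, 14 Sep 2020 16:20:00 +0200 (CEST)",
    "From: peer@example.net",
    "To: user@example.org",
    "Subject: hello",
    "",
    "",
])


if __name__ == "__main__":
    samples = (("outbound", OUTBOUND_OK), ("spam", INBOUND_SPAM), ("clean", INBOUND_CLEAN))
    for label, raw in samples:
        print(f"{label:9s} -> {classify_trust_header(raw)}")
```

The same check can be run over a saved header block such as the one in the pastebin. It also shows why the header is not usable as a trust signal: any sender can include it, so which filter chain a message goes through should be decided by the listener it arrived on, not by a header inside the message.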

Re: strangely incoming mails

Zsombor B
In reply to this post by Zsombor B
Hi,



Thanks everyone for the replies. Sorry I can only answer this way now.

This is postconf -n: https://pastebin.com/SmZG9SxG
This is master.cf: https://pastebin.com/S6h83rxi


1)
Bastian Blank:

I started to check the steps on  
http://www.postfix.org/DEBUG_README.html but it will take some time.


2)
Fred Morris:

> Is the address in the Received: header your address or the spammer's  
> or someone else's?

This is an actual "Received" header of such a spam mail:

Received: from SOME.EXTERNAL.DOMAIN (SOME.EXTERNAL.DOMAIN [A.B.C.D])
by MY.MAIL.SERVER (Postfix) with ESMTP id 4AC1F8DF7D
for <[hidden email]>; Mon, 14 Sep 2020 16:16:01 +0200 (CEST)

> * Someone sends mail (using smtp auth) which is from their local  
> account and delivered locally?

I have sent a mail from my local account to myself with Thunderbird:  
https://pastebin.com/ZCfX5GXg

Also these are the headers of a "good" incoming mail (with lots of  
headers added by rspamd): https://pastebin.com/qQvmKp1K

> * Someone relays mail (using smtp auth) which is delivered locally?

I don't get this, sorry.


3)
Viktor Dukhovni:

> But it was not at the top of the message headers!  Unless the message
> headers got reordered along the way, this header was NOT prepended by
> Postfix.

Hmm... I'm sure I didn't reorder the headers.
Are you saying that someone has caught the content of this extra
header in an outbound mail and put it back when they send emails to me,
mimicking that it was sent from my server? BTW I don't use the content
of this header anymore, it's just kind of legacy stuff, so it will be
removed.


Thanks again,
Zsombor



Re: strangely incoming mails

James Moe
In reply to this post by Zsombor B
On 9/13/20 1:17 PM, Zsombor B wrote:

> The thing is that all these emails are avoiding rspam completely (but  
> other incoming mails are filtered as it supposed to happen).
>
  Does rspamd have pre-filters deciding if a mail is worthy of testing?
  Is there a filter that detects your custom header entry and does not call
rspamd if found?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





Re: strangely incoming mails

Benny Pedersen-2
James Moe skrev den 2020-09-14 21:24:
> On 9/13/20 1:17 PM, Zsombor B wrote:
>
>> The thing is that all these emails are avoiding rspam completely (but
>> other incoming mails are filtered as it supposed to happen).
>>
>   Does rspamd have pre-filters deciding if a mail is worthy of testing?
>   Is there a filter that detects your custom header entry and does not
> call
> rspamd if found?

rspamd supports sasl auth via milter call; if using plain smtp it can be
solved with postfix master.cf calling different listeners in rspamd, so
mapping pickup and submission to other rspamd services is not the same as
if it was from port 25

please read the imho good docs on all software used