Need help understanding why some spam attack emails get rejected and others not

Jan 20, 2022
Our servers are currently under a spam attack trying to use our mail gateways as open relay and for reasons yet unknown, quite a few got through.
After a reboot (and update) the vast majority of connection requests get blocked with a relay access denied, as they should. But there are some which still get accepted and would be passed on if not for an additional rule I added today.

The screenshot below shows two emails from the attacker to a random email address; none of the domains are ours.
The first one is only caught because of the Block DHL rule I created as a workaround.
The second one is rejected right away, as it should be, but it's unclear why.

Can anyone spot a difference between those two emails or can think of a reason why the first one is accepted initially?
The actual sender or receiver email doesn't seem to matter, so there must be something else at play?

[screenshot 1676915975615.png: the two log entries referred to above, not reproduced]
 
are you sure your external/internal ports are configured correctly?
how is your pmg configured in general? (ports/relay domains/trusted networks?)
did you modify the postfix template?
 
Not sure I am afraid, I have inherited this (undocumented) setup and I still discover things I wasn't aware of. In its defense I'd say that it's been working unchanged without any hiccups for more than a year, and it's only this weekend when things went wrong.

What's puzzling is that the update+reboot seems to have fixed the majority of relay attempts? My current theory is that maybe with the update some blacklists were updated as well and attempts get rejected based on those? I would expect to somehow see a blacklist-based rejection in the log though? Similar to email1 where it says my rule was the reason for the block.

Are we able to say based on which configuration the rejection (email2) happens above? E.g. sender/receiver not being in the relay domains list?
Is there a way to crank up the PMG log level so I get to see more detail?

The attack is still going on, so I will get meaningful data
But my walls are holding and they all get rejected :)
 
Are we able to say based on which configuration the rejection (email2) happens above? E.g. sender/receiver not being in the relay domains list?
yes normally if the recipient domain is not in the relay domain it gets rejected, but only when the mail comes in on the external port (default 25)
for the internal port (default 26) all is allowed, but only on trusted networks and the same subnet as the pmg is configured

can you post your pmg config? (on the cli 'pmgconfig dump'; make sure you anonymize any sensitive data!)
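To make the rule in the reply above concrete, here is an added example (not code from this thread or from Proxmox Mail Gateway) that models the relay decision as described: on the external port the recipient domain must be in the relay domains, on the internal port anything is accepted from a trusted network. The relay domains, trusted networks and the port numbers 25/26 are constructed sample values; the audit helper that flags trusted networks outside RFC 1918 space is an assumption of what a defender would want to check, not a PMG feature.

```python
import ipaddress

# Constructed sample configuration (not a real 'pmgconfig dump').
EXTERNAL_PORT = 25   # internet-facing: relay domains enforced
INTERNAL_PORT = 26   # for internal mail servers: trusted networks only
RELAY_DOMAINS = {"example.com", "example.org"}
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),   # our LAN
    ipaddress.ip_network("203.0.113.0/24"),    # constructed: a public range trusted by mistake
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_trusted(client_ip: str) -> bool:
    """True if the connecting client falls inside any configured trusted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def recipient_domain(rcpt: str) -> str:
    """Lower-cased domain part of an RCPT TO address."""
    return rcpt.rsplit("@", 1)[-1].strip("<>").lower()


def relay_decision(port: int, client_ip: str, rcpt: str) -> tuple[str, str]:
    """Model of the accept/reject decision for one envelope recipient.

    Returns ("accept"|"reject", reason). Mirrors the behaviour stated in the
    thread: port 25 checks relay domains, port 26 checks trusted networks.
    """
    domain = recipient_domain(rcpt)
    if port == EXTERNAL_PORT:
        if domain in RELAY_DOMAINS:
            return "accept", f"{domain} is a relay domain"
        return "reject", f"Relay access denied: {domain} not in relay domains"
    if port == INTERNAL_PORT:
        if is_trusted(client_ip):
            # No recipient check here: a trusted client may send anywhere.
            return "accept", f"{client_ip} is in a trusted network (outbound relay allowed)"
        return "reject", f"{client_ip} is not in a trusted network"
    return "reject", f"unexpected port {port}"


def audit_trusted_networks() -> list[str]:
    """List trusted networks that are not RFC 1918 private space.

    Any such entry lets arbitrary internet hosts use the internal port as an
    open relay, which is the failure mode described in this thread.
    """
    return [
        str(net) for net in TRUSTED_NETWORKS
        if not any(net.subnet_of(private) for private in RFC1918)
    ]


if __name__ == "__main__":
    cases = [
        (25, "203.0.113.5", "victim@example.net"),   # foreign recipient on port 25
        (25, "203.0.113.5", "user@example.com"),     # our domain on port 25
        (26, "192.168.10.20", "victim@example.net"), # LAN host relaying outbound
        (26, "203.0.113.5", "victim@example.net"),   # internet host on port 26, but "trusted"
        (26, "198.51.100.9", "victim@example.net"),  # internet host on port 26, untrusted
    ]
    for port, ip, rcpt in cases:
        verdict, why = relay_decision(port, ip, rcpt)
        print(f"port {port} from {ip} to {rcpt}: {verdict} ({why})")
    print("trusted networks outside RFC 1918:", audit_trusted_networks())
```

The fourth case is the one worth looking at: a connection from a public address on port 26 is accepted without any recipient check because 203.0.113.0/24 was listed as trusted. Reviewing `audit_trusted_networks()` output against the real config dump is a quick way to find such an entry.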
 
Now that is very helpful, I will check ports and internal network settings right away!
As far as the config dump is concerned, given that even IPs are potential sensitive data nowadays I'd rather send it to you directly. Need to check if this platform allows a direct message.

I am unable to open a direct conversation with you I am afraid. Maybe it works if you open the channel?

Edit: Thanks for helping to clarify the situation, it indeed turned out that the attackers came in via the (rather) unprotected port 26 and on top of that were using an IP range which we had enabled as trusted network.
 
