Phishing mail with fake From going through, please help!

Sysxpp

New Member
Feb 18, 2023
Hello!

I have PMG working flawlessly with mydomain.com and recently started getting some really weird phishing mails with the "From" field set to something like "no-reply@mydomain.com", but I don't even have such an address, so why are they not blocked?
I have SPF set to "mydomain.com ~all" + DKIM and DMARC are set and valid.
How come some expobugurtina.com (sic!) is sending me phishing from MY OWN domain, from a non-existent address?

I found a similar topic on the forum and made two rules to quarantine everything with "From" matching ^.*<.*>.*<.*>.*$ and ^.*UTF-8.*<.*>.*$, as suggested there, but it did not work for me.

Please tell me why this is even happening and how to block these mails.

Thank you!

Tracking log:
Code:
Jan 16 12:43:55 mail postfix/smtpd[1076107]: connect from expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:55 mail postfix/smtpd[1076107]: ADC85121B8B: client=expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:55 mail postfix/cleanup[1076082]: ADC85121B8B: message-id=<20250116084410.F506B48A789FF705@mydomain.com>
Jan 16 12:43:55 mail postfix/qmgr[1025]: ADC85121B8B: from=<no-reply@mydomain.com>, size=9035, nrcpt=1 (queue active)
Jan 16 12:43:55 mail postfix/smtpd[1076107]: disconnect from expoburaeuargentina.com[116.203.219.56] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 16 12:43:55 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: new mail message-id=<20250116084410.F506B48A789FF705@mydomain.com>#012
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: SA score=2/5 time=1.490 bayes=undefined autolearn=disabled hits=AWL(-0.901),DMARC_NONE(0.1),HTML_MESSAGE(0.001),KAM_DMARC_NONE(0.25),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),NUMERIC_HTTP_ADDR(0.001),RCVD_IN_BL_SPAMCOP_NET(1.246),RCVD_IN_HOSTKARMA_BL(1.5),SPF_HELO_PASS(-0.001),T_SPF_PERMERROR(0.01)
Jan 16 12:43:57 mail postfix/smtpd[1076091]: connect from localhost.localdomain[127.0.0.1]
Jan 16 12:43:57 mail postfix/smtpd[1076091]: 6C28B121B9E: client=localhost.localdomain[127.0.0.1], orig_client=expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:57 mail postfix/cleanup[1076082]: 6C28B121B9E: message-id=<20250116084410.F506B48A789FF705@mydomain.com>
Jan 16 12:43:57 mail postfix/qmgr[1025]: 6C28B121B9E: from=<no-reply@mydomain.com>, size=10063, nrcpt=1 (queue active)
Jan 16 12:43:57 mail postfix/smtpd[1076091]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: accept mail to <sales@mydomain.com> (6C28B121B9E) (rule: default-accept)
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: processing time: 1.599 seconds (1.49, 0.041, 0)
Jan 16 12:43:57 mail postfix/lmtp[1076109]: ADC85121B8B: to=<sales@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.15/0/0.05/1.6, dsn=2.5.0, status=sent (250 2.5.0 OK (121B996788B8BBDAD00))
Jan 16 12:43:57 mail postfix/qmgr[1025]: ADC85121B8B: removed
Jan 16 12:43:57 mail postfix/smtp[1076097]: 6C28B121B9E: to=<sales@mydomain.com>, relay=192.168.255.3[192.168.255.3]:25, delay=0.18, delays=0.05/0/0.01/0.11, dsn=2.6.0, status=sent (250 2.6.0 <20250116084410.F506B48A789FF705@mydomain.com> [InternalId=17360257810568, Hostname=MailBox.mydomain.local] 11407 bytes in 0.102, 108,703 KB/sec Queued mail for delivery)
Jan 16 12:43:57 mail postfix/qmgr[1025]: 6C28B121B9E: removed

Message details:
Code:
Received: from MailBox.mydomainin.local (192.168.255.3) by MailBox.mydomainin.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26 via Mailbox
 Transport; Thu, 16 Jan 2025 12:43:56 +0500
Received: from MailBox.mydomainin.local (192.168.255.3) by MailBox.mydomainin.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Thu, 16 Jan
 2025 12:43:56 +0500
Received: from pmg.mydomain.com (192.168.55.2) by MailBox.mydomain.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26 via Frontend
 Transport; Thu, 16 Jan 2025 12:43:56 +0500
Received: from pmg.mydomain.com (localhost.localdomain [127.0.0.1])
    by pmg.mydomain.com (Proxmox) with ESMTP id 6C28B121B9E
    for <sales@mydomain.com>; Thu, 16 Jan 2025 12:43:57 +0500 (+05)
Received-SPF: permerror (mydomain.com: Included domain 'pmg.mydomain.com' has no applicable sender policy) receiver=mail.mydomain.com; identity=mailfrom; envelope-from="no-reply@mydomain.com"; helo=expoburaeuargentina.com; client-ip=116.203.219.56
Received: from expoburaeuargentina.com (expoburaeuargentina.com [116.203.219.56])
    by pmg.mydomain.com (Proxmox) with ESMTPS id ADC85121B8B
    for <sales@mydomain.com>; Thu, 16 Jan 2025 12:43:55 +0500 (+05)
Received: from ip-223-6.dataclub.info (unknown [46.183.223.6])
    by expoburaeuargentina.com (Postfix) with ESMTPSA id 87A10570BF
    for <sales@mydomain.com>; Thu, 16 Jan 2025 06:44:10 +0000 (UTC)
Authentication-Results: expoburaeuargentina.com;
    spf=pass (sender IP is 46.183.223.6) smtp.mailfrom=no-reply@mydomain.com smtp.helo=ip-223-6.dataclub.info
Received-SPF: pass (expoburaeuargentina.com: connection is authenticated)
From:
    =?UTF-8?B?0K3Qu9C10LrRgtGA0L7QvdC90LDRjyDQv9C+0YfRgtCwINCyINGB0LvRg9C20LHRgyDQmNCiLdC/0L7QtNC00LXRgNC20LrQuA==?=
    <no-reply@mydomain.com>
To: <sales@mydomain.com>
Subject: =?UTF-8?B?0J/QntCU0KLQktCV0KDQlNCY0KLQlSDQn9CQ0KDQntCb0Kwg0K3Qm9CV0JrQotCg0J7QndCd0J7QmSDQn9Ce0KfQotCrINCf0J7QktCi0J7QoNCd0J4gLSAg?=sales@mydomain.com
Date: Thu, 16 Jan 2025 08:44:10 +0200
Message-ID: <20250116084410.F506B48A789FF705@mydomain.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  2
    AWL                    -0.901 Adjusted score from AWL reputation of From: address
    DMARC_NONE                0.1 DMARC none policy
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    NUMERIC_HTTP_ADDR       0.001 Uses a numeric IP address in URL
    RCVD_IN_BL_SPAMCOP_NET  1.246 Received via a relay in bl.spamcop.net
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    T_SPF_PERMERROR          0.01 SPF: test of record failed (permerror)
Return-Path: no-reply@mydomain.com
X-MS-Exchange-Organization-Network-Message-Id: e280746b-4432-48c4-a03e-08dd36018829
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: MailBox.mydomainin.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.1991011
X-MS-Exchange-Processed-By-BccFoldering: 15.02.1118.026
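
The defender-side check that a DMARC policy (or an equivalent PMG rule) applies to the message above, as an added example that is not part of the post and not Proxmox code: it decodes the RFC 2047 display name of the spoofed From, picks out the Received-SPF verdict that the recipient's own receiver (`mail.mydomain.com`, as in the headers above) added, and quarantines mail that claims our own domain without an SPF pass from our receiver or an internal source. The own domain, the receiver name and the internal networks are assumptions, and the sample headers are a constructed, reduced copy of the ones quoted.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

OWN_DOMAIN = "mydomain.com"
OWN_RECEIVER = "mail.mydomain.com"  # receiver= in the PMG host's own Received-SPF
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]  # assumed
# Constructed sample, reduced from the headers quoted in the post above.
SAMPLE = """Received-SPF: permerror (mydomain.com: Included domain 'pmg.mydomain.com' has no applicable sender policy) receiver=mail.mydomain.com; identity=mailfrom; envelope-from="no-reply@mydomain.com"; helo=expoburaeuargentina.com; client-ip=116.203.219.56
Received-SPF: pass (expoburaeuargentina.com: connection is authenticated)
From:
    =?UTF-8?B?0K3Qu9C10LrRgtGA0L7QvdC90LDRjyDQv9C+0YfRgtCwINCyINGB0LvRg9C20LHRgyDQmNCiLdC/0L7QtNC00LXRgNC20LrQuA==?=
    <no-reply@mydomain.com>
"""

def unfold(value):
    """Join RFC 5322 folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()

def decoded_from(raw_headers):
    """Return (display_name, addr_spec) of the header From, decoding RFC 2047 words."""
    msg = message_from_string(raw_headers)
    name, addr = parseaddr(unfold(msg.get("From", "")))
    return str(make_header(decode_header(name))), addr.lower()

def own_spf_verdict(raw_headers):
    """Return the fields of the Received-SPF line our own receiver added, or None."""
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received-SPF", []):
        value = unfold(value)
        fields = dict(re.findall(r'([\w-]+)="?([^;"]+)"?', value))
        if fields.get("receiver") == OWN_RECEIVER:
            fields["result"] = value.split()[0].lower()
            return fields
    return None

def classify(raw_headers):
    """Own-domain From must pass our receiver's SPF check or come from inside."""
    _name, addr = decoded_from(raw_headers)
    if addr.rpartition("@")[2] != OWN_DOMAIN:
        return "accept", "From is not our domain"
    spf = own_spf_verdict(raw_headers)
    if spf is None:
        return "quarantine", "own-domain From without an SPF verdict from our receiver"
    internal = any(ip_address(spf.get("client-ip", "0.0.0.0")) in net for net in INTERNAL_NETS)
    if internal or spf["result"] == "pass":
        return "accept", "own-domain From from an internal relay or with SPF pass"
    return "quarantine", f"own-domain From via {spf.get('client-ip')} with SPF {spf['result']}"
```

The second `Received-SPF: pass` line was added by the sender's own relay and is ignored, which is why a rule should key only on the verdict your own receiver produced.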