Phishing mail with fake From going through, please help!

Sysxpp

Member
Feb 18, 2023
22
2
8
Hello!

I have PMG working flawlessly with mydomain.com and recently started getting some really weird phishing mails with the "From" field set to addresses such as "no-reply@mydomain.com", but I don't even have such an address, so why are they not blocked?
I have SPF set to "mydomain.com ~all" + DKIM and DMARC are set and valid.
How come some expobugurtina.com (sic!) is sending me phishing from MY OWN domain, from a non-existent address?

I found a similar topic on the forum and made two rules to quarantine everything with "From" matching ^.*<.*>.*<.*>.*$ and ^.*UTF-8.*<.*>.*$ as suggested there, but it did not work for me.

Please tell me why this is even happening and how to block these mails?

Thank you!

Tracking log:
Code:
Jan 16 12:43:55 mail postfix/smtpd[1076107]: connect from expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:55 mail postfix/smtpd[1076107]: ADC85121B8B: client=expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:55 mail postfix/cleanup[1076082]: ADC85121B8B: message-id=<20250116084410.F506B48A789FF705@mydomain.com>
Jan 16 12:43:55 mail postfix/qmgr[1025]: ADC85121B8B: from=<no-reply@mydomain.com>, size=9035, nrcpt=1 (queue active)
Jan 16 12:43:55 mail postfix/smtpd[1076107]: disconnect from expoburaeuargentina.com[116.203.219.56] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 16 12:43:55 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: new mail message-id=<20250116084410.F506B48A789FF705@mydomain.com>#012
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: SA score=2/5 time=1.490 bayes=undefined autolearn=disabled hits=AWL(-0.901),DMARC_NONE(0.1),HTML_MESSAGE(0.001),KAM_DMARC_NONE(0.25),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),NUMERIC_HTTP_ADDR(0.001),RCVD_IN_BL_SPAMCOP_NET(1.246),RCVD_IN_HOSTKARMA_BL(1.5),SPF_HELO_PASS(-0.001),T_SPF_PERMERROR(0.01)
Jan 16 12:43:57 mail postfix/smtpd[1076091]: connect from localhost.localdomain[127.0.0.1]
Jan 16 12:43:57 mail postfix/smtpd[1076091]: 6C28B121B9E: client=localhost.localdomain[127.0.0.1], orig_client=expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:57 mail postfix/cleanup[1076082]: 6C28B121B9E: message-id=<20250116084410.F506B48A789FF705@mydomain.com>
Jan 16 12:43:57 mail postfix/qmgr[1025]: 6C28B121B9E: from=<no-reply@mydomain.com>, size=10063, nrcpt=1 (queue active)
Jan 16 12:43:57 mail postfix/smtpd[1076091]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: accept mail to <sales@mydomain.com> (6C28B121B9E) (rule: default-accept)
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: processing time: 1.599 seconds (1.49, 0.041, 0)
Jan 16 12:43:57 mail postfix/lmtp[1076109]: ADC85121B8B: to=<sales@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.15/0/0.05/1.6, dsn=2.5.0, status=sent (250 2.5.0 OK (121B996788B8BBDAD00))
Jan 16 12:43:57 mail postfix/qmgr[1025]: ADC85121B8B: removed
Jan 16 12:43:57 mail postfix/smtp[1076097]: 6C28B121B9E: to=<sales@mydomain.com>, relay=192.168.255.3[192.168.255.3]:25, delay=0.18, delays=0.05/0/0.01/0.11, dsn=2.6.0, status=sent (250 2.6.0 <20250116084410.F506B48A789FF705@mydomain.com> [InternalId=17360257810568, Hostname=MailBox.mydomain.local] 11407 bytes in 0.102, 108,703 KB/sec Queued mail for delivery)
Jan 16 12:43:57 mail postfix/qmgr[1025]: 6C28B121B9E: removed

Message details:
Code:
Received: from MailBox.mydomainin.local (192.168.255.3) by MailBox.mydomainin.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26 via Mailbox
 Transport; Thu, 16 Jan 2025 12:43:56 +0500
Received: from MailBox.mydomainin.local (192.168.255.3) by MailBox.mydomainin.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Thu, 16 Jan
 2025 12:43:56 +0500
Received: from pmg.mydomain.com (192.168.55.2) by MailBox.mydomain.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26 via Frontend
 Transport; Thu, 16 Jan 2025 12:43:56 +0500
Received: from pmg.mydomain.com (localhost.localdomain [127.0.0.1])
    by pmg.mydomain.com (Proxmox) with ESMTP id 6C28B121B9E
    for <sales@mydomain.com>; Thu, 16 Jan 2025 12:43:57 +0500 (+05)
Received-SPF: permerror (mydomain.com: Included domain 'pmg.mydomain.com' has no applicable sender policy) receiver=mail.mydomain.com; identity=mailfrom; envelope-from="no-reply@mydomain.com"; helo=expoburaeuargentina.com; client-ip=116.203.219.56
Received: from expoburaeuargentina.com (expoburaeuargentina.com [116.203.219.56])
    by pmg.mydomain.com (Proxmox) with ESMTPS id ADC85121B8B
    for <sales@mydomain.com>; Thu, 16 Jan 2025 12:43:55 +0500 (+05)
Received: from ip-223-6.dataclub.info (unknown [46.183.223.6])
    by expoburaeuargentina.com (Postfix) with ESMTPSA id 87A10570BF
    for <sales@mydomain.com>; Thu, 16 Jan 2025 06:44:10 +0000 (UTC)
Authentication-Results: expoburaeuargentina.com;
    spf=pass (sender IP is 46.183.223.6) smtp.mailfrom=no-reply@mydomain.com smtp.helo=ip-223-6.dataclub.info
Received-SPF: pass (expoburaeuargentina.com: connection is authenticated)
From:
    =?UTF-8?B?0K3Qu9C10LrRgtGA0L7QvdC90LDRjyDQv9C+0YfRgtCwINCyINGB0LvRg9C20LHRgyDQmNCiLdC/0L7QtNC00LXRgNC20LrQuA==?=
    <no-reply@mydomain.com>
To: <sales@mydomain.com>
Subject: =?UTF-8?B?0J/QntCU0KLQktCV0KDQlNCY0KLQlSDQn9CQ0KDQntCb0Kwg0K3Qm9CV0JrQotCg0J7QndCd0J7QmSDQn9Ce0KfQotCrINCf0J7QktCi0J7QoNCd0J4gLSAg?=sales@mydomain.com
Date: Thu, 16 Jan 2025 08:44:10 +0200
Message-ID: <20250116084410.F506B48A789FF705@mydomain.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  2
    AWL                    -0.901 Adjusted score from AWL reputation of From: address
    DMARC_NONE                0.1 DMARC none policy
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    NUMERIC_HTTP_ADDR       0.001 Uses a numeric IP address in URL
    RCVD_IN_BL_SPAMCOP_NET  1.246 Received via a relay in bl.spamcop.net
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    T_SPF_PERMERROR          0.01 SPF: test of record failed (permerror)
Return-Path: no-reply@mydomain.com
X-MS-Exchange-Organization-Network-Message-Id: e280746b-4432-48c4-a03e-08dd36018829
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: MailBox.mydomainin.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.1991011
X-MS-Exchange-Processed-By-BccFoldering: 15.02.1118.026
 
My SPF is "v=spf1 mx a:mail.mydomain.com include:mydomain.com ~all"
What can be done to make it correct?
 
~all is softfail, essentially it means "accept the mail but be aware that there might possibly be something wrong with it."

If you know that only mydomain.com and mail.mydomain.com will be sending mail for your domain, change that to -all

Looking at your example SPF record, changing to -all would be the stricter instruction "the IP addresses or hostnames listed in my MX records are allowed to send mail as me, the IP address that the A record for mail.mydomain.com resolves to is allowed to send mail as me, and also include anyone else who is allowed to send mail for mydomain.com; otherwise reject the mail".
 
> ~all is softfail, essentially it means "accept the mail but be aware that there might possibly be something wrong with it."
>
> If you know that only mydomain.com and mail.mydomain.com will be sending mail for your domain, change that to -all
>
> Looking at your example SPF record, changing to -all would be the stricter instruction "the IP addresses or hostnames listed in my MX records are allowed to send mail as me, the IP address that the A record for mail.mydomain.com resolves to is allowed to send mail as me, and also include anyone else who is allowed to send mail for mydomain.com; otherwise reject the mail".
I have left my SPF record as softfail but I'm considering changing it.
Assuming the OP's TXT record above is the SPF for mydomain.com, doesn't this recursively include itself?
If so, presumably that's redundant or incorrect.
 
Yes, it's technically redundant but still common, and doesn't actually hurt anything.

If this SPF record is for the domain "mydomain.com" and you use "include:mydomain.com", it's saying "also include anything in the SPF record you're already looking at", but DNS resolvers are (generally) smart enough to not get stuck in an infinite loop of "the SPF record for mydomain.com told me to check the SPF record for mydomain.com, which told me to check the SPF record for mydomain.com, which told me to...."

It could be useful if you had something like mydomain.org and mydomain.net as well and the mail server for mydomain.com handled their mail; then, for the .net and .org records, you could throw "include:mydomain.com" in there.
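To make the ~all / -all discussion and the self-include question concrete, here is an added example (not code from the thread, Proxmox or PMG): a small SPF evaluator in the style of RFC 7208's check_host(), run against a constructed in-memory DNS snapshot instead of real DNS. The domains soft.example and strict.example, the 203.0.113.x / 198.51.100.x addresses and the DNS table are assumptions for the example; 116.203.219.56 is the connecting IP from the thread's log. The evaluator covers only the mechanisms that appear in the record quoted above (all, ip4, a, mx, include) and applies the RFC 7208 limit of 10 DNS-querying terms, under which the record that includes itself evaluates to permerror for any IP that its mx and a terms do not match.

```python
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check

# Constructed DNS snapshot for the example (an assumption, not real DNS).
# 203.0.113.10 plays the legitimate mail server for every domain; the other
# addresses are arbitrary documentation-range IPs standing in for strangers.
DNS = {
    "TXT": {
        # the record quoted in the thread, including the self-include
        "mydomain.com": "v=spf1 mx a:mail.mydomain.com include:mydomain.com ~all",
        # the same shape without the self-include, softfail and hardfail variants
        "soft.example": "v=spf1 mx a:mail.soft.example ~all",
        "strict.example": "v=spf1 mx a:mail.strict.example ip4:198.51.100.0/24 -all",
    },
    "A": {
        "mail.mydomain.com": ["203.0.113.10"],
        "mail.soft.example": ["203.0.113.10"],
        "mail.strict.example": ["203.0.113.10"],
    },
    "MX": {
        "mydomain.com": ["mail.mydomain.com"],
        "soft.example": ["mail.soft.example"],
        "strict.example": ["mail.strict.example"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, lookups=None):
    """SPF check_host() for a connection from `ip` whose MAIL FROM is @domain.

    Supports all, ip4, a, mx and include, and returns one of: pass, fail,
    softfail, neutral, none, permerror. `lookups` is shared across include
    recursion so the RFC lookup limit applies to the whole evaluation.
    """
    if lookups is None:
        lookups = [0]
    record = DNS["TXT"].get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        target = arg or domain

        # a, mx and include each count as one DNS-querying term against the limit
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > LOOKUP_LIMIT:
                return "permerror"

        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4":
            if not arg:
                return "permerror"  # malformed term
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS["A"].get(target, [])
        elif name == "mx":
            matched = any(ip in DNS["A"].get(mx, []) for mx in DNS["MX"].get(target, []))
        elif name == "include":
            sub = check_host(ip, arg, lookups)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False     # included record did not match; keep going
            elif sub == "none":
                return "permerror"  # RFC 7208 section 5.2: included domain has no record
            else:
                return sub          # permerror / temperror propagate upward
        else:
            return "permerror"      # mechanism this example does not implement
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # fell off the end of the record without an "all" term


def receiver_can_reject(result):
    """Only a hard 'fail' is a result an MTA normally rejects on SPF alone.
    softfail, neutral, none and permerror all leave the decision to later
    checks (DMARC policy, content scoring), which is how a ~all or looping
    record lets a spoofed MAIL FROM through."""
    return result == "fail"


if __name__ == "__main__":
    attacker, legit = "116.203.219.56", "203.0.113.10"  # attacker IP from the thread's log
    for domain in ("mydomain.com", "soft.example", "strict.example"):
        for ip in (attacker, legit):
            r = check_host(ip, domain)
            print(f"{domain:16} {ip:16} {r:9} reject={receiver_can_reject(r)}")
```

Running it shows the three outcomes side by side: the legitimate server passes under every record, while the stranger gets permerror from the self-including record, softfail from the ~all record and fail only from the -all record, and only that last result is one the receiving MTA rejects on SPF alone.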
 

SteveSteve

Thank you, I will try -all because these mails are really annoying.
~all was made because it is "safer" I guess, but now when I have mails with SPF_PERMERROR asking users for their passwords flying right into their inboxes, I guess I have no choice but -all.
I also removed all the recursive records, thank you!

I still think there MUST be a way to work around this without resorting to -all, but ok, let it be.
 
In the headers above, you have:
KAM_DMARC_NONE 0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy

If I understand correctly:
This means PMG encounters the spf fail but was unable to find a valid dmarc policy for said domain (mydomain.com?).
It is the dmarc policy that ultimately decides the fate of the message following spf fail.
So, maybe double-check your dmarc record.
 

SteveSteve

> Thank you, I will try -all because these mails are really annoying.
> ~all was made because it is "safer" I guess, but now when I have mails with SPF_PERMERROR asking users for their passwords flying right into their inboxes, I guess I have no choice but -all.
> I also removed all the recursive records, thank you!
>
> I still think there MUST be a way to work around this without resorting to -all, but ok, let it be.
There are other ways you could do this, but you "shouldn't" do them.

Let's say you have Exchange behind PMG, and your users are sending from mydomain.com to mydomain.com; the mail would never actually leave the Exchange server (unless you went out of your way to make it need an external smarthost to deliver to itself), and you could create a rule for PMG to block mail "from" mydomain.com because it theoretically should only encounter mail to you, but never from you.

Alternately, block mail from mydomain.com when the server sending it is not the IP of your server that you know would be sending it.

The thing is though, when you use these workarounds to protect yourself from people spoofing mail from your domain, you aren't protecting the rest of the world from people getting spoofed mail from your domain, and that's how you get your domain on blacklists, which can be quite difficult to recover from.

-all isn't really something you resort to; it's the correct way to set up your mail once you've finished testing that everything works with ~all.
 

keeka

> dmarc policy that ultimately decides the fate of the message following spf fail.
My _dmarc record is "v=DMARC1; p=none;"
Not sure if it can decide anything in its current state, but I'll look into it, thank you!

SteveSteve

You are totally correct - I can implement both workarounds you mentioned (internal mail is indeed internal), but I find it stupid - I have to protect MYSELF from mails that look like I sent them myself but I did not! This situation should not occur at all imo!
I put -all and will see how these scammers will send their bs now. :)
Thank you once again!
 

keeka

Well, I guess you're right - if I change my DMARC to "v=DMARC1; p=quarantine;" it should block emails that fail DKIM and SPF tests.
Maybe I'll try it too, in addition to "-all" in SPF.
 
Why not also add a DMARC email address? That way, you will get a better indication of the scale and origin of attempts to spoof your domain.
IME the big mail providers (Yahoo, Gmail etc.) do send reports if you provide an rua address in the DMARC DNS record.
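The DMARC side of the discussion (keeka's point that the DMARC policy decides the fate of a message after an SPF fail, the "p=none" record quoted above, the idea of moving to "p=quarantine", and the rua reporting address) can be followed with an added example that is not code from the thread or from PMG. It parses a DMARC TXT record, applies relaxed or strict identifier alignment, and returns the disposition a receiver should apply. The records for quarantine.example and reject.example, the report addresses and the "last two labels" organizational-domain rule are assumptions for the example; real DMARC uses the Public Suffix List for that step.

```python
# Constructed DMARC records (an assumption for the example): the "p=none"
# record quoted in the thread plus the stricter variants the replies suggest.
DMARC_RECORDS = {
    "mydomain.com": "v=DMARC1; p=none;",
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@reject.example",
}

DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable policy."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DISPOSITION:
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default (RFC 7489 section 6.3)
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Naive organizational domain: the last two labels. Real DMARC consults the
    Public Suffix List here; this example deliberately leaves that out."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results with the From: domain's DMARC policy.

    spf_domain is the MAIL FROM (envelope) domain, dkim_domain the d= of a
    verified signature (None when the message carries none). Returns the DMARC
    result, the disposition the receiver should apply, and the rua address to
    which aggregate reports about this sender would be sent.
    """
    policy = parse_dmarc(DMARC_RECORDS.get(from_domain.lower(), ""))
    if policy is None:
        return {"dmarc": "none", "disposition": "deliver", "rua": None,
                "reason": "no usable DMARC record"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "deliver", "rua": policy.get("rua"),
                "reason": "spf aligned" if spf_ok else "dkim aligned"}
    # Neither identifier passed and aligned: the published policy decides.
    return {"dmarc": "fail", "disposition": DISPOSITION[policy["p"]],
            "rua": policy.get("rua"), "reason": f"no aligned pass, p={policy['p']}"}


if __name__ == "__main__":
    # The thread's message: From: no-reply@mydomain.com, SPF permerror, no DKIM.
    for d in ("mydomain.com", "quarantine.example", "reject.example"):
        print(d, dmarc_evaluate(d, "permerror", d, "none", None))
    # A legitimate mail from the same domain: an aligned SPF pass.
    print(dmarc_evaluate("reject.example", "pass", "reject.example", "none", None))
```

With the thread's "p=none" record the evaluation comes out as DMARC fail but disposition deliver, which matches the DMARC_NONE hit in the posted headers; the same inputs against a "p=quarantine" or "p=reject" record yield quarantine or reject, and an aligned SPF pass from the real mail server is delivered under all three policies.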
 
Looks like SPF and DKIM are set up fine, but DMARC might need tweaking to be stricter. If emails from fake senders are still coming through, try enforcing DMARC to "reject" instead of "none" or "quarantine." Also, ISO 27001 Compliance Automation makes sure all email security policies are properly implemented and maintained, reducing the chances of spoofed emails slipping past your filters.
 