Phishing mail with fake From going through, please help!

Sysxpp

New Member
Feb 18, 2023
Hello!

I have PMG working flawlessly with mydomain.com and recently started to get some really weird phishing mails with a "From" field such as "no-reply@mydomain.com", but I don't even have such an address, so why are they not blocked?
I have SPF set to "mydomain.com ~all" + DKIM and DMARC are set and valid.
How come some expobugurtina.com (sic!) is sending me phishing from MY OWN domain from a non-existent address?

I found a similar topic on the forum and made two rules to quarantine everything with "From" matching ^.*<.*>.*<.*>.*$ and ^.*UTF-8.*<.*>.*$ as suggested there, but it did not work for me.

Please tell me why this is even happening and how to block these mails?

Thank you!

Tracking log:
Code:
Jan 16 12:43:55 mail postfix/smtpd[1076107]: connect from expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:55 mail postfix/smtpd[1076107]: ADC85121B8B: client=expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:55 mail postfix/cleanup[1076082]: ADC85121B8B: message-id=<20250116084410.F506B48A789FF705@mydomain.com>
Jan 16 12:43:55 mail postfix/qmgr[1025]: ADC85121B8B: from=<no-reply@mydomain.com>, size=9035, nrcpt=1 (queue active)
Jan 16 12:43:55 mail postfix/smtpd[1076107]: disconnect from expoburaeuargentina.com[116.203.219.56] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 16 12:43:55 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: new mail message-id=<20250116084410.F506B48A789FF705@mydomain.com>#012
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: SA score=2/5 time=1.490 bayes=undefined autolearn=disabled hits=AWL(-0.901),DMARC_NONE(0.1),HTML_MESSAGE(0.001),KAM_DMARC_NONE(0.25),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),NUMERIC_HTTP_ADDR(0.001),RCVD_IN_BL_SPAMCOP_NET(1.246),RCVD_IN_HOSTKARMA_BL(1.5),SPF_HELO_PASS(-0.001),T_SPF_PERMERROR(0.01)
Jan 16 12:43:57 mail postfix/smtpd[1076091]: connect from localhost.localdomain[127.0.0.1]
Jan 16 12:43:57 mail postfix/smtpd[1076091]: 6C28B121B9E: client=localhost.localdomain[127.0.0.1], orig_client=expoburaeuargentina.com[116.203.219.56]
Jan 16 12:43:57 mail postfix/cleanup[1076082]: 6C28B121B9E: message-id=<20250116084410.F506B48A789FF705@mydomain.com>
Jan 16 12:43:57 mail postfix/qmgr[1025]: 6C28B121B9E: from=<no-reply@mydomain.com>, size=10063, nrcpt=1 (queue active)
Jan 16 12:43:57 mail postfix/smtpd[1076091]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: accept mail to <sales@mydomain.com> (6C28B121B9E) (rule: default-accept)
Jan 16 12:43:57 mail pmg-smtp-filter[1075953]: 121B996788B8BBDAD00: processing time: 1.599 seconds (1.49, 0.041, 0)
Jan 16 12:43:57 mail postfix/lmtp[1076109]: ADC85121B8B: to=<sales@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.15/0/0.05/1.6, dsn=2.5.0, status=sent (250 2.5.0 OK (121B996788B8BBDAD00))
Jan 16 12:43:57 mail postfix/qmgr[1025]: ADC85121B8B: removed
Jan 16 12:43:57 mail postfix/smtp[1076097]: 6C28B121B9E: to=<sales@mydomain.com>, relay=192.168.255.3[192.168.255.3]:25, delay=0.18, delays=0.05/0/0.01/0.11, dsn=2.6.0, status=sent (250 2.6.0 <20250116084410.F506B48A789FF705@mydomain.com> [InternalId=17360257810568, Hostname=MailBox.mydomain.local] 11407 bytes in 0.102, 108,703 KB/sec Queued mail for delivery)
Jan 16 12:43:57 mail postfix/qmgr[1025]: 6C28B121B9E: removed

Message details:
Code:
Received: from MailBox.mydomainin.local (192.168.255.3) by MailBox.mydomainin.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26 via Mailbox
 Transport; Thu, 16 Jan 2025 12:43:56 +0500
Received: from MailBox.mydomainin.local (192.168.255.3) by MailBox.mydomainin.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Thu, 16 Jan
 2025 12:43:56 +0500
Received: from pmg.mydomain.com (192.168.55.2) by MailBox.mydomain.local
 (192.168.255.3) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26 via Frontend
 Transport; Thu, 16 Jan 2025 12:43:56 +0500
Received: from pmg.mydomain.com (localhost.localdomain [127.0.0.1])
    by pmg.mydomain.com (Proxmox) with ESMTP id 6C28B121B9E
    for <sales@mydomain.com>; Thu, 16 Jan 2025 12:43:57 +0500 (+05)
Received-SPF: permerror (mydomain.com: Included domain 'pmg.mydomain.com' has no applicable sender policy) receiver=mail.mydomain.com; identity=mailfrom; envelope-from="no-reply@mydomain.com"; helo=expoburaeuargentina.com; client-ip=116.203.219.56
Received: from expoburaeuargentina.com (expoburaeuargentina.com [116.203.219.56])
    by pmg.mydomain.com (Proxmox) with ESMTPS id ADC85121B8B
    for <sales@mydomain.com>; Thu, 16 Jan 2025 12:43:55 +0500 (+05)
Received: from ip-223-6.dataclub.info (unknown [46.183.223.6])
    by expoburaeuargentina.com (Postfix) with ESMTPSA id 87A10570BF
    for <sales@mydomain.com>; Thu, 16 Jan 2025 06:44:10 +0000 (UTC)
Authentication-Results: expoburaeuargentina.com;
    spf=pass (sender IP is 46.183.223.6) smtp.mailfrom=no-reply@mydomain.com smtp.helo=ip-223-6.dataclub.info
Received-SPF: pass (expoburaeuargentina.com: connection is authenticated)
From:
    =?UTF-8?B?0K3Qu9C10LrRgtGA0L7QvdC90LDRjyDQv9C+0YfRgtCwINCyINGB0LvRg9C20LHRgyDQmNCiLdC/0L7QtNC00LXRgNC20LrQuA==?=
    <no-reply@mydomain.com>
To: <sales@mydomain.com>
Subject: =?UTF-8?B?0J/QntCU0KLQktCV0KDQlNCY0KLQlSDQn9CQ0KDQntCb0Kwg0K3Qm9CV0JrQotCg0J7QndCd0J7QmSDQn9Ce0KfQotCrINCf0J7QktCi0J7QoNCd0J4gLSAg?=sales@mydomain.com
Date: Thu, 16 Jan 2025 08:44:10 +0200
Message-ID: <20250116084410.F506B48A789FF705@mydomain.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  2
    AWL                    -0.901 Adjusted score from AWL reputation of From: address
    DMARC_NONE                0.1 DMARC none policy
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    NUMERIC_HTTP_ADDR       0.001 Uses a numeric IP address in URL
    RCVD_IN_BL_SPAMCOP_NET  1.246 Received via a relay in bl.spamcop.net
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    T_SPF_PERMERROR          0.01 SPF: test of record failed (permerror)
Return-Path: no-reply@mydomain.com
X-MS-Exchange-Organization-Network-Message-Id: e280746b-4432-48c4-a03e-08dd36018829
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: MailBox.mydomainin.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.1991011
X-MS-Exchange-Processed-By-BccFoldering: 15.02.1118.026
 
My SPF is "v=spf1 mx a:mail.mydomain.com include:mydomain.com ~all"
What can be done to make it correct?
 
~all is softfail, essentially it means "accept the mail but be aware that there might possibly be something wrong with it."

If you know that only mydomain.com and mail.mydomain.com will be sending mail for your domain, change that to -all

Looking at your example SPF record, changing to -all would be a more strict instruction of "the IP addresses or hostnames listed in my MX records are allowed to send mail as me, the IP address that correlates with the A record for mail.mydomain.com is allowed to send mail as me, and also include anyone else who is allowed to send mail for mydomain.com; otherwise reject the mail"
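An added worked example (not code from the thread or from Proxmox Mail Gateway) that evaluates the poster's record the way a receiver would: the foreign sender IP from the log gets softfail under ~all and fail under -all, and an include: of a host that publishes no SPF record gives the permerror seen in the Received-SPF header above. DNS answers and the 192.0.2.x addresses are constructed; the self-include is left out because the walkthrough only needs the mx, a: and all terms.

```python
# Added example (not from the thread or Proxmox): offline SPF evaluator for the
# mechanisms in the quoted record (mx, a:, include:, all); DNS is a constructed table.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns, budget=None):
    """Return the SPF result for sender `ip` using MAIL FROM in `domain`."""
    budget = [10] if budget is None else budget  # RFC 7208 lookup limit
    record = dns.get((domain, "TXT"))
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy at all
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":  # always matches; the qualifier decides ~all vs -all
            return QUALIFIERS[qual]
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"  # too many DNS-querying terms
        if name == "mx":
            hosts = dns.get((arg or domain, "MX"), [])
            matched = any(ip in dns.get((h, "A"), []) for h in hosts)
        elif name == "a":
            matched = ip in dns.get((arg or domain, "A"), [])
        elif name == "include":
            sub = check_host(ip, arg, dns, budget)
            if sub in ("none", "permerror", "temperror"):
                return "permerror"  # included domain has no usable policy
            matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term


def thread_scenarios():
    """The foreign host from the poster's log sending as no-reply@mydomain.com."""
    base = {("mydomain.com", "MX"): ["mail.mydomain.com"],
            ("mail.mydomain.com", "A"): ["192.0.2.25"]}  # pmg.mydomain.com has no TXT
    records = {"softfail": "v=spf1 mx a:mail.mydomain.com ~all",
               "hardfail": "v=spf1 mx a:mail.mydomain.com -all",
               "bad_include": "v=spf1 mx include:pmg.mydomain.com -all"}
    out = {k: check_host("116.203.219.56", "mydomain.com",
                         {**base, ("mydomain.com", "TXT"): r}) for k, r in records.items()}
    out["own_mx"] = check_host("192.0.2.25", "mydomain.com",
                               {**base, ("mydomain.com", "TXT"): records["hardfail"]})
    return out
```

Note that even a -all result only rejects forged MAIL FROM; the visible From: header in the thread is covered by DMARC alignment, not by SPF alone.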
 
I have left my spf record as softfail but I'm considering changing it.
Assuming the OP's TXT record above is the SPF for mydomain.com, doesn't this recursively include itself?
If so, presumably that's redundant or incorrect.
 
Yes, it's technically redundant but still common, and doesn't actually hurt anything.

If this SPF record is for the domain "mydomain.com" and you use "include:mydomain.com", it's saying "also include anything in the SPF record you're already looking at", but DNS resolvers are (generally) smart enough to not get stuck in an infinite loop of "the SPF record for mydomain.com told me to check the SPF record for mydomain.com, which told me to check the SPF record for mydomain.com, which told me to...."

It could be useful if you had something like mydomain.org and mydomain.net as well and had the mail server for mydomain.com handling their mail; you could then throw "include:mydomain.com" into the .net and .org records.
 
