Strange Spam Email..Need Urgent Support

Oct 26, 2019
Dear Support,

After adding LDAP verification for my incoming emails I got a strange issue with my email infrastructure.

Someone then started replying, on our clients' behalf, to the genuine emails that we sent earlier to our clients. Not only that, they are sending those emails randomly to random users, and Proxmox is just allowing this as it is only text inside.

My question is: how did they get our genuine emails to reply to us on our clients' behalf?


Regards,
Liju
 
Show the mail.log...
The someone that you are referring to, is it spammers or local internal users?
 
Please see your other threads (please do not use LDAP for verification, just configure receiver verification on SMTP level with 450).
 
Can this be because of LDAP, Tom?

I have no idea how you use LDAP - I just point you to the right configuration for your wanted feature - blocking unknown email addresses.
 

Yes Tom you are right.

However, what I did was to add the LDAP server (here Zimbra) details in Configuration --> User Management. Then all email accounts got listed there.

Then at WHO objects, added an LDAP group, named it and pointed it to the Zimbra LDAP.

Then created an Action Object, Notification, and set a bounce back notification (Bounce Back Unknown Recipient).

After that, created a Mail filter rule as attached in the picture.

All was working fine and unknown users got blocked at the SMTP level itself, and then after some days the above issue started.

My doubt is: will that Zimbra LDAP access in Proxmox in any way assist spammers to get the inside emails?

Regards,
Liju
 

Attachments

  • Reject Unknown Recepients.jpg
Following is one of that type:


Nov 20 13:43:25 webmail postfix/smtpd[16236]: connect from vps40348.servconfig.com[199.223.114.86]
Nov 20 13:43:26 webmail postfix/smtpd[16236]: Anonymous TLS connection established from vps40348.servconfig.com[199.223.114.86]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 20 13:43:27 webmail postfix/smtpd[16236]: D88411BA14EB: client=vps40348.servconfig.com[199.223.114.86]
Nov 20 13:43:28 webmail postfix/cleanup[16490]: D88411BA14EB: message-id=<>
Nov 20 13:43:29 webmail postfix/qmgr[15925]: D88411BA14EB: from=<maintenance@bestwesternelomazhotel.com>, size=319642, nrcpt=1 (queue active)
Nov 20 13:43:30 webmail pmg-smtp-filter[16448]: 1BA14F15DD4FCB1ECFD5: new mail message-id=
Nov 20 13:43:30 webmail postfix/smtpd[16236]: disconnect from vps40348.servconfig.com[199.223.114.86] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 20 13:43:33 webmail pmg-smtp-filter[16448]: 1BA14F15DD4FCB1ECFD5: SA score=0/5 time=3.721 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_INVALID(0.1),DKIM_SIGNED(0.1),MIME_BOUND_DD_DIGITS(0.349),MISSING_MID(0.14),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Nov 20 13:43:33 webmail postfix/smtpd[16360]: connect from localhost.localdomain[127.0.0.1]
Nov 20 13:43:33 webmail postfix/smtpd[16360]: DDB131BA14F2: client=localhost.localdomain[127.0.0.1], orig_client=vps40348.servconfig.com[199.223.114.86]
Nov 20 13:43:33 webmail postfix/cleanup[16491]: DDB131BA14F2: message-id=<20191120084333.DDB131BA14F2@webmail.sunland.com.mv>
Nov 20 13:43:33 webmail postfix/qmgr[15925]: DDB131BA14F2: from=<maintenance@bestwesternelomazhotel.com>, size=320403, nrcpt=1 (queue active)
Nov 20 13:43:33 webmail postfix/smtpd[16360]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 20 13:43:33 webmail pmg-smtp-filter[16448]: 1BA14F15DD4FCB1ECFD5: accept mail to <xxx@ourdomain.com> (DDB131BA14F2) (rule: default-accept)
Nov 20 13:43:33 webmail pmg-smtp-filter[16448]: 1BA14F15DD4FCB1ECFD5: processing time: 4 seconds (3.721, 0.145, 0)
Nov 20 13:43:33 webmail postfix/lmtp[16339]: D88411BA14EB: to=<ouremail@ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7, delays=2.9/0/0.05/4, dsn=2.5.0, status=sent (250 2.5.0 OK (1BA14F15DD4FCB1ECFD5))
Nov 20 13:43:33 webmail postfix/qmgr[15925]: D88411BA14EB: removed
Nov 20 13:43:34 webmail postfix/smtp[16506]: DDB131BA14F2: to=<xxx@ourdomain.com>, relay=192.168.3.23[192.168.3.23]:25, delay=0.21, delays=0.07/0/0.05/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 13A7035A45F2)
Nov 20 13:43:34 webmail postfix/qmgr[15925]: DDB131BA14F2: removed
 
Also, the above email contained a doc file which had a virus too, which PMG can't find, but immediately when it was downloaded to the PC, Microsoft Defender and Kaspersky quarantined it.

Hence the default ClamAV configuration is not reaching the standards, it seems. Are there any fine-tuning/optimizations we have to do to make it near perfect? (ClamAV)
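As an added example (not from the thread and not Proxmox's own code), a small Python triage script that correlates the Postfix queue ID with the pmg-smtp-filter ID in the excerpt above and lists the weak signals a reviewer would look at even though the SA score stayed at 0/5: the empty Message-ID at the first hop, DKIM signed-but-invalid, and no SPF record for the HELO name. The sample input is the first-hop lines from the posted log; the flag wording and the regexes are mine.

```python
import re

# Constructed sample: first-hop lines from the posted log (queue D88411BA14EB -> filter 1BA14F15DD4FCB1ECFD5).
SAMPLE_LOG = """\
Nov 20 13:43:27 webmail postfix/smtpd[16236]: D88411BA14EB: client=vps40348.servconfig.com[199.223.114.86]
Nov 20 13:43:28 webmail postfix/cleanup[16490]: D88411BA14EB: message-id=<>
Nov 20 13:43:29 webmail postfix/qmgr[15925]: D88411BA14EB: from=<maintenance@bestwesternelomazhotel.com>, size=319642, nrcpt=1 (queue active)
Nov 20 13:43:33 webmail pmg-smtp-filter[16448]: 1BA14F15DD4FCB1ECFD5: SA score=0/5 time=3.721 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_INVALID(0.1),DKIM_SIGNED(0.1),MIME_BOUND_DD_DIGITS(0.349),MISSING_MID(0.14),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Nov 20 13:43:33 webmail postfix/lmtp[16339]: D88411BA14EB: to=<ouremail@ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7, delays=2.9/0/0.05/4, dsn=2.5.0, status=sent (250 2.5.0 OK (1BA14F15DD4FCB1ECFD5))
"""
QID = r'(?P<qid>[0-9A-F]{8,})'   # Postfix queue ID
FID = r'(?P<fid>[0-9A-F]{20})'   # pmg-smtp-filter message ID
RE_CLIENT = re.compile(r'postfix/smtpd\[\d+\]: ' + QID + r': client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]')
RE_MID = re.compile(r'postfix/cleanup\[\d+\]: ' + QID + r': message-id=<(?P<mid>[^>]*)>')
RE_FROM = re.compile(r'postfix/qmgr\[\d+\]: ' + QID + r': from=<(?P<sender>[^>]*)>')
RE_LMTP = re.compile(r'postfix/lmtp\[\d+\]: ' + QID + r': to=<(?P<rcpt>[^>]*)>.*\(' + FID + r'\)\)')
RE_SA = re.compile(r'pmg-smtp-filter\[\d+\]: ' + FID + r': SA score=(?P<score>[-\d.]+)/(?P<thr>[-\d.]+).*hits=(?P<hits>\S+)')
RE_HIT = re.compile(r'([A-Z0-9_]+)\(([-\d.]+)\)')

def flags_for(rec, hits):
    """Weak signals worth a second look even when the SA score is below the threshold."""
    flags = []
    if rec.get('message_id') == '':
        flags.append('empty Message-ID on arrival (MISSING_MID)')
    if 'DKIM_SIGNED' in hits and 'DKIM_INVALID' in hits:
        flags.append('DKIM-signed but the signature fails verification')
    if 'SPF_HELO_NONE' in hits:
        flags.append('HELO name has no SPF record')
    return flags

def triage(log_text):
    """Join Postfix lines by queue ID, then attach the SA verdict via the filter ID from the LMTP reply."""
    by_qid, sa_by_fid = {}, {}
    for line in log_text.splitlines():
        if m := RE_CLIENT.search(line):
            by_qid.setdefault(m['qid'], {}).update(host=m['host'], ip=m['ip'])
        elif m := RE_MID.search(line):
            by_qid.setdefault(m['qid'], {})['message_id'] = m['mid']
        elif m := RE_FROM.search(line):
            by_qid.setdefault(m['qid'], {})['sender'] = m['sender']
        elif m := RE_LMTP.search(line):
            by_qid.setdefault(m['qid'], {}).update(rcpt=m['rcpt'], filter_id=m['fid'])
        elif m := RE_SA.search(line):
            sa_by_fid[m['fid']] = (float(m['score']), float(m['thr']), {n: float(v) for n, v in RE_HIT.findall(m['hits'])})
    for rec in by_qid.values():  # attach verdict and derived flags to each delivered message
        score, thr, hits = sa_by_fid.get(rec.get('filter_id'), (None, None, {}))
        rec.update(score=score, threshold=thr, hits=hits, flags=flags_for(rec, hits))
    return by_qid

if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```

Feed it a full /var/log/mail.log instead of SAMPLE_LOG and every delivered message comes back keyed by queue ID with its sender IP, SA verdict and flags, which is enough to decide which senders to look up on a DNSBL.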
 
First, it looks like you forgot to configure a DNS blacklist? The sender IP is listed on some DNS blacklists, e.g. barracuda.

I highly recommend to block ALL *.doc attachments, regardless of virus or not.

If you are not satisfied with ClamAV, consider adding Avast as a second AV scanner on the Proxmox Mail Gateway.

And last: Please do not mix all topics into one forum thread, this makes it impossible to follow for others.
 
Dear Tom,

Sorry for the mixing up. For the antivirus part I will open a new thread. Only on the DNS part I will respond here.

Following is my DNS BL config. Is there anything we need to change?

As Barracuda was getting some amount of FPs, we removed it.

Also, this sender is sending spam with viruses to our internal users from different addresses & IPs, as a reply to some of our genuine emails. The From header he will make look as if it is our Reservations Department (the email address is something else).

1574246472597.png
 
