For 2 weeks now I keep receiving spam emails sent from my own address.
Here's an example:
Apr 2 10:15:13 hostname postfix/smtpd[28874]: warning: hostname 212.156.246.74.static.turktelekom.com.tr does not resolve to address 212.156.246.74
Apr 2 10:15:13 hostname postfix/smtpd[28874]: connect from unknown[212.156.246.74]
Apr 2 10:15:14 hostname postfix/smtpd[28874]: 750991E018: client=unknown[212.156.246.74]
Apr 2 10:15:16 hostname postfix/cleanup[28880]: 750991E018: message-id=<003d01d3ca72$01abe830$217c6793$@mydomain.tld>
Apr 2 10:15:17 hostname opendkim[14624]: 750991E018: [212.156.246.74] [212.156.246.74] not internal
Apr 2 10:15:17 hostname opendkim[14624]: 750991E018: not authenticated
Apr 2 10:15:17 hostname opendkim[14624]: 750991E018: no signature data
Apr 2 10:15:17 hostname postfix/qmgr[19733]: 750991E018: from=<me@mydomain.tld>, size=3207, nrcpt=1 (queue active)
Apr 2 10:15:17 hostname dovecot: lda(me@mydomain.tld): msgid=<003d01d3ca72$01abe830$217c6793$@mydomain.tld>: saved mail to INBOX
Apr 2 10:15:17 hostname postfix/pipe[28882]: 750991E018: to=<me@mydomain.tld>, relay=dovecot, delay=2.7, delays=2.7/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
Apr 2 10:15:17 hostname postfix/qmgr[19733]: 750991E018: removed
Apr 2 10:15:18 hostname postfix/smtpd[28874]: disconnect from unknown[212.156.246.74]
I have these restrictions:
smtpd_helo_required = yes
smtpd_client_restrictions = reject_rbl_client all.spam-rbl.fr
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unlisted_sender
    permit_mynetworks
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unauth_pipelining
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_invalid_hostname
What more should I add to block these emails?
Is it safe to block mails coming from unknown hostnames?
One more thing that I've seen: according to my inbox, the above email was received today at 12:40 pm even though I received it at 10:15 am. Is it also possible to forge the received time in the email?
Thanks for your answers!
Best Answer
As we can see, this message uses your address as the envelope sender:
This means you have methods for rejecting such messages right after MAIL FROM (or RCPT TO, as I do). Regarding the headers like From: and Date:, they can be spoofed and contain anything. Additional spam filters like SpamAssassin can perform tests against these, but that's another story.
Your email client is showing the time and date provided by the Date: header rather than the time the server has actually received the mail. You can look at the Received headers to see the dates added by the servers the message has gone through, but the email client trusts the Date: header.
METHOD 1: Blacklisting the domain from external sources
The methods aren't in order: the first one is easy to add, but the second one is better in every way.
If this server is the only legitimate source for email from your domain example.com, you could simply block all messages from the domain, unless from your own networks or an authenticated user, using check_sender_access. I personally put everything in smtpd_recipient_restrictions to get more details in the logs before rejecting the connection. For main.cf:
The /etc/postfix/access/sender_access is a lookup table (remember to postmap) of white- and blacklisted MAIL FROM addresses, domains etc. For blacklisting mail from this domain, e.g.
METHOD 2: Implementing SPF for your domain and testing sender SPF in Postfix
If you have other sources for mail, you can't use the previous method. Also, SPF is something you should really implement to prevent your domain from being used for sending spam. First you add a TXT record for your domain listing all the authorized senders. See SPF Introduction and Record Syntax.
After that, configure your Postfix to check for SPF (see How To Implement SPF In Postfix). E.g. Mail::SPF and NetAddr::IP modules.
Install postfix-policyd-spf-perl
main.cf:
master.cf: