
We have a mailbox that receives thousands of bounces from spam messages a day (for 2 weeks now).

The spam is sent with the From and Reply-To address of our mailbox in the headers. The spam is mostly sent to AOL and Yahoo addresses. We had already set up the SPF record with ~all, and I changed it 2 weeks ago to -all.

Received: from localhost (localhost.localdomain [127.0.0.1]) by my.mailserver.com (Postfix) with ESMTP id DD45CAC5A1 for <[email protected]>; Mon, 3 Apr 2017 11:17:37 +0200 (CEST)
X-Spam-Flag: NO
X-Spam-Score: -2.898
X-Spam-Level:
X-Spam-Status: No, score=-2.898 tagged_above=-5 required=6.31 tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham
Received: from my.mailserver.com ([127.0.0.1]) by localhost (my.mailserver.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id O1fVwS1XHyh8 for <[email protected]>; Mon, 3 Apr 2017 11:17:37 +0200 (CEST)
Received: from galadevelopers.com (ip-203-124-105-72.ip.secureserver.net [203.124.105.72]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by my.mailserver.com (Postfix) with ESMTPSA id C0C47AC59F for <[email protected]>; Mon, 3 Apr 2017 11:17:36 +0200 (CEST)
Date: Mon, 3 Apr 2017 09:17:34 +0000
To: [email protected]
From: Florence <[email protected]>
Reply-To: Florence <[email protected]>
Subject: See you every day at work
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_4c86072817afbfc8e1af7586638808ff"
Content-Transfer-Encoding: 8bit

([email protected] = our mailbox that receives the spam bounces) (my.mailserver.com = our mailserver that receives the bounces, but didn't send the spam) ([email protected] = the initial receiver of the spam)

It looks like the spam is sent from hacked websites/webservers, because there is an X-Mailer 'PHPMailer' header.

I know that anyone can spoof the headers and send spam using our email address as sender.

Is there anything I can do about this to stop the mailbox from being flooded? Can I reject these bounces? Or delete them right away?

I'm working with Postfix.

Edit: is it possible that my mailserver receives the bounce and tries to send it again?

  • If you can find some common denominator between all these fake emails, you could set up a rule in your server to delete them on reception. Maybe, for example, if the From is always [email protected].
    – harrymc
    Commented Apr 3, 2017 at 9:46
  • You are probably seeing email backscatter.
    – user
    Commented Apr 5, 2017 at 8:30

1 Answer

Cause: user activated a script that has stolen your account password, then tried to send thousands of e-mails.

Effect: you get thousands of bounces on the problem accounts and get blacklisted on RBLs.

Countermeasures:

  1. Change the affected e-mail account password.

  2. Ban the destination domains both on outgoing and incoming.

  3. Ban the IP addresses the script activated from.

  4. Train users not to click on links that come via e-mail.

Server-side:

  1. Add reject_unknown_sender_domain to smtpd_sender_restrictions.

  2. Add reject_unauth_destination to smtpd_recipient_restrictions.

  • It may also be helpful to mention that most email headers can be faked in one way or another, and a security review of the files on the server itself is also in order. We often see scripts on the server itself that can cause spamming like this.
    – FCTW
    Commented Apr 3, 2017 at 14:11
  • I think the e-mail account password is not stolen, because the spam is sent from different servers than our own SMTP server. It must be spoofing.
    Commented Apr 4, 2017 at 11:23
  • For your server, set or add smtpd_sender_restrictions = reject_unknown_sender_domain . add to smtpd_recipient_restrictions = reject_unauth_destination. Make an open relay test here: spamhelp.org/shopenrelay . You should not be an open relay.
    – Overmind
    Commented Apr 5, 2017 at 8:19
  • "user activated a script that has stolen your account password, then tried to send thousands of e-mails" You can't conclude that. Anyone can put any sender e-mail address into the envelope sender or message headers. SPF only goes so far (not everyone checks those, and some systems only use them as one part of scoring, not for blocking outright even if the policy says -all).
    – user
    Commented Apr 5, 2017 at 8:29
  • It's an often encountered situation for outlook users. Practically it's click and done.
    – Overmind
    Commented Apr 5, 2017 at 10:18
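The comments disagree on whether this is pure sender spoofing or a stolen account password. The Received lines that our own server stamped can settle that for a given message: Postfix records ESMTPA or ESMTPSA as the protocol when the client passed SASL authentication, while a hop the sender forged cannot make our server write such a line. The triage script below is an added example (not from the question or the answer): it parses a header dump, keeps only the hops relayed "by" our host, and reports whether any of them was an authenticated session and from which client. The first sample is modelled on the question's header dump (host names and the IP are taken from it, mailbox addresses are constructed placeholders); the second is a constructed pure spoof that never touched our server.

```python
import email
import re

# Constructed sample modelled on the question's Received chain; mailbox addresses are placeholders.
HEADERS_FROM_QUESTION = """\
Received: from localhost (localhost.localdomain [127.0.0.1]) by my.mailserver.com (Postfix) with ESMTP id DD45CAC5A1 for <our-mailbox@example.com>; Mon, 3 Apr 2017 11:17:37 +0200 (CEST)
Received: from my.mailserver.com ([127.0.0.1]) by localhost (my.mailserver.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id O1fVwS1XHyh8 for <our-mailbox@example.com>; Mon, 3 Apr 2017 11:17:37 +0200 (CEST)
Received: from galadevelopers.com (ip-203-124-105-72.ip.secureserver.net [203.124.105.72]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by my.mailserver.com (Postfix) with ESMTPSA id C0C47AC59F for <our-mailbox@example.com>; Mon, 3 Apr 2017 11:17:36 +0200 (CEST)
From: Florence <our-mailbox@example.com>
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
"""
# Constructed sample of a pure spoof: our address in From, but our server never relayed it.
HEADERS_SPOOFED = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org (Postfix) with ESMTP id ABC123 for <victim@example.org>; Mon, 3 Apr 2017 11:20:00 +0200 (CEST)
From: Florence <our-mailbox@example.com>
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<client>.*?)\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_PROTOS = {"ESMTPA", "ESMTPSA"}  # Postfix: the client passed SASL authentication

def parse_hops(raw_headers):
    """Return the Received hops, newest first, as dicts (helo, ip, by, proto)."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header first
        if not m:
            continue
        ip = IP_RE.search(m.group("client"))
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by").lower(), "proto": m.group("proto").upper()})
    return hops

def triage(raw_headers, our_host):
    """Classify a reported message using only the hops our own server stamped.

    Lines written by our_host are trustworthy; older lines further down the chain
    are under the sender's control and may be forged, so they are ignored here.
    """
    ours = [h for h in parse_hops(raw_headers) if h["by"] == our_host.lower()]
    auth = [h for h in ours if h["proto"] in AUTH_PROTOS]
    if auth:  # a client logged in with one of our accounts: credentials are the problem
        return {"verdict": "authenticated-relay", "client_ip": auth[0]["ip"], "helo": auth[0]["helo"]}
    if ours:  # we accepted it without authentication (inbound delivery or a loopback hop)
        return {"verdict": "relayed-unauthenticated", "client_ip": ours[-1]["ip"], "helo": ours[-1]["helo"]}
    return {"verdict": "never-relayed-by-us", "client_ip": None, "helo": None}
```

An "authenticated-relay" verdict points at a credential to rotate and a client IP to review in the SASL logs; "never-relayed-by-us" is the classic backscatter case, where only the sending domain's reputation (SPF/DKIM/DMARC) can help.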
