
OK, so last night I started getting a lot of "undelivered" bounce messages on my mail server (postfix+dovecot+mysql).

What confuses me is that they've spoofed my domain, but I have SPF records set up that say only my mail host can send and that receiving servers should be strict about it.

EDIT: my SPF record:

example.org.       TXT  "v=spf1 a mx ptr -all"

The only consistency across 100+ messages is my domain.

Should I assume that things are OK (on my end) and that these bounces are real bounces, and that the SPF records will flag any mail actually delivered as being spoofed?

Here are the complete headers from one message - I've replaced my internal hostname with srvr1 and my domain with example.org - all other names/addresses are real. What is bothersome is that it seems the original receiving server isn't flagging this message as spam, even though I have SPF records set up...

Suggestions on this?

Return-Path: <>
Delivered-To: [email protected]
Received: from mail.example.org
    by srvr1 (Dovecot) with LMTP id +m3lJVxxkVocZgAAa5pXxw
    for <[email protected]>; Sat, 24 Feb 2018 14:06:20 +0000
Received: by mail.example.org (Postfix)
    id 95F85462B3; Sat, 24 Feb 2018 14:06:20 +0000 (UTC)
Date: Sat, 24 Feb 2018 14:06:20 +0000 (UTC)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="5CA7D462B1.1519481180/mail.example.org"
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>

This is a MIME-encapsulated message.

--5CA7D462B1.1519481180/mail.example.org
Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

This is the mail system at host mail.example.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<[email protected]>: host mx1.free.fr[212.27.48.6] said: 550 spam detected
    (in reply to end of DATA command)

--5CA7D462B1.1519481180/mail.example.org
Content-Description: Delivery report
Content-Type: message/delivery-status
Content-Transfer-Encoding: 8bit

Reporting-MTA: dns; mail.example.org
X-Postfix-Queue-ID: 5CA7D462B1
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Sat, 24 Feb 2018 14:06:18 +0000 (UTC)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx1.free.fr
Diagnostic-Code: smtp; 550 spam detected

--5CA7D462B1.1519481180/mail.example.org
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <[email protected]>
Received: from sinovapaint.com (unknown [85.255.199.39])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.example.org (Postfix) with ESMTPSA id 5CA7D462B1
    for <[email protected]>; Sat, 24 Feb 2018 14:06:18 +0000 (UTC)
Date: Sat, 24 Feb 2018 15:06:16 +0100
To: [email protected]
From: "Annabel A." <[email protected]>
Reply-To: "Annabel A." <[email protected]>
Subject: =?utf-8?Q?Y_a-t-il_d'autres_bons_=C3=A9talons_au_lit_=3F?=
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_15f058ce5dc516426d9dc772f549682f"
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,HTML_MESSAGE,
    URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on srvr1
  • If you are talking about a "mysterious" SPF, add it to the question. Commented Feb 24, 2018 at 14:58
  • Need lots of context for this sort of problem, and unfortunately replacing your server name doesn't help. Is sinovapaint.com you? What about [email protected]? Or [email protected]? What about 85.255.199.39? Or mail.example.org? Why does the bounced message appear to have gone through your SpamAssassin? Commented Feb 24, 2018 at 15:40
  • Oh, and if [email protected] isn't someone you tried to email, then surely their mailer has done a reasonable job at detecting that the forged email is spam? In which case is it just the back-scatter that you're objecting to? Commented Feb 24, 2018 at 15:42
  • @RuiFRibeiro - added
    – ivanivan
    Commented Feb 24, 2018 at 16:10
  • @roaima - anything referencing srvr1 or example.org is my stuff, everything else is copy/paste as-is from the headers. As to why the bounce appears to have gone through my system, etc. - that is what I am asking. Online checkers (like mxtoolbox.com) all report that everything is OK and good and not allowing relaying, etc. I'm just trying to be a good netizen and find out what is going on so I can fix whatever I need to on my end!
    – ivanivan
    Commented Feb 24, 2018 at 16:13

1 Answer

  • Not all receiving servers implement SPF checks.
  • Bounce notifications may be easily spoofed.

Have you checked hosts sending bounce notifications in RBLs?
AFAIR some RBLs list servers/IP-addresses sending unnecessary bounces.
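Both points can be checked mechanically against the headers quoted in the question. The following is an added example (not code from the question or the answer): it parses a Postfix non-delivery report, confirms that the report was issued by your own MTA for a queue id your server actually stamped on the message (a real bounce rather than forged backscatter), and decodes Postfix's Received protocol token, where ESMTPA/ESMTPSA means the submitting client passed SASL authentication. The helper names, the own_host parameter and the placeholder addresses in the constructed sample are assumptions.

```python
import re

# Postfix's "with <proto>" token in its own Received: line; a trailing "A"
# (ESMTPA, ESMTPSA) means the client passed SASL authentication.
AUTHENTICATED = {"ESMTPA", "ESMTPSA"}

def unfold(raw: str) -> str:
    """Join RFC 5322 folded header lines so each header sits on one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def triage_bounce(raw: str, own_host: str) -> dict:
    """Verdict for one DSN (raw text as saved from the mailbox); hypothetical helper."""
    text = unfold(raw)
    mta = re.search(r"^Reporting-MTA:\s*dns;\s*(\S+)", text, re.M)
    qid = re.search(r"^X-Postfix-Queue-ID:\s*(\S+)", text, re.M)
    # The Received: line our own MTA stamped when it accepted the original message.
    rcvd = re.search(
        r"^Received: from (\S+) \((?:\S+ )?\[([\d.]+)\]\).*?by "
        + re.escape(own_host) + r" \(Postfix\) with (\S+) id (\S+)", text, re.M)
    v = {"reporting_mta": mta.group(1) if mta else None,
         "client_helo": None, "client_ip": None, "entry": "unknown",
         "queue_match": False}
    if rcvd:
        helo, ip, proto, rid = rcvd.groups()
        v.update(client_helo=helo, client_ip=ip,
                 entry="authenticated submission" if proto in AUTHENTICATED
                 else "unauthenticated smtp",
                 # the DSN's queue id must be the one our server logged for this message
                 queue_match=bool(qid) and qid.group(1) == rid)
    # A spoofed bounce would name another MTA or cite a queue id we never issued.
    v["genuine_local_bounce"] = v["reporting_mta"] == own_host and v["queue_match"]
    return v

# Constructed sample trimmed from the DSN quoted in the question; addresses are placeholders.
SAMPLE = """\
Reporting-MTA: dns; mail.example.org
X-Postfix-Queue-ID: 5CA7D462B1
Diagnostic-Code: smtp; 550 spam detected

Return-Path: <sender@example.org>
Received: from sinovapaint.com (unknown [85.255.199.39])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    by mail.example.org (Postfix) with ESMTPSA id 5CA7D462B1
    for <recipient@free.fr>; Sat, 24 Feb 2018 14:06:18 +0000 (UTC)
"""

if __name__ == "__main__":
    print(triage_bounce(SAMPLE, "mail.example.org"))
```

Run it over each saved bounce: a report with genuine_local_bounce false is backscatter you can ignore, while one that is genuine with entry "authenticated submission" tells you which client IP and account the message was accepted from.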

