How to block scam mail with our own domains in it, but fake

ikkeben

So I only changed our domain names to owndomain.com and ownmailserver.com.

The rest is original; please see how many fake things there are, such as random mail addresses @ owndomain.

And maybe others too; you can look up the IPs on abuse IP.


But how to do this, when SPF, DKIM and DMARC for owndomain are all at the max and set to reject, yet those mails are coming in and not blocked?

How can you block fake random email addresses @owndomain.com, where they try to abuse our own domain names,
to a real [email protected] address of ours (Envelope-to: [email protected])?

If those mails (looking the same) go to other domains like Gmail, we receive a report from Gmail and they are blocked because of our owndomain.com SPF; that is OK and right!

But why are they not totally blocked if those kinds of mails are sent to our (real, own) [email protected]? I don't understand.

All of this is on several of our DA servers with Exim and Dovecot, but not on other servers with Postfix and Dovecot ...


Code:
Return-Path: <[email protected]>
Received: from ownmailserver.com
    by ownmailserver.com with LMTP
    id kwn4FTtqfWIsAgAALUHJOA
    (envelope-from <[email protected]>); Thu, 12 May 2022 22:12:43 +0200
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 12 May 2022 22:12:43 +0200
Received: from mail.azimuters.gen.tr ([46.19.137.136])
    by ownmailserver.com with esmtp
    (envelope-from <[email protected]>)
    id 1npFAv-000099-1R
    for [email protected];
    Thu, 12 May 2022 22:12:43 +0200
Received: from azimuters.gen.tr (my.popasev.xyz [178.249.70.165])
    by mail.azimuters.gen.tr (Postfix) with ESMTPA id 4AF87FAC0;
    Thu, 12 May 2022 21:57:43 +0300 (EEST)
Message-ID: <[email protected]>
Reply-To: "AMAROK" <[email protected]>
From: "AMAROK" <[email protected]>
To: <[email protected]>
Subject: =?utf-8?B?QU1BUk9LIOKAlCBMSULDiVJFWiBWT1RSRSBCw4pURSBEw4lDSEHDjk7DiUUgQVZFQyBBTUFST0sh?=
Date: Thu, 12 May 2022 21:57:48 +0300
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_000F_01D8664B.2B8B7610"
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 46.19.137.136, -10 Spam score
SPFCheck: Server passes SPF test, -30 Spam score
X-Spam-Score: 4.2 (++++)
X-Spam-Report: Spam detection software, running on the system "ownmailserver.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  AMAROK ù LIB&#201;REZ VOTRE B&#202;TE D&#201;CHA&#206;N&#201;E!
    AMAROK VOUS TRANSFORMERA EN UN V&#201;RITABLE M&#194;LE DOMINANT &#201;rection
    longue et stable Sexe brillant et d&#233;brid&#233; jusqu'&#224; 3 heures
    Plaisir maximum du sexe Effet instantan&#233;
 
How can you block fake random email addresses @owndomain.com, where they try to abuse our own domain names,
to a real [email protected] address of ours (Envelope-to: [email protected])?
You might best contact me by PM, since we know each other very well, because I have a hard time understanding what you mean.

You are saying something about SPF, DKIM and DMARC, but that is only checked if mail is sent "from" your email address. In the full headers, I don't see any "from" your domain. So the checks are all done for that azimuters.gen.tr domain.
Now they are not on a blacklist.
They pass SPF and also rDNS, which both lower the spam score (if any).

So I don't really understand your issue. The system is working as should be.

The best option is to report this to Spamcop.
 
No, it all seems OK,
but they come through by faking, in this way, a random non-existent email address on the box:
SRS0=5+kG1W=VU=azimuters.gen.tr=[email protected]

So they put after their server a = and then [email protected], which is our domain on the box, but a random non-existent mail address,
mailing to an existing mail address in the box for that domain of ours, [email protected].

So I hope there is a way to block this kind of thing, where they change envelope-from and return-path??
(envelope-from <SRS0=5+kG1W=VU=azimuters.gen.tr=[email protected]>); Thu, 12 May 2022 22:12:43 +0200
Return-path: <SRS0=5+kG1W=VU=azimuters.gen.tr=[email protected]

Where they use a non-existent random (uknehlb@) mail address from our @owndomain.com.

Where the mail address set up on our server is to forward, in the DA GUI, mailto:[email protected] to mailto:[email protected].


They use this as some kind of route via the .xyz (sh.t) TLD to get it through spam blocks:
"Received: from azimuters.gen.tr (my.popasev.xyz [178.249.70.165])
by mail.azimuters.gen.tr (Postfix) with ESMTPA id 4AF87FAC0;"


[46.19.137.136 listed in wl.mailspike.net]
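An added note and example, not part of this thread: the envelope sender quoted above has the SRS0 (Sender Rewriting Scheme) layout, SRS0=hash=timestamp=original-domain=original-local-part@forwarder-domain. Read that way, azimuters.gen.tr is the domain of the original sender, the local part after it belongs to that original sender, and the domain after the @ is the one that did the rewriting when a forwarder delivered the message onward. The Python below is written for this thread, not Exim's or DirectAdmin's code. It parses such an address, decodes the two-character day timestamp and compares it with the message's Date header, and shows how the forwarder that holds the SRS secret verifies its own hash. The secret and the example sender alice@example.org are constructed; the redacted part of the thread's address is filled in from the poster's own description (uknehlb@ at owndomain.com).

```python
"""Decode and verify SRS0 (Sender Rewriting Scheme) envelope senders.

Reference implementation written for this thread, following the SRS draft
(Shevek, "Sender Rewriting Scheme"); it is not Exim's or DirectAdmin's code.

    SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder domain>

The timestamp is two base32 characters holding (days since 1970-01-01) mod 1024.
The hash is the leading characters of base64(HMAC-SHA1(secret, timestamp +
lowercased original domain + original local part)); its length (4 by default
in libsrs2, 6 in the address from this thread) is a setting of the forwarder.
"""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
EPOCH = date(1970, 1, 1)
SRS0_RE = re.compile(
    r"^SRS0=(?P<hash>[^=]+)=(?P<ts>[A-Za-z2-7]{2})=(?P<domain>[^=]+)=(?P<local>.+)@(?P<forwarder>[^@]+)$"
)

# Address from the thread; the poster redacted the part after the last "=" but
# described it as uknehlb@ at owndomain.com, so it is filled in from that.
THREAD_ADDRESS = "SRS0=5+kG1W=VU=azimuters.gen.tr=uknehlb@owndomain.com"
HEADER_DATE = date(2022, 5, 12)  # Date: header of the message in the thread


@dataclass
class Srs0:
    hash: str
    timestamp: str
    domain: str      # domain of the original sender
    local: str       # local part of the original sender
    forwarder: str   # domain that performed the rewrite

    @property
    def original_sender(self) -> str:
        return f"{self.local}@{self.domain}"


def parse_srs0(address: str) -> Optional[Srs0]:
    """Split an SRS0 address into its fields; None if it is not SRS0."""
    m = SRS0_RE.match(address.strip().strip("<>"))
    if not m:
        return None
    return Srs0(m["hash"], m["ts"].upper(), m["domain"], m["local"], m["forwarder"])


def srs_timestamp_days(ts: str) -> int:
    """Two base32 characters -> days since epoch, modulo 1024."""
    hi, lo = (SRS_BASE32.index(c) for c in ts.upper())
    return hi * 32 + lo


def srs_timestamp_for(day: date) -> str:
    days = (day - EPOCH).days % 1024
    return SRS_BASE32[days >> 5] + SRS_BASE32[days & 31]


def timestamp_is_fresh(ts: str, seen_on: date, max_age_days: int = 21) -> bool:
    """True if the rewrite happened within max_age_days before the message was seen.
    Compared modulo 1024 because the two-character timestamp wraps every ~2.8 years."""
    age = ((seen_on - EPOCH).days - srs_timestamp_days(ts)) % 1024
    return age <= max_age_days


def srs_hash(secret: bytes, ts: str, domain: str, local: str, length: int) -> str:
    mac = hmac.new(secret, (ts + domain.lower() + local).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:length]


def make_srs0(secret: bytes, sender: str, forwarder: str, day: date, hash_len: int = 4) -> str:
    """Rewrite `sender` the way a forwarder does (used here to exercise verify_srs0)."""
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp_for(day)
    return f"SRS0={srs_hash(secret, ts, domain, local, hash_len)}={ts}={domain}={local}@{forwarder}"


def verify_srs0(secret: bytes, address: str, seen_on: date) -> bool:
    """Only the forwarder holding `secret` can validate its own rewrites; a receiver
    without the secret can still read the fields and check the timestamp."""
    s = parse_srs0(address)
    if s is None or not timestamp_is_fresh(s.timestamp, seen_on):
        return False
    expected = srs_hash(secret, s.timestamp, s.domain, s.local, len(s.hash))
    return hmac.compare_digest(expected.encode(), s.hash.encode())


if __name__ == "__main__":
    s = parse_srs0(THREAD_ADDRESS)
    print("original sender  :", s.original_sender)
    print("rewritten by     :", s.forwarder)
    print("timestamp day    :", srs_timestamp_days(s.timestamp),
          "matches Date header:", srs_timestamp_for(HEADER_DATE) == s.timestamp)
```

Running it on the thread's address gives the original sender at azimuters.gen.tr, owndomain.com as the rewriting forwarder, and a timestamp of day 692 (mod 1024), which is exactly 12 May 2022, the date in the message's own headers.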
 
So I hope there is a way to block this kind of thing, where they change envelope-from and return-path??
Normally not; it's just spoofing. Checks are done as from the message ID, so it's quite normal.
You could try /etc/virtual/blacklist_senders for the from address and bad_sender_hosts_ip for the IP.
But I would just block the IP. And of course report to Spamcop. This is essential for getting abusers on blacklists. The more people do it, the better the chance that abusers get less chance, and that the IPs and hosters lose reputation.

[46.19.137.136 listed in wl.mailspike.net]
That's what SpamAssassin says. If you manually check this IP, then it's not listed on the mailspike.net blacklist.
It might even be that wl in wl.mailspike.net means whitelist, because the IP gets no negative score, even a positive one if I've seen correctly in the PM.
So that is not important here.
 
Yes, and no spoofing.

I don't understand why, if false domain information (our domain) is used in mails sent to our mail server, there is no filter to block those?

I know the real from address it was sent from is not this, but somehow it must be possible to protect against such spam?

It was the same mail to several email addresses of ours and several domains on 2 servers, but the scammers (from the real ID) had totally different IPs, domains and countries. So blocking on that domain or IP is not working.
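Added example, not written by any of the posters: a way to test the thing this thread keeps coming back to, whether an outside host actually presented an envelope sender in our own domain, as opposed to an SRS0 sender that only shows up on the hop between our own hosts. The Python below is written for this thread, not DirectAdmin's or Exim's code. It parses the Received: chain, finds the hop where the message entered our infrastructure, and flags an unauthenticated external hop whose envelope-from is in our domain, which is the condition an MTA deny rule for sender spoofing keys on. The first sample is rebuilt from the headers posted in the thread with the redacted addresses replaced by the placeholders REDACTED-SENDER and REAL-USER; the second is a constructed message from an RFC 5737 test address that really does claim our domain from outside.

```python
"""Walk a message's Received: chain to find the hop where it entered our
infrastructure and check whether the remote side presented an envelope sender
in our own domain there.  Written for this thread, not Exim's or DirectAdmin's
code; sample headers are rebuilt from the thread with placeholders."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from typing import List, Optional

OUR_DOMAINS = {"owndomain.com"}
OUR_HOSTS = {"ownmailserver.com"}
# Exim and Postfix append an "A" to the protocol word when SMTP AUTH was used.
AUTHENTICATED_PROTOS = {"ESMTPA", "ESMTPSA", "SMTPA"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z]+))?"
    r"(?:.*?envelope-from\s+<(?P<env_from>[^>]*)>)?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_host: str
    ip: Optional[str]
    by_host: str
    proto: Optional[str]
    envelope_from: Optional[str]

    @property
    def authenticated(self) -> bool:
        return (self.proto or "").upper() in AUTHENTICATED_PROTOS


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received: header value (folded continuation lines are joined)."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    ipm = IP_RE.search(m["from_info"] or "")
    return Hop(m["from_host"], ipm.group(1) if ipm else None, m["by_host"], m["proto"], m["env_from"])


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Verdict:
    entry_hop: Optional[Hop] = None
    spoofed_local_sender: bool = False  # outside host claimed our domain without SMTP AUTH
    srs_rewrite_local: bool = False     # SRS0 sender at our domain on a hop between our own hosts
    notes: List[str] = field(default_factory=list)


def analyse(raw_message: str) -> Verdict:
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    v = Verdict()
    # Received: headers are prepended, so walk bottom-up (oldest first) and
    # stop at the first hop that one of our hosts accepted from somewhere else.
    for hop in reversed(hops):
        if hop.by_host.lower() in OUR_HOSTS and hop.from_host.lower() not in OUR_HOSTS:
            v.entry_hop = hop
            break
    e = v.entry_hop
    if e and e.envelope_from and domain_of(e.envelope_from) in OUR_DOMAINS and not e.authenticated:
        v.spoofed_local_sender = True
        v.notes.append(f"{e.from_host} [{e.ip}] presented envelope sender {e.envelope_from} "
                       f"over unauthenticated {e.proto}: this is what an MTA deny rule should key on")
    for hop in hops:
        ef = hop.envelope_from or ""
        if ef.upper().startswith("SRS0=") and domain_of(ef) in OUR_DOMAINS \
                and {hop.from_host.lower(), hop.by_host.lower()} <= OUR_HOSTS:
            v.srs_rewrite_local = True
            v.notes.append(f"{ef} is on the internal {hop.proto} hop between our own hosts: "
                           f"our own SRS rewrite while forwarding, not an address the remote host sent")
    return v


# Rebuilt from the thread's headers; REDACTED-SENDER and REAL-USER are placeholders.
SAMPLE_FORWARDED = """\
Received: from ownmailserver.com
    by ownmailserver.com with LMTP
    (envelope-from <SRS0=5+kG1W=VU=azimuters.gen.tr=uknehlb@owndomain.com>); Thu, 12 May 2022 22:12:43 +0200
Received: from mail.azimuters.gen.tr ([46.19.137.136])
    by ownmailserver.com with esmtp
    (envelope-from <REDACTED-SENDER@azimuters.gen.tr>)
    for REAL-USER@owndomain.com; Thu, 12 May 2022 22:12:43 +0200
Received: from azimuters.gen.tr (my.popasev.xyz [178.249.70.165])
    by mail.azimuters.gen.tr (Postfix) with ESMTPA id 4AF87FAC0;
"""

# Constructed: an outside host (RFC 5737 test address) really claiming our domain.
SAMPLE_SPOOFED = """\
Received: from mx.example.net ([192.0.2.10])
    by ownmailserver.com with esmtp
    (envelope-from <random123@owndomain.com>)
    for REAL-USER@owndomain.com; Fri, 13 May 2022 10:00:00 +0200
"""
```

On the rebuilt thread message the entry hop is mail.azimuters.gen.tr at 46.19.137.136 over plain esmtp with a sender in the azimuters.gen.tr domain, so nothing in our domain was presented from outside and only the SRS note fires; on the constructed second message the spoofed-sender flag fires, and that is the case a rule on the incoming MTA can reject before SpamAssassin ever scores it.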
 