I have seen what appears to be a couple of outgoing spam mails being attempted to be sent from my quite newly set-up mailcow instance. I am trying to figure out where they come from and how I can avoid similar mails being sent.
Some interesting bits from rspamd in the screenshot above:
- IP address is the mailcow docker network's gateway
- From addresses are not registered in mailcow anywhere
- To addresses are mostly gmail/outlook addresses
- Authenticated user is unknown
Two of the e-mails are stuck in the mail queue due to being temporarily rate limited. I have put these on hold so they should not be sent. Headers from one of those:
message_arrival_time: Mon Jul 6 22:03:46 2020
create_time: Mon Jul 6 22:03:46 2020
named_attribute: log_ident=B565563A7C
named_attribute: rewrite_context=remote
sender: <REMOVED_SENDER_NOT_IN_MAILCOW>
named_attribute: log_client_name=unknown
named_attribute: log_client_address=172.22.1.1
named_attribute: log_client_port=44148
named_attribute: log_message_origin=unknown[172.22.1.1]
named_attribute: log_helo_name=[192.168.1.154]
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=172.22.1.1
named_attribute: client_port=44148
named_attribute: server_address=172.22.1.11
named_attribute: server_port=25
named_attribute: helo_name=[192.168.1.154]
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
warning_message_time: Thu Jan 1 00:59:59 1970
named_attribute: dsn_orig_rcpt=rfc822;<REMOVED_1>@yahoo.com
original_recipient: <REMOVED_1>@yahoo.com
done_recipient: <REMOVED_1>@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;<REMOVED_2>@outlook.com
original_recipient: <REMOVED_2>@outlook.com
done_recipient: <REMOVED_2>@outlook.com
named_attribute: dsn_orig_rcpt=rfc822;<REMOVED_3>@gmail.com
original_recipient: <REMOVED_3>@gmail.com
recipient: <REMOVED_3>@gmail.com
*** MESSAGE CONTENTS hold/B565563A7C ***
Received: from [192.168.1.154] (unknown [172.22.1.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by <MYDOMAIN> (Postcow) with ESMTPS id B565563A7C;
Mon, 6 Jul 2020 22:03:46 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: Dear Winner , -----<MAILSERVER_PUBLIC_IP>----- BMW LOTTERY DEPARTMENT.
To: Recipients <REMOVED_SENDER_NOT_IN_MAILCOW>
From: "Mrs. Mary Smith" <REMOVED_SENDER_NOT_IN_MAILCOW>
Date: Mon, 06 Jul 2020 17:03:53 -0300
Reply-To: <REMOVED_3>@gmail.com
X-Last-TLS-Session-Version: TLSv1
Authentication-Results: <MYDOMAIN>
none
X-Spamd-Result: default: False [7.50 / 15.00];
ARC_NA(0.00)[];
HAS_REPLYTO(0.00)[<REMOVED_3>@gmail.com];
FROM_HAS_DN(0.00)[];
FREEMAIL_ENVRCPT(0.00)[yahoo.com,outlook.com,gmail.com];
MIME_GOOD(-0.10)[text/plain];
REPLYTO_DOM_NEQ_FROM_DOM(0.00)[];
FREEMAIL_REPLYTO(0.00)[gmail.com];
TO_DN_RECIPIENTS(2.00)[];
RCPT_COUNT_ONE(0.00)[1];
CLAM_VIRUS_FAIL(0.00)[failed to scan and retransmits exceed];
MISSING_MID(2.50)[];
TO_DN_ALL(0.00)[];
BAD_WORDS(0.10)[];
FROM_NAME_HAS_TITLE(1.00)[mrs];
RCVD_COUNT_ZERO(0.00)[0];
FROM_EQ_ENVFROM(0.00)[];
TO_EQ_FROM(0.00)[];
MIME_TRACE(0.00)[0:+];
FORGED_RECIPIENTS(2.00)[<REMOVED_SENDER_NOT_IN_MAILCOW>,<REMOVED_1>@yahoo.com ...];
MSBL_EBL_FAIL(0.00)[<REMOVED_3>@gmail.com:query timed out]
X-Rspamd-Queue-Id: B565563A7C
The other e-mail is similar (with a @gmail.com sender).
It's been some days now, and it seems no more have been sent, so perhaps things are OK now, but I wonder if anyone can give some insight into this. I added some additional FW rules etc. to the server since then as well.
Does the sender IP in rspamd being the docker gateway indicate that the e-mail was sent from a docker container, and perhaps that is how it got past the postfix SASL authentication?
Thanks!
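The indicators the post lists (client address equal to the docker gateway, "Authenticated user is unknown", a sender domain not hosted on the instance, freemail recipients) can be checked mechanically against a queue-file dump of the shape quoted above. The script below is an added example and is not the poster's or mailcow's code: it parses the `named_attribute:` / `sender:` / `original_recipient:` lines of a `postcat`-style dump and reports which of those indicators apply. The hosted domains, the container network and the two sample dumps are constructed for the example; the check for an authenticated submission relies on Postfix recording the SASL login as a `sasl_username` queue attribute, which is assumed here rather than taken from the post.

```python
"""Triage a Postfix queue-file dump for the indicators seen in the post.

Added example, not mailcow's or the poster's code.  Parses the
`named_attribute:` / `sender:` / `original_recipient:` lines of a
`postcat`-style dump and flags: client inside the container network,
no SASL username recorded, envelope sender domain not hosted locally,
unknown reverse DNS with an address-literal HELO, and an all-freemail
recipient list.  All domains, addresses and networks are constructed.
"""
import ipaddress

# Assumptions (constructed): the domains this server hosts and the docker
# network the containers live on (the post's gateway address was 172.22.1.1).
LOCAL_DOMAINS = {"example.org"}
CONTAINER_NET = ipaddress.ip_network("172.22.1.0/24")
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample in the same shape as the post's dump, with the
# redacted values replaced by documentation addresses.
SUSPICIOUS_DUMP = """\
named_attribute: log_ident=B565563A7C
named_attribute: rewrite_context=remote
sender: <mary.smith@example.net>
named_attribute: log_client_name=unknown
named_attribute: client_name=unknown
named_attribute: client_address=172.22.1.1
named_attribute: client_port=44148
named_attribute: helo_name=[192.168.1.154]
named_attribute: protocol_name=ESMTP
original_recipient: <victim1@yahoo.com>
original_recipient: <victim2@outlook.com>
original_recipient: <victim3@gmail.com>
"""

# Constructed sample of an authenticated submission by a local user, for contrast.
# (Assumption: Postfix records the SASL login as a sasl_username attribute.)
LEGIT_DUMP = """\
named_attribute: log_ident=0123456789
sender: <alice@example.org>
named_attribute: client_name=laptop.example.org
named_attribute: client_address=203.0.113.5
named_attribute: helo_name=laptop.example.org
named_attribute: sasl_method=PLAIN
named_attribute: sasl_username=alice@example.org
original_recipient: <bob@example.com>
"""


def parse_queue_dump(text):
    """Return {"sender": str, "recipients": [str], "attributes": {name: value}}."""
    rec = {"sender": "", "recipients": [], "attributes": {}}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # body or separator line, not a queue record
        value = value.strip()
        if key == "named_attribute":
            name, _, val = value.partition("=")
            rec["attributes"][name] = val
        elif key == "sender":
            rec["sender"] = value.strip("<>")
        elif key == "original_recipient":
            rec["recipients"].append(value.strip("<>"))
    return rec


def domain_of(address):
    return address.rpartition("@")[2].lower()


def triage(rec, local_domains=LOCAL_DOMAINS, container_net=CONTAINER_NET):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    attrs = rec["attributes"]
    client = attrs.get("client_address", "")
    try:
        if ipaddress.ip_address(client) in container_net:
            findings.append(f"client {client} is inside the container network: the connection "
                            "arrived via the docker gateway, not directly from the internet")
    except ValueError:
        findings.append(f"client_address {client!r} is not a valid IP address")
    # No sasl_username attribute means the message was accepted without SMTP AUTH.
    if "sasl_username" not in attrs:
        findings.append("no sasl_username recorded: accepted without SMTP authentication")
    if rec["sender"] and domain_of(rec["sender"]) not in local_domains:
        findings.append(f"envelope sender domain {domain_of(rec['sender'])} is not hosted here")
    if attrs.get("client_name", "unknown") == "unknown" and attrs.get("helo_name", "").startswith("["):
        findings.append("client has no reverse DNS and used an address-literal HELO")
    rcpt_domains = {domain_of(r) for r in rec["recipients"]}
    if rcpt_domains and rcpt_domains <= FREEMAIL_DOMAINS:
        findings.append(f"all {len(rec['recipients'])} recipients are at freemail providers")
    return findings


if __name__ == "__main__":
    for label, dump in (("suspicious", SUSPICIOUS_DUMP), ("legit", LEGIT_DUMP)):
        print(label, triage(parse_queue_dump(dump)) or ["nothing stood out"])
```

Feed it the output of `postcat -vq <queue-id>` for a held message; a message that trips the "inside the container network" and "no sasl_username" findings together is the one worth tracing back to whichever host or container sat behind the gateway at that time.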