I have seen what appears to be a couple of outgoing spam mails being attempted to be sent from my quite newly set up mailcow instance. I am trying to figure out where they come from and how I can avoid similar mails from being sent.
Some interesting bits from rspamd in the screenshot above:
- IP address is the mailcow docker network's gateway
- From addresses are not registered in mailcow anywhere
- To addresses are mostly gmail/outlook addresses
- Authenticated user is unknown
Two of the e-mails are stuck in the mail queue due to being temporarily rate limited. I have put these on hold so they should not be sent. Headers from one of those:
message_arrival_time: Mon Jul 6 22:03:46 2020
create_time: Mon Jul 6 22:03:46 2020
warning_message_time: Thu Jan 1 00:59:59 1970
*** MESSAGE CONTENTS hold/B565563A7C ***
Received: from [192.168.1.154] (unknown [172.22.1.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by <MYDOMAIN> (Postcow) with ESMTPS id B565563A7C;
Mon, 6 Jul 2020 22:03:46 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
Content-Description: Mail message body
Subject: Dear Winner , -----<MAILSERVER_PUBLIC_IP>----- BMW LOTTERY DEPARTMENT.
To: Recipients <REMOVED_SENDER_NOT_IN_MAILCOW>
From: "Mrs. Mary Smith" <REMOVED_SENDER_NOT_IN_MAILCOW>
Date: Mon, 06 Jul 2020 17:03:53 -0300
X-Spamd-Result: default: False [7.50 / 15.00];
CLAM_VIRUS_FAIL(0.00)[failed to scan and retransmits exceed];
MSBL_EBL_FAIL(0.00)[<REMOVED_3>@gmail.com:query timed out]
The other e-mail is similar (with a @gmail.com sender).
It's been some days now, and it seems no more have been sent, so perhaps things are OK now, but I wonder if anyone can give some insight into this. I added some additional FW rules etc. to the server since then as well.
Does the sender IP in rspamd being the docker gateway indicate that the e-mail was sent from a docker container, and perhaps that way it got through the Postfix SASL authentication?
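One way to triage held or logged messages like the one above is to check the server's own Received stamp. Postfix records the connecting client IP in it, and when the session was SASL-authenticated the protocol token carries a trailing "A" (ESMTPSA / ESMTPA); the held message shows plain "ESMTPS" and a client IP equal to the docker gateway, which matches rspamd's "authenticated user unknown". The script below is an added example, not code from the post or from the mailcow project: it parses the topmost Received header, flags messages whose client IP is inside an internal network (assumed here to be 172.22.1.0/24, since the gateway was 172.22.1.1), that were not SASL-authenticated, or whose From domain is not one hosted locally (assumed to be example.test). The sample messages are constructed; the queue id is taken from the post and the host names and addresses are invented.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (headers only). The first mirrors the held
# spam from the post; host names and addresses are invented placeholders.
SAMPLE_SPAM = """\
Received: from [192.168.1.154] (unknown [172.22.1.1])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\t(No client certificate requested)
\tby mail.example.test (Postcow) with ESMTPS id B565563A7C;
\tMon, 6 Jul 2020 22:03:46 +0200 (CEST)
Subject: Dear Winner
To: Recipients <someone@gmail.com>
From: "Mrs. Mary Smith" <mary.smith@gmail.com>

(body omitted)
"""

# A legitimate, SASL-authenticated submission from a local user (constructed).
SAMPLE_LEGIT = """\
Received: from laptop.lan (unknown [203.0.113.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\t(No client certificate requested)
\tby mail.example.test (Postcow) with ESMTPSA id 0123456789;
\tTue, 7 Jul 2020 09:00:00 +0200 (CEST)
Subject: Hello
To: friend@gmail.com
From: Alice <alice@example.test>

(body omitted)
"""

# Assumptions for this instance: the domains mailcow hosts, and the docker
# network whose gateway (172.22.1.1) appeared as the client IP in the post.
LOCAL_DOMAINS = {"example.test"}
INTERNAL_NETS = [ipaddress.ip_network("172.22.1.0/24")]

# Postfix Received stamp: "from HELO (rdns [ip]) ... with PROTO id ..."
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\).*?"
    r"\bwith (?P<proto>[A-Z]+)\b"
)


def parse_received(value):
    """Unfold a Received header and extract HELO name, rDNS, client IP and protocol."""
    flat = re.sub(r"\s+", " ", value)
    m = RECEIVED_RE.search(flat)
    return m.groupdict() if m else None


def assess(raw_message, local_domains=LOCAL_DOMAINS, internal_nets=INTERNAL_NETS):
    """Return findings for one message based on its topmost Received header."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return {"findings": ["no-received-header"], "suspicious": True}
    hop = parse_received(received[0])  # topmost hop is our own server's stamp
    if hop is None:
        return {"findings": ["unparsable-received"], "suspicious": True}

    findings = []
    ip = ipaddress.ip_address(hop["ip"])
    if any(ip in net for net in internal_nets):
        findings.append("client-ip-is-internal")
    # Postfix appends "A" to the protocol token only for SASL-authenticated sessions.
    if not hop["proto"].endswith("A"):
        findings.append("no-sasl-auth")
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if domain not in {d.lower() for d in local_domains}:
        findings.append("sender-domain-not-local")

    # An unauthenticated submission from inside the container network is the
    # pattern to investigate: something reachable on that network relayed mail.
    suspicious = "client-ip-is-internal" in findings and "no-sasl-auth" in findings
    return {"client_ip": str(ip), "proto": hop["proto"], "sender_domain": domain,
            "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for name, sample in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(name, assess(sample))
```

Run against the messages Postfix holds (postcat -q QUEUEID) or against mail.log-derived headers; a message that is flagged "client-ip-is-internal" together with "no-sasl-auth" points to something on the docker network submitting mail without credentials, which is the first thing to check in Postfix's mynetworks / permit_mynetworks settings and in the network access of the other containers.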