I believe I am seeing the same issue as reported in this issue: mailcow/mailcow-dockerized#2458
I run an email server for a few domains at, e.g., host.domain3.com. This email host has at least two domains: domain2.com, which is my personal domain, and domain.com, which is my friend’s domain. My domains already had -all in the SPF record.
I can’t find another source of spam.
My friend has been receiving several emails like the one below. Here is part of the full email headers.
Any suggestions on how to resolve this or at least harden the server?
dkim=pass header.i=@domain.com header.s=dkim header.b="UNIQUE";
spf=pass (google.com: domain of webmaster@domain.com designates IP.AD.DR.ESS as permitted sender) smtp.mailfrom=webmaster@domain.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=domain2.com
…
Return-Path: <webmaster@domain.com>
Received: from host.domain3.com (host.domain3.com. [IP.AD.DR.ESS])
…
Received-SPF: pass (google.com: domain of webmaster@domain.com designates IP.AD.DR.ESS as permitted sender) client-ip=IP.AD.DR.ESS;
Authentication-Results: mx.google.com;
dkim=pass header.i=@domain.com header.s=dkim header.b="UNIQUE";
spf=pass (google.com: domain of webmaster@domain.com designates IP.AD.DR.ESS as permitted sender) smtp.mailfrom=webmaster@domain.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=domain2.com
Received: from host.domain3.com (unknown [172.22.1.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
…
Authentication-Results: host.domain3.com; none
Received: (from domain@localhost) by host.domain3.com (8.15.2/8.15.2/Submit) id 3ATJL2mK3752503; Wed, 29 Nov 2023 14:21:02 -0500
X-Authentication-Warning: host.domain3.com: domain set sender to webmaster@domain.com using -f
…
X-Last-TLS-Session-Version: TLSv1.3
X-Rspamd-Queue-Id: AA6AD41B62
X-Rspamd-Fuzzy: 558467f2bb824c569e80bc1f4b448ace36cfe3b9541d9b36a7cd8670718e1acb2e74d87fb271c830c47a0e6e7044bc24eb5ed2c3c326cda1984110ce10a16c6c
X-Spamd-Result: default: False [2.41 / 15.00]; MAILCOW_FUZZY_DENIED(1.71)[11:558467f2bb:0.84:txt]; MID_RHS_WWW(0.50)[]; FORGED_SENDER(0.30)[user@domain2.com,webmaster@domain.com]; MIME_GOOD(-0.10)[text/plain]; BAYES_SPAM(0.00)[16.87%]; MAILCOW_DOMAIN_HEADER_FROM(0.00)[domain2.com]; DKIM_SIGNED(0.00)[domain.com:s=dkim]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_TO(0.00)[gmail.com]; RCVD_COUNT_TWO(0.00)[2]; TO_DN_NONE(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_ONE(0.00)[1]; REPLYTO_DOM_NEQ_FROM_DOM(0.00)[]; HAS_XAW(0.00)[]; BCC(0.00)[]; HAS_REPLYTO(0.00)[spammer@googlemail.com]; FROM_NEQ_ENVFROM(0.00)[user@domain2.com,webmaster@domain.com]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; FREEMAIL_REPLYTO(0.00)[googlemail.com]; ARC_NA(0.00)[]
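One defender-side check for the pattern in these headers, as an added example that is not part of the original post: it parses a constructed header sample modelled on the ones quoted above and flags what they show, a header From domain aligned with neither the passing SPF domain nor the DKIM signing domain, and sendmail's X-Authentication-Warning recording a local account overriding the envelope sender with -f. It compares exact domains (strict alignment) rather than organisational domains, which is a simplifying assumption.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the post's headers (its placeholders kept; To: is invented).
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@domain.com header.s=dkim header.b="UNIQUE";
       spf=pass (google.com: domain of webmaster@domain.com designates IP.AD.DR.ESS as permitted sender) smtp.mailfrom=webmaster@domain.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=domain2.com
X-Authentication-Warning: host.domain3.com: domain set sender to webmaster@domain.com using -f
From: user@domain2.com
Reply-To: spammer@googlemail.com
To: friend@gmail.com

body
"""

def domain_of(addr):
    """Exact domain after '@' (strict alignment; no Public Suffix List used)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def auth_domains(ar_value):
    """Domains that passed SPF and DKIM in one Authentication-Results header."""
    flat = re.sub(r"\s+", " ", ar_value)  # unfold the continuation lines
    found = {}
    if m := re.search(r"spf=pass\b.*?smtp\.mailfrom=([^\s;]+)", flat):
        found["spf"] = domain_of(m.group(1))
    if m := re.search(r"dkim=pass\b.*?header\.[di]=@?([\w.-]+)", flat):
        found["dkim"] = m.group(1).lower()
    return found

def analyse(raw):
    """Findings that point at mail injected locally under a forged sender."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    for ar in msg.get_all("Authentication-Results", []):
        auth = auth_domains(ar)
        # DMARC passes only if SPF *or* DKIM aligns with the header From domain
        if auth and from_dom not in auth.values():
            findings.append(f"dmarc-unaligned: From={from_dom} spf={auth.get('spf')} dkim={auth.get('dkim')}")
    for xaw in msg.get_all("X-Authentication-Warning", []):
        # sendmail/submit records a local account overriding the envelope sender with -f
        if m := re.match(r"(\S+): (\S+) set sender to (\S+) using -f", xaw.strip()):
            findings.append(f"local -f injection on {m[1]} by account {m[2]} as {m[3]}")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    return findings
```

Running `analyse` over mail leaving the host (or over the quarantine) gives a list of findings; an empty list means the From domain is aligned and no local -f override was recorded.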