jonatitom Posted September 15, 2023 (edited)

Dear Sandeep B., how are you? I have had a problem for a few days with my emails. I am receiving an email from my own email account that I have configured. My host has:

rDNS: OK
DKIM: OK
SPF: OK
DMARC: OK
IP: OK

When looking at the headers I noticed that the IP is not from my server. I don't know what I should do to stop these scam emails from arriving. Thank you. The scam email is the following:

-----------------------------------------------------------------------------------------

**Message removed**

Edited September 15, 2023 by Sandeep B.: Email message body removed
Sandeep B. Posted September 15, 2023

Hi, change your server root password and email passwords. If you're using an email client, most likely your PC is infected. Scan the server with maldet:
jonatitom Posted September 15, 2023 Author (edited)

The first thing I did was change passwords and scan for viruses, as a precaution, but I think this is not due to malware but due to configuration. It will be necessary to deactivate PHP mail because these emails are phishing. Email spoofing.

Edited September 15, 2023 by jonatitom
Sandeep B. Posted September 15, 2023

You can check the email headers to see where the message was sent/originated from. Disabling the PHP mail function is a good idea.
jonatitom Posted September 16, 2023 Author

Email headers:

```text
Return-Path: <violated@my-business.com>
Delivered-To: contact@my-business.com
Received: from sv11.my-business.com
    by sv11.my-business.com with LMTP
    id wGeNBKFjA2VjQgAA7dXWpA
    for <contact@my-business.com>; Thu, 14 Sep 2023 16:48:49 -0300
Received: from localhost (unknown [127.0.0.1])
    by sv11.my-business.com (Postfix) with ESMTP id 01D0663A72
    for <contact@my-business.com>; Thu, 14 Sep 2023 19:48:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=my-business.com;
    s=default; t=1694720929;
    bh=tU9vg9RxGclAz8+zuxWsGSOe8VjO2S+LNvV8MVem7Nk=;
    h=Reply-To:From:To:Subject:Date;
    b=PEdJhu9GMvk8pZHoVPIGjMqZx8rKQH/DsXPmzvYIYmqNW3Fh/Skt+1vC1kfKfenrv
     o3oCkltiWOmfgL0QVoVIVeg48pCzEItXXSXRdSHfyyDu86OPJRqqtir1/QTJ2il2AL
     wjZsk1O+S8T/rbU+ZShG7txg7Ut72O9Yl5ay6t6s=
X-Virus-Scanned: amavisd-new at my-business.com
X-Spam-Flag: NO
X-Spam-Score: 5.674
X-Spam-Level: *****
X-Spam-Status: No, score=5.674 tagged_above=2 required=6.2
    tests=[FORGED_SPF_HELO=1, KHOP_HELO_FCRDNS=0.001, OBFU_BITCOIN=1,
    PDS_BTC_ID=0.001, RCVD_IN_PSBL=2.7, SPF_HELO_PASS=-0.001,
    SPF_SOFTFAIL=0.972, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no
Received: from sv11.my-business.com ([127.0.0.1])
    by localhost (sv11.my-business.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id CM3323HKmlVf for <contact@my-business.com>;
    Thu, 14 Sep 2023 16:48:47 -0300 (-03)
Received: from x9.theworkpc.com (mta0.x9.theworkpc.com [213.142.149.172])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by sv11.my-business.com (Postfix) with ESMTPS id 2F6C663A34
    for <contact@my-business.com>; Thu, 14 Sep 2023 16:48:47 -0300 (-03)
Received: by x9.theworkpc.com for <contact@my-business.com>;
    Thu, 14 Sep 2023 14:48:45 -0500 (envelope-from <violated@my-business.com>)
Reply-To: contact@my-business.com
From: violated@my-business.com
To: contact@my-business.com
Subject: Waiting for payment
Date: 14 Sep 2023 13:48:43 -0600
Message-ID: <20230914134843.9E895AA123FB7CA3@my-business.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
```
Sandeep B. Posted September 16, 2023

Seems it originated from the server. Check the user account it originated from; it seems you have some security holes in your script.
Solution

jonatitom Posted October 2, 2023 Author

These days I was finding out about spoofing and why these emails were arriving in my inbox, and I realized that in Postfix I was missing some configurations. I added this configuration to main.cf:

```text
# Sender restrictions:
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain
```

Now these spoofing emails reach SPAM. I wish this thread could be left open for future errors. And if you could help us, what configurations are recommended for Postfix? Thank you.
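As an added example (not code from the thread or from Postfix), the script below walks the Received chain of the headers posted above and applies the stricter rule that a `check_sender_access` REJECT entry for the local domain would enforce, which is not among the restrictions in the solution's main.cf: an envelope sender in our own domain that entered from a client outside mynetworks is flagged as spoofed. `LOCAL_DOMAINS` and the loopback-only `MYNETWORKS` are assumptions about the server in the thread.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Received and sender headers of the spoofed message in
# this thread, whitespace-folded; DKIM and spam-scanner headers are omitted.
SAMPLE_HEADERS = """\
Return-Path: <violated@my-business.com>
Received: from localhost (unknown [127.0.0.1])
 by sv11.my-business.com (Postfix) with ESMTP id 01D0663A72
 for <contact@my-business.com>; Thu, 14 Sep 2023 19:48:49 +0000 (UTC)
Received: from x9.theworkpc.com (mta0.x9.theworkpc.com [213.142.149.172])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 by sv11.my-business.com (Postfix) with ESMTPS id 2F6C663A34
 for <contact@my-business.com>; Thu, 14 Sep 2023 16:48:47 -0300 (-03)
From: violated@my-business.com
Subject: Waiting for payment
"""

# Assumed local setup: hosted domain and Postfix mynetworks (loopback only).
LOCAL_DOMAINS = {"my-business.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
# "from <helo> (<rdns> [<ip>]) ... by <server>", the form Postfix writes.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^\[]*\[([0-9a-fA-F.:]+)\]\).*?\sby\s+(\S+)")


def entry_hop(headers):
    """Walk Received newest-first; return (helo, ip, server) of the hop where a
    client outside mynetworks handed the message to our server, else None."""
    for received in message_from_string(headers).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(received.split()))
        if not m:
            continue  # no bracketed client IP (e.g. LMTP or sender-side lines)
        helo, ip, server = m.groups()
        if any(ipaddress.ip_address(ip) in net for net in MYNETWORKS):
            continue  # internal relay hop (amavis, local delivery)
        return helo, ip, server
    return None


def spoof_verdict(headers):
    """Local-domain envelope sender that entered from outside mynetworks: the
    condition a check_sender_access REJECT on the local domain would stop."""
    msg = message_from_string(headers)
    sender = parseaddr(msg.get("Return-Path", msg.get("From", "")))[1]
    hop = entry_hop(headers)
    claims_local = sender.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS
    return {"sender": sender, "entry_helo": hop[0] if hop else None,
            "entry_ip": hop[1] if hop else None,
            "spoofed": claims_local and hop is not None}
```

Users submitting mail from their own clients over SASL-authenticated submission are the legitimate exception to this rule, which is why such a Postfix restriction is preceded by `permit_sasl_authenticated`.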