Postfix sending spam from a sender that was never listed

I've received an email abuse report from AOL that the following email message was triggered as spam:

Return-Path: <ViagraCialisMD@www.dealbroker.nl>
Received: from my.domain.com (my.domain.com [xxx.xxx.xxx.xxx])
    by mtaig-mae04.mx.aol.com (Internet Inbound) with SMTP id AB7CB7000008A
    for <redacted>; Mon,  9 Jan 2017 05:08:15 -0500 (EST)
Received: (qmail 8052 invoked by uid 3465); 09 Jan 2017 10:08:12 +0000
Date: 09 Jan 2017 10:08:12 +0000
Message-ID: <20170109100812.8052.qmail@my.domain.com>
Subject: Order Cheap Meds. Save up to 70%. New 12 products. Deliver to your home.
Reply-To: ViagraCialisMD@www.dealbroker.nl
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
From: <ViagraCialisMD@www.dealbroker.nl>
To: 
X-Priority: 3
x-aol-global-disposition: G
Authentication-Results: mx.aol.com;
    spf=none (aol.com: the domain www.dealbroker.nl appears to have no SPF Record.) smtp.mailfrom=www.dealbroker.nl;
x-aol-sid: 3039ac1afe865873610f2eb3
X-AOL-IP: xxx.xxx.xxx.xxx
X-AOL-SPF: domain : www.dealbroker.nl SPF : none

It's easy to see they are correct in their assessment.

I'm on a dedicated Debian 7.11 server with Postfix set up. I don't host the mentioned domain www.dealbroker.nl.

I've searched mail.log and phpmail.log (configured in php.ini to log all mail sent through php) for the message ID and "dealbroker" but was unable to find any occurrence.

Every single domain on the server has its mail relayed through Rackspace's mailgun service. I've also gone through their logs and came up empty.

I was confident the Postfix main.cf configuration I had set up would not allow this.

postconf -n

alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
bounce_queue_lifetime = 12h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
maximal_queue_lifetime = 12h
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = my.domain.com, localhost, localhost.localdomain
myhostname = my.domain.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
policy-spf_time_limit = 3600s
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 50
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = 51
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_policy_service unix:private/policy-spf
smtpd_reject_unlisted_sender = yes
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_tls_CApath = /etc/postfix
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = maildrop

How do I find out where this email originated?

Might I have something else besides Postfix sending out mails?

Any help is greatly appreciated.

It looks like the spam was sent using qmail and not Postfix.

It may have come from your network but are you sure it came from your server? Does your server have a direct internet IP or is it going through a firewall? If you have a firewall then check the logs on that to see if you can tell where the email originated from.

Do you have a WiFi access point on your network? It could be that someone is connecting to your network from a different computer and using it to send spam.

The line:

Authentication-Results: mx.aol.com;
    spf=none (aol.com: the domain www.dealbroker.nl appears to have no SPF Record.) smtp.mailfrom=www.dealbroker.nl;

suggests that the email is being marked as spam because it has no SPF record.
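
The `Received: (qmail 8052 invoked by uid 3465)` line in the reported message has the form qmail writes for locally injected mail, so its UID is a lead to which local account ran the sending process. The script below is an added example, not part of the original posts: it extracts that trace, checks it against the PID embedded in the Message-ID, and maps the UID to an account. The function names are hypothetical, the sample headers are copied from the report above, and because the line sits below AOL's own Received header it was supplied by the sending side and may be forged.

```sh
#!/bin/sh
# Added example: read the local-injection trace from a reported message's headers.

# Constructed sample: header lines copied from the abuse report on this page.
sample_headers() {
cat <<'EOF'
Return-Path: <ViagraCialisMD@www.dealbroker.nl>
Received: from my.domain.com (my.domain.com [xxx.xxx.xxx.xxx])
    by mtaig-mae04.mx.aol.com (Internet Inbound) with SMTP id AB7CB7000008A
Received: (qmail 8052 invoked by uid 3465); 09 Jan 2017 10:08:12 +0000
Message-ID: <20170109100812.8052.qmail@my.domain.com>
EOF
}

# Print "pid uid" for each qmail-style local-injection Received line on stdin.
qmail_trace() {
    sed -n 's/^Received: (qmail \([0-9][0-9]*\) invoked by uid \([0-9][0-9]*\)).*/\1 \2/p'
}

# Print the PID embedded in a qmail-style Message-ID (<timestamp.pid.qmail@host>).
msgid_pid() {
    sed -n 's/^Message-ID: <[0-9]*\.\([0-9][0-9]*\)\.qmail@.*/\1/p'
}

# Map a numeric UID to a local account name (reads /etc/passwd only, not LDAP/NIS).
uid_owner() {
    awk -F: -v u="$1" '$3 == u { print $1; found = 1; exit }
        END { if (!found) print "unknown" }' /etc/passwd
}

# Summarise the trace in headers read from stdin; returns 1 if there is none.
report() {
    hdrs=$(cat)
    trace=$(printf '%s\n' "$hdrs" | qmail_trace | head -n 1)
    [ -n "$trace" ] || { echo "no qmail-style injection line"; return 1; }
    pid=${trace% *}
    uid=${trace#* }
    if [ "$(printf '%s\n' "$hdrs" | msgid_pid)" = "$pid" ]; then same=yes; else same=no; fi
    printf 'pid=%s uid=%s msgid_pid_match=%s account=%s\n' \
        "$pid" "$uid" "$same" "$(uid_owner "$uid")"
}

sample_headers | report
```

Run on the server itself, the `account=` field names the local user that owns UID 3465, if any; mail generated by that account's processes would not appear in Postfix's mail.log if it never passed through Postfix.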