Topic: Receiving spam from my own email address

[bosco555]

Hi all,

I have been receiving spam from my own address: from me@domain.com to me@domain.com...I have checked but nothing is infected.  Spoofing?  I have installed the Geoip contrib as most of these emails originate from Brazil, but they still get through..I have changed user passwords, to no avail..

Is there anything else I need to do?

Return-Path: <me@domain.com>
Delivered-To: me@domain.com
Received: (qmail 4129 invoked by alias); 11 Jul 2015 03:46:11 -0000
Delivered-To: alias-localdelivery-me@domain.com
Received: (qmail 4126 invoked by uid 453); 11 Jul 2015 03:46:11 -0000
X-Spam-Level: *
X-Spam-Status: No, hits=-76.3 required=4.0
   tests=BAYES_50,DATE_IN_FUTURE_06_12,HELO_DYNAMIC_DHCP,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,RCVD_IN_XBL,RDNS_DYNAMIC,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_WS_SURBL,USER_IN_WHITELIST
X-Spam-Check-By: domain.com
Received: from dsl.49.150.233.251.pldt.net (HELO dsl.49.150.233.251.pldt.net) (49.150.233.251)
    by domain.com (qpsmtpd/0.84) with ESMTP; Sat, 11 Jul 2015 11:45:52 +0800
Message-ID: <55A101EA.2060504@me@domain.com>
Date: Sat, 11 Jul 2015 18:45:46 +0700
From: <me@domain.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: <me@domain.com>
Subject: I'd like to make correspondence
Content-Type: multipart/alternative;
 boundary="------------000607010704080600050605"
X-Virus-Checked: Checked by ClamAV on domain.com
X-EsetId: 37303A292035CC66627165

I have replaced the proper domain name with domain.com (obviously)

thank you in advance

[Gary Douglas]

USER_IN_WHITELIST

Do you have your own domain in the whitelist?

[Stefano]

Your own domain is AFAIK always whitelisted
@OP: you'd play with spf

[bosco555]

Hi all..own domain is always whitelisted....the domain has an spf record and can only send from the domain itself...however there was a ~all as a soft fail, which has now been changed to -all...

The above spf record is at the registrar, and only for sending email.  As this is becoming a necessity and for the benefit of new people in here, the simple syntax for this record (TXT) is as follows:

v=spf1 mx ip4:xxx.xxx.xxx.xxx mx:mail.domain.com -all
the xxx.xxx.xxx.xxx is the static IP address of your mail server (External IP).  That says that email can only be sent from that specific IP and from the server mail.domain.com only (-all)..

I had tried the SPF "contrib" but was not successful with it...Time to revisit it

thanks to all again..will keep you posted..

[bosco555]

Update: I had to install the badmailfromto contrib plugin to stop this nonsense. 

Basically disallowed any email coming from say user1 to user1. Had to do this for all the users affected:
http://wiki.contribs.org/Email#How_to_block_email_from_one_address_to_another_address_with_check_badmailfromto_plugin

As usually one doesn't send him/herself emails, unless completely mad, this has stopped the spam in its tracks.

[CharlieBrady]

As usually one doesn't send him/herself emails, unless completely mad, this has stopped the spam in its tracks.

I don't think I'm completely mad, but I sometimes do. I sometimes send email from my work system, using my home email address as the sender, and bcc'ing a copy to my home address, so that I can keep a copy for my records.

[ReetP]

Hi all,

I have been receiving spam from my own address: from me@domain.com to me@domain.com...I have checked but nothing is infected.  Spoofing?  I have installed the Geoip contrib as most of these emails originate from Brazil, but they still get through..I have changed user passwords, to no avail..

Received: from dsl.49.150.233.251.pldt.net (HELO dsl.49.150.233.251.pldt.net) (49.150.233.251)

Not sure what the issue is with geoiplookup ? Have you checked it is working - http://wiki.contribs.org/GeoIP

At the command line try geoiplookup 49.150.233.251

Here that shows :

[root@esmith plugins]# geoiplookup 49.150.233.251
GeoIP Country Edition: PH, Philippines


What have you got in your qpsmtpd config ?

[root@esmith plugins]# config show qpsmtpd

e.g.

qpsmtpd=service
    BadCountries=VN,RU,RS,RO,MY,TR,BO


If you think there is an issue with geoip you need to create a bug so it will get looked at.

B. Rgds
John

[CharlieBrady]

Spoofing?

Spoofing is trivially easy. You can't prevent it. spf is designed to make it ineffective.

I have changed user passwords, to no avail..

Passwords aren't relevant to non-relayed email, i.e. email which is addressed to users on your server/in your domain.