Spams sent from an external email address but email address sender changed to my own email address in my...











I recently received some strange spam on my mail server. I'm using Zimbra 8.x bundled with Postfix.

I think I've secured Postfix enough to avoid receiving spam from my own domain via an external SMTP connection without authentication.

Here is the part of zimbra.log where some spammers are trying to send emails from my email address to my email address without SMTP authentication.



Message ID '[reject:NOQUEUE:mail]'
virginie@mydomain.com -->
virginie@mydomain.com
Recipient virginie@mydomain.com
Nov 19 12:24:41 - unknown (91.x.24.x) status reject
553 5.7.1 <virginie@mydomain.com>: Sender address rejected: not logged in


They all get rejected, so theoretically I shouldn't be able to receive email coming from my own email address from spammers, except if my account has been hacked, which is not the case; I'll show you why in the logs.

The spammer used an external email address as the sender, which is usual, so no authentication is needed in that case.



Nov 19 20:39:40 mail postfix/smtpd[4733]: NOQUEUE: filter: RCPT from hackzor.net[185.24.1.1]: <spammer@hackzor.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<spammer@hackzor.net> to=<virginie@mydomain.com> proto=ESMTP helo=<hackzor.net>


But the weird thing is that, in the email in my inbox, the sender has changed to my own email address. Here is the header.



Return-Path: spammer@hackzor.net
Received: from mail.mydomain.com (LHLO mail.mydomain.com) (192.168.1.1) by
    mail.mydomain.com with LMTP; Mon, 19 Nov 2018 20:39:45 +0800 (CST)
Received: from localhost (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 60A105B459DE;
    Mon, 19 Nov 2018 20:39:45 +0800 (CST)
X-Virus-Scanned: amavisd-new at mail.mydomain.com
Received: from mail.mydomain.com ([127.0.0.1])
    by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id yARN2OhX10-F; Mon, 19 Nov 2018 20:39:41 +0800 (CST)
Received: from hackzor.net (hackzor.net [185.24.1.1])
    by mail.mydomain.com (Postfix) with ESMTPS id 7325D5B459A3
    for <virginie@mydomain.com>; Mon, 19 Nov 2018 20:39:38 +0800 (CST)
Received: by hackzor.net (Postfix, from userid 10000)
    id 28A931650A4; Mon, 19 Nov 2018 07:15:11 -0500 (EST)
To: virginie@mydomain.com
Subject: virginie@mydomain.com was hacked.
X-PHP-Originating-Script: 10000:c.php
MIME-Version: 1.0
Content-type:text/html;charset=UTF-8
From: virginie@mydomain.com <virginie@mydomain.com>
Message-Id: <20181119121513.28A931650A4@hackzor.net>
Date: Mon, 19 Nov 2018 07:15:11 -0500 (EST)


Does someone have a clue how this is possible and how to avoid this kind of spoofing?



Bye











  • Look up email spoofing. Not uncommon.
    – JakeGould
    Nov 21 at 2:54

  • An SPF record in your DNS is a good start and easy to do. Combine that with DKIM for better protection.
    – davidgo
    Nov 21 at 6:26

  • Unfortunately, I cannot implement SPF verification; many of our customers / suppliers don't use it. :(((
    – user3723669
    Nov 21 at 7:29















email postfix spoofing zimbra






asked Nov 21 at 2:43









user3723669
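
Added example, not part of the original post: the "not logged in" rejection in the first log excerpt is keyed on the SMTP envelope sender, while the address a mail client displays comes from the From: header inside the message data, and the delivered header above pairs an external Return-Path with a local From:. The Python code below flags that combination; `LOCAL_DOMAINS`, `classify()` and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: the domains this server hosts mailboxes for.
LOCAL_DOMAINS = {"mydomain.com"}

# Address-looking tokens; also catches an address used as the display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

# Constructed samples. SPOOFED is trimmed from the header in the question.
SPOOFED = (
    "Return-Path: spammer@hackzor.net\n"
    "Received: from hackzor.net (hackzor.net [185.24.1.1])\n"
    "\tby mail.mydomain.com (Postfix) with ESMTPS id 7325D5B459A3\n"
    "\tfor <virginie@mydomain.com>; Mon, 19 Nov 2018 20:39:38 +0800 (CST)\n"
    "To: virginie@mydomain.com\n"
    "From: virginie@mydomain.com <virginie@mydomain.com>\n"
    "\n"
    "body\n"
)
LOCAL = "Return-Path: <paul@mydomain.com>\nFrom: Paul <paul@MyDomain.com>\n\nhi\n"
EXTERNAL = ("Return-Path: <bounce@lists.example.org>\n"
            "From: Sales <sales@example.org>\n\nhi\n")
BOUNCE = "Return-Path: <>\nFrom: MAILER-DAEMON@mydomain.com\n\nundeliverable\n"


def domains_in(value):
    """Return the lower-cased domains of every address found in a header value."""
    return {d.lower() for d in ADDR_RE.findall(value or "")}


def classify(raw_message, local_domains=LOCAL_DOMAINS):
    """Compare the envelope sender (Return-Path) with the header From."""
    msg = message_from_string(raw_message)
    envelope = domains_in(msg.get("Return-Path"))
    header_from = domains_in(msg.get("From"))
    if not (header_from & local_domains):
        return "external"                 # From: does not claim a local domain
    if not envelope:
        return "local-from-null-sender"   # bounce-style mail: review separately
    if envelope & local_domains:
        return "local"                    # envelope and From: both local
    return "spoofed-local-from"           # external envelope, local From:


if __name__ == "__main__":
    for name, raw in [("SPOOFED", SPOOFED), ("LOCAL", LOCAL),
                      ("EXTERNAL", EXTERNAL), ("BOUNCE", BOUNCE)]:
        print(name, "->", classify(raw))
```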
