# Stopping spam from hijacked email address

## audiodef

How can I report or block spam when it was sent from an address on your own domain, and no one but you has access to the email account that was used?

```
From - Wed May 23 16:59:58 2012
X-Account-Key: account3
X-UIDL: 1310481700.25
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <bigfat@email.address>
Received: from stupiddomain.com ([unix socket])
    by stupiddomain.com (Cyrus v2.3.16) with LMTPA;
    Wed, 23 May 2012 16:38:42 +0000
X-Sieve: CMU Sieve 2.3
Received: from stupiddomain.com (localhost [127.0.0.1])
   by stupiddomain.com (Postfix) with ESMTP id EE7393C746
   for <bigfat@email.address>; Wed, 23 May 2012 16:38:41 +0000 (GMT)
Received: from adsl.viettel.vn (unknown [115.78.120.190])
   by stupiddomain.com (Postfix) with SMTP id 145AC3C744
   for <bigfat@email.address>; Wed, 23 May 2012 16:38:40 +0000 (GMT)
To: <bigfat@email.address>
Subject: bigfat@email.address X ROLEX Inc X Discount-89046573
From: <bigfat@email.address>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
Message-ID: <cmu-lmtpd-1424-1337791122-0@stupiddomain.com>
Date: Wed, 23 May 2012 16:38:42 +0000
```

adsl.viettel.vn is the only thing that sticks out, but I don't know what to do with that. 

In the source of the body, there is this:

Link deleted.  — JRG

----------

## Jaglover

It was sent from 115.78.120.190 - is it really your domain? Everyone can forge the From and Reply-To fields. I just sent you a test mail, using a fake address.

I'd disable the link you posted; it tempts people to click on it, giving the spammer exactly what he wanted.

----------
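To make Jaglover's point concrete: the only hop in the headers that was recorded by the recipient's own server is the one that says where the connection actually came from. Everything below it, and the From/Return-Path lines, is supplied by the sender. The following is an added example, not code from the thread: it walks the Received: chain of the headers quoted in the question (copied verbatim into SAMPLE_HEADERS), stops at the first hop that is not one of our own hosts, and builds the reversed-octet DNSBL query name for that address, the same lookup cach0rr0 shows further down with the CBL. FORGED_TAIL, the trusted-host set and the DNSBL zone name are assumptions made for the example.

```python
# Added example (not code from the thread): find the originating client in a
# Received: chain, then build the DNSBL query name for it.
import ipaddress
import re
import socket

# Copied from the headers quoted in the first post (non-routing headers trimmed).
SAMPLE_HEADERS = """\
Return-Path: <bigfat@email.address>
Received: from stupiddomain.com ([unix socket])
    by stupiddomain.com (Cyrus v2.3.16) with LMTPA;
    Wed, 23 May 2012 16:38:42 +0000
X-Sieve: CMU Sieve 2.3
Received: from stupiddomain.com (localhost [127.0.0.1])
   by stupiddomain.com (Postfix) with ESMTP id EE7393C746
   for <bigfat@email.address>; Wed, 23 May 2012 16:38:41 +0000 (GMT)
Received: from adsl.viettel.vn (unknown [115.78.120.190])
   by stupiddomain.com (Postfix) with SMTP id 145AC3C744
   for <bigfat@email.address>; Wed, 23 May 2012 16:38:40 +0000 (GMT)
To: <bigfat@email.address>
From: <bigfat@email.address>
"""

# Constructed (assumption): a Received: line a spammer might append below the
# hops we recorded, to look as if the mail came via a respectable relay.
FORGED_TAIL = """\
Received: from mail.example.com (mail.example.com [198.51.100.7])
   by adsl.viettel.vn (Postfix) with ESMTP
   for <bigfat@email.address>; Wed, 23 May 2012 16:30:00 +0000 (GMT)
"""


def unfold(raw):
    """Join RFC 5322 continuation lines so each header field is one string."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line:
            fields.append(line)
    return fields


def received_hops(raw):
    """Received: fields top-down: each MTA prepends, so the first is the newest."""
    return [f[len("Received:"):].strip() for f in unfold(raw)
            if f.lower().startswith("received:")]


_FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw, trusted_hosts):
    """Return the first 'from' hop that is neither one of our own hosts nor a
    loopback/private address: the client that really connected to us.
    Hops below it were written by the sender and may be forged."""
    trusted = {h.lower() for h in trusted_hosts}
    for hop in received_hops(raw):
        m = _FROM_RE.match(hop)
        if not m:
            continue
        ip = _IP_RE.search(hop)
        if ip is None:
            if m.group(1).lower() in trusted:
                continue          # e.g. local LMTP delivery over a unix socket
            return None           # external hop without an address: don't guess
        addr = ipaddress.ip_address(ip.group(1))
        if addr.is_loopback or addr.is_private:
            continue              # internal relay hop on our side
        return str(addr)
    return None


def dnsbl_name(ip, zone):
    """Reverse the octets and prepend them to the zone, as for the CBL."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone="cbl.abuseat.org"):
    """Needs network: True if the zone answers with a 127.0.0.x record,
    False on NXDOMAIN (not listed)."""
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False
    return answer.startswith("127.")


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_HEADERS + FORGED_TAIL, {"stupiddomain.com"})
    print("originating IP:", origin)
    print("DNSBL query name:", dnsbl_name(origin, "cbl.abuseat.org"))
```

The forged tail is ignored because the walk stops at the first external hop counted from the top, which is the only place the spammer cannot write. `dnsbl_listed` is the one function that touches the network; the rest runs offline.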

## audiodef

That's definitely not my domain. I guess I was hoping there'd be a way to put a stop to this. Sometimes I report things to spam servers - maybe the IP address is enough. Other times, I send back hundreds of spam messages to annoy them into leaving my address alone.

----------

## Jaglover

Your link is still giving the exposure the spammer wanted.

You can obtain contact information using whois or similar services on the web: http://whois.domaintools.com/115.78.120.190

Although it's very possible the spammer is simply using a Windows zombie located in Dung, Vietnam.

----------

## audiodef

*Jaglover wrote:*

> Your link is still giving the exposure the spammer wanted.

 

Where?   :Shocked: 

----------

## audiodef

*Jaglover wrote:*

> Although it's very possible the spammer is simply using a Windows zombie located in Dung, Vietnam.

 

Or East Bahmfuque, Iowa.   :Laughing: 

----------

## Jaglover

Or East Bahmfuque, Iowa. Spoofing an IP address is possible, too. But there is a good chance the IP address is the real one where the spam was sent from.

----------

## cach0rr0

so, two spots where the spammer might forge your address:

- in the SMTP envelope data (i.e. the smtp command 'MAIL FROM:<you@yourdomain.com>')

- in the message header (i.e. after sending the smtp command DATA, adding From: <you@yourdomain.com> or Reply-To: <you@yourdomain.com>)

I would start by blocking the first sort, and see what it cuts down on. You may have to add checks for the second type later, but those are a bit more involved. 

For the former, have a gander at:

http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

What you'd want to do with the above, is set up a hash table, e.g. /etc/postfix/access which would contain:

```
# /etc/postfix/access: reject any envelope sender in this domain
# (with Postfix defaults, yourdomain.com also matches its subdomains)
yourdomain.com REJECT
```

```
postmap /etc/postfix/access
```

then have a section in main.cf that reads something like

```
# evaluated at MAIL FROM: SASL-authenticated clients may use the domain,
# everyone else is looked up in the access map and rejected
smtpd_sender_restrictions =
      permit_sasl_authenticated
      check_sender_access hash:/etc/postfix/access
```

Basically, the above should say "unless they've authenticated, an external host cannot send a MAIL command from my domain"

I *think* that's the correct syntax. Please test, e.g. via telnet. Make sure after setting that you haven't inadvertently made yourself an open relay (e.g. try issuing a RCPT TO command for an external domain, like yahoo.com or whatever). Telnet tests of course. And to make sure there's no confusion, don't do the test from any IP you have listed in $mynetworks, otherwise it'll be allowed regardless, and you'll panic and think you're an open relay  :Smile: 

For header parsing (the second sort of forgery mentioned up above) that's another animal. Probably the best way is to set up a check for SPF/Sender-ID, and to of course set up an SPF record for your domain.

Also worth pointing out, the IP address in the headers you list above, is blacklisted on the CBL

```
$ host 190.120.78.115.cbl.abuseat.org
190.120.78.115.cbl.abuseat.org has address 127.0.0.2
```

(reverse octets, prepend to .cbl.abuseat.org - if IP is blacklisted, you get a response. If it isn't, you get NXDOMAIN)

Do you have any blacklists/RBL's set up at the moment? For reference, this is my current RBL stash

```
# smtpd_delay_reject = no: client restrictions are enforced as soon as the
# client connects, instead of being held back until RCPT TO
smtpd_delay_reject = no
# hosts in $mynetworks skip the lists; any other client listed on one of
# these DNSBLs is rejected
smtpd_client_restrictions =
        permit_mynetworks
        reject_rbl_client ix.dnsbl.manitu.net
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client b.barracudacentral.org
        reject_rbl_client new.spam.dnsbl.sorbs.net
```

(I prefer smtpd_delay_reject = no - means the connection is dropped instantly, without waiting for any smtp commands)

----------
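The two telnet checks cach0rr0 asks for above (an unauthenticated MAIL FROM in your own domain must be rejected; a RCPT TO for an external domain must be rejected too, or you are an open relay) are easy to script so they can be rerun after every config change. The following is an added example, not code from the thread: a probe that runs both checks over a real connection, plus a constructed stand-in server so the logic can be exercised offline. The host, HELO name, domain and mailbox names are assumptions. One detail worth knowing when reading the replies: unless you set `smtpd_delay_reject = no`, Postfix answers 250 to the forged MAIL FROM and only reports the rejection at RCPT TO, so the probe issues a RCPT TO before judging. As cach0rr0 says, run it from an address that is not in `$mynetworks`.

```python
# Added example (not code from the thread): probe a Postfix server for the two
# conditions discussed above. Host/domain/mailbox names are assumptions.
import socket
import sys


def read_reply(f):
    """Read one SMTP reply (multi-line replies use '250-' lines) and return
    its three-digit code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3:4] == b" ":
            return int(line[:3])


class SocketExchange:
    """exchange(cmd) -> reply code over a real TCP connection to port 25."""

    def __init__(self, host, port=25, timeout=15):
        self.sock = socket.create_connection((host, port), timeout)
        self.f = self.sock.makefile("rwb")
        self.greeting = read_reply(self.f)

    def __call__(self, cmd):
        self.f.write(cmd.encode("ascii") + b"\r\n")
        self.f.flush()
        return read_reply(self.f)


class SimulatedPostfix:
    """Constructed offline stand-in, not real Postfix. Models a
    check_sender_access REJECT for my_domain and reject_unauth_destination.
    With delay_reject=True the sender reject is only reported at RCPT TO,
    which is what Postfix does unless smtpd_delay_reject = no."""

    def __init__(self, my_domain, delay_reject=True, open_relay=False):
        self.my_domain = my_domain.lower()
        self.delay_reject = delay_reject
        self.open_relay = open_relay
        self.pending = None

    def _local(self, arg):
        return arg.lower().endswith("@%s>" % self.my_domain)

    def __call__(self, cmd):
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "RSET"):
            self.pending = None
            return 250
        if verb == "QUIT":
            return 221
        if verb == "MAIL":
            self.pending = None
            if self._local(arg):                 # forged envelope sender
                if not self.delay_reject:
                    return 554
                self.pending = 554               # held back until RCPT TO
            return 250
        if verb == "RCPT":
            if self.pending:
                return self.pending
            return 250 if self._local(arg) or self.open_relay else 554
        return 500


def probe(exchange, my_domain, helo="probe.example.net",
          external_rcpt="someone@example.com"):
    """Run both checks; exchange(cmd) must return the SMTP reply code."""
    findings = {}
    exchange("EHLO " + helo)

    # 1. Unauthenticated MAIL FROM claiming our own domain must be rejected.
    #    Follow up with RCPT TO, because the reject is deferred until then
    #    when smtpd_delay_reject is at its default of yes.
    code = exchange("MAIL FROM:<test@%s>" % my_domain)
    if code < 400:
        code = exchange("RCPT TO:<postmaster@%s>" % my_domain)
    findings["forged_sender_code"] = code
    findings["rejects_forged_sender"] = code >= 500

    # 2. Open-relay check: external sender to an external recipient.
    exchange("RSET")
    exchange("MAIL FROM:<test@%s>" % helo)
    code = exchange("RCPT TO:<%s>" % external_rcpt)
    findings["relay_code"] = code
    findings["open_relay"] = 200 <= code < 300

    exchange("QUIT")
    return findings


if __name__ == "__main__":
    # usage: python probe.py mail.yourdomain.com yourdomain.com
    host, domain = sys.argv[1], sys.argv[2]
    print(probe(SocketExchange(host), domain))
```

A 4xx on the forged MAIL FROM is recorded but not counted as a reject, since it is a temporary failure (greylisting or a DNS hiccup) rather than the access-map REJECT, which answers 554; look at `forged_sender_code` in that case.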

## audiodef

*cach0rr0 wrote:*

> Do you have any blacklists/RBL's set up at the moment? For reference, this is my current RBL stash
>
> ```
> ...
> ```

 

Weird - I thought I had some such set up already in main.cf, yet I see that I do not. In the interest of seeing if the simplest solution works first, I've added what you have. Thanks, as usual, for the great information you've provided. I'll definitely try one of the other solutions if simply adding an RBL doesn't help.   :Very Happy: 

----------

