
Short version: What can be done to prevent emails being sent from our SMTP mail server using fake accounts that do not really exist in the domain?

Longer version: We use Plesk to manage our site hosted on a Windows VPS. By enabling SMTP logging on MailEnable, I notice that a lot of emails are being sent with accounts that do not exist in the domain. I reproduce below a small portion of the log. Here [email protected], [email protected] are accounts that do not exist in our domain. What can be done to prevent such emails from being sent?

Things I have already tried that haven’t stopped these:

  • I already have set the SPF record entry. The entry is: v=spf1 a mx -all
  • I have changed all the passwords. That hasn’t helped.
  • I have enabled DKIM.
  • I ran the following virus/malware detectors and they found nothing: VirusTotal Website Check, MSERT.exe from Microsoft, MSRT.exe from Microsoft.

2021-02-17 06:00:02 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 38 [email protected]
2021-02-17 06:00:03 212.70.149.71 SMTP-IN - 104.128.234.235 1296 RSET RSET 250+Requested+mail+action+okay,+completed WIN-DFQOE4PNR36 43 6 -
2021-02-17 06:00:03 212.70.149.85 SMTP-IN - 104.128.234.235 1448 QUIT QUIT 221+Service+closing+transmission+channel WIN-DFQOE4PNR36 42 6 [email protected]
2021-02-17 06:00:04 87.246.7.242 SMTP-IN - our.ip.address.here 1876 EHLO EHLO+User 250-ourDomain.com+[87.246.7.242],+this+server+offers+5+extensions WIN-DFQOE4PNR36 242 11 -
2021-02-17 06:00:04 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 34 [email protected]
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH c3RvbGF2LWd3NEAxMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 22 [email protected]
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - 104.128.234.235 1296 AUTH AUTH+LOGIN 334+VXNlcm5hbWU6 WIN-DFQOE4PNR36 18 12 -
2021-02-17 06:00:05 87.246.7.242 SMTP-IN - our.ip.address.here 1876 RSET RSET 250+Requested+mail+action+okay,+completed WIN-DFQOE4PNR36 43 6 -
2021-02-17 06:00:05 212.70.149.71 SMTP-IN - our.ip.address.here 1228 QUIT QUIT 221+Service+closing+transmission+channel WIN-DFQOE4PNR36 42 6 [email protected]
2021-02-17 06:00:05 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH Y3Zibm0xMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 
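The log excerpt above records AUTH commands answered with 535 Invalid Username or Password from several 212.70.149.x hosts, so a first defensive step is to measure failed AUTH attempts per client IP and per /24 rather than per single address. The script below is an added example, not code from the question or from MailEnable; it assumes the column layout of the quoted SMTP-IN activity log (date, time, client IP, direction, -, server IP, session, command, parameter, response, host, bytes, bytes, account) and runs on a constructed sample with placeholder server IP, mailboxes and base64 values.

```python
"""Spot SMTP AUTH password guessing in MailEnable SMTP-IN activity logs."""
import base64
import ipaddress
from collections import Counter

# Constructed sample in the same column layout as the log quoted in the question.
# Client IPs are the ones in the question; server IP, mailboxes and base64 are placeholders.
SAMPLE_LOG = """\
2021-02-17 06:00:02 212.70.149.71 SMTP-IN - 203.0.113.10 1228 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 38 user1@example.com
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - 203.0.113.10 1228 AUTH Z3Vlc3M= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 22 user1@example.com
2021-02-17 06:00:04 87.246.7.242 SMTP-IN - 203.0.113.10 1876 EHLO EHLO+User 250-example.com+[87.246.7.242],+this+server+offers+5+extensions WIN-DFQOE4PNR36 242 11 -
2021-02-17 06:00:05 212.70.149.85 SMTP-IN - 203.0.113.10 1848 AUTH Z3Vlc3M= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 22 user2@example.com
2021-02-17 06:00:09 212.70.149.71 SMTP-IN - 203.0.113.10 1301 AUTH Z3Vlc3M= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 22 user3@example.com
2021-02-17 06:00:12 198.51.100.7 SMTP-IN - 203.0.113.10 1310 AUTH Z3Vlc3M= 235+Authenticated WIN-DFQOE4PNR36 18 22 staff@example.com
"""

def parse_line(line):
    """Split one SMTP-IN line into the fields the check needs; spaces in responses are '+'."""
    f = line.split()
    if len(f) < 10 or f[3] != "SMTP-IN":
        return None
    return {"when": f"{f[0]} {f[1]}", "client": f[2], "command": f[7],
            "param": f[8], "code": f[9][:3], "response": f[9].replace("+", " ")}

def decode_challenge(response):
    """Return the text of a 334 AUTH LOGIN challenge (the server's base64-encoded prompt)."""
    code, _, b64 = response.partition("+")
    return base64.b64decode(b64).decode() if code == "334" else ""

def auth_failures(log_text):
    """Count 535 replies to AUTH per client IP and per /24, since guessing often rotates hosts."""
    per_ip, per_net = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["command"] == "AUTH" and rec["code"] == "535":
            per_ip[rec["client"]] += 1
            net = ipaddress.ip_network(f"{rec['client']}/24", strict=False)
            per_net[str(net)] += 1
    return per_ip, per_net

def flag_sources(log_text, threshold=2):
    """IPs and /24s with at least `threshold` failed AUTHs (low sample threshold; tune for real logs)."""
    per_ip, per_net = auth_failures(log_text)
    return (sorted(ip for ip, n in per_ip.items() if n >= threshold),
            sorted(net for net, n in per_net.items() if n >= threshold))

if __name__ == "__main__":
    ips, nets = flag_sources(SAMPLE_LOG)
    print("noisy IPs:", ips, "noisy /24s:", nets)
```

The per-/24 count is what shows the pattern in the question: .71 and .85 each fail separately, but the prefix as a whole is clearly guessing passwords, which is the unit a firewall or rate-limit rule should act on.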

2 Answers


  1. Start using a proper DMARC record in your DNS: https://www.linuxbabe.com/mail-server/create-dmarc-record
    You would probably want the reject policy (reject: tells receiving email servers to reject the email if the DMARC check fails).

    Might want to read all the parts on that site. I used it once to set up my mail server and it’s very informative.
    That IP that abuses your mail is known for doing that. My logs:

    Mar 25 04:34:12 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: lost connection after AUTH from unknown[212.70.149.71]
    Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: disconnect from unknown[212.70.149.71] ehlo=1 auth=0/1 rset=1 commands=2/3
    Mar 25 04:35:27 main postfix/smtps/smtpd[35405]: connect from unknown[212.70.149.71]
    Mar 25 04:35:37 main postfix/smtps/smtpd[35405]: Anonymous TLS connection established from unknown[212.70.149.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Mar 25 04:36:05 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Mar 25 04:36:10 main postfix/smtps/smtpd[35405]: lost connection after AUTH from unknown[212.70.149.71]
    Mar 25 04:36:10 main postfix/smtps/smtpd[35405]: disconnect from unknown[212.70.149.71] ehlo=1 auth=0/1 rset=1 commands=2/3
    Mar 25 04:37:20 main postfix/smtps/smtpd[35405]: connect from unknown[212.70.149.71]
    Mar 25 04:37:30 main postfix/smtps/smtpd[35405]: Anonymous TLS connection established from unknown[212.70.149.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Mar 25 04:37:58 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    

    Which is repeated many, many times. No e-mails are sent from that IP, though.
    Tried blocking that IP in the firewall but that didn’t seem to work 😕 – I would like to know why, though, so if anyone knows, please let me know!

    Information about it may be on one of those pages. Not sure because it’s been a while, and don’t have the time myself at this precise moment to check it out.

  2. You can use 3rd-party programs:

    • RdpGuard detects and blocks invalid connection attempts (RDP, SMTP, POP …) using Windows firewall
    • gykkSPAM (antispam filter) filters incoming and outgoing emails using local postoffices and authentication types