Short version: What can be done to prevent emails being sent from our SMTP mail server using fake accounts that do not really exist in the domain?
Longer version: We use Plesk to manage our site hosted on a Windows VPS. By enabling SMTP logging on MailEnable, I notice that a lot of emails are being sent with accounts that do not exist in the domain. I reproduce below a small portion of the log. Here [email protected], [email protected] are accounts that do not exist in our domain. What can be done to prevent such emails from being sent?
Things I have already tried that haven’t stopped these:
- I already have set the SPF record entry. The entry is:
v=spf1 a mx -all
- I have changed all the passwords. That hasn’t helped.
- I have enabled DKIM
- I ran the following virus/malware detectors and they found nothing: VirusTotal Website Check, MSERT.exe from Microsoft, MSRT.exe from Microsoft
2021-02-17 06:00:02 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 38 [email protected]
2021-02-17 06:00:03 212.70.149.71 SMTP-IN - 104.128.234.235 1296 RSET RSET 250+Requested+mail+action+okay,+completed WIN-DFQOE4PNR36 43 6 -
2021-02-17 06:00:03 212.70.149.85 SMTP-IN - 104.128.234.235 1448 QUIT QUIT 221+Service+closing+transmission+channel WIN-DFQOE4PNR36 42 6 [email protected]
2021-02-17 06:00:04 87.246.7.242 SMTP-IN - our.ip.address.here 1876 EHLO EHLO+User 250-ourDomain.com+[87.246.7.242],+this+server+offers+5+extensions WIN-DFQOE4PNR36 242 11 -
2021-02-17 06:00:04 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 34 [email protected]
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH c3RvbGF2LWd3NEAxMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 22 [email protected]
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - 104.128.234.235 1296 AUTH AUTH+LOGIN 334+VXNlcm5hbWU6 WIN-DFQOE4PNR36 18 12 -
2021-02-17 06:00:05 87.246.7.242 SMTP-IN - our.ip.address.here 1876 RSET RSET 250+Requested+mail+action+okay,+completed WIN-DFQOE4PNR36 43 6 -
2021-02-17 06:00:05 212.70.149.71 SMTP-IN - our.ip.address.here 1228 QUIT QUIT 221+Service+closing+transmission+channel WIN-DFQOE4PNR36 42 6 [email protected]
2021-02-17 06:00:05 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH Y3Zibm0xMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34
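Added here as an example (not from the question or any answer): a Python parser for MailEnable SMTP-IN activity log lines in the layout shown above. The sample lines, addresses, host name and account names are constructed. It tallies 535 replies per source IP, lists the account names tried that are not real mailboxes, and pulls out the AUTH attempts that actually succeeded, which is what separates a password-guessing run from an account that is really being used to send mail.

```python
import re
from collections import Counter
# Constructed sample in the MailEnable SMTP-IN activity log layout shown in the
# question; addresses, session ids, host name and account names are made up.
SAMPLE_LOG = """\
2021-02-17 06:00:02 203.0.113.71 SMTP-IN - 192.0.2.10 1228 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-HOST 18 38 nosuchuser@example.com
2021-02-17 06:00:04 203.0.113.71 SMTP-IN - 192.0.2.10 1228 AUTH xxxx 535+Invalid+Username+or+Password WIN-HOST 34 22 nosuchuser@example.com
2021-02-17 06:00:05 203.0.113.85 SMTP-IN - 192.0.2.10 1848 AUTH xxxx 535+Invalid+Username+or+Password WIN-HOST 34 22 other@example.com
2021-02-17 06:00:05 203.0.113.71 SMTP-IN - 192.0.2.10 1228 QUIT QUIT 221+Service+closing+transmission+channel WIN-HOST 42 6 nosuchuser@example.com
2021-02-17 06:00:06 203.0.113.71 SMTP-IN - 192.0.2.10 1301 AUTH xxxx 535+Invalid+Username+or+Password WIN-HOST 34 22 admin@example.com
2021-02-17 06:00:07 198.51.100.9 SMTP-IN - 192.0.2.10 1400 AUTH xxxx 235+Authentication+succeeded WIN-HOST 30 20 alice@example.com
"""
# One record per line; the byte counts and account at the end may be cut off
# (as in the last line of the question), and '-' in the account field = no user.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) SMTP-IN - (?P<server>\S+) "
    r"(?P<session>\d+) (?P<command>\S+) (?P<param>\S+) (?P<response>\S+) "
    r"(?P<host>\S+) (?P<sent>\d+)(?: (?P<recv>\d+))?(?: (?P<account>\S+))?$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["response"] = rec["response"].replace("+", " ")  # '+' stands for a space
    rec["code"] = rec["response"][:3]                     # three-digit SMTP reply
    if rec["account"] == "-":
        rec["account"] = None
    return rec

def auth_results(log_text):
    """Parsed AUTH records that ended in a final 535 (failed) or 235 (ok) reply."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["command"] == "AUTH" and rec["code"] in ("535", "235"):
            yield rec

def failed_auth_by_ip(log_text):
    """Count 535 'Invalid Username or Password' replies per source IP."""
    return Counter(r["client"] for r in auth_results(log_text) if r["code"] == "535")

def unknown_accounts(log_text, real_mailboxes):
    """Account names tried in AUTH that are not mailboxes on this server."""
    tried = {r["account"] for r in auth_results(log_text) if r["account"]}
    return sorted(tried - set(real_mailboxes))

def successful_auths(log_text):
    """(source IP, account) pairs that did log in: the ones worth investigating."""
    return [(r["client"], r["account"]) for r in auth_results(log_text) if r["code"] == "235"]
```

Point it at the real activity log and the list of mailboxes Plesk knows about; a 235 from an address that also appears in the 535 tally is the line to look at first.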
2 Answers
Start using a proper DMARC record in your DNS: https://www.linuxbabe.com/mail-server/create-dmarc-record
You would probably want the reject policy:
reject: tells receiving email servers to reject the email if DMARC check fails
Might want to read all the parts on that site. I used it once to set up my mail server and it’s very informative.
That IP that abuses your mail is known for doing that. My logs:
Which is repeated many, many times. No e-mails are sent from that IP, though.
Tried blocking that IP in the firewall but that didn’t seem to work 😕 – Would like to know why, though, so if anyone knows, would like to know!
Information about it may be on one of those pages. Not sure because it’s been a while, and don’t have the time myself at this precise moment to check it out.
You can use 3rd party programs;