Author Topic: I received email from my own email account  (Read 1337 times)


« on: June 02, 2023, 07:10:08 PM »
Hello, I have another problem.

Friends, I would like to understand how this is possible and how to prevent this from happening.
It's as if I had sent an email to myself. When looking at the headers, I noticed that the IP is not from my server.

IP: 210.86.179.238 (unknown)
Domain: travelyamu.com (unknown)

My host has:
rDNS: OK
DKIM: OK
SPF: OK
DMARC: OK
IP: OK (not blacklisted)

I just think that SpamAssassin is not working well, because this email ended up in the inbox, bypassing the spam box.

I don't understand how this still happens...
I would like to understand these headers and solve this problem.


Code:
Return-Path: <sales@travelyamu.com>
Delivered-To: contact@xxxxxxxxxx.xxx
Received: from server.xxxxxxxxxx.xxx
    by server.xxxxxxxxxx.xxx with LMTP
    id +P6fLMGEd2Q8oRcARjsZHA
    (envelope-from <sales@travelyamu.com>)
    for <contact@xxxxxxxxxx.xxx>; Wed, 31 May 2023 13:32:49 -0400
Received: by server.xxxxxxxxxx.xxx (Postfix, from userid 65534)
    id A19EE4121FC7; Wed, 31 May 2023 13:32:49 -0400 (-04)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xxxxxxxxxx.xxx;
    s=default; t=1685554369;
    bh=RCwBhXFv13WAYkTWI9Cnim8HL4OwdIpgQ/eUQEz3aPw=;
    h=Reply-To:From:To:Subject:Date;
    b=YqZX2Zlv2rGPe2HU34fu7/ZmDLObGWHWYhEjHyWIArJREPnZvWX1NxvdUVZTYzpIH
    KicVt9VTvMv5EJ4uKKmAgtmpZwaT1pCRWME0xywTiYKb7dXgcfpOfv9SKWv4aWRGLq
    P7IdfMG77Lrclgs5Y25mqeGVB5x7hTIqy6ArXlWg=
Received: from 6069247.yamu.asia (6069247.yamu.asia [162.240.65.200])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by server.xxxxxxxxxx.xxx (Postfix) with ESMTPS id B0935412187D
    for <contact@xxxxxxxxxx.xxx>; Wed, 31 May 2023 13:32:46 -0400 (-04)
Authentication-Results: server.xxxxxxxxxx.xxx;
    dkim=pass (2048-bit key, unprotected) header.d=travelyamu.com header.i=@travelyamu.com header.a=rsa-sha256 header.s=default header.b=ohs+C4Z0
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=travelyamu.com; s=default; h=Content-Transfer-Encoding:Content-Type:
    MIME-Version:Message-ID:Date:Subject:To:From:Reply-To:Sender:Cc:Content-ID:
    Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
    :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
    List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=RCwBhXFv13WAYkTWI9Cnim8HL4OwdIpgQ/eUQEz3aPw=; b=ohs+C4Z0e4GReFCsnrKN4XBj4A
    LIhIifxaik9UkuwcaFmEqIaKeam6piWSpsGdfzF+Bdm6lsfBpoUWw9JZykX8IXVr5LrLY7tJEHKWU
    ASpKyTF/6as0+lxe2LCOCxGCeHMvmJqB9Iqox/Vi3jD5DTA3FdE+cVRYPn1YXDI4LS4Y/CZWfbqB0
    +DOGKEu+sEuCJNSReNdNr8lXAsNj2M2EW6fIJbZ/fOvguAzovhExjoN+lpCnotHp9w86BK4vU/rfG
    HS++vnkPApJxSgCJauofBEgpKiie6A4aTXrZs5CdHqAdT/DmPCVKjx5FSdChSRfNIE9vn8mXmLO//
    EGxNCaAQ==;
Received: from ppp-210-86-179-238.revip.asianet.co.th ([210.86.179.238]:60062 helo=travelyamu.com)
    by 6069247.yamu.asia with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96)
    (envelope-from <sales@travelyamu.com>)
    id 1q4Pgh-0002aT-0M
    for contact@xxxxxxxxxx.xxx;
    Wed, 31 May 2023 12:32:42 -0500
Reply-To: contact@xxxxxxxxxx.xxx
From: contact@xxxxxxxxxx.xxx
To: contact@xxxxxxxxxx.xxx
Subject: Your personal data has leaked due to suspected harmful activities. #927654
Date: 1 Jun 2023 00:32:40 +0700
Message-ID: <20230601003240.B847EDDBCF98D765@xxxxxxxxxx.xxx>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - 6069247.yamu.asia
X-AntiAbuse: Original Domain - xxxxxxxxxx.xxx
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - travelyamu.com
X-Get-Message-Sender-Via: 6069247.yamu.asia: authenticated_id: sales@travelyamu.com
X-Authenticated-Sender: 6069247.yamu.asia: sales@travelyamu.com
X-Source:
X-Source-Args:
X-Source-Dir:
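The headers above show the relevant check is DMARC alignment rather than SpamAssassin scoring: the only DKIM pass recorded belongs to travelyamu.com, while the From: header claims the recipient's own domain. The script below is an added example (not from the original post or CWP) that parses a constructed header set modelled on the quoted one, tests relaxed alignment of the DKIM/SPF results against the From domain, and pulls the injecting client's IP from the earliest Received hop; it approximates the organizational domain as the last two labels instead of using the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post (signatures and body
# trimmed; the redacted domain xxxxxxxxxx.xxx is kept exactly as the post shows it).
SAMPLE = """\
Return-Path: <sales@travelyamu.com>
Received: from 6069247.yamu.asia (6069247.yamu.asia [162.240.65.200])
    by server.xxxxxxxxxx.xxx (Postfix) with ESMTPS id B0935412187D
    for <contact@xxxxxxxxxx.xxx>; Wed, 31 May 2023 13:32:46 -0400 (-04)
Authentication-Results: server.xxxxxxxxxx.xxx;
    dkim=pass (2048-bit key, unprotected) header.d=travelyamu.com header.i=@travelyamu.com
Received: from ppp-210-86-179-238.revip.asianet.co.th ([210.86.179.238]:60062 helo=travelyamu.com)
    by 6069247.yamu.asia with esmtpsa (TLS1.2) (envelope-from <sales@travelyamu.com>)
    for contact@xxxxxxxxxx.xxx; Wed, 31 May 2023 12:32:42 -0500
From: contact@xxxxxxxxxx.xxx

(body omitted)
"""

def domain_of(addr):  # '<a@b.c>' -> 'b.c'
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def aligned(d1, d2):
    # DMARC relaxed alignment, approximated as "same last two labels";
    # a production check must use the Public Suffix List instead.
    return d1.split(".")[-2:] == d2.split(".")[-2:]

def analyze(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    ar = " ".join(msg.get_all("Authentication-Results", []))
    dkim_doms = re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", ar)
    spf = re.search(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", ar)
    dkim_ok = any(aligned(d, from_dom) for d in dkim_doms)
    spf_ok = bool(spf) and aligned(spf.group(1), from_dom)
    # The bottom-most Received header is the earliest hop: the client that injected the mail.
    first_hop = (msg.get_all("Received") or [""])[-1]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first_hop)
    return {"from_domain": from_dom,
            "return_path_domain": domain_of(msg.get("Return-Path", "")),
            "dkim_pass_domains": dkim_doms,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail",
            "origin_ip": ip.group(1) if ip else None}

if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(f"{k:20} {v}")
```

A receiving MTA that enforces the recipient domain's DMARC policy (or simply rejects unauthenticated outside connections claiming a local From: domain) would have refused this message regardless of its SpamAssassin score.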

Re: I received email from my own email account
« Reply #1 on: June 03, 2023, 02:14:25 AM »
Do you need a generic e-mail address like "contact@yourdomain.com"? That is easily guessed and likely on many spammer e-mail lists, so you're better off with something more specialized to avoid high volumes of generic spam. Or you could implement an obfuscated e-mail like the DuckDuckGo @duck.com forwarders.

That IP resolves to Thailand. Do you (or anyone on your server) do business with Thailand? If not, consider blocking that country via the CSF firewall. Also consider blocking the other top 10 spam source countries if you don't need to communicate with them.

Do you have proper UCE (unsolicited commercial e-mail) settings in your Postfix config? Consider implementing the zen.spamhaus.org RBL, if not many more RBLs, to shut down a large percentage of spam. SpamAssassin is farther down the chain, so it is best to stop spam at the gate if it fails various HELO or FQDN checks or is RBL-listed.

Another option I use on a high traffic mail server is ASSP (Anti-Spam SMTP Proxy). It sits on the edge as a dedicated anti-spam solution, running on ports 25, 465, and 587. It is HIGHLY configurable and not so resource intensive. I have trained its corpus and block about 75% of incoming, non-local mail. Then it passes mail onto Postfix which runs on an alternate SMTP port (1025 or whatever). And Postfix can still be set up to use RBLs and do HELO and FQDN and other checks, so you effectively have 2 high hurdles for spam to pass.

Re: I received email from my own email account
« Reply #2 on: June 05, 2023, 01:23:21 PM »
Hello overseer!

About the generic contact address, I think it is difficult to hide any e-mail, because on some sites you need to print the independent contact e-mail as it is.

We do not do business with Thailand. Our e-mail server already has all the standard CWP RBLs in place, including the reject option.

Although I noticed that SpamAssassin is not working properly, because it rejects some things and lets pass others that are blacklisted and without SPF and DKIM.

I'll look into ASSP.

Thank you for the contact.