How to understand and control a suspicious email forward attempt via an alias...

#1 Mon, 12/16/2019 - 17:39
adamjedgar


Message ID AB9067D02E Date and time received 12/11/2019 7:23 AM
Sender's address domain.com@host.fqdn Recipient's address HadewychvanKempen@gmail.com
Delivery type Handled by email alias Destination mailbox user None
Message size 859 bytes Final destination Forwarded to HadewychvanKempen@gmail.com
Outgoing email relay alt1.gmail-smtp-in.l.google.com
Mail server delivery status deferred (host alt1.gmail-smtp-in.l.google.com[173.194.202.26] said: 421-4.7.0 [<my server host ip address> 15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam

Exactly how, and what information, can I get from Webmin about the above logged email message details?

I note that this has been logged in my mail logs quite a large number of times. Is it getting through and relaying, or is my system actually blocking it? It seems to be forwarding to itself over and over again. What is the purpose of this exactly, and what can I do to stop it?

I also have another from a different source attempting the same thing on a different virtual server... only this one has actually sent, which concerns me.

Details of single logged message
Message ID 8AC807D034 Date and time received 12/11/2019 6:21 AM
Sender's address info@leadsgames.com Recipient's address info@domain.com.au (one of my virtual servers)
Delivery type Handled by email alias Destination mailbox user None
Message size 15.71 kB Final destination Forwarded to estevessharon@gmail.com
Outgoing email relay gmail-smtp-in.l.google.com
Mail server delivery status sent (250 2.0.0 OK 1576005708 u9si3281646plq.128 - gsmtp)
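As an added example (not from the post, and not Webmin's or Virtualmin's own code), the script below parses the raw Postfix log lines that sit behind Webmin's mail-log view and answers the two questions asked above: whether a message actually left the server (status=sent) or is sitting in the deferred queue being retried (Postfix logs the same queue ID again with status=deferred on every retry, which is why one message shows up many times), and which queue IDs are alias forwards to an external domain (orig_to in a local domain, to somewhere else). The log lines are constructed in standard Postfix syslog format; the queue IDs, addresses, relay and Gmail response text follow the post, while the alias local-part, timestamps, process IDs and the server IP 203.0.113.10 are assumptions.

```python
import re

# Constructed sample in standard Postfix syslog format. Queue IDs, recipient
# addresses, relay hosts and the 421-4.7.0 / 250 responses mirror the post;
# the alias local-part "alias", timestamps, PIDs and 203.0.113.10 are made up.
SAMPLE_LOG = """\
Dec 11 07:23:05 host postfix/smtp[2231]: AB9067D02E: to=<HadewychvanKempen@gmail.com>, orig_to=<alias@domain.com>, relay=alt1.gmail-smtp-in.l.google.com[173.194.202.26]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[173.194.202.26] said: 421-4.7.0 [203.0.113.10 15] Our system has detected that this message is suspicious)
Dec 11 07:53:11 host postfix/smtp[2398]: AB9067D02E: to=<HadewychvanKempen@gmail.com>, orig_to=<alias@domain.com>, relay=alt1.gmail-smtp-in.l.google.com[173.194.202.26]:25, delay=1807, delays=1806/0.1/0.4/0.5, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[173.194.202.26] said: 421-4.7.0 [203.0.113.10 15] Our system has detected that this message is suspicious)
Dec 11 06:21:48 host postfix/smtp[2102]: 8AC807D034: to=<estevessharon@gmail.com>, orig_to=<info@domain.com.au>, relay=gmail-smtp-in.l.google.com[173.194.202.26]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1576005708 u9si3281646plq.128 - gsmtp)
Dec 11 08:02:30 host postfix/local[2410]: 3C1A07D041: to=<bob@domain.com>, relay=local, delay=0.3, delays=0.1/0/0/0.2, dsn=2.0.0, status=sent (delivered to maildir)
"""

# "<timestamp> <host> postfix/<daemon>[<pid>]: <queue id>: <key=value, ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
# \bto= does not match inside orig_to= because "_" is a word character.
FIELD_RE = {
    "to": re.compile(r"\bto=<([^>]*)>"),
    "orig_to": re.compile(r"\borig_to=<([^>]*)>"),
    "relay": re.compile(r"\brelay=([^,]+)"),
    "status": re.compile(r"\bstatus=(\w+)"),
}


def parse_line(line):
    """Return the queue ID and delivery fields of one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"qid": m["qid"], "proc": m["proc"], "ts": m["ts"]}
    for key, rx in FIELD_RE.items():
        f = rx.search(m["rest"])
        rec[key] = f.group(1).lower() if f else None
    return rec


def summarize(log_text):
    """Group delivery attempts by queue ID: one entry per message, with the
    number of attempts seen and the status of the most recent one."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] is None:
            continue  # not a delivery-attempt line (qmgr, cleanup, ...)
        entry = summary.setdefault(rec["qid"], {
            "to": rec["to"], "orig_to": rec["orig_to"], "relay": rec["relay"],
            "attempts": 0, "statuses": [],
        })
        entry["attempts"] += 1
        entry["statuses"].append(rec["status"])
        entry["last_status"] = rec["status"]
    return summary


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if addr and "@" in addr else ""


def external_forwards(summary, local_domains):
    """Queue IDs where an alias in a local domain (orig_to) re-routed the
    message to an address outside every local domain (to)."""
    local = {d.lower() for d in local_domains}
    return sorted(
        qid for qid, e in summary.items()
        if e["orig_to"] and domain_of(e["orig_to"]) in local
        and domain_of(e["to"]) not in local
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for qid, e in s.items():
        print(f"{qid}: {e['attempts']} attempt(s), last status {e['last_status']}, "
              f"{e['orig_to'] or e['to']} -> {e['to']} via {e['relay']}")
    print("alias forwards leaving the server:",
          external_forwards(s, ["domain.com", "domain.com.au"]))
```

Run it against a copy of /var/log/mail.log (or the file `postfix/smtp` lines are written to on your distribution) by reading that file instead of SAMPLE_LOG; a queue ID whose last status is deferred is still in the queue and will be retried until it is sent or expires, and `postqueue -p` shows the same IDs live.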
Mon, 12/16/2019 - 18:05
adamjedgar

here is my postfix main.cf

Is there anything wrong or of concern in this file?

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#Define the domain list as hash file or as list in the config file.
#virtual_alias_domains = hash:/etc/postfix/virtual_domains

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = yes

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination reject_unknown_client_hostname
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_tls_security_level = dane
mynetworks_style = subnet
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_error_sleep_time = 5s
default_process_limit = 3
hash_queue_names = incoming,active,deferred,bounce,defer,flush
ipc_idle = 100s
forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward, $user
smtp_skip_quit_response = no
myhostname = host.fqdn
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mydestination = $myhostname, localhost.$mydomain, localhost, host.fqdn, localhost.domain.com
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
recipient_delimiter = +


where host.fqdn = my hosting/email server

domain.com = primary domain for the first virtual server and server itself...

example server name could be

host1.adamswebhosting.com and

first virtual server in list is my business = adamswebhosting.com

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au
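The main.cf above routes alias lookups through `virtual_alias_maps = hash:/etc/postfix/virtual`, so the forwards Webmin reports as "Handled by email alias" come from the entries in that file. As an added example (not from the post or from Virtualmin), the script below reads a file in that map's source format and lists every alias whose destination is outside the server's own domains, which is the list an admin wants when checking for forwarding rules they did not create. The map contents are constructed; only the two gmail.com targets are taken from the post, and the other entries and the alias local-parts are assumptions.

```python
import re

# Constructed sample in the source format of a hash: virtual_alias_maps file:
# "<alias>  <destination>[, <destination>...]". The two gmail.com destinations
# are the ones quoted in the post; the remaining entries are made up.
SAMPLE_VIRTUAL = """\
# virtual alias map (constructed sample)
info@domain.com.au      estevessharon@gmail.com
sales@domain.com        sales, archive@domain.com
alias@domain.com        HadewychvanKempen@gmail.com
postmaster@domain.com   root
"""


def parse_virtual_map(text):
    """Yield (alias, [destinations]) for each non-comment, non-blank line.
    Continuation lines (leading whitespace) are not handled here."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        dests = [d for d in re.split(r"[,\s]+", parts[1]) if d]
        yield parts[0], dests


def domain_of(addr):
    """Domain part of an address, or None for a bare local user name."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def external_forwards(map_text, local_domains):
    """Return (alias, destination) pairs whose destination is neither a bare
    local user nor an address in one of local_domains, i.e. mail that the
    alias sends back out of the server."""
    local = {d.lower() for d in local_domains}
    hits = []
    for alias, dests in parse_virtual_map(map_text):
        for dest in dests:
            dom = domain_of(dest)
            if dom is not None and dom not in local:
                hits.append((alias, dest))
    return hits


if __name__ == "__main__":
    for alias, dest in external_forwards(SAMPLE_VIRTUAL, ["domain.com", "domain.com.au"]):
        print(f"{alias} forwards off-server to {dest}")
```

On the real server, point it at the file named in `virtual_alias_maps` and pass every domain that should stay local; `postmap -q info@domain.com.au hash:/etc/postfix/virtual` confirms what Postfix itself resolves a single alias to, since the compiled .db is what is consulted at delivery time, not the text file.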

Mon, 12/16/2019 - 19:14
Dibs
Outgoing email relay alt1.gmail-smtp-in.l.google.com
Mail server delivery status deferred (host alt1.gmail-smtp-in.l.google.com[173.194.202.26] said: 421-4.7.0 [<my server host ip address> 15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam

That's the reply from Google - so it is getting out & through to Google.

Do you have websites on both? And forms that allow emails to be sent when the form has been filled in and Submit is pressed (or similar)?
