Score:0

Postfix identify the true sender


Recently my server has been generating many spam emails. I looked for information in an example message, but the sender is apparently faked, and there is no Postfix user ID in the message header either. Below is the complete header of a sample message:

root@server:~# postcat -qv 400CB848E9
postcat: name_mask: all
postcat: inet_addr_local: configured 4 IPv4 addresses
postcat: inet_addr_local: configured 2 IPv6 addresses
*** ENVELOPE RECORDS hold/400CB848E9 ***
message_size:            2333             670               1               0            2333               0
message_arrival_time: Thu Jun 24 06:44:46 2021
create_time: Thu Jun 24 06:44:46 2021
named_attribute: log_ident=400CB848E9
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=40070
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=40070
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS hold/400CB848E9 ***
regular_text: Received: from localhost (localhost.localdomain [127.0.0.1])
regular_text:   by dallas.mylocalhostdomain.com (Postfix) with ESMTP id 400CB848E9
regular_text:   for <[email protected]>; Thu, 24 Jun 2021 06:44:46 -0400 (EDT)
regular_text: From: Google Drive Storage <[email protected]>
regular_text: To: [email protected]
regular_text: MIME-Version: 1.0
regular_text: Message-ID: <[email protected]>
regular_text: Date: Thu, 24 Jun 2021 06:44:46 +0000
regular_text: Content-Type: text/html; charset=UTF-8
regular_text: Content-Transfer-Encoding: 7bit
regular_text: Subject: File is damaged and could not be repaired

As can be seen in the header, the sender of the message is [email protected], but this domain name / user does not exist on the server. I am confused, as from what I know, the user must exist on the server before SMTP can be authenticated. In addition, there is also no authentication information in the mail.log file.

I hope someone can help point out how to identify the real user who generated this message.

Thank you!

Score:2

Look carefully at these:

sender: [email protected]
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=40070
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: helo_name=localhost

This means that some process from localhost (i.e. the server machine itself) made an ESMTP transaction to this server. It began with EHLO localhost and then, without any authentication, it was accepted for delivery. I can guess you have 127.0.0.1 in mynetworks. The "Received" header it added has the same information (that's no wonder).

That's all Postfix has seen and could tell you. Seek the answer to "who is the real sender" in some other place. That might be web mail, so read the web server access logs; it might be that the server is compromised (oh!), or just that there is some hole in a PHP script which allows sending mail. Check wtmp (last and so on). Look for logs near Thu, 24 Jun 2021 06:44:46 -0400 (EDT).

I'll reiterate this so you don't ask the same question in other words: Postfix has done all it could to disclose to you where it got this mail. The only thing it knows is that the mail came from localhost. That rings the bell: "check your localhost" (the server).

Comment by John: Thanks for your thorough answer. It is very helpful for me. Apparently the server was compromised. I see a POST request to a weird PHP file on the server at that time.
Comment by Nikita Kipriyanov: It could be that only the web service was compromised, or even just a single web application. There might be other POSTs which could explain where this PHP file came from. But in general, search SF for "what to do with a compromised server".
Comment: Excellent answer. Removing `localhost` from `mynetworks` forces the local processes to either use Sendmail or authenticate. In both cases you'll get more details on the origin.
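A small triage helper, added here as an example and not code from the question, the answer or Postfix itself, that reads the envelope records of `postcat -qv` output and reports what Postfix recorded about the message origin: authenticated submission, unauthenticated SMTP from the loopback address (the mynetworks case discussed in the answer and the comment above), unauthenticated SMTP from elsewhere, or no SMTP client attributes at all. The `sasl_username` attribute name and the rule "no `client_address` attribute means local sendmail/postdrop pickup" are assumptions about Postfix queue-file attributes; the sample records are a trimmed copy of the ones in the question.

```python
import ipaddress
import re

# Constructed sample: trimmed envelope records from the question (addresses redacted as on the page).
SAMPLE = """\
*** ENVELOPE RECORDS hold/400CB848E9 ***
message_arrival_time: Thu Jun 24 06:44:46 2021
sender: [email protected]
named_attribute: log_client_address=127.0.0.1
named_attribute: log_helo_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
recipient: [email protected]
*** MESSAGE CONTENTS hold/400CB848E9 ***
"""

def parse_envelope(text):
    """Collect sender, recipient, arrival time and named_attribute pairs from postcat -qv output."""
    env = {"attrs": {}}
    for line in text.splitlines():
        if line.startswith("*** MESSAGE CONTENTS"):
            break  # only the envelope section carries the client attributes
        m = re.match(r"named_attribute: ([^=]+)=(.*)", line)
        if m:
            env["attrs"][m.group(1)] = m.group(2)
            continue
        m = re.match(r"(sender|recipient|message_arrival_time): (.*)", line)
        if m:
            env[m.group(1)] = m.group(2)
    return env

def classify_origin(env):
    """Describe what Postfix itself knows about where the message entered the queue."""
    attrs = env["attrs"]
    addr = attrs.get("client_address")
    if addr is None:
        # Assumption: SMTP client attributes are absent for sendmail/postdrop pickup submissions.
        return "no SMTP client attributes recorded (likely local sendmail/postdrop pickup)"
    if "sasl_username" in attrs:
        return "authenticated submission by %s" % attrs["sasl_username"]
    if ipaddress.ip_address(addr).is_loopback:
        return "unauthenticated SMTP from localhost (trusted via mynetworks); check local processes and web logs"
    return "unauthenticated SMTP from %s (helo %s)" % (addr, attrs.get("helo_name", "?"))

if __name__ == "__main__":
    env = parse_envelope(SAMPLE)
    print(env.get("message_arrival_time"), "->", classify_origin(env))
```

Feed it the output of `postcat -qv <queue id>` for a held message; the loopback verdict is the signal that the rest of the investigation belongs in the host's own logs, not in Postfix.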