Sending of disabled accounts, nonexistent accounts and without FROM

[menteinfinita]

3/12/19 14:03:19 SMTP-OU 6372651E6A35457ABD28AF9B9565C797.MAI 1652 173.194.104.28 MAIL MAIL FROM:<20@midominio.com> SIZE=4030 250 2.1.0 OK e196sm512994ite.9 - gsmtp 42 40 👗614733290系xi统核he心
03/12/19 14:03:19 SMTP-OU 6372651E6A35457ABD28AF9B9565C797.MAI 1652 173.194.104.28 RCPT RCPT TO:<614733290@qq.com> 250 2.1.5 OK e196sm512994ite.9 - gsmtp 28 40 👗614733290系xi统核he心
03/12/19 14:03:20 SMTP-OU 6372651E6A35457ABD28AF9B9565C797.MAI 1652 173.194.104.28 DATA DATA 354 Go ahead e196sm512994ite.9 - gsmtp 6 41 👗614733290系xi统核he心
03/12/19 14:03:20 SMTP-OU 6372651E6A35457ABD28AF9B9565C797.MAI 1652 173.194.104.28 DATE . 250 2.0.0 OK 1552420996 e196sm512994ite.9 - gsmtp 4039 52 👗614733290系xi统核he心

How can I block the relay output from accounts that do not exist? like the one seen above.



Spam is also being sent from accounts that I have disabled.

03/12/19 14:58:34 SMTP-OU 382C2DB8B62D4333B35A69048ABCEA41.MAI 276 172.217.197.27 MAIL MAIL FROM:<pnunez@Midominio.com> SIZE=4938 250 2.1.0 OK q190sm1188902vkg.7 - gsmtp 47 41 =?utf-8?Q?=F0=9F=8E=81=E6=A0=B9=E6=9C=AC=E5=88=A9=E7=9B=8A=E5=BD=93=E5=B9=B4=E7=87=95=E5=AD=90=E7=9F=A5=E4=BD=95=E5=A4=84?=
03/12/19 14:58:34 SMTP-OU 382C2DB8B62D4333B35A69048ABCEA41.MAI 276 172.217.197.27 RCPT RCPT TO:<946158656@qq.com> 250 2.1.5 OK q190sm1188902vkg.7 - gsmtp 28 41 =?utf-8?Q?=F0=9F=8E=81=E6=A0=B9=E6=9C=AC=E5=88=A9=E7=9B=8A=E5=BD=93=E5=B9=B4=E7=87=95=E5=AD=90=E7=9F=A5=E4=BD=95=E5=A4=84?=
03/12/19 14:58:35 SMTP-OU 382C2DB8B62D4333B35A69048ABCEA41.MAI 276 172.217.197.27 DATA DATA 354 Go ahead q190sm1188902vkg.7 - gsmtp 6 42 =?utf-8?Q?=F0=9F=8E=81=E6=A0=B9=E6=9C=AC=E5=88=A9=E7=9B=8A=E5=BD=93=E5=B9=B4=E7=87=95=E5=AD=90=E7=9F=A5=E4=BD=95=E5=A4=84?=
03/12/19 14:58:35 SMTP-OU 382C2DB8B62D4333B35A69048ABCEA41.MAI 276 172.217.197.27 DATE . 250 2.0.0 OK 1552424310 q190sm1188902vkg.7 - gsmtp 4947 53 =?utf-8?Q?=F0=9F=8E=81=E6=A0=B9=E6=9C=AC=E5=88=A9=E7=9B=8A=E5=BD=93=E5=B9=B4=E7=87=95=E5=AD=90=E7=9F=A5=E4=BD=95=E5=A4=84?=


Sending accounts without FROM

03/12/19 10:53:58 SMTP-OU 97D092E04F424A1297FDEDF79EC3AE27.MAI 1148 127.0.0.1 MAIL MAIL FROM:<> SIZE=7097 250 [SMTP:adminsrvpb2@OtroDominio.com] OK. 24 46 =?utf-8?B?4pqh77iP5L2V6ZWHNzkzODg4OTU4?=

Gracias por adelantado

[cfdynamics]

Under SMTP service properties > security tab > Select "Authorized connections can spoof sender addresses" This will prevent unauthenticated sessions from sending with your addresses.

[menteinfinita]

Again, thank you very much, cfdynamics, I'm going to configure it and review it.

And do you know how to avoid emails from suspended accounts?

Even after having configured the "Enable Abuse Detection and Prevention" continue to leave emails from the disabled accounts.

Thanks

[cfdynamics]

Pretty sure solving the other problem will solve this one too. If you allowing unauthenticated connections send spoofed email it would probably also allow it to spoof a disabled account.

[menteinfinita]

Hello again, with the configuration set it seems that the problem had been resolved, however, today in the course of the morning again began to leave emails of accounts and disabled accounts non-existent. And the configuration did not move

As always, I appreciate your help. Greetings.

[cfdynamics]

Do you have any IPs whitelisted? A whitelisted IP can spoof anything...

[menteinfinita]

Yes, I had an ip, I already removed it and disabled my white list, wait two minutes and I see that SPAM emails continue to come out.

[cfdynamics]

You'd have to look at the raw logs to see how they are getting it through. From what you have said you have for config, I can't say for sure how they are doing it. You should be able to see how they are authenticating in the SMTP logs.

[menteinfinita]

This is the part of the LOG record where the shipment is made.

03/14/19 14:15:31 SMTP-IN 976325D60E6C433BB0A2F8B6A018C370.MAI 1572 117.68.195.13 EHLO EHLO xres.com 250-home [117.68.195.13], this server offers 6 extensions 273 15
03/14/19 14:15:31 SMTP-IN 976325D60E6C433BB0A2F8B6A018C370.MAI 1572 117.68.195.13 MAIL MAIL FROM:<ventas@midominio.com> 250 [SMTP:ventas@midominio.com] OK. 39 36
03/14/19 14:15:31 SMTP-IN 976325D60E6C433BB0A2F8B6A018C370.MAI 1572 117.68.195.13 RCPT RCPT TO:<953587852@qq.com> 250 Requested mail action okay, completed 43 28
03/14/19 14:15:32 SMTP-IN 976325D60E6C433BB0A2F8B6A018C370.MAI 1572 117.68.195.13 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
03/14/19 14:15:32 SMTP-IN 261E024E4F194A03A4037F7A14F82AEE.MAI 1572 117.68.195.13 QUIT Quit 221 Service closing transmission channel 42 6
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 CONN 220 smtp-relay.gmail.com ESMTP r67sm1694640qkc.8 - gsmtp 0 58 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 EHLO EHLO my-server2.com 250-smtp-relay.gmail.com at your service, [107.110.25.107] 24 177 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 EHLO STARTTLS 220 2.0.0 Ready to start TLS 10 30 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:35 SMTP-OU 27B4ADEE90FB46C5A11602C882CEE15C.MAI 1324 173.190.204.20 CONN 220 smtp-relay.gmail.com ESMTP a135sm11686itc.6 - gsmtp 0 57 =?utf-8?B?8J+UqOmhtuS6pOenjemTnOWxseilv+W0qea0m+mSn+S4nA==?=
03/14/19 14:15:35 SMTP-OU 27B4ADEE90FB46C5A11602C882CEE15C.MAI 1324 173.190.204.20 EHLO EHLO my-server2.com 250-smtp-relay.gmail.com at your service, [107.110.25.107] 24 177 =?utf-8?B?8J+UqOmhtuS6pOenjemTnOWxseilv+W0qea0m+mSn+S4nA==?=
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 EHLO EHLO my-server2.com 250-smtp-relay.gmail.com at your service, [107.110.25.107] 24 230 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:35 SMTP-OU 27B4ADEE90FB46C5A11602C882CEE15C.MAI 1324 173.190.204.20 EHLO STARTTLS 220 2.0.0 Ready to start TLS 10 30 =?utf-8?B?8J+UqOmhtuS6pOenjemTnOWxseilv+W0qea0m+mSn+S4nA==?=
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 MAIL MAIL FROM:<ventas@midominio.com> SIZE=9661 250 2.1.0 OK r67sm1694640qkc.8 - gsmtp 46 40 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 RCPT RCPT TO:<1027388539@qq.com> 250 2.1.5 OK r67sm1694640qkc.8 - gsmtp 29 40 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 DATA DATA 354 Go ahead r67sm1694640qkc.8 - gsmtp 6 41 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:35 SMTP-OU 27B4ADEE90FB46C5A11602C882CEE15C.MAI 1324 173.190.204.20 EHLO EHLO my-server2.com 250-smtp-relay.gmail.com at your service, [107.110.25.107] 24 230 =?utf-8?B?8J+UqOmhtuS6pOenjemTnOWxseilv+W0qea0m+mSn+S4nA==?=
03/14/19 14:15:35 SMTP-OU 27B4ADEE90FB46C5A11602C882CEE15C.MAI 1324 173.190.204.20 MAIL MAIL FROM:<ventas@midominio.com> SIZE=8593 250 2.1.0 OK a135sm11686itc.6 - gsmtp 46 39 =?utf-8?B?8J+UqOmhtuS6pOenjemTnOWxseilv+W0qea0m+mSn+S4nA==?=
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 DATE . 250 2.0.0 OK 1552594486 r67sm1694640qkc.8 - gsmtp 9670 52 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:35 SMTP-OU 27B4ADEE90FB46C5A11602C882CEE15C.MAI 1324 173.190.204.20 RCPT RCPT TO:<953587852@qq.com> 250 2.1.5 OK a135sm11686itc.6 - gsmtp 28 39 =?utf-8?B?8J+UqOmhtuS6pOenjemTnOWxseilv+W0qea0m+mSn+S4nA==?=
03/14/19 14:15:35 SMTP-OU 537A586A2AD54742A3ED4947FAD847D4.MAI 1340 173.190.204.20 QUIT QUIT 221 2.0.0 closing connection r67sm1694640qkc.8 - gsmtp 6 56 =?utf-8?Q?=F0=9F=94=A5=E6=A2=81=E4=B8=96=E4=BD=B31027388539?=
03/14/19 14:15:36 SMTP-OU 27B4ADEE90FB46C5A11602C882CEE15C.MAI 1324 173.190.204.20 DATA DATA 354 Go ahead a135sm11686itc.6 - gsmtp 6 40 =?utf-8?B?8J+UqOmhtuS6pOenjemTnOWxseilv+W0qea0m+mSn+S4nA==?=


And this is the part of the DEBUG record.

03/14/19 14:15:34 ME-I0018: [27E3F659D70642FE84A74583556789BD.MAI] Outbound message from ([SMTP:ventas@midominio.com]) requeued as [537A586A2AD54742A3ED4947FAD847D4.MAI] to the target domain [qq.com]
03/14/19 14:15:34 ME-I0122: [537A586A2AD54742A3ED4947FAD847D4.MAI] SMTP Server is forwarding all mail (directly) to SMTP Hosts [smtp-relay.gmail.com:587].
03/14/19 14:15:34 ME-I0026: [537A586A2AD54742A3ED4947FAD847D4.MAI] Sending message
03/14/19 14:15:34 ME-I0018: [8D1FBBCBD6624D6586F25E4346C1881E.MAI] Outbound message from ([SMTP:ventas@midominio.com]) requeued as [27B4ADEE90FB46C5A11602C882CEE15C.MAI] to the target domain [qq.com]
03/14/19 14:15:34 ME-I0122: [27B4ADEE90FB46C5A11602C882CEE15C.MAI] SMTP Server is forwarding all mail (directly) to SMTP Hosts [smtp-relay.gmail.com:587].
03/14/19 14:15:34 ME-I0026: [27B4ADEE90FB46C5A11602C882CEE15C.MAI] Sending message
03/14/19 14:15:34 ME-IXXXX: [537A586A2AD54742A3ED4947FAD847D4.MAI] DNS resolved to the following record: IP Address=173.194.204.28, Family=2, Type=1, Protocol=6
03/14/19 14:15:34 ME-IXXXX: [27B4ADEE90FB46C5A11602C882CEE15C.MAI] DNS resolved to the following record: IP Address=173.194.204.28, Family=2, Type=1, Protocol=6
03/14/19 14:15:35 ME-I0070: (recv) socket [1544] was gracefully closed during [AUTH] command by the remote client 190.117.200.56.
03/14/19 14:15:35 ME-I0074: [1544] (Debug) End of conversation

Does that information help you or do you need to see?

Thanks

[cfdynamics]

do you really have smart host enabled globally?

03/14/19 14:15:34 ME-I0122: [537A586A2AD54742A3ED4947FAD847D4.MAI] SMTP Server is forwarding all mail (directly) to SMTP Hosts [smtp-relay.gmail.com:587].

this setting is under smtp service properties "Smart Host" tab.

Not sure but that may override the controls we have already talked about.

[menteinfinita]

Yes, I send the output of my mail for a "relay" of google. This is bad?

[cfdynamics]

much better to process your mail locally. let mailenable handle sending things outside that need to go. Also... if your server is sending SPAM out through GMail you will end up being blacklisted.

[cfdynamics]

Not seeing anything in the documentation confirming but I suspect that setting the server to relay ALL mail to Gmail may be overriding the security lookups allowing these messages to get through.

[menteinfinita]

"much better to process your mail locally. let mailenable handle sending things outside that need to go"

How can I do this?

It seems to me that what is local processes it locally malleable without relay, and the external addresses process it by means of the google relay.

[menteinfinita]

This is my smart host configuration