@necrevistonnezr Ah, sorry! I misread. In my case, the sender is just spamming the hell out of me for video content. Sender is not trying to spoof. I guess you have to block by IP in the network firewall.

Yeah, well, those IPs are never the same (see above) and even ranges are difficult to ascertain. Maybe an easy way to subscribe to a blocklist would help? (as suggested in my old topic linked above…)

You can block by sender name. In my case, i have this advid guy who is really really persistent.

The addresses you listed: Are those the ones the sender is trying to send as (i.e. the one showing up as “mailFrom:“ in the mail event log entry?

Yes, there is a "network block"/filter in the UI. Just paste the networks and IPs like you have in that list.

There are other forum posts with that " " search term above.

I know, I even linked my topic on the matter.

But currently, we don’t have a way to subscribe to- regularly updated- IP blocklists; and manually going through each blocked sending attempt and then copy&paste some IP (fruitless) or figuring out the relevant IP range doesn’t seem „comfortable“ or „sensible“ (to quote myself)…
And I thought there might even be some other way I‘m not aware of (e.g. spam filter rule)

There are other forum posts with that " " search term above.

2.133.95.174 
2.135.199.137

5.126.117.216

31.169.30.190

89.237.194.133

91.98.60.233

103.234.25.66
103.71.59.198

113.185.92.35

125.212.159.28
125.212.158.246

149.54.6.150

178.217.173.123

195.158.14.27

213.230.96.66
213.230.92.146
213.230.126.9
213.230.80.33
213.230.93.109

217.29.22.198

Is there any „comfortable“ or sensible way to block this?

In this context I just remembered: https://forum.cloudron.io/topic/3795/

A bit of a wild guess: mail from is usually <> for bounce mail. So, this seems like some poor denial of service or maybe those IPs know that some mail software misbehaves with such carefully crafted mail.

Ah very interesting, I appreciate that insight. It was definitely strange when I saw it happening - so many requests at once. I'll keep an eye out for it. Sounds like it's all good then as far as Cloudron is concerned. Thanks Girish.

I just want to make sure I understand the workflow here. I believe the issue here is somebody is trying to spoof the email address of an email address I host on my mail server, coming from some spammy IP. Is that correct?

I think your analysis is correct. Someone is trying to send mails to Cloudron, with FROM address set to a domain that you host. Cloudron then rejects it saying this is not allowed because after all only itself and other SPF listed servers can send mail with that FROM address.

A bit of a wild guess: mail from is usually <> for bounce mail. So, this seems like some poor denial of service or maybe those IPs know that some mail software misbehaves with such carefully crafted mail.

I'd normally try to just revoke the IP CIDR range, but when I look it up the one has over 2 million IPs in the CIDR and since about 20% of the traffic to three different client's websites comes from China for business (COVID-19 testing for essential travel), I don't think I can outright block the ASN (yet) unfortunately.

EDIT: I decided to block at the IP level for now but did some CIDR calculations to have less false-positives. Blocked the following ranges temporarily (I'll remove them tomorrow and see if the issue continues):

60.167.0.0/17
114.99.128.0/21
223.241.48.0/20