

    Cloudron Forum


    Anyone else see many connections denied due to "Mail from domain <domain> is not allowed from your host" repeatedly from spammy IPs?

    Discuss
    mail spam
    d19dotca (last edited by girish)

      I keep seeing this message recently (a bit ago it was several different attempts in less than 10 minutes for the same domain, image below) and it seems to be growing in popularity in the logs over the past month or so, today in particular seems extra bad. I know the SPF record for the domain in question is correct.

      The IP addresses are different but similar in range, and I see them on the blacklists check too so they're definitely spammy IPs.

      [image: screenshot of the repeated denied connections for the same domain]

      Here is the top example:

      {
        "ts": 1617145926606,
        "type": "denied",
        "direction": "inbound",
        "uuid": "5D744873-5B50-49C7-A471-8E4DCFB5961B.1",
        "remote": {
          "ip": "114.99.130.140",
          "port": 57217,
          "host": "NXDOMAIN",
          "info": "NXDOMAIN",
          "closed": false,
          "is_private": false,
          "is_local": false
        },
        "authUser": null,
        "mailFrom": "<{username}@{MyClientsHostedDomainOnCloudronServer}>",
        "rcptTo": [],
        "details": {
          "relaying": false,
          "pluginName": "rcpt_to.in_host_list",
          "errorCode": 902,
          "message": "Mail from domain 'drjaver.com' is not allowed from your host",
          "rejectionCountLastHour": 0
        }
      }
      

      I found this in the Haraka docs: https://github.com/haraka/Haraka/blob/master/docs/plugins/rcpt_to.in_host_list.md

      I just want to make sure I understand the workflow here. I believe the issue here is somebody is trying to spoof the email address of an email address I host on my mail server, coming from some spammy IP. Is that correct?

      I guess if that's correct then there's not much I can do though here except try and report the spam to the abuse@ contacts for the network, which doesn't really do anything in most cases anyways. Or I guess just outright block the IPs from my server completely.

      I'm curious though too why there's no value for rcptTo, is that expected behaviour? It almost makes it look like there's an email address sent to no particular email address, which can't be right.

      I ultimately am wanting to understand:

      1. If others have seen an increase in this type of spam caught by Haraka in Cloudron
      2. If I understand the workflow correctly in that it's an incoming spam message pretending to be from an email address domain I host which means per the SPF record it cannot possibly come from the originating IP so gets denied... right? The lack of a rcptTo in particular confuses me though.

      --
      Dustin Dauncey
      www.d19.ca

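      The quoted event is one JSON record per rejection, so the question "is this growing?" can be answered by aggregating those records instead of eyeballing the log. The following is an added example, not code from the post or from Cloudron: it parses constructed records shaped like the one above (the domain example.test, the hostnames and all IPs other than the one in the quoted event are made up), keeps only inbound denials from rcpt_to.in_host_list, counts them per spoofed domain and per /24, and flags a domain whose rejections exceed a threshold inside any one-hour window. The field names are taken from the quoted record; the burst threshold is an assumption to tune per server.

```python
import json
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records, modelled on the denied event quoted in the post.
# One JSON object per line; only the fields this script reads are kept.
SAMPLE_LOG = """\
{"ts": 1617145926606, "type": "denied", "direction": "inbound", "remote": {"ip": "114.99.130.140", "host": "NXDOMAIN"}, "authUser": null, "mailFrom": "<user@example.test>", "rcptTo": [], "details": {"relaying": false, "pluginName": "rcpt_to.in_host_list", "errorCode": 902, "message": "Mail from domain 'example.test' is not allowed from your host"}}
{"ts": 1617145990000, "type": "denied", "direction": "inbound", "remote": {"ip": "114.99.131.7", "host": "NXDOMAIN"}, "authUser": null, "mailFrom": "<user@example.test>", "rcptTo": [], "details": {"relaying": false, "pluginName": "rcpt_to.in_host_list", "errorCode": 902, "message": "Mail from domain 'example.test' is not allowed from your host"}}
{"ts": 1617146050000, "type": "denied", "direction": "inbound", "remote": {"ip": "114.99.130.201", "host": "NXDOMAIN"}, "authUser": null, "mailFrom": "<user@example.test>", "rcptTo": [], "details": {"relaying": false, "pluginName": "rcpt_to.in_host_list", "errorCode": 902, "message": "Mail from domain 'example.test' is not allowed from your host"}}
{"ts": 1617146120000, "type": "denied", "direction": "inbound", "remote": {"ip": "60.167.42.9", "host": "NXDOMAIN"}, "authUser": null, "mailFrom": "<user@example.test>", "rcptTo": [], "details": {"relaying": false, "pluginName": "rcpt_to.in_host_list", "errorCode": 902, "message": "Mail from domain 'example.test' is not allowed from your host"}}
{"ts": 1617146200000, "type": "denied", "direction": "inbound", "remote": {"ip": "223.241.55.3", "host": "NXDOMAIN"}, "authUser": null, "mailFrom": "<user@example.test>", "rcptTo": [], "details": {"relaying": false, "pluginName": "rcpt_to.in_host_list", "errorCode": 902, "message": "Mail from domain 'example.test' is not allowed from your host"}}
{"ts": 1617146300000, "type": "denied", "direction": "inbound", "remote": {"ip": "198.51.100.77", "host": "mx.constructed.test"}, "authUser": null, "mailFrom": "<bob@other.test>", "rcptTo": [], "details": {"relaying": false, "pluginName": "rcpt_to.in_host_list", "errorCode": 902, "message": "Mail from domain 'other.test' is not allowed from your host"}}
{"ts": 1617146400000, "type": "denied", "direction": "inbound", "remote": {"ip": "203.0.113.5", "host": "mail.constructed.test"}, "authUser": null, "mailFrom": "<news@constructed.test>", "rcptTo": ["<alice@example.test>"], "details": {"relaying": false, "pluginName": "constructed_other_plugin", "errorCode": 550, "message": "rejected for an unrelated reason"}}
"""

# The domain is only present inside the human-readable message, so pull it out with a regex.
DOMAIN_RE = re.compile(r"Mail from domain '([^']+)' is not allowed")


def parse_events(text):
    """Parse one JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def spoof_rejections(events):
    """Keep inbound denials raised by rcpt_to.in_host_list and extract the spoofed domain."""
    out = []
    for ev in events:
        details = ev.get("details") or {}
        if ev.get("type") != "denied" or details.get("pluginName") != "rcpt_to.in_host_list":
            continue
        m = DOMAIN_RE.search(details.get("message", ""))
        if not m:
            continue
        out.append({
            "ts": ev["ts"],
            "ip": ev["remote"]["ip"],
            "domain": m.group(1),
            "rcpt_count": len(ev.get("rcptTo") or []),
        })
    return out


def coarse_net(ip):
    """Bucket an address into its /24 (IPv4) or /64 (IPv6) for a quick range view."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def max_in_window(timestamps_ms, window_ms):
    """Largest number of events inside any window of window_ms (two-pointer sweep)."""
    ts = sorted(timestamps_ms)
    best, lo = 0, 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window_ms:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def summarize(events, window_seconds=3600, burst_threshold=10):
    """Per-domain and per-/24 counts plus domains whose hourly rate crosses the threshold."""
    rej = spoof_rejections(events)
    per_domain = Counter(r["domain"] for r in rej)
    per_net = Counter(coarse_net(r["ip"]) for r in rej)
    by_domain = defaultdict(list)
    for r in rej:
        by_domain[r["domain"]].append(r["ts"])
    window_ms = window_seconds * 1000
    bursts = {}
    for domain, stamps in by_domain.items():
        peak = max_in_window(stamps, window_ms)
        if peak >= burst_threshold:
            bursts[domain] = peak
    return {
        "per_domain": per_domain,
        "per_net": per_net,
        "bursts": bursts,
        # True when every rejection happened before any RCPT TO was recorded.
        "all_empty_rcpt": all(r["rcpt_count"] == 0 for r in rej),
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG), burst_threshold=4)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

      Pointing `parse_events` at the real log export instead of `SAMPLE_LOG` gives the same summary over live data; the `per_net` buckets are what make a cluster of neighbouring addresses visible before deciding whether a range block is worth the collateral.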
        d19dotca (last edited by d19dotca)

        To give a better idea of the extent of this for my mail server... this is how much of this I've seen just in the last hour for the same domain. Almost every IP I looked up is coming from the same ASN #4134 - Asia Pacific Network Information Centre. This is far from the usual (I'll maybe see this between 2 and 10 times a day, not almost 40 in a single hour). Looks like the "attack" started about 3 hours ago when I go further back in the logs. Seems the Haraka engine is doing fine though, I hope this doesn't impact my other clients on the same server email-wise. Should be okay, plenty of memory available anyways.

        I'd normally try to just revoke the IP CIDR range, but when I look it up the one has over 2 million IPs in the CIDR and since about 20% of the traffic to three different clients' websites comes from China for business (COVID-19 testing for essential travel), I don't think I can outright block the ASN (yet) unfortunately.

        [image: screenshot of the denied connections seen in the last hour]


        EDIT: I decided to block at the IP level for now but did some CIDR calculations to have fewer false positives. Blocked the following ranges temporarily (I'll remove them tomorrow and see if the issue continues):

        60.167.0.0/17
        114.99.128.0/21
        223.241.48.0/20

        --
        Dustin Dauncey
        www.d19.ca

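        The "CIDR calculations" step above, written out as an added example (not the poster's script and not a Cloudron feature): given a list of offending addresses, group them by /16, compute the smallest single CIDR block that covers each group, and report how many addresses that block contains beyond the offenders, which is the collateral exposure of the block. The offender list is constructed: it contains the IP from the quoted log plus made-up neighbours chosen to fall inside the three ranges the post lists, so the proposed blocks reproduce those ranges; the /16 grouping is an assumption, not a rule from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed offender list: the address from the quoted log plus made-up
# neighbours inside the ranges the post blocked. Not a real blocklist.
OFFENDERS = [
    "114.99.130.140", "114.99.133.10", "114.99.129.5",
    "60.167.12.4", "60.167.100.250",
    "223.241.50.1", "223.241.60.200",
]


def smallest_covering_network(ips):
    """Widen a /32 (or /128) until every address in ips falls inside it."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(addrs[0])
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def propose_blocks(ips, group_prefix=16):
    """Group offenders by an enclosing prefix and return one covering block per group."""
    groups = defaultdict(list)
    for ip in ips:
        key = ipaddress.ip_network(f"{ip}/{group_prefix}", strict=False)
        groups[key].append(ip)
    blocks = [smallest_covering_network(g) for g in groups.values()]
    return sorted(blocks, key=lambda n: (n.version, int(n.network_address)))


def exposure(net, offenders):
    """How many addresses a block covers, and how many of them are not known offenders."""
    hits = sum(1 for ip in offenders if ipaddress.ip_address(ip) in net)
    return {
        "network": str(net),
        "addresses": net.num_addresses,
        "offenders": hits,
        "collateral": net.num_addresses - hits,
    }


def is_blocked(ip, blocks):
    """True if ip falls inside any proposed block (useful for checking a known-good client)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in blocks)


if __name__ == "__main__":
    blocks = propose_blocks(OFFENDERS)
    for b in blocks:
        print(exposure(b, OFFENDERS))
    # A constructed address a legitimate visitor might come from: check it is not caught.
    print("203.0.113.9 blocked:", is_blocked("203.0.113.9", blocks))
```

        The `collateral` figure is the number to weigh against the ~2 million addresses of the whole ASN mentioned above: a /21 costs about two thousand addresses, a /17 over thirty thousand, so tightening the grouping prefix (say /20 instead of /16) trades more rules for less collateral. Running `is_blocked` against the addresses of known-good customers before applying the rules catches the false positive the post was worried about.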
          girish (Staff) @d19dotca

          @d19dotca said in Anyone else see many connections denied due to "Mail from domain <domain> is not allowed from your host" repeatedly from spammy IPs?:

          I just want to make sure I understand the workflow here. I believe the issue here is somebody is trying to spoof the email address of an email address I host on my mail server, coming from some spammy IP. Is that correct?

          I think your analysis is correct. Someone is trying to send mail to Cloudron, with FROM address set to a domain that you host. Cloudron then rejects it saying this is not allowed because after all only itself and other SPF-listed servers can send mail with that FROM address.

          A bit of a wild guess: mail from is usually <> for bounce mail. So, this seems like some poor denial of service or maybe those IPs know that some mail software misbehaves with such carefully crafted mail.

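          The decision girish describes, as an added example that is not Cloudron's or Haraka's code: a simplified model of what happens to a MAIL FROM naming a hosted domain when the session is not authenticated. It parses only the ip4 mechanisms of a constructed SPF record (a real check would resolve DNS and handle include, a, mx and the other mechanisms), treats the empty bounce sender <> as not a hosted domain, and produces the 902 rejection with an empty recipient list. That last detail is an assumption drawn from the quoted record: rcptTo is empty there, which is consistent with the sender being rejected before any RCPT TO was processed. The local-domain set, SPF record and addresses are all constructed.

```python
import ipaddress

# Constructed policy data: a hosted domain and an SPF record with only ip4 mechanisms.
# Real SPF evaluation resolves DNS and handles include/a/mx; this model does not.
LOCAL_DOMAINS = {"example.test"}
SPF_RECORDS = {"example.test": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"}


def ip4_mechanisms(record):
    """Return the networks named by ip4: mechanisms in an SPF record string."""
    nets = []
    for term in record.split():
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets


def domain_of(mail_from):
    """Extract the sender domain; the null sender <> (bounces) has no domain."""
    addr = mail_from.strip().strip("<>")
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def decide(mail_from, remote_ip, auth_user=None, relaying=False):
    """Model of the MAIL FROM stage: (action, detail). Rejection happens before RCPT TO."""
    domain = domain_of(mail_from)
    if domain is None or domain not in LOCAL_DOMAINS:
        # Not claiming to be one of our domains: this check is not the one that applies.
        return ("continue", "sender domain not hosted here; other checks apply")
    if auth_user or relaying:
        # Our own users (authenticated) or explicit relays may use the hosted domain.
        return ("accept", f"local sender permitted (auth={auth_user}, relaying={relaying})")
    addr = ipaddress.ip_address(remote_ip)
    if any(addr in net for net in ip4_mechanisms(SPF_RECORDS.get(domain, ""))):
        return ("continue", "remote host is listed in the domain's SPF ip4 mechanisms")
    return ("deny", {
        "errorCode": 902,
        "message": f"Mail from domain '{domain}' is not allowed from your host",
        "rcptTo": [],  # nothing recorded: the session never reached RCPT TO
    })


if __name__ == "__main__":
    # The shape of the quoted event: unauthenticated, hosted domain, unlisted remote IP.
    print(decide("<user@example.test>", "114.99.130.140"))
    # A bounce from the same host carries no domain and passes through this check.
    print(decide("<>", "114.99.130.140"))
```

          The four branches map onto the thread: the unauthenticated connection from an unlisted address is the 902 in the log; an authenticated Cloudron user or an SPF-listed host is allowed to use the domain; and a null-sender bounce, which girish notes is the usual MAIL FROM for bounces, is not judged by this check at all.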
            d19dotca @girish

            @girish said in Anyone else see many connections denied due to "Mail from domain <domain> is not allowed from your host" repeatedly from spammy IPs?:

            A bit of a wild guess: mail from is usually <> for bounce mail. So, this seems like some poor denial of service or maybe those IPs know that some mail software misbehaves with such carefully crafted mail.

            Ah very interesting, I appreciate that insight. It was definitely strange when I saw it happening - so many requests at once. I'll keep an eye out for it. Sounds like it's all good then as far as Cloudron is concerned. 🙂 Thanks Girish.

            --
            Dustin Dauncey
            www.d19.ca
