Open
Description
Support guidelines
- I've read the support guidelines
I've found a bug and checked that ...
- ... the documentation does not mention anything about my problem
- ... there are no open or closed issues that are related to my problem
Description
Today I received an abuse notice. Since Addy is the only mail server I run, the issue must have come from it. I did a little investigation; unfortunately, the logs were flooded by Postfix trying to deliver spam, so the only thing I managed to get is that the issue is with Addy and not Postfix itself. I got that from the Postfix logs, where the client is denoted as addy.
I am using mostly default env variables and did not change the Docker image in any way.
Expected behaviour
Emails from domains not connected to Addy should not be sent
Actual behaviour
My server started sending emails from unccpayment@nic.ad.jp which is not a domain that was connected to my addy instance.
Steps to reproduce
Docker info
host:
  arch: amd64
  buildahVersion: 1.37.3
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 86.56
    systemPercent: 5.32
    userPercent: 8.12
  cpus: 2
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    version: "40"
  eventLogger: journald
  freeLocks: 2002
  hostname: xxxxxxxxxxx
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.11.3-200.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 176291840
  memTotal: 3997028352
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-2.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.17-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240906.g6b38f07-1.fc40.x86_64
    version: |
      pasta 0^20240906.g6b38f07-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 173h 57m 13.00s (Approximately 7.21 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/xxxxxxxxxx/.config/containers/storage.conf
  containerStore:
    number: 25
    paused: 0
    running: 24
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/xxxxxxxxxxxx/.local/share/containers/storage
  graphRootAllocated: 40165670912
  graphRootUsed: 17843048448
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 26
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/xxxxxxxxxxx/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.3
  Built: 1727136000
  BuiltTime: Tue Sep 24 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.3
Docker Compose config
Logs
Jan 24 17:09:34 XXXXXXXXXXXXX addy[2517]: Jan 24 18:09:34 XXXXX postfix/smtpd[60330]: 8A4395A1C6: client=addy[10.90.0.2]
Jan 24 17:09:40 XXXXXXXXXXXXX addy[2517]: Jan 24 18:09:40 XXXXX postfix/cleanup[61520]: 8A4395A1C6: message-id=<20250124170934.8A4395A1C6@XXXXX.org>
Jan 24 17:09:44 XXXXXXXXXXXXX addy[2517]: Jan 24 18:09:44 XXXXX postfix/qmgr[954]: 8A4395A1C6: from=<unccpayment@nic.ad.jp>, size=1257, nrcpt=20 (queue active)
Additional info
I am using Podman instead of Docker. Below is attached the abuse complaint.
Feedback-Type: abuse
User-Agent: USGOabuse
Version: 0.1
Received-Date: Fri, 24 Jan 2025 09:52:18 -0600 (CST)
Source-IP: 167.235.60.53
Return-Path: <unccpayment@nic.ad.jp>
Received: from [xxxxxxxxx] by usgo.net
(USGO MTA v5/:PHVuY2NwYXltZW50QG5pYy5hZC5qcD48ZGRldHRtYW5uQHVzZmFtaWx5Lm5ldD4-)
with SMTP id <20250124095218000555300011> for <ddettmann@usfamily.net>;
Fri, 24 Jan 2025 09:52:18 -0600 (CST)
(envelope-from unccpayment@nic.ad.jp)
Received: from [192.168.8.103] (addy [10.90.0.2])
by xxxxxxx.org (Postfix) with ESMTP id 5B8804CCC4;
Fri, 24 Jan 2025 15:00:27 +0100 (CET)
X-AnonAddy-Authentication-Results: xxxxxxx.org;
dkim=none;
dmarc=fail reason="No valid SPF, No valid DKIM" header.from=nic.ad.jp (policy=none);
spf=fail (XXXXXX: domain of unccpayment@nic.ad.jp does not designate 10.90.0.2 as permitted sender) smtp.mailfrom=unccpayment@nic.ad.jp
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: Re: Your compensation!
To: Recipients <unccpayment@nic.ad.jp>
From: Financial Services <unccpayment@nic.ad.jp >
Date: Fri, 24 Jan 2025 15:00:22 +0100
Reply-To: veronknightley@outlook.com
Message-Id: <20250124140027.5B8804CCC4@xxxxx.org>
X-AnonAddy-Spam: Yes
X-Spam: Yes
Good Morning,
=
We are not sure you received our previous message but once again we wish to=
use this medium to officially congratulate and inform you that following t=
he review of all unclaimed, pending, delayed inheritance, contract and lott=
ery funds transfers, before and around the corona virus pandemic, you have =
been selected to receive a compensation amount of with US$3,200,000.00
=
For details to immediately receive your, kindly reply back US$3,200,000.00 =
with your direct telephone number to enable our Payment Director, Veronica =
Knightley, contact you directly.
=
=
Yours Sincerely,
Mrs.Alison Balsom
Financial Services,UK
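Added example, not part of the original report or the project's code: when the Postfix log is flooded as described above, correlating the `smtpd` and `qmgr` lines by queue ID shows which queued messages carry an envelope sender outside the instance's own domains and which client submitted them. The function name, the `example.org` own domain, the recipient threshold and the last two log lines are assumptions made for the illustration.

```python
import re

# Lines 1-3 are the log excerpt from the report; lines 4-5 are constructed
# (a made-up legitimate forward from the assumed own domain example.org).
SAMPLE_LOG = """\
Jan 24 17:09:34 XXXXXXXXXXXXX addy[2517]: Jan 24 18:09:34 XXXXX postfix/smtpd[60330]: 8A4395A1C6: client=addy[10.90.0.2]
Jan 24 17:09:40 XXXXXXXXXXXXX addy[2517]: Jan 24 18:09:40 XXXXX postfix/cleanup[61520]: 8A4395A1C6: message-id=<20250124170934.8A4395A1C6@XXXXX.org>
Jan 24 17:09:44 XXXXXXXXXXXXX addy[2517]: Jan 24 18:09:44 XXXXX postfix/qmgr[954]: 8A4395A1C6: from=<unccpayment@nic.ad.jp>, size=1257, nrcpt=20 (queue active)
Jan 24 17:10:02 XXXXXXXXXXXXX addy[2517]: Jan 24 18:10:02 XXXXX postfix/smtpd[60331]: 1B2C3D4E5F: client=addy[10.90.0.2]
Jan 24 17:10:03 XXXXXXXXXXXXX addy[2517]: Jan 24 18:10:03 XXXXX postfix/qmgr[954]: 1B2C3D4E5F: from=<alias@example.org>, size=2210, nrcpt=1 (queue active)
"""

# Assumes Postfix short (hexadecimal) queue IDs, the default format.
LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
CLIENT = re.compile(r"client=(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]")
QMGR = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def find_foreign_senders(log_text, own_domains, max_rcpt=5):
    """Join smtpd/qmgr lines on queue ID; flag foreign senders and wide fan-out."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"qid": m["qid"]})
        if m["svc"] == "smtpd" and (c := CLIENT.search(m["rest"])):
            rec["client"] = f'{c["name"]}[{c["ip"]}]'
        elif m["svc"] == "qmgr" and (q := QMGR.search(m["rest"])):
            rec["sender"], rec["nrcpt"] = q["sender"], int(q["nrcpt"])
    own = {d.lower() for d in own_domains}
    findings = []
    for rec in msgs.values():
        if "sender" not in rec:
            continue  # no qmgr line seen yet for this queue ID
        domain = rec["sender"].rpartition("@")[2].lower()
        reasons = []
        # An empty sender (from=<>) is a bounce, not a foreign domain.
        if rec["sender"] and domain not in own:
            reasons.append("foreign-sender-domain")
        if rec["nrcpt"] > max_rcpt:
            reasons.append("many-recipients")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in find_foreign_senders(SAMPLE_LOG, {"example.org"}):
        print(hit)
```

The regexes use `search`, so the same function works on the journald-prefixed lines shown in the report and on a plain Postfix log file.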