A2I Communications

Mystery email reports on aqua-new.rahul.net + fix

You might have been periodically receiving a mystery email containing an indecipherable attachment from some well-known sites such as Google and Yahoo.

Many accounts when created on aqua-new.rahul.net were configured by default to get such reports. The default was later changed to not cause such reports. You can find an explanation, and instructions for switching off (or on) these emailed reports, on this page:

See the paragraph that begins with Send aggregate feedback to.

I’ve figured out this DMARC record is maintained not by my domain registrar, but by the domain name server [virtually] at rahul.net. On Virtualmin I’ve found my _dmarc record under Server Configuration : DNS Records. It shows me the first n characters of this record’s value followed by “…” I can see how to Delete my _dmarc record. However I’m not seeing how to edit it, or even how to view its entire value. I also note the Create Record of Type: function does not include DMARC among its options. So it doesn’t seem this DMARC record is [yet?] under control of the domain’s owner.

To edit your DMARC record, try a different menu path:

Webmin => Servers => BIND DNS Server

Then click on DMARC, then on the next screen click on _dmarc.

However, I am going to enable a Virtualmin feature shortly that will make this even easier. Will post a response when that has been done.

Alternate menu path as promised to update DMARC record options:

Virtualmin => Server Configuration => DNS Options

If you are already logged in, you may have to click on other things first, or maybe log out and log back in, to make the above visible.

However, I now realize that this alternate menu path will let you change everything except the automatic email reports. So to disable or enable those the only menu path is still as before, i.e.:

Webmin => Servers => BIND DNS Server

The DNS Options menu also lets you adjust the SPF record for your domain. As always, if you want to make changes, it’s a good idea to save a screenshot or a screen print etc. so you can revert to the original if needed.

Hmm. I’ve not tried editing any of this yet but I see that my DMARC’s “Send aggregate/forensic” options are already set to “Don’t send”. Yet I’ve received these .gz files sent to my postmaster@ as recently as January 29th. Did you recently change this on my behalf? If not, why have I been getting these reports for the past month while my DMARC is “Don’t send”?

Actually there is a DMARC for each of your domains. So you have to adjust each one separately.

My only domains are my custom doudna.com and the default ddoudna.onthisweb.com. Each of those - according to Webmin’s BIND DNS Server - has DMARC’s “Send aggregate feedback to” and “Send forensic information to” options configured as “Don’t send.” Yet as recently as 3am this morning, Google sent four “Report domain” emails to postmaster@doudna.com. Perhaps one of the other options also needs to be reconfigured? I haven’t tried editing any of them yet.

Try these commands from the Linux shell:

host -t txt _dmarc.doudna.com aqua-new.rahul.net
host -t txt _dmarc.doudna.com 8.8.8.8

The first one queries aqua-new.rahul.net for a DMARC record. The second queries Google.

I think you have become the victim of the Apply Zone gremlins. These are documented here:

After making any DNS updates, be sure to look for a tiny icon in the top right. When you hover your mouse over it, you should see a little pop-up hint that says Apply zone. Click on this icon to apply your DNS changes. If you forget this little icon (it’s easy to miss it), DNS changes will never become visible.
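The two host commands a few posts up and the “Apply zone” pitfall both come down to the same check: read the _dmarc TXT record from the zone’s own server and from a public resolver, and compare them tag by tag, paying attention to the rua (aggregate) and ruf (forensic) report destinations that cause the mystery emails. The script below is an added example, not code from this thread or from rahul.net’s Webmin/Virtualmin setup. The sample records are constructed; doudna.com and the postmaster address are used only as placeholders from the thread. The live lookup shells out to host(1) exactly as the commands above do and parses its “descriptive text” output line; that is an assumption about host’s output format, and it is not run unless you call it.

```python
"""Parse DMARC TXT records and compare what two name servers return.

Added example (not from the original thread). The records below are
constructed sample input; the lookup helper needs network and host(1).
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed samples: one record that asks for both kinds of reports
# (the "!10m" suffix is the optional report-size limit), one that does not.
RECORD_REPORTS_ON = ("v=DMARC1; p=none; rua=mailto:postmaster@doudna.com!10m; "
                     "ruf=mailto:postmaster@doudna.com")
RECORD_REPORTS_OFF = "v=DMARC1; p=none"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag -> value dict.

    Raises ValueError for a record that is not DMARC (e.g. an SPF record
    living at _dmarc by mistake) or for a tag without '='.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:                      # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def report_destinations(record: str) -> Dict[str, List[str]]:
    """Addresses that receive aggregate (rua) and forensic (ruf) reports.

    An empty list means receivers such as Google are told not to send that
    kind of report. Size-limit suffixes ('!10m') are stripped from the URIs.
    """
    tags = parse_dmarc(record)
    out: Dict[str, List[str]] = {}
    for kind in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(kind, "").split(",") if u.strip()]
        out[kind] = [u.split("!", 1)[0] for u in uris]
    return out


def diff_tags(rec_a: Optional[str], rec_b: Optional[str]) -> List[str]:
    """Tag-by-tag differences between two records (None = no record at all)."""
    a = parse_dmarc(rec_a) if rec_a else {}
    b = parse_dmarc(rec_b) if rec_b else {}
    diffs = []
    for tag in sorted(set(a) | set(b)):
        if a.get(tag) != b.get(tag):
            diffs.append(f"{tag}: {a.get(tag, '(absent)')} vs {b.get(tag, '(absent)')}")
    return diffs


def lookup_dmarc(domain: str, server: str) -> Optional[str]:
    """Query one server for _dmarc.<domain> with host(1), like the thread's
    commands, and return the record text or None if there is no TXT record.

    Assumes host prints TXT answers as '<name> descriptive text "..."';
    long records arrive as several quoted strings, which are concatenated.
    """
    proc = subprocess.run(["host", "-t", "txt", f"_dmarc.{domain}", server],
                          capture_output=True, text=True, check=False)
    for line in proc.stdout.splitlines():
        m = re.match(r"^_dmarc\.\S+ descriptive text (.+)$", line)
        if m:
            return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1)))
    return None


if __name__ == "__main__":
    for rec in (RECORD_REPORTS_ON, RECORD_REPORTS_OFF):
        print(rec, "->", report_destinations(rec))
    print("differences:", diff_tags(RECORD_REPORTS_ON, RECORD_REPORTS_OFF))
    # Live comparison mirroring the two host commands (needs network):
    # print(diff_tags(lookup_dmarc("doudna.com", "aqua-new.rahul.net"),
    #                 lookup_dmarc("doudna.com", "8.8.8.8")))
```

If the authoritative server and 8.8.8.8 disagree right after an edit, the usual cause is the one described above (the zone was edited but never applied); if they disagree only for a while, the public resolver is still serving the old record until its TTL expires.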

I was misinterpreting the Webmin GUI; I thought all the fields above represented the current setting and an opportunity to edit them. Now I understand that interface always starts with the same default template, is used to create a new DNS record from scratch, and then you delete the old DNS record. This became clear when I tried the command line query. Which I also used to confirm it’s all good now. Thanks.

Indeed, the Webmin DNS user interface can be quite confusing the first few times you use it.

At the top is the form to let you create a new DNS record. Only after you click on one of the existing DNS records listed lower down do you get the opportunity to modify that existing DNS record.

I have noticed miscellaneous spam arriving since the migration began.
These look like informational messages about something that I might encounter in a new environment. The coincidence of timing makes me wonder if something about the migration seeded a set of spam.

Today,

From: rahul.net Support

You have {10} undelivered mails clustered on your cloud due to mail storage capacity is full and awaiting approval from you to deliver messages and restore cloud storage. :

And a clickie that goes to
https:// everlasting-enormous-petalite . glitch. me / #dold @ rahul.net

That is an example of phishing, where somebody wants you to try to log in on a fake web page. Even experts will sometimes absent-mindedly do this, so I advise always using the strongest possible two-factor authentication everywhere. On websites that support FIDO aka U2F, using such a device is highly advisable.

So far as I can tell, only Google has figured out how to kill almost all spam and phishing without any noticeable false hits. And they do it with a neural network running on a large cluster of machines. I have a number of email accounts here and there, and all of them either kill almost all spam but also trap legitimate email, or they let quite a bit of spam through. Even Microsoft with all its resources doesn’t get anywhere near Google’s accuracy.

In the Classic Linux environment, we reject about 80–85% of all incoming mail during SMTP, so that it is never accepted, and then the 15–20% that is permitted in then gets further filtered by SpamAssassin. Factoring all this in, the rate of uncaught spam and phishing is probably 0.5–1.0%.

You can get the benefit of Google’s technology by using Gmail’s ability to retrieve mail via POP. (Provided you don’t mind the possible privacy implications of using Google, which I know many people do.)

I’m working on better solutions. The hard part is not killing spam and phishing per se, but rather, doing it without false positives.


I got a copy of the same message, and it was classified as spam with a high degree of confidence.

X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on aqua-new.rahul.net
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.2 required=5.0 tests=FROM_MISSP_EH_MATCH,
    HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,
    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,
    RCVD_IN_PSBL,RCVD_IN_RP_RNBL,RDNS_NONE,SPF_HELO_NONE,SPF_NONE,
    TO_NO_BRKTS_FROM_MSSP,TO_NO_BRKTS_NORDNS_HTML,URIBL_BLOCKED
    autolearn=no autolearn_force=no version=3.4.4

If your spam settings are optimally configured, this should either go into a spam folder or be automatically deleted.
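The X-Spam-Status header quoted above is what a spam folder rule or a delete rule would act on. The script below is an added example, not code from this thread or from rahul.net’s mail setup: it unfolds the multi-line header, pulls out the score, the required threshold, the rule names, and the autolearn/version fields, and returns a disposition. The sample message reuses the quoted header as constructed input with made-up From/Subject lines; the folder names, the 15.0 delete threshold, and the function names are assumptions.

```python
"""Parse SpamAssassin's X-Spam-Status header and decide where mail goes.

Added example (not from the original thread). SAMPLE_MESSAGE is constructed
from the header quoted in the post above; the thresholds are assumptions.
"""
import email
import re
from typing import Dict, List, Optional

SAMPLE_MESSAGE = """\
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on aqua-new.rahul.net
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.2 required=5.0 tests=FROM_MISSP_EH_MATCH,
    HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,
    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,
    RCVD_IN_PSBL,RCVD_IN_RP_RNBL,RDNS_NONE,SPF_HELO_NONE,SPF_NONE,
    TO_NO_BRKTS_FROM_MSSP,TO_NO_BRKTS_NORDNS_HTML,URIBL_BLOCKED
    autolearn=no autolearn_force=no version=3.4.4
From: "rahul.net Support" <dold@rahul.net>
Subject: You have {10} undelivered mails

(constructed body)
"""


def parse_spam_status(value: str) -> Dict[str, object]:
    """Parse 'Yes, score=9.2 required=5.0 tests=A,B autolearn=no ...'.

    The header may be folded over several lines, so all whitespace is
    collapsed first; the comma-separated tests list is returned as a list.
    """
    text = " ".join(value.split())
    m = re.match(r"(Yes|No),\s*(.*)", text)
    if not m:
        raise ValueError(f"unexpected X-Spam-Status: {value!r}")
    status: Dict[str, object] = {"spam": m.group(1) == "Yes"}
    # Split only on whitespace that precedes a 'key=' token, so the spaces
    # left inside the folded tests list do not break it apart.
    for chunk in re.split(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)", m.group(2)):
        key, _, val = chunk.partition("=")
        status[key] = val
    status["score"] = float(status["score"])
    status["required"] = float(status["required"])
    tests = re.sub(r"\s", "", str(status.get("tests", "")))
    status["tests"] = [t for t in tests.split(",") if t]
    return status


def dns_list_hits(status: Dict[str, object]) -> List[str]:
    """Rules that fired because of DNS list lookups on the sending host
    (RCVD_IN_*), the strongest evidence in the quoted header."""
    return [t for t in status["tests"] if str(t).startswith("RCVD_IN_")]


def disposition(status: Dict[str, object], delete_at: float = 15.0) -> str:
    """'deliver' below the required score, 'spam-folder' at or above it,
    'delete' at the assumed delete_at score or higher."""
    if status["score"] >= delete_at:
        return "delete"
    if status["spam"] or status["score"] >= status["required"]:
        return "spam-folder"
    return "deliver"


def spam_status_of(raw_message: str) -> Optional[Dict[str, object]]:
    """Extract and parse X-Spam-Status from a raw RFC 5322 message."""
    value = email.message_from_string(raw_message).get("X-Spam-Status")
    return None if value is None else parse_spam_status(value)


def classify_message(raw_message: str) -> str:
    """Disposition for a raw message; unscanned mail is delivered, not guessed."""
    status = spam_status_of(raw_message)
    return "deliver" if status is None else disposition(status)


if __name__ == "__main__":
    st = spam_status_of(SAMPLE_MESSAGE)
    print(f"score {st['score']} / required {st['required']}, "
          f"{len(st['tests'])} rules, DNS list hits: {dns_list_hits(st)}")
    print("disposition:", classify_message(SAMPLE_MESSAGE))
```

One caveat when acting on these headers: a sender can put its own X-Spam-Status into a message, so only trust X-Spam-* headers your own server added (SpamAssassin setups normally strip incoming ones before scanning), and keep the delete threshold well above the required score so borderline legitimate mail lands in the spam folder rather than disappearing.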

I got another, but I only have five trapped mails today :wink:

It seems that “support” is now in Latvia.

From: “rahul.net Support” <dold @ rahul.net>

SMTP from 46.183.221.21
Rigal, Latvia
ISP DataClub S.A.
Domain dataclub.biz

I have .forward set to a recognizable account on GMail.
GMail delivered it to my normal inbox, but today it had an orange banner suggesting that it had been reported by others as phishing.

I clicked a box that confirmed that it was phishing and a message flashed by that Google was noting that it came from a compromised account.
I presume that Google will recognize that it is the SMTP source that is bad, and not dold at rahul.net.