The Attack — What Happened
Every email account across every domain on a Webuzo-managed dedicated server was being flooded with sextortion spam. The same message — "YOU PERVERT, I RECORDED YOU!" — was hitting every mailbox, hundreds of times. The attacker was spoofing the sender address so it appeared the emails came from the victim's own address.
The email demanded $800 in Bitcoin, claiming to have recorded the recipient through their webcam. The attack was automated and hit all domains hosted on the server.
Root Cause Analysis
Examining the email headers revealed the full attack chain. The attacker at IP 203.0.113.50 was sending email as info@charity-example.org to info@charity-example.org. The server accepted it because of five compounding failures:
- SPF failed but mail delivered anyway
- DKIM verification disabled in Exim
- DMARC policy set to p=none
- No RBL rejection rules configured
- SpamAssassin tagged but didn't reject
SpamAssassin did detect the spam (score 6.0, threshold 5.0), but the server was configured to tag spam rather than reject it. The attacker's IP was already listed on Spamhaus PBL and XBL, but no RBL rejection rules existed.
Fix 1 — Webuzo ACLs Tab
The ACLs tab controls the core access control rules for incoming SMTP connections. This is where the biggest misconfigurations were hiding.
| Setting | Was | Changed To | Why |
|---|---|---|---|
| SpamAssassin ratelimit threshold | No ratelimiting | 5 | Rate-limits IPs that sent high-scoring spam |
| SMTP delay for unknown hosts | OFF | ON | Tarpitting slows automated spam bots |
| Require remote HELO (hostname) | OFF | ON | Rejects connections without a valid hostname |
| Require remote HELO (domain) | OFF | ON | Forces connecting servers to identify with a real domain |
| Disable DKIM verify | ON | OFF | CRITICAL — Was disabling all DKIM checking |
| Max message recipients (soft) | No limit | 50 | Legitimate emails rarely exceed 50 recipients |
| Max recipients before disconnect | No limit | 100 | Hard-cuts mass-recipient connections |
When it says "Disable DKIM verify: ON" — that means DKIM verification is disabled. Turning it OFF is what enables verification. Combined with "Reject DKIM failures: ON", spoofed emails with invalid DKIM signatures will now be rejected at the SMTP level.
Fix 2 — Webuzo Filters Tab (Anti-Spoofing Rule)
The Custom Filter box accepts Exim system filter syntax. This anti-spoofing rule rejects any unauthenticated external email that claims to be from a local domain:
if "$authenticated_id" is "" and "$sender_host_address" is not "" and "$sender_host_address" is not "127.0.0.1" and "${if match_domain{${domain:$h_from:}}{+local_domains}{yes}{no}}" is "yes"
then
fail text "Rejected: you are not authorized to send from this domain"
endifThe attacker was sending as info@charity-example.org from an external IP without authentication. This filter catches exactly that pattern.
Fix 3 — Webuzo Mail Tab
| Setting | Was | Changed To | Why |
|---|---|---|---|
| Log sender rates in mainlog | OFF | ON | Essential for detecting compromised accounts |
| Allow delivery if scanner fails | ON | OFF | If SpamAssassin crashes, mail is deferred not delivered unscanned |
| Delivery for suspended accounts | Accept and queue | Reject at SMTP time | Stop wasting resources on dead accounts |
| Default/catch-all destination | System default | Fail | Catch-alls are a spam magnet |
Fix 4 — Webuzo RBLs Tab
The Exim configuration had # BEGIN RBL and # END of RBL markers but nothing between them. SpamAssassin was scoring against RBLs (headers showed Spamhaus PBL/XBL hits), but the server wasn't rejecting at the SMTP level.
The existing SpamAssassin RBL scoring combined with the reject threshold of 4 provides equivalent protection through the GUI alone — since the attacker's IP was already scoring 3.6 from Spamhaus hits before any content analysis.
Fix 5 — Webuzo SpamAssassin Tab
| Setting | Was | Changed To | Why |
|---|---|---|---|
| Scan outgoing messages | OFF | ON | Catches outbound spam from compromised accounts |
| Outbound scan score | Disabled | 5 | Blocks outbound emails scoring above 5 |
| Don't forward if matches spam score | OFF | ON | Prevents server from forwarding spam externally |
| Don't forward defined score | Disabled | 5 | Protects server IP reputation |
Fix 6 — DNS Authentication (SPF, DKIM, DMARC)
SPF — Sender Policy Framework
SPF tells receiving servers which IPs are authorized to send email for your domain. Use -all (hard fail), not ~all (soft fail):
v=spf1 a mx ip4:198.51.100.25 -allOne domain had two SPF TXT records, which causes a PermError — effectively breaking SPF entirely. Only one SPF record per domain is allowed.
DMARC — The most important fix
DMARC tells receiving servers what to do when SPF and DKIM both fail. Most domains had p=none — which literally means "do nothing when someone spoofs this domain."
| Domain | DMARC Was | Changed To |
|---|---|---|
| charity-example.org | p=none (vulnerable) | p=reject |
| consulting-example.org | p=none (vulnerable) | p=reject |
| hosting.example.com | p=quarantine | p=reject |
| example.com | p=none (vulnerable) | p=reject |
# TXT record at _dmarc.yourdomain.org
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.org; fo=1Fix 7 — PTR / Reverse DNS
The server hostname was mail.example.com, but reverse DNS returned 198-51-100-25.rev.example-isp.net — Scaleway's generic hostname. Gmail penalizes this mismatch. Fixed via Scaleway console to point PTR to mail.example.com.
mail.example.com → 198.51.100.25 (forward A record) and 198.51.100.25 → mail.example.com (reverse PTR) must agree. Any mismatch tanks deliverability.
Fix 8 — Cloudflare Proxy & Email Client Connectivity
Users couldn't connect Outlook, Gmail, or Thunderbird to their email accounts. The reason: the mail subdomain on every domain was proxied through Cloudflare's orange cloud. Cloudflare can only proxy HTTP/HTTPS — not IMAP (993), POP3 (995), or SMTP (465/587).
| Domain | mail. resolved to | Problem |
|---|---|---|
| mail.hosting.example.com | 198.51.100.25 | Grey cloud — OK |
| mail.example.com | 198.51.100.80 (Cloudflare) | Orange cloud — BLOCKED |
| mail.charity-example.org | 198.51.100.81 (Cloudflare) | Orange cloud — BLOCKED |
| mail.consulting-example.org | 198.51.100.92 (Cloudflare) | Orange cloud — BLOCKED |
The rule: Grey cloud (DNS only) for anything email-related: mail, autodiscover, autoconfig, hostname. Orange cloud (proxied) for web: root, www.
Email client connection settings (after fix)
Incoming Server: mail.example.com
Protocol: IMAP
Port: 993 (SSL/TLS)
Outgoing Server: mail.example.com
Port: 465 (SSL/TLS)
Username: full email addressUsing mail.example.com as the mail server for all domains avoids SSL certificate mismatches.
Fix 9 — SSL Certificate Issues
ZeroSSL certificates were failing to issue for several domains. Two causes:
charity-example.org — HTTP validation timeout
The domain was behind Cloudflare's proxy, so the ACME validation request went to Cloudflare — not the origin server. Fix: temporarily grey-cloud during SSL issuance, or use Cloudflare Origin Certificates.
www.hosting.example.com — Pointed to localhost
The www subdomain resolved to 127.0.0.1, so ACME self-verification failed. After fixing the DNS to the correct IP, re-issuing the certificate resolved it.
Verification & Results
After applying all fixes:
=== PTR (Reverse DNS) ===
198.51.100.25 → mail.example.com ✅
=== SPF ===
All domains: v=spf1 a mx ip4:198.51.100.25 -all ✅
=== DKIM ===
All domains: key present, selector x ✅
=== DMARC ===
All domains: p=reject ✅Verification tools
| Tool | URL | What it checks |
|---|---|---|
| MXToolbox | mxtoolbox.com | SPF, DKIM, DMARC, blacklists, SMTP diagnostics |
| Mail-Tester | mail-tester.com | Send a test email, get a deliverability score |
| DMARC Analyzer | dmarcanalyzer.com | Validates DMARC record format and policy |
TL;DR
A Webuzo-managed server was under mass sextortion spoofing. Five compounding failures allowed it: disabled DKIM verification in Exim, DMARC set to p=none, no RBL rejection rules, SPF softfail or missing, and SpamAssassin configured to tag rather than reject. The fix involved hardening the Webuzo Exim Configuration Manager across six tabs, adding anti-spoofing system filters, correcting DMARC to p=reject for all domains, fixing the PTR record, and switching all mail. subdomains from Cloudflare's orange cloud proxy to grey cloud DNS-only — since Cloudflare cannot proxy IMAP/SMTP traffic.