
spam - headers: from ME to ME, but different envelope sender

  • wiseadmin
    Message 1 of 14 , Sep 6, 2013

      Hello,
      I have had a postfix server for many years. The anti-spam filters were ok, I got in general just a couple of spams per day.

      Since a month or so, I have started getting more than 100 spams per day for every user on a specific account/domain.  These spams all look the same or are very similar.
      The situation is practically unmanageable. I wanted to reject these emails using postfix but I couldn't. I set up SpamAssassin and it catches 99% of them.

      I want somehow to reject them before delivery and not after, like SA does. I am not pleased with this SA solution.

      Maybe you could help, I also wrote on other forums but with no results. You are my last hope, and I'm not kidding :))



      #postconf -n

      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = no
      biff = no
      config_directory = /etc/postfix
      inet_interfaces = all
      mailbox_size_limit = 0
      mydestination = mail.xxx.ro, ns2.yyy.ro, localhost
      myhostname = mail.xxx.ro
      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
      myorigin = /etc/mailname
      readme_directory = no
      recipient_delimiter = +
      relayhost =
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      smtpd_data_restrictions = reject_unauth_pipelining
      smtpd_helo_required = yes
      smtpd_helo_restrictions = reject_invalid_hostname permit
      smtpd_recipient_restrictions = reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch reject_invalid_hostname reject_unknown_sender_domain  reject_unknown_recipient_domain reject_unverified_recipient reject_unlisted_recipient reject_invalid_helo_hostname check_sender_access hash:/etc/postfix/access_sender check_helo_access pcre:/etc/postfix/helo_checks reject_unknown_sender_domain reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, permit
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_path = private/auth
      smtpd_sasl_type = dovecot
      smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit
      smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_use_tls = yes
      virtual_alias_maps = hash:/etc/postfix/valias.txt
      virtual_gid_maps = static:1000
      virtual_mailbox_base = /var/spool/vmail
      virtual_mailbox_domains = /etc/postfix/vhost.txt
      virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
      virtual_uid_maps = static:1000


      About the spam:
      - it comes from a specific sender to me (the envelope), but the headers are always from ME to ME.


      -------- Original Message --------
      Return-Path:     <strongestv0@...>
      X-Original-To:     office@...
      Delivered-To:     office@...
      Received:     by mail.mydomain.ro (Postfix, from userid 1018) id A3E8C10BADF; Thu, 5 Sep 2013 17:10:06 +0300 (EEST)
      X-Spam-Checker-Version:     SpamAssassin 3.3.2 (2011-06-06) on cma.cma.ro
      X-Spam-Flag:     YES
      X-Spam-Level:     **********************
      X-Spam-Status:     Yes, score=22.8 required=5.0 tests=FILL_THIS_FORM, FILL_THIS_FORM_LONG,KB_DATE_CONTAINS_TAB,KB_FAKED_THE_BAT, RCVD_IN_BRBL_LASTEXT,RCVD_IN_XBL,RDNS_NONE,SPF_HELO_SOFTFAIL,TAB_IN_FROM, URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_PH_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.3.2
      X-Spam-Report:     * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist * [URIs: evropa-career.com] * 0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL * [41.66.194.98 listed in zen.spamhaus.org] * 0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist * [URIs: evropa-career.com] * 0.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist * [URIs: evropa-career.com] * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist * [URIs: evropa-career.com] * 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist * [URIs: evropa-career.com] * 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT * [41.66.194.98 listed in bb.barracudacentral.org] * 0.5 TAB_IN_FROM From starts with a tab * 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB * 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS * 3.4 KB_FAKED_THE_BAT KB_FAKED_THE_BAT * 0.0 FILL_THIS_FORM Fill in a form with personal information * 3.5 FILL_THIS_FORM_LONG Fill in a form with personal information
      Received:     from google.com (unknown [41.66.194.98]) by mail.mydomain.ro (Postfix) with ESMTP id ECD2310B6C4 for <office@...>; Thu, 5 Sep 2013 17:10:00 +0300 (EEST)
      Received:     from [221.194.175.146] (account goitreth@... HELO qhnmo.acswumaysrwvf.ua) by (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 126849276 for office@...; Thu, 5 Sep 2013 14:09:51 +0000
      Date:     Thu, 5 Sep 2013 14:09:51 +0000
      From:     <office@...>
      X-Mailer:     The Bat! (v2.00.18) Business
      X-Priority:     3 (Normal)
      Message-ID:     <0415780157.LBFIG8J2962186@...>
      To:     <office@...>
      Subject:     ***SPAM*** Job opportunity - hurry to apply!
      MIME-Version:     1.0
      Content-Type:     text/plain; charset=iso-8859-2
      Content-Transfer-Encoding:     7bit
      X-Spam-Prev-Subject:     Job opportunity - hurry to apply!


      and the same message from postfix logs:

      /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
      /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/cleanup[17702]: A3E8C10BADF: message-id=<0415780157.LBFIG8J2962186@...>
      /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/qmgr[19671]: A3E8C10BADF: from=<strongestv0@...>, size=3912, nrcpt=1 (queue active)
      /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/virtual[17708]: A3E8C10BADF: to=<office@...>, relay=virtual, delay=0.3, delays=0.17/0/0/0.12, dsn=2.0.0, status=sent (delivered to maildir)
      /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/qmgr[19671]: A3E8C10BADF: removed


      Thank you

    • Wietse Venema
      Message 2 of 14 , Sep 6, 2013
        wiseadmin:
        > I have a postfix server for
        > many years. The anti-spam filters were ok, I got in general just a
        > couple of spams per day.
        >
        > Since a month or so, I start getting
        > more than 100 spams for every user on a specific account/domain
        > per
        > day.  These spams look all the same or are very similar.
        > The
        > situation is practically unmanageable. I wanted to reject these
        > emails using postfix but I couldn't. I set up SpamAssassin and it
        > catch 99% from them.

        To block mail during the SMTP session, you need to configure Postfix
        with a before-queue filter such as amavisd-new which can integrate
        SpamAssassin into Postfix.

        http://www.ijs.si/software/amavisd/

        Wietse
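A concrete before-queue setup along the lines Wietse describes, as an added example that is not part of the thread and not taken from the amavisd-new project's own files: port 25 is proxied through amavisd-new on 127.0.0.1:10024 with smtpd_proxy_filter, amavisd runs SpamAssassin and hands clean mail back on 127.0.0.1:10025, and spam gets a 5xx while the remote client is still connected. The ports are the usual amavisd conventions; the spam threshold, the process counts and the output directory are assumptions. The function only writes fragments to a directory; merging them into /etc/postfix/master.cf and amavisd.conf is up to you.

```sh
#!/bin/sh
# Added example (not from the thread): Postfix + amavisd-new as a before-queue
# (SMTP proxy) filter so spam is rejected during the SMTP session instead of
# being tagged after delivery. Ports, thresholds and paths are assumptions.

write_before_queue_fragments() {
    dir=$1

    cat > "$dir/master.cf.fragment" <<'EOF'
# Port 25: proxy every session through amavisd before the message is queued.
# Drop any "-o content_filter=spamassassin" from this entry; the after-queue
# pipe filter is replaced by the proxy. Keep the chroot column as you have it.
smtp      inet  n       -       -       -       20      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10

# Re-injection point used by amavisd for mail that passed: loopback only, with
# the restrictions switched off so nothing is checked a second time.
127.0.0.1:10025 inet n  -       -       -       -       smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
EOF

    cat > "$dir/amavisd.conf.fragment" <<'EOF'
# amavisd-new: listen where Postfix proxies to, hand clean mail back on 10025,
# and REJECT spam so the proxy returns a 5xx to the remote client.
$inet_socket_port = 10024;
$forward_method   = 'smtp:[127.0.0.1]:10025';
$notify_method    = $forward_method;
$max_servers      = 20;        # match the process limit (20) on the smtp line
$sa_tag_level_deflt  = 2.0;    # add X-Spam-* headers above this score
$sa_kill_level_deflt = 6.0;    # assumed threshold; treat as spam above this
$final_spam_destiny  = D_REJECT;
EOF
}

# Stand-alone run: write the fragments to a scratch directory and show them.
tmp=$(mktemp -d)
write_before_queue_fragments "$tmp"
cat "$tmp/master.cf.fragment" "$tmp/amavisd.conf.fragment"
rm -rf "$tmp"
```

Two things to check before relying on it: the proxy holds the SMTP session open while amavisd works, so the amavisd process count must cover the smtpd process limit or clients will see 4xx errors under load; and D_REJECT only makes sense before-queue, since after-queue it would bounce to the forged sender instead.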
      • Wijatmoko U. Prayitno
        Message 3 of 14 , Sep 6, 2013
          On Fri, 06 Sep 2013 16:43:27 +0300
          wiseadmin <wiseadmin@...> wrote:

          > and the same message from postfix logs:
          >
          > /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
          The email came from local user uid 1018 (service pickup).

          --
          WUP
        • wiseadmin
          Message 4 of 14 , Sep 6, 2013
            And what does it mean?

            uid 1018 is the user under which spamd runs.

            #grep 1018 /etc/passwd
            spamd:x:1018:1019::/home/spamd:/bin/bash

            I don't know how to interpret the fact that it comes from the pickup
            service. Is my server compromised?

            Thanks.

            On 09/06/2013 04:51 PM, Wijatmoko U. Prayitno wrote:
            > On Fri, 06 Sep 2013 16:43:27 +0300
            > wiseadmin <wiseadmin@...> wrote:
            >
            >> and the same message from postfix logs:
            >>
            >> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
            > The email came from local user uid 1018 (service pickup).
            >
          • wiseadmin
            Message 5 of 14 , Sep 6, 2013
              Ok, this is a solution. I tried to avoid this because it consumes some
              resources.

              I have problems ONLY with this specific spam.

              I try to find out if there is something like this:
              - reject all emails that come from a different server to my server and
              have the From: header a local address (on my server).

              In /etc/postfix/access_sender I have:

              mydomain REJECT Illegal domain

              It doesn't work.



              On 09/06/2013 04:51 PM, Wietse Venema wrote:
              > wiseadmin:
              >> I have a postfix server for
              >> many years. The anti-spam filters were ok, I got in general just a
              >> couple of spams per day.
              >>
              >> Since a month or so, I start getting
              >> more than 100 spams for every user on a specific account/domain
              >> per
              >> day.  These spams look all the same or are very similar.
              >> The
              >> situation is practically unmanageable. I wanted to reject these
              >> emails using postfix but I couldn't. I set up SpamAssassin and it
              >> catch 99% from them.
              > To block mail during the SMTP session, you need to configure Postfix
              > with a before-queue filter such as amavisd-new which can integrate
              > SpamAssassin into Postfix.
              >
              > http://www.ijs.si/software/amavisd/
              >
              > Wietse
              >
            • Wietse Venema
              Message 6 of 14 , Sep 6, 2013
                Wijatmoko U. Prayitno:
                > On Fri, 06 Sep 2013 16:43:27 +0300
                > wiseadmin <wiseadmin@...> wrote:
                >
                > > and the same message from postfix logs:
                > >
                > > /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
                > The email came from local user uid 1018 (service pickup).

                Good observation. This message did not come via SMTP. You have
                a buggy web application.

                Wietse
              • Wijatmoko U. Prayitno
                Message 7 of 14 , Sep 6, 2013
                  On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
                  wietse@... (Wietse Venema) wrote:

                  >>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
                  >> The email came from local user uid 1018 (service pickup).
                  >
                  > Good observation. This message did not come via SMTP. You have
                  > a buggy web application.
                  >
                  Maybe the spamd are listen on all interface, so it opened
                  to the whole internet.

                  --
                  WUP
                • Tonu Samuel
                  Message 8 of 14 , Sep 6, 2013
                    On Fri, 2013-09-06 at 21:10 +0700, Wijatmoko U. Prayitno wrote:
                    > On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
                    > wietse@... (Wietse Venema) wrote:
                    >
                    > >>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
                    > >> The email came from local user uid 1018 (service pickup).
                    > >
                    > > Good observation. This message did not come via SMTP. You have
                    > > a buggy web application.
                    > >
                    > Maybe the spamd are listen on all interface, so it opened
                    > to the whole internet.
                    >

                    spamd deserves his name this time :)

                    Tõnu
                  • wiseadmin
                    Message 9 of 14 , Sep 6, 2013
                      I installed SA last week and I started to receive these spams 1-2 months
                      ago.

                      # netstat -tupan | grep spam
                      tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      27752/spamd.pid


                      What tests should I do next?

                      This is a production server, I'm starting to become afraid.


                      How was the email received if not via SMTP??


                      On 09/06/2013 05:10 PM, Wijatmoko U. Prayitno wrote:
                      > On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
                      > wietse@... (Wietse Venema) wrote:
                      >
                      >>>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
                      >>> The email came from local user uid 1018 (service pickup).
                      >> Good observation. This message did not come via SMTP. You have
                      >> a buggy web application.
                      >>
                      > Maybe the spamd are listen on all interface, so it opened
                      > to the whole internet.
                      >
                    • wiseadmin
                      Message 10 of 14 , Sep 6, 2013
                        All emails are received through smtp and then they are passed to spamd, inspected and delivered.
                        If I say something stupid, please excuse me, I am experienced with linux and networking in general but not with postfix and email servers.

                        I sent an email to myself and grep in the logs.

                        yadmin@cma:~$ egrep '718D9116266|A792B105AF0' /var/log/mail.log
                        Sep  6 17:35:22 cma postfix/smtpd[28457]: A792B105AF0: client=mail-ea0-f182.google.com[209.85.215.182]
                        Sep  6 17:35:22 cma postfix/cleanup[1067]: A792B105AF0: message-id=<5229E81C.6010202@...>
                        Sep  6 17:35:22 cma postfix/qmgr[19671]: A792B105AF0: from=<wiseadmin@...>, size=1808, nrcpt=1 (queue active)
                        Sep  6 17:35:28 cma postfix/pickup[810]: 718D9116266: uid=1018 from=<wiseadmin@...>
                        Sep  6 17:35:28 cma postfix/cleanup[1067]: 718D9116266: message-id=<5229E81C.6010202@...>
                        Sep  6 17:35:28 cma postfix/pipe[1069]: A792B105AF0: to=<user1@...>, relay=spamassassin, delay=8.3, delays=2.7/0/0/5.6, dsn=2.0.0, status=sent (delivered via spamassassin service)
                        Sep  6 17:35:28 cma postfix/qmgr[19671]: A792B105AF0: removed
                        Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: from=<wiseadmin@...>, size=2169, nrcpt=1 (queue active)
                        Sep  6 17:35:28 cma postfix/virtual[1068]: 718D9116266: to=<user1@...>, relay=virtual, delay=0.34, delays=0.29/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
                        Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: removed

                        On 09/06/2013 05:10 PM, Wijatmoko U. Prayitno wrote:
                        > On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
                        > wietse@... (Wietse Venema) wrote:
                        >
                        >>>> /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
                        >>> The email came from local user uid 1018 (service pickup).
                        >> Good observation. This message did not come via SMTP. You have
                        >> a buggy web application.
                        >>
                        > Maybe the spamd are listen on all interface, so it opened
                        > to the whole internet.
                        >

                      • Noel Jones
                        Message 11 of 14 , Sep 6, 2013
                          On 9/6/2013 9:05 AM, Wietse Venema wrote:
                          > Wijatmoko U. Prayitno:
                          >> On Fri, 06 Sep 2013 16:43:27 +0300
                          >> wiseadmin <wiseadmin@...> wrote:
                          >>
                          >>> and the same message from postfix logs:
                          >>>
                          >>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
                          >> The email came from local user uid 1018 (service pickup).
                          >
                          > Good observation. This message did not come via SMTP. You have
                          > a buggy web application.
                          >
                          > Wietse
                          >


                          The OP has a basic content filter that passes through spamd then back
                          to postfix via the sendmail interface. He's only shown us the
                          post-filter logging.

                          Wijatmoko, could you put a sample of the spam, including all
                          headers, on pastebin.com or similar where we can see it?



                          -- Noel Jones
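The correlation Noel is pointing at, as an added example that is not part of the thread: the pickup line (uid 1018, the spamd user) is the re-injection by the spamc/sendmail content filter, and the SMTP session that actually accepted the message is logged under a different queue ID. The two are tied together by the Message-ID logged by cleanup, so the script below starts from the pickup queue ID, finds the Message-ID, and prints the "client=" value of every other queue ID that carried it. The sample log is copied from the lines wiseadmin posted in message 10 (addresses elided as posted); the function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): find the pre-filter SMTP session for a
# message whose only obvious log line is the pickup re-injection. The sample
# log is copied from the thread; addresses are elided as they were posted.

write_sample_log() {
    cat > "$1" <<'EOF'
Sep  6 17:35:22 cma postfix/smtpd[28457]: A792B105AF0: client=mail-ea0-f182.google.com[209.85.215.182]
Sep  6 17:35:22 cma postfix/cleanup[1067]: A792B105AF0: message-id=<5229E81C.6010202@...>
Sep  6 17:35:22 cma postfix/qmgr[19671]: A792B105AF0: from=<wiseadmin@...>, size=1808, nrcpt=1 (queue active)
Sep  6 17:35:28 cma postfix/pickup[810]: 718D9116266: uid=1018 from=<wiseadmin@...>
Sep  6 17:35:28 cma postfix/cleanup[1067]: 718D9116266: message-id=<5229E81C.6010202@...>
Sep  6 17:35:28 cma postfix/pipe[1069]: A792B105AF0: to=<user1@...>, relay=spamassassin, delay=8.3, delays=2.7/0/0/5.6, dsn=2.0.0, status=sent (delivered via spamassassin service)
Sep  6 17:35:28 cma postfix/qmgr[19671]: A792B105AF0: removed
Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: from=<wiseadmin@...>, size=2169, nrcpt=1 (queue active)
Sep  6 17:35:28 cma postfix/virtual[1068]: 718D9116266: to=<user1@...>, relay=virtual, delay=0.34, delays=0.29/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: removed
EOF
}

# Usage: find_smtp_client LOGFILE QUEUE_ID
# Given the queue ID logged by pickup, print the "client=" value of the smtpd
# session(s) that originally accepted the same Message-ID, one per line.
# Returns 1 if the queue ID has no cleanup/message-id line at all.
find_smtp_client() {
    log=$1; qid=$2
    msgid=$(sed -n "s/.*cleanup\[[0-9]*\]: $qid: message-id=\(<[^>]*>\).*/\1/p" "$log" | head -n 1)
    [ -n "$msgid" ] || return 1
    # Every queue ID that carried that Message-ID, minus the one we started from.
    grep -F "message-id=$msgid" "$log" \
        | sed -n 's/.*cleanup\[[0-9]*\]: \([0-9A-F]*\): .*/\1/p' \
        | while read -r other; do
            [ "$other" = "$qid" ] && continue
            sed -n "s/.*smtpd\[[0-9]*\]: $other: client=\(.*\)$/\1/p" "$log"
          done
}

# Stand-alone run against the sample log.
tmp=$(mktemp)
write_sample_log "$tmp"
find_smtp_client "$tmp" 718D9116266
rm -f "$tmp"
```

Against a real /var/log/mail.log the same two greps work by hand: grep the pickup queue ID for its message-id, grep that message-id for the other queue ID, then grep that one for client=. If the second grep finds no smtpd session at all, the message really was submitted locally and the "buggy web application" theory is back on the table.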
                        • Stan Hoeppner
                          Message 12 of 14 , Sep 6, 2013
                            On 9/6/2013 9:05 AM, Wietse Venema wrote:
                            > Wijatmoko U. Prayitno:
                            >> On Fri, 06 Sep 2013 16:43:27 +0300
                            >> wiseadmin <wiseadmin@...> wrote:
                            >>
                            >>> and the same message from postfix logs:
                            >>>
                            >>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
                            >> The email came from local user uid 1018 (service pickup).
                            >
                            > Good observation. This message did not come via SMTP. You have
                            > a buggy web application.

                            The default spamassassin spamc/spamd install on many OSes defaults to
                            reinjecting via pickup. I have the same setup. This isn't the problem.

                            The problem is "Nigerian 419" from 41.0.0.0/8. Block this class A net
                            in a CIDR table and this problem is solved, unless you are in Africa and
                            need to accept email from Africa. I've been blocking this /8 basically
                            forever. I also take the extra step of rejecting any connection that
                            has 41/8 in the headers.

                            --
                            Stan
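Stan's CIDR block together with the check wiseadmin asked for in message 5 (reject mail from outside that carries a local address in the From: header), as an added example that is not from the thread. The reason the access_sender entry never fired is that check_sender_access looks at the envelope sender, which here is strongestv0@..., not at the From: header; the header is only reachable through header_checks. The domain example.ro, the file names, the weights and the target directory are assumptions; the function writes fragments, it does not touch /etc/postfix.

```sh
#!/bin/sh
# Added example (not from the thread). Writes: a CIDR client map that rejects
# 41.0.0.0/8 at connect time, a PCRE header_checks map that rejects the local
# domain in From:, and the main.cf / master.cf lines that wire them in.
# LOCAL_DOMAIN and the target directory are assumptions.

LOCAL_DOMAIN=${LOCAL_DOMAIN:-example.ro}

write_reject_maps() {
    dir=$1

    # cidr: tables are read directly by Postfix; no postmap needed.
    cat > "$dir/client.cidr" <<'EOF'
# check_client_access cidr:/etc/postfix/client.cidr
41.0.0.0/8      REJECT Mail from this network is not accepted here
EOF

    # header_checks sees message headers, not the SMTP client, so the same
    # rule would hit your own users unless their path opts out (master.cf).
    dom_re=$(printf '%s' "$LOCAL_DOMAIN" | sed 's/\./\\./g')
    {
        printf '# header_checks = pcre:/etc/postfix/header_checks.pcre\n'
        printf '/^From:.*@%s\\b/  REJECT Forged local sender in From: header\n' "$dom_re"
    } > "$dir/header_checks.pcre"

    cat > "$dir/main.cf.fragment" <<'EOF'
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/client.cidr
header_checks = pcre:/etc/postfix/header_checks.pcre
EOF

    cat > "$dir/master.cf.fragment" <<'EOF'
# Own users authenticate on 587 and skip header_checks there.
submission inet n       -       -       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o receive_override_options=no_header_body_checks
# Mail re-injected by the spamc/sendmail filter enters through pickup: add
# these two options to your existing pickup line (as in FILTER_README) so the
# already-checked message is neither filtered nor header-checked a second time.
pickup    unix  n       -       -       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
EOF
}

# Stand-alone run: show the generated header_checks map.
tmp=$(mktemp -d)
write_reject_maps "$tmp"
cat "$tmp/header_checks.pcre"
rm -rf "$tmp"
```

Caveats a practitioner should weigh before turning the From: rule on: users who still submit on port 25 with SASL will have their own mail rejected until they move to 587, and legitimate third parties that preserve your users' From: (mailing lists, forwarders, some calendaring and ticketing systems) will be rejected as well; watch the reject lines in the log for a few days before going from WARN to REJECT.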
                          • FliedRice
                            Message 13 of 14 , Sep 6, 2013
                              Just a thought, In order to block more incoming spam you could add more rbl's
                              to your main.cf file.
                              I have spamassassin, but it's turned off in favor of the following smtpd
                              restrictions and domain blocking
                              in the plesk user interface, or filtering in the Cpanel interface. I have 2
                              servers which both use these restrictions:

                              smtpd_client_restrictions = permit_mynetworks,
                                  reject_rbl_client sbl.spamhaus.org,
                                  reject_rbl_client xbl.spamhaus.org,
                                  reject_rbl_client bl.spamcop.net,
                                  reject_rbl_client cbl.abuseat.org,
                                  reject_rbl_client dnsbl.mags.net,
                                  reject_rbl_client bl.mailspike.net,
                                  reject_rbl_client l2.apews.org,
                                  reject_rbl_client bl.tiopan.com,
                                  reject_rbl_client niku.2ch.net,
                                  reject_rbl_client bl.spameatingmonkey.net

                              I ended up choosing these over time as I get a lot of spam emails, (because
                              I send a lot of emails).
                              I started with a couple, but when one email got thru I would check the dbl
                              listings to see who might be blocking the one that got thru. I would then
                              add a rbl client that I found was blocking the sender who had just spammed me.

                              Here is a large MultiRbl List <http://multirbl.valli.org> if you want to
                              test any email IP's that are sending emails to domains on your server.

                              And if you're not very concerned about blocking incoming emails but want to
                              block more try:
                              reject_rbl_client blackholes.five-ten-sg.com
                              It seems to be ok with the large domain ISP's, but it's bullish on
                              everything else.



                              --
                              View this message in context: http://postfix.1071664.n5.nabble.com/spam-headers-from-ME-to-ME-but-different-anvelope-sender-tp61232p61250.html
                              Sent from the Postfix Users mailing list archive at Nabble.com.
                            • Jeroen Geilman
                              Message 14 of 14 , Sep 11, 2013
                                On 09/07/2013 05:19 AM, FliedRice wrote:
                                > Just a thought, In order to block more incoming spam you could add more rbl's
                                > to your main.cf file.
                                > I have spamassassin, but it's turned off in favor of the following smtpd
                                > restrictions and domain blocking
                                > in the plesk user interface, or filtering in the Cpanel interface. I have 2
                                > servers which both use these restrictions:
                                >
                                > smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
                                > sbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org,

                                That's all zen now.
                                > reject_rbl_client
                                > bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client
                                > dnsbl.mags.net, reject_rbl_client bl.mailspike.net, reject_rbl_client
                                > l2.apews.org, reject_rbl_client bl.tiopan.com, reject_rbl_client
                                > niku.2ch.net, reject_rbl_client bl.spameatingmonkey.net

                                You would want to use postscreen(8) for that.
                                For starters, it does parallel lookups (which is faster) and maintains
                                its own cache (which is faster still.)
                                It also allows you to do weighted scoring for multiple DNSBLs (which
                                smtpd_client_restrictions does not.)

                                Available in postfix 2.8+ (which is over 2 years old)


                                --
                                J.
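Jeroen's suggestion in concrete form, as an added example that is not part of the thread: postscreen in front of smtpd, with the lists named above scored by weight instead of a chain of reject_rbl_client lookups, and a whitelist that subtracts. zen is listed once because it already covers sbl, xbl (which includes cbl) and pbl. The weights, the threshold and the target directory are assumptions; the function only writes fragments for you to merge.

```sh
#!/bin/sh
# Added example (not from the thread): postscreen with weighted DNSBL scoring
# (Postfix 2.8+). Weights, threshold and target directory are assumptions.

write_postscreen_fragments() {
    dir=$1

    cat > "$dir/main.cf.fragment" <<'EOF'
# zen.spamhaus.org already aggregates sbl + xbl (cbl) + pbl: list it once.
# A client is rejected when the sum of weights reaches the threshold, so one
# weak list cannot reject on its own while a strong one can; the dnswl entry
# carries a negative weight and pulls known-good senders back under it.
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.spamcop.net*2
    bl.mailspike.net*2
    b.barracudacentral.org*2
    list.dnswl.org=127.0.[0..255].[1..3]*-3
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
# Clients that start talking before the banner are spambots; reject them too.
postscreen_greet_action = enforce
# Clients that pass are cached, which is what makes the next connection cheap.
postscreen_cache_map = btree:$data_directory/postscreen_cache
EOF

    cat > "$dir/master.cf.fragment" <<'EOF'
# Port 25 is now owned by postscreen; surviving clients are handed to smtpd.
# Move any "-o" options from your old "smtp inet" line onto the "smtpd pass"
# line. Leave submission alone: postscreen is for unauthenticated MX traffic.
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
dnsblog   unix  -       -       -       -       0       dnsblog
tlsproxy  unix  -       -       -       -       0       tlsproxy
EOF
}

# Stand-alone run: show the generated main.cf fragment.
tmp=$(mktemp -d)
write_postscreen_fragments "$tmp"
cat "$tmp/main.cf.fragment"
rm -rf "$tmp"
```

One caveat: postscreen_dnsbl_action=enforce still lets the client through HELO and MAIL FROM and rejects at RCPT TO, so you will see the rejects logged by postscreen rather than smtpd; grep for "postscreen" when checking whether a list is doing useful work before raising its weight.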