Re: spam - headers: from ME to ME, but different envelope sender

  • wiseadmin
    Message 1 of 14 , Sep 6 7:43 AM
      All emails are received through smtp and then they are passed to spamd, inspected and delivered.
      If I say something stupid, please excuse me, I am experienced with linux and networking in general but not with postfix and email servers.

      I sent an email to myself and grep in the logs.

      yadmin@cma:~$ egrep '718D9116266|A792B105AF0' /var/log/mail.log
      Sep  6 17:35:22 cma postfix/smtpd[28457]: A792B105AF0: client=mail-ea0-f182.google.com[209.85.215.182]
      Sep  6 17:35:22 cma postfix/cleanup[1067]: A792B105AF0: message-id=<5229E81C.6010202@...>
      Sep  6 17:35:22 cma postfix/qmgr[19671]: A792B105AF0: from=<wiseadmin@...>, size=1808, nrcpt=1 (queue active)
      Sep  6 17:35:28 cma postfix/pickup[810]: 718D9116266: uid=1018 from=<wiseadmin@...>
      Sep  6 17:35:28 cma postfix/cleanup[1067]: 718D9116266: message-id=<5229E81C.6010202@...>
      Sep  6 17:35:28 cma postfix/pipe[1069]: A792B105AF0: to=<user1@...>, relay=spamassassin, delay=8.3, delays=2.7/0/0/5.6, dsn=2.0.0, status=sent (delivered via spamassassin service)
      Sep  6 17:35:28 cma postfix/qmgr[19671]: A792B105AF0: removed
      Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: from=<wiseadmin@...>, size=2169, nrcpt=1 (queue active)
      Sep  6 17:35:28 cma postfix/virtual[1068]: 718D9116266: to=<user1@...>, relay=virtual, delay=0.34, delays=0.29/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
      Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: removed

      On 09/06/2013 05:10 PM, Wijatmoko U. Prayitno wrote:
      > On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
      > wietse@... (Wietse Venema) wrote:
      >
      >>>> /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
      >>>
      >>> The email came from local user uid 1018 (service pickup).
      >>
      >> Good observation. This message did not come via SMTP. You have
      >> a buggy web application.
      >
      > Maybe spamd is listening on all interfaces, so it is open
      > to the whole internet.
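      The distinction the thread turns on is whether a queue ID entered Postfix through smtpd (a network client) or through pickup (local submission via the sendmail interface). With a spamc/spamd content filter, one message legitimately produces both: the original smtpd queue ID is delivered to `relay=spamassassin`, and a second queue ID with the same Message-ID is picked up from the filter. A message that shows up only via pickup, with no matching smtpd session, is the case Wietse describes. The script below is an added example written for this thread, not code from Postfix or from any of the posters; it correlates the two queue IDs by Message-ID. The sample log is constructed after the lines quoted above, with the elided addresses replaced by `example.invalid` and two extra lines added for a pickup-only message.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the thread. The last
# two lines are added to show a message that entered ONLY via pickup.
SAMPLE_LOG = """\
Sep  6 17:35:22 cma postfix/smtpd[28457]: A792B105AF0: client=mail-ea0-f182.google.com[209.85.215.182]
Sep  6 17:35:22 cma postfix/cleanup[1067]: A792B105AF0: message-id=<5229E81C.6010202@example.invalid>
Sep  6 17:35:22 cma postfix/qmgr[19671]: A792B105AF0: from=<wiseadmin@example.invalid>, size=1808, nrcpt=1 (queue active)
Sep  6 17:35:28 cma postfix/pickup[810]: 718D9116266: uid=1018 from=<wiseadmin@example.invalid>
Sep  6 17:35:28 cma postfix/cleanup[1067]: 718D9116266: message-id=<5229E81C.6010202@example.invalid>
Sep  6 17:35:28 cma postfix/pipe[1069]: A792B105AF0: to=<user1@example.invalid>, relay=spamassassin, delay=8.3, delays=2.7/0/0/5.6, dsn=2.0.0, status=sent (delivered via spamassassin service)
Sep  6 17:35:28 cma postfix/qmgr[19671]: A792B105AF0: removed
Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: from=<wiseadmin@example.invalid>, size=2169, nrcpt=1 (queue active)
Sep  6 17:35:28 cma postfix/virtual[1068]: 718D9116266: to=<user1@example.invalid>, relay=virtual, delay=0.34, delays=0.29/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: removed
Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@example.invalid>
Sep  5 17:10:06 cma postfix/cleanup[17511]: A3E8C10BADF: message-id=<constructed-0001@example.invalid>
"""

# One syslog line from Postfix: timestamp, host, "postfix/<daemon>[pid]: <queue id>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)


def parse_log(text):
    """Return {queue_id: record}; record notes how the queue ID entered Postfix,
    its Message-ID (from cleanup) and every relay it was handed to."""
    queue = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = queue.setdefault(m["qid"], {"entry": None, "client": None, "uid": None,
                                           "message_id": None, "relays": []})
        prog, rest = m["prog"], m["rest"]
        if prog == "smtpd" and rest.startswith("client="):
            rec["entry"] = "smtpd"            # came in over the network
            rec["client"] = rest[len("client="):]
        elif prog == "pickup":
            rec["entry"] = "pickup"           # came in via the sendmail(1) interface
            um = re.search(r"uid=(\d+)", rest)
            rec["uid"] = int(um.group(1)) if um else None
        elif prog == "cleanup":
            mm = re.search(r"message-id=(<[^>]*>)", rest)
            if mm:
                rec["message_id"] = mm.group(1)
        else:
            rm = re.search(r"relay=([^,]+)", rest)
            if rm:
                rec["relays"].append(rm.group(1))
    return queue


def classify(queue):
    """Group queue IDs by Message-ID and state the real entry point of each message."""
    by_mid = defaultdict(list)
    for qid, rec in queue.items():
        by_mid[rec["message_id"]].append((qid, rec))
    verdicts = {}
    for mid, entries in by_mid.items():
        via_smtp = [r for _, r in entries if r["entry"] == "smtpd"]
        via_pickup = [r for _, r in entries if r["entry"] == "pickup"]
        if via_smtp and via_pickup and any("spamassassin" in r["relays"] for r in via_smtp):
            # Normal content-filter round trip: smtpd -> spamassassin -> sendmail -> pickup
            verdicts[mid] = "smtp origin, reinjected via pickup after content filter"
        elif via_smtp:
            verdicts[mid] = "smtp origin"
        elif via_pickup:
            uids = sorted({r["uid"] for r in via_pickup})
            verdicts[mid] = (f"local origin only: submitted by uid {uids} via sendmail/pickup, "
                             "no smtpd session for this Message-ID")
        else:
            verdicts[mid] = "unknown entry point"
    return verdicts


if __name__ == "__main__":
    for mid, verdict in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{mid}: {verdict}")
```

      Run against a real `/var/log/mail.log`, the "local origin only" verdicts are the ones to look at: they name the uid whose sendmail submissions have no network session behind them, which points at the local process (here the web application) that is generating the mail.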
      
      

    • Noel Jones
      Message 2 of 14 , Sep 6 8:10 AM
        On 9/6/2013 9:05 AM, Wietse Venema wrote:
        > Wijatmoko U. Prayitno:
        >> On Fri, 06 Sep 2013 16:43:27 +0300
        >> wiseadmin <wiseadmin@...> wrote:
        >>
        >>> and the same message from postfix logs:
        >>>
        >>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
        >> The email came from local user uid 1018 (service pickup).
        >
        > Good observation. This message did not come via SMTP. You have
        > a buggy web application.
        >
        > Wietse
        >


        The OP has a basic content filter that passes through spamd then back
        to postfix via the sendmail interface. He's only shown us the
        post-filter logging.

        Wijatmoko, could you put a sample of the spam, including all
        headers, on pastebin.com or similar where we can see it?



        -- Noel Jones
      • Stan Hoeppner
        Message 3 of 14 , Sep 6 9:33 AM
          On 9/6/2013 9:05 AM, Wietse Venema wrote:
          > Wijatmoko U. Prayitno:
          >> On Fri, 06 Sep 2013 16:43:27 +0300
          >> wiseadmin <wiseadmin@...> wrote:
          >>
          >>> and the same message from postfix logs:
          >>>
          >>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
          >> The email came from local user uid 1018 (service pickup).
          >
          > Good observation. This message did not come via SMTP. You have
          > a buggy web application.

          The default spamassassin spamc/spamd install on many OSes defaults to
          reinjecting via pickup. I have the same setup. This isn't the problem.

          The problem is "Nigerian 419" from 41.0.0.0/8. Block this class A net
          in a CIDR table and this problem is solved, unless you are in Africa and
          need to accept email from Africa. I've been blocking this /8 basically
          forever. I also take the extra step of rejecting any connection that
          has 41/8 in the headers.

          --
          Stan
        • FliedRice
          Message 4 of 14 , Sep 6 8:19 PM
            Just a thought, In order to block more incoming spam you could add more rbl's
            to your main.cf file.
            I have spamassassin, but it's turned off in favor of the following smtpd
            restrictions and domain blocking
            in the plesk user interface, or filtering in the Cpanel interface. I have 2
            servers which both use these restrictions:

            smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
            sbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org, reject_rbl_client
            bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client
            dnsbl.mags.net, reject_rbl_client bl.mailspike.net, reject_rbl_client
            l2.apews.org, reject_rbl_client bl.tiopan.com, reject_rbl_client
            niku.2ch.net, reject_rbl_client bl.spameatingmonkey.net

            I ended up choosing these over time as I get a lot of spam emails (because
            I send a lot of emails).
            I started with a couple, but when one email got thru I would check the dbl
            listings to see who might be blocking the one that got thru. I would then
            add a rbl client that I found was blocking the sender who had just spammed me.

            Here is a large MultiRbl List <http://multirbl.valli.org> if you want to
            test any email IP's that are sending emails to domains on your server.

            And if you're not very concerned about blocking incoming emails but want to
            block more try:
            reject_rbl_client blackholes.five-ten-sg.com
            It seems to be ok with the large domain ISP's, but it's bullish on
            everything else.



            -----
            Free English
            & Spanish
            Ecards for Birthdays, Christmas , holidays, Valentines , Love , & just because!
          • Jeroen Geilman
            Message 5 of 14 , Sep 11 11:08 AM
              On 09/07/2013 05:19 AM, FliedRice wrote:
              > Just a thought, In order to block more incoming spam you could add more rbl's
              > to your main.cf file.
              > I have spamassassin, but it's turned off in favor of the following smtpd
              > restrictions and domain blocking
              > in the plesk user interface, or filtering in the Cpanel interface. I have 2
              > servers which both use these restrictions:
              >
              > smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
              > sbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org,

              That's all zen now.
              > reject_rbl_client
              > bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client
              > dnsbl.mags.net, reject_rbl_client bl.mailspike.net, reject_rbl_client
              > l2.apews.org, reject_rbl_client bl.tiopan.com, reject_rbl_client
              > niku.2ch.net, reject_rbl_client bl.spameatingmonkey.net

              You would want to use postscreen(8) for that.
              For starters, it does parallel lookups (which is faster) and maintains
              its own cache (which is faster still.)
              It also allows you to do weighted scoring for multiple DNSBLs (which
              smtpd_client_restrictions does not.)

              Available in postfix 2.8+ (which is over 2 years old)


              --
              J.
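              The difference between the two approaches in this thread (FliedRice's chain of `reject_rbl_client` entries in `smtpd_client_restrictions`, and Jeroen's pointer to postscreen) is the decision rule: smtpd walks the list one zone at a time and rejects at the first hit, while postscreen queries every zone in `postscreen_dnsbl_sites`, adds up the per-zone weights given with the `zone*weight` syntax, and rejects only when the sum reaches `postscreen_dnsbl_threshold`. The script below is an added example written for this thread, not Postfix code or anything posted by the participants; it models both rules offline. The zone names are the ones mentioned in the thread plus `list.dnswl.org` as an allowlist with a negative weight; the weights, the threshold of 3 (postscreen's default is 1) and the table of DNS answers are constructed so the example runs without network access. Real postscreen issues its lookups in parallel and caches the results; this model does them sequentially because only the scoring is being shown.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# postscreen_dnsbl_sites syntax: "zone*weight", weight defaults to 1, negative
# weights act as allowlists. Weights and threshold are constructed for this example.
POSTSCREEN_SITES = "zen.spamhaus.org*3, bl.spamcop.net*2, bl.mailspike.net, list.dnswl.org*-5"
POSTSCREEN_THRESHOLD = 3  # postscreen_dnsbl_threshold (Postfix default is 1)

# Sequential list in the style of the reject_rbl_client chain quoted in the thread.
REJECT_RBL_ZONES = ["sbl.spamhaus.org", "xbl.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org"]

Lookup = Callable[[str], Optional[str]]


def parse_sites(spec: str) -> List[Tuple[str, int]]:
    """Parse 'zone*weight, zone, ...' into (zone, weight) pairs."""
    sites = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        zone, _, weight = item.partition("*")
        sites.append((zone, int(weight) if weight else 1))
    return sites


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL query name: the client address with its labels reversed, then the zone.
    ipaddress gives '7.113.0.203.in-addr.arpa' (or the nibble form ending in
    'ip6.arpa'); the last two labels are dropped and the zone appended."""
    rp = ipaddress.ip_address(ip).reverse_pointer
    reversed_labels = rp.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


# Constructed stand-in for DNS: query name -> A record answer. Absent = not listed.
CONSTRUCTED_ANSWERS: Dict[str, str] = {
    dnsbl_query_name("203.0.113.7", "zen.spamhaus.org"): "127.0.0.4",
    dnsbl_query_name("203.0.113.7", "bl.spamcop.net"): "127.0.0.2",
    dnsbl_query_name("198.51.100.9", "bl.mailspike.net"): "127.0.0.2",
    dnsbl_query_name("198.51.100.9", "list.dnswl.org"): "127.0.5.1",
}


def offline_lookup(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


def reject_rbl_client(ip: str, zones: List[str] = REJECT_RBL_ZONES,
                      lookup: Lookup = offline_lookup) -> Optional[str]:
    """smtpd_client_restrictions semantics: one lookup after another, reject on the
    first zone that answers. Returns the zone that caused the reject, or None."""
    for zone in zones:
        if lookup(dnsbl_query_name(ip, zone)) is not None:
            return zone
    return None


def postscreen_score(ip: str, sites: Optional[List[Tuple[str, int]]] = None,
                     lookup: Lookup = offline_lookup,
                     threshold: int = POSTSCREEN_THRESHOLD):
    """postscreen semantics: query every zone, sum the weights of the hits, reject
    when the total reaches the threshold. Returns (verdict, score, hits)."""
    sites = parse_sites(POSTSCREEN_SITES) if sites is None else sites
    score, hits = 0, []
    for zone, weight in sites:
        answer = lookup(dnsbl_query_name(ip, zone))
        if answer is not None:
            score += weight
            hits.append((zone, answer, weight))
    verdict = "reject" if score >= threshold else "accept"
    return verdict, score, hits


if __name__ == "__main__":
    for client in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(client, "reject_rbl_client ->", reject_rbl_client(client),
              "| postscreen ->", postscreen_score(client)[:2])
```

              The second client shows why weighting matters: it is listed in one blocklist, so the sequential rule would reject it if that zone were in the chain, but the allowlist entry pulls its postscreen score to -4 and it is accepted. Per-zone weights also let a single aggregate zone such as zen.spamhaus.org carry more weight than a lower-confidence list without adding more lookups per connection.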