spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread wiseadmin

  
  

Hello,
I have had a postfix server for many years. The anti-spam filters were ok, I got in general just a couple of spams per day.

Since a month or so, I have started getting more than 100 spams per day for every user on a specific account/domain. These spams all look the same or are very similar. The situation is practically unmanageable. I wanted to reject these emails using postfix but I couldn't. I set up SpamAssassin and it catches 99% of them.

I want somehow to reject them before delivery and not after, like SA does. I am not pleased with this SA solution.

Maybe you could help, I wrote also on other forums but with no results. You are my last hope, and I'm not kidding :))




#postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = mail.xxx.ro, ns2.yyy.ro, localhost
myhostname = mail.xxx.ro
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname permit
smtpd_recipient_restrictions = reject_non_fqdn_sender
    reject_non_fqdn_recipient permit_mynetworks
    permit_sasl_authenticated reject_unauth_destination
    reject_sender_login_mismatch reject_invalid_hostname
    reject_unknown_sender_domain reject_unknown_recipient_domain
    reject_unverified_recipient reject_unlisted_recipient
    reject_invalid_helo_hostname
    check_sender_access hash:/etc/postfix/access_sender
    check_helo_access pcre:/etc/postfix/helo_checks
    reject_unknown_sender_domain
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/valias.txt
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /etc/postfix/vhost.txt
virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
virtual_uid_maps = static:1000


About the spam:
- it comes from a specific sender to me (the envelope), but the headers are always from ME to ME.


 Original Message 
Return-Path:     
X-Original-To:     off...@mydomain.ro
Delivered-To:     off...@mydomain.ro
Received:     by mail.mydomain.ro (Postfix, from userid 1018) id A3E8C10BADF; Thu, 5 Sep 2013 17:10:06 +0300 (EEST)
X-Spam-Checker-Version:     SpamAssassin 3.3.2 (2011-06-06) on cma.cma.ro
X-Spam-Flag:     YES
X-Spam-Level:     **
X-Spam-Status:     Yes, score=22.8 required=5.0 tests=FILL_THIS_FORM,FILL_THIS_FORM_LONG,KB_DATE_CONTAINS_TAB,KB_FAKED_THE_BAT,RCVD_IN_BRBL_LASTEXT,RCVD_IN_XBL,RDNS_NONE,SPF_HELO_SOFTFAIL,TAB_IN_FROM,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_PH_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.3.2
X-Spam-Report:
 * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
 *     [URIs: evropa-career.com]
 * 0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *     [41.66.194.98 listed in zen.spamhaus.org]
 * 0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
 * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *     [URIs: evropa-career.com]
 * 0.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
 *     [URIs: evropa-career.com]
 * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *     [URIs: evropa-career.com]
 * 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
 *     [URIs: evropa-career.com]
 * 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
 *     [41.66.194.98 listed in bb.barracudacentral.org]
 * 0.5 TAB_IN_FROM From starts with a tab
 * 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB
 * 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
 * 3.4 KB_FAKED_THE_BAT KB_FAKED_THE_BAT
 * 0.0 FILL_THIS_FORM Fill in a form with personal information
 * 3.5 FILL_THIS_FORM_LONG Fill in a form with personal informatio

Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread Wietse Venema
wiseadmin:
>   I have a postfix server for
>   many years. The anti-spam filters were ok, I got in general just a
>   couple of spams per day.
>   
>   Since a month or so, I start getting
>   more than 100 spams for every user on a specific account/domain
>   per
>   day.  These spams look all the same or are very similar. 
>   The
>   situation is practically unmanageable. I wanted to reject these
>   emails using postfix but I couldn't. I set up SpamAssassin and it
>   catch 99% from them.

To block mail during the SMTP session, you need to configure Postfix
with a before-queue filter such as amavisd-new which can integrate
SpamAssassin into Postfix.

http://www.ijs.si/software/amavisd/

Wietse


Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread Wijatmoko U. Prayitno
On Fri, 06 Sep 2013 16:43:27 +0300
wiseadmin  wrote:

> and the same message from postfix logs:
> 
> /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: 
> uid=1018 from=
The email came from local user uid 1018 (service pickup).

-- 
 WUP


Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread wiseadmin

And what does it mean?

uid 1018 is the user under which spamd runs.

#grep 1018 /etc/passwd
spamd:x:1018:1019::/home/spamd:/bin/bash

I don't know how to interpret the fact that it comes from the pickup
service. Is my server compromised?


Thanks.

On 09/06/2013 04:51 PM, Wijatmoko U. Prayitno wrote:
> On Fri, 06 Sep 2013 16:43:27 +0300
> wiseadmin  wrote:
> 
> > and the same message from postfix logs:
> > 
> > /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=
> The email came from local user uid 1018 (service pickup).


Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread wiseadmin
Ok, this is a solution. I tried to avoid this because it consumes some 
resources.


I have problems ONLY with this specific spam.

I am trying to find out if there is something like this:
- reject all emails that come from a different server to my server and 
have a local address (on my server) in the From: header.


In /etc/postfix/access_sender I have:

mydomain    REJECT  Illegal domain

It doesn't work.



On 09/06/2013 04:51 PM, Wietse Venema wrote:
> wiseadmin:
> >   I have a postfix server for
> >   many years. The anti-spam filters were ok, I got in general just a
> >   couple of spams per day.
> >   
> >   Since a month or so, I start getting
> >   more than 100 spams for every user on a specific account/domain
> >   per
> >   day.  These spams look all the same or are very similar. 
> >   The
> >   situation is practically unmanageable. I wanted to reject these
> >   emails using postfix but I couldn't. I set up SpamAssassin and it
> >   catch 99% from them.
> 
> To block mail during the SMTP session, you need to configure Postfix
> with a before-queue filter such as amavisd-new which can integrate
> SpamAssassin into Postfix.
> 
> http://www.ijs.si/software/amavisd/
> 
> Wietse





Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread Wietse Venema
Wijatmoko U. Prayitno:
> On Fri, 06 Sep 2013 16:43:27 +0300
> wiseadmin  wrote:
> 
> > and the same message from postfix logs:
> > 
> > /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: 
> > uid=1018 from=
> The email came from local user uid 1018 (service pickup).

Good observation. This message did not come via SMTP. You have
a buggy web application.

Wietse


Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread Tonu Samuel
On Fri, 2013-09-06 at 21:10 +0700, Wijatmoko U. Prayitno wrote:
> On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
> wie...@porcupine.org (Wietse Venema) wrote:
> 
> >>> /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: 
> >>> A3E8C10BADF: uid=1018 from=
> >> The email came from local user uid 1018 (service pickup).
> > 
> > Good observation. This message did not come via SMTP. You have
> > a buggy web application.
> > 
> Maybe the spamd are listen on all interface, so it opened
> to the whole internet.
> 

spamd deserves his name this time :)

  Tõnu



Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread wiseadmin
I installed SA last week and I started to receive these spams 1-2 months 
ago.


# netstat -tupan | grep spam
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      27752/spamd.pid



What tests should I do next?

This is a production server, I'm starting to become afraid.


How was the email received, if not via SMTP??


On 09/06/2013 05:10 PM, Wijatmoko U. Prayitno wrote:
> On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
> wie...@porcupine.org (Wietse Venema) wrote:
> 
> >>> /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=
> >> The email came from local user uid 1018 (service pickup).
> > 
> > Good observation. This message did not come via SMTP. You have
> > a buggy web application.
> > 
> Maybe the spamd are listen on all interface, so it opened
> to the whole internet.



Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread Wijatmoko U. Prayitno
On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
wie...@porcupine.org (Wietse Venema) wrote:

>>> /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: 
>>> uid=1018 from=
>> The email came from local user uid 1018 (service pickup).
> 
> Good observation. This message did not come via SMTP. You have
> a buggy web application.
> 
Maybe spamd is listening on all interfaces, so it is open
to the whole internet.

-- 
 WUP


Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread wiseadmin

  
  
All emails are received through smtp and then they are passed to
spamd, inspected and delivered.
If I say something stupid, please excuse me; I am experienced with
linux and networking in general but not with postfix and email
servers.

I sent an email to myself and grepped the logs.

yadmin@cma:~$ egrep '718D9116266|A792B105AF0' /var/log/mail.log
Sep  6 17:35:22 cma postfix/smtpd[28457]: A792B105AF0: client=mail-ea0-f182.google.com[209.85.215.182]
Sep  6 17:35:22 cma postfix/cleanup[1067]: A792B105AF0: message-id=<5229e81c.6010...@gmail.com>
Sep  6 17:35:22 cma postfix/qmgr[19671]: A792B105AF0: from=, size=1808, nrcpt=1 (queue active)
Sep  6 17:35:28 cma postfix/pickup[810]: 718D9116266: uid=1018 from=
Sep  6 17:35:28 cma postfix/cleanup[1067]: 718D9116266: message-id=<5229e81c.6010...@gmail.com>
Sep  6 17:35:28 cma postfix/pipe[1069]: A792B105AF0: to=, relay=spamassassin, delay=8.3, delays=2.7/0/0/5.6, dsn=2.0.0, status=sent (delivered via spamassassin service)
Sep  6 17:35:28 cma postfix/qmgr[19671]: A792B105AF0: removed
Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: from=, size=2169, nrcpt=1 (queue active)
Sep  6 17:35:28 cma postfix/virtual[1068]: 718D9116266: to=, relay=virtual, delay=0.34, delays=0.29/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
Sep  6 17:35:28 cma postfix/qmgr[19671]: 718D9116266: removed

On 09/06/2013 05:10 PM, Wijatmoko U. Prayitno wrote:
> On Fri, 6 Sep 2013 10:05:49 -0400 (EDT)
> wie...@porcupine.org (Wietse Venema) wrote:
> 
> >>> /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=
> >> The email came from local user uid 1018 (service pickup).
> > 
> > Good observation. This message did not come via SMTP. You have
> > a buggy web application.
> > 
> Maybe the spamd are listen on all interface, so it opened
> to the whole internet.


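The log in this post shows the pair that matters for the question: A792B105AF0 arrived via smtpd, was handed to the spamassassin pipe, and came back through pickup as 718D9116266 with the same message-id. The script below is an added example, not code from the thread, that correlates such pairs over a constructed log sample, so a pickup message that merely re-injects an SMTP arrival is told apart from one injected locally with no SMTP origin at all. The hostnames, addresses and the second message-id are constructed.

```python
import re

# Constructed sample log (not from the thread): A792B105AF0 arrives via smtpd, is piped to
# spamassassin and re-injected via pickup as 718D9116266; A3E8C10BADF has no SMTP arrival.
SAMPLE_LOG = """\
Sep  6 17:35:22 cma postfix/smtpd[28457]: A792B105AF0: client=mail-ea0-f182.google.com[209.85.215.182]
Sep  6 17:35:22 cma postfix/cleanup[1067]: A792B105AF0: message-id=<5229e81c.6010@example.com>
Sep  6 17:35:22 cma postfix/qmgr[19671]: A792B105AF0: from=<sender@example.com>, size=1808, nrcpt=1 (queue active)
Sep  6 17:35:28 cma postfix/pickup[810]: 718D9116266: uid=1018 from=<sender@example.com>
Sep  6 17:35:28 cma postfix/cleanup[1067]: 718D9116266: message-id=<5229e81c.6010@example.com>
Sep  6 17:35:28 cma postfix/pipe[1069]: A792B105AF0: to=<office@example.org>, relay=spamassassin, dsn=2.0.0, status=sent (delivered via spamassassin service)
Sep  6 17:35:28 cma postfix/virtual[1068]: 718D9116266: to=<office@example.org>, relay=virtual, dsn=2.0.0, status=sent (delivered to maildir)
Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<office@example.org>
Sep  5 17:10:06 cma postfix/cleanup[17511]: A3E8C10BADF: message-id=<constructed-id@localhost>
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ postfix/(?P<svc>\w+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")

def parse(log):
    """Group lines by queue id; record the injecting service, its detail and the message-id."""
    msgs = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a per-message Postfix line
        q, svc, rest = msgs.setdefault(m["qid"], {}), m["svc"], m["rest"]
        if svc in ("smtpd", "pickup") and "origin" not in q:
            q["origin"], q["detail"] = svc, rest.split(",")[0]   # client=... or uid=...
        elif svc == "cleanup" and rest.startswith("message-id="):
            q["message_id"] = rest[len("message-id="):]
        elif "relay=spamassassin" in rest:
            q["filtered"] = True          # handed to the content-filter pipe
    return msgs

def classify_pickup(msgs):
    """Map each pickup-injected queue id to the smtpd queue id it re-injects (same
    message-id, already piped to spamassassin), or None when no SMTP origin exists."""
    by_mid = {q["message_id"]: qid for qid, q in msgs.items()
              if q.get("origin") == "smtpd" and q.get("filtered") and "message_id" in q}
    return {qid: by_mid.get(q.get("message_id"))
            for qid, q in msgs.items() if q.get("origin") == "pickup"}

if __name__ == "__main__":
    msgs = parse(SAMPLE_LOG)
    for pq, sq in classify_pickup(msgs).items():
        if sq:
            print(f"{pq}: content-filter re-injection of {sq} ({msgs[sq]['detail']})")
        else:
            print(f"{pq}: local injection ({msgs[pq]['detail']}) with no SMTP origin, investigate")
```

Run against a real mail.log the same way; a pickup entry with uid 1018 whose message-id never appeared in an smtpd-originated message is the case worth examining further.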

Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread Stan Hoeppner
On 9/6/2013 9:05 AM, Wietse Venema wrote:
> Wijatmoko U. Prayitno:
>> On Fri, 06 Sep 2013 16:43:27 +0300
>> wiseadmin  wrote:
>>
>>> and the same message from postfix logs:
>>>
>>> /var/log/mail.log.1:Sep  5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: 
>>> uid=1018 from=
>> The email came from local user uid 1018 (service pickup).
> 
> Good observation. This message did not come via SMTP. You have
> a buggy web application.

The default spamassassin spamc/spamd install on many OSes defaults to
reinjecting via pickup.  I have the same setup.  This isn't the problem.

The problem is "Nigerian 419" from 41.0.0.0/8.  Block this class A net
in a CIDR table and this problem is solved, unless you are in Africa and
need to accept email from Africa.  I've been blocking this /8 basically
forever.  I also take the extra step of rejecting any connection that
has 41/8 in the headers.

-- 
Stan



Re: spam - headers: from ME to ME, but different envelope sender

2013-09-06 Thread FliedRice
Just a thought, In order to block more incoming spam you could add more rbl's
to your main.cf file.
I have spamassassin, but it's turned off in favor of the following smtpd
restrictions and domain blocking
in the plesk user interface, or filtering in the Cpanel interface. I have 2
servers which both use these restrictions:

smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.mags.net,
    reject_rbl_client bl.mailspike.net,
    reject_rbl_client l2.apews.org,
    reject_rbl_client bl.tiopan.com,
    reject_rbl_client niku.2ch.net,
    reject_rbl_client bl.spameatingmonkey.net

I ended up choosing these over time as I get a lot of spam emails, (because
I send a lot of emails). 
I started with a couple, but when one email got thru I would check the dbl
listings to see who might be
blocking the one that got thru. I would then add a rbl client that I found
was blocking the sender
who had just spammed me.

Here is a large  MultiRbl List <http://multirbl.valli.org>   if you want to
test any email IP's that are sending emails to domains on your server.

And if you're not very concerned about blocking incoming emails but want to
block more try:
reject_rbl_client blackholes.five-ten-sg.com
It seems to be ok with the large domain ISP's, but it's bullish on
everything else.





Re: spam - headers: from ME to ME, but different envelope sender

2013-09-11 Thread Jeroen Geilman

On 09/07/2013 05:19 AM, FliedRice wrote:
> Just a thought, In order to block more incoming spam you could add more rbl's
> to your main.cf file.
> I have spamassassin, but it's turned off in favor of the following smtpd
> restrictions and domain blocking
> in the plesk user interface, or filtering in the Cpanel interface. I have 2
> servers which both use these restrictions:
> 
> smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
> sbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org,

That's all zen now.

> reject_rbl_client
> bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client
> dnsbl.mags.net, reject_rbl_client bl.mailspike.net, reject_rbl_client
> l2.apews.org, reject_rbl_client bl.tiopan.com, reject_rbl_client
> niku.2ch.net, reject_rbl_client bl.spameatingmonkey.net


You would want to use postscreen(8) for that.
For starters, it does parallel lookups (which is faster) and maintains 
its own cache (which is faster still.)
It also allows you to do weighted scoring for multiple DNSBLs (which 
smtpd_client_restrictions does not.)


Available in postfix 2.8+ (which is over 2 years old)


--
J.