On 19/03/16 21:47, @lbutlr wrote: > A user has been getting a lot of spam with headers that look something like > this: > > From: bos...@covisp.net, h...@covisp.net, restorat...@covisp.net
> Is it possible that amavisd is hitting an invalid From header like > “Bosely Hair Restoration” and adding a “@covisp.net” to each word? Much more likely it's your postfix trivial-rewrite daemon adding $mydomain during cleanup, either from the reinjection from amavis, or possibly the initial smtp connection. See man trivial-rewrite. It should be harmless, but you can stop it by overriding the value of local_header_rewrite_clients in your smtpd daemon (see appropriate section of postconf man page). If you never accept email from local users on that address:port, you can add "-o local_header_rewrite_clients=" in master.cf. On 19/03/16 22:01, @lbutlr wrote: > One other detail, these are emails that SHOULD be getting > quarantined. Here is one to that same user from a couple of days > ago: > > Mar 17 08:24:16 mail amavis[32815]: (32815-11) Passed SPAM > {RelayedOpenRelay,Quarantined}, [127.0.0.1] [92.63.96.246] > <cont...@aspmx3.incrustment.com> -> > <bac...@southgaylord.com>,<us...@sqldomain.tld>, quarantine: > spam-lNjPXhL4sHt2.gz, Message-ID: > <4045e937a81af6f206d718e539ed1...@gmx.com>, mail_id: lNjPXhL4sHt2, > Hits: 7.534, size: 2178, queued_as: 3qQrFr5PjgzpKv0, 1081 ms > > Could it be the always_bcc setting in postfix that is causing Amavisd > to error out? If so, how do I keep both the backup bcc and amavisd > happy? Don't really understand what you mean by "error out", and not sure if it's related to the first question. "RelayedOpenRelay" suggests to me that @local_domains_maps or @local_domains_acl might not include the real value of "sqldomain.tld". What are your settings for $final_spam_destiny and $sa_kill_level_deflt or $spam_kill_level_maps? Does the quarantine object spam-lNjPXhL4sHt2.gz exist (it probably does)? Which of the two destinations does it get delivered to? One guess would be that at least one of those destinations is in your $spam_lovers_maps. CK