Hi, I have a situation that is a little complicated. I receive emails from spammers that come with the name of one of my users, but the email address is not from my domain; they send it from a valid domain, which complies with SPF, DKIM, etc. Any idea that could help me adjust my SpamAssassin and stop this kind of mail? Has anyone had experience with this type of evasion?
My user is lvelasquez; attached is the trace:

Nov 27 03:21:07 scmspam postfix/smtpd[30321]: warning: hostname cloud.casasponty.com does not resolve to address 206.189.74.145: Name or service not known
Nov 27 03:21:07 scmspam postfix/smtpd[30321]: connect from unknown[206.189.74.145]
Nov 27 03:21:07 scmspam policyd-spf[30325]: None; identity=helo; client-ip=206.189.74.145; helo=cloud.casasponty.com; envelope-from=acha...@casasponty.com; receiver=lvelasq...@mydomain.com
Nov 27 03:21:07 scmspam policyd-spf[30325]: Pass; identity=mailfrom; client-ip=206.189.74.145; helo=cloud.casasponty.com; envelope-from=acha...@casasponty.com; receiver=lvelasq...@mydomain.com
Nov 27 03:21:07 scmspam postfix/smtpd[30322]: warning: hostname cloud.casasponty.com does not resolve to address 206.189.74.145: Name or service not known
Nov 27 03:21:07 scmspam postfix/smtpd[30322]: connect from unknown[206.189.74.145]
Nov 27 03:21:07 scmspam policyd-spf[30326]: None; identity=helo; client-ip=206.189.74.145; helo=cloud.casasponty.com; envelope-from=acha...@casasponty.com; receiver=yr...@mydomain.com
Nov 27 03:21:07 scmspam policyd-spf[30326]: Pass; identity=mailfrom; client-ip=206.189.74.145; helo=cloud.casasponty.com; envelope-from=acha...@casasponty.com; receiver=yr...@mydomain.com
Nov 27 03:21:08 scmspam postfix/smtpd[30321]: 2D19A1089D: client=unknown[206.189.74.145]
Nov 27 03:21:08 scmspam postfix/smtpd[30322]: 32F15108A7: client=unknown[206.189.74.145]
Nov 27 03:21:08 scmspam postfix/cleanup[30327]: 2D19A1089D: message-id=<18301625705448019599.084a539583f0b...@mydomain.com>
Nov 27 03:21:08 scmspam postfix/cleanup[30351]: 32F15108A7: message-id=<40635101623011819320.2fc59783b4b6f...@mydomain.com>
Nov 27 03:21:08 scmspam postfix/qmgr[24718]: 2D19A1089D: from=<acha...@casasponty.com>, size=127129, nrcpt=1 (queue active)
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) LMTP:[127.0.0.1]:10024 /var/amavis/tmp/amavis-20181127T031602-30276-giUj8Gm1: <acha...@casasponty.com> -> <lvelasq...@mydomain.com> SIZE=127129 Received: from scmspam.mydomain.com ([127.0.0.1]) by localhost (scmspam.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <lvelasq...@mydomain.com>; Tue, 27 Nov 2018 03:21:08 -0600 (CST)
Nov 27 03:21:08 scmspam postfix/qmgr[24718]: 32F15108A7: from=<acha...@casasponty.com>, size=127113, nrcpt=1 (queue active)
Nov 27 03:21:08 scmspam postfix/smtpd[30321]: disconnect from unknown[206.189.74.145] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) LMTP:[127.0.0.1]:10024 /var/amavis/tmp/amavis-20181127T031805-30291-C1blwKk0: <acha...@casasponty.com> -> <yr...@mydomain.com> SIZE=127113 Received: from scmspam.mydomain.com ([127.0.0.1]) by localhost (scmspam.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <yr...@mydomain.com>; Tue, 27 Nov 2018 03:21:08 -0600 (CST)
Nov 27 03:21:08 scmspam postfix/smtpd[30322]: disconnect from unknown[206.189.74.145] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) dkim: VALID Author+Sender+MailFrom signature by d=casasponty.com, From: <acha...@casasponty.com>, a=rsa-sha256, c=relaxed/relaxed, s=default, i=@casasponty.com
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) Checking: 1SgjFC6nhGVK [206.189.74.145] <acha...@casasponty.com> -> <lvelasq...@mydomain.com>
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) dkim: VALID Author+Sender+MailFrom signature by d=casasponty.com, From: <acha...@casasponty.com>, a=rsa-sha256, c=relaxed/relaxed, s=default, i=@casasponty.com
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p003 1 Content-Type: multipart/mixed
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p001 1/1 Content-Type: text/plain, size: 162 B, name:
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) Checking: 22udI1Q-h9lr [206.189.74.145] <acha...@casasponty.com> -> <yr...@mydomain.com>
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p002 1/2 Content-Type: application/msword, size: 90752 B, name: Contrato.doc
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p003 1 Content-Type: multipart/mixed
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p001 1/1 Content-Type: text/plain, size: 162 B, name:
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p002 1/2 Content-Type: application/msword, size: 90752 B, name: Contrato.doc
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) spam-tag, <acha...@casasponty.com> -> <yr...@mydomain.com>, No, score=4.673 tagged_above=-990 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RDNS_NONE=1.274, RELAYCOUNTRY_PK=3, RELAYCOUNTRY_US=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: connect from localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: B9B79108A8: client=localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/cleanup[30327]: B9B79108A8: message-id=<40635101623011819320.2fc59783b4b6f...@mydomain.com>
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) spam-tag, <acha...@casasponty.com> -> <lvelasq...@mydomain.com>, No, score=4.673 tagged_above=-990 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RDNS_NONE=1.274, RELAYCOUNTRY_PK=3, RELAYCOUNTRY_US=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Nov 27 03:21:10 scmspam postfix/smtpd[30257]: connect from localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/smtpd[30257]: BF820108A9: client=localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/cleanup[30351]: BF820108A9: message-id=<18301625705448019599.084a539583f0b...@mydomain.com>
Nov 27 03:21:10 scmspam postfix/qmgr[24718]: B9B79108A8: from=<acha...@casasponty.com>, size=127970, nrcpt=1 (queue active)
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) FWD from <acha...@casasponty.com> -> <yr...@mydomain.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B9B79108A8
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) Passed CLEAN {RelayedInbound}, [206.189.74.145]:50856 [117.20.31.98] <acha...@casasponty.com> -> <yr...@mydomain.com>, Queue-ID: 32F15108A7, Message-ID: <40635101623011819320.2fc59783b4b6f...@mydomain.com>, mail_id: 22udI1Q-h9lr, Hits: 4.673, size: 127112, queued_as: B9B79108A8, dkim_sd=default:casasponty.com, 2342 ms
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) TIMING-SA total 854 ms - parse: 18 (2.1%), extract_message_metadata: 62 (7.3%), get_uri_detail_list: 4.2 (0.5%), tests_pri_-1000: 106 (12.5%), tests_pri_-950: 4.5 (0.5%), tests_pri_-900: 2.1 (0.3%), tests_pri_-90: 4.3 (0.5%), tests_pri_0: 210 (24.6%), check_spf: 9 (1.1%), poll_dns_idle: 5 (0.6%), tests_pri_20: 201 (23.6%), check_razor2: 200 (23.4%), tests_pri_30: 210 (24.7%), check_pyzor: 209 (24.5%), tests_pri_500: 7 (0.8%), get_report: 0.47 (0.1%)
Nov 27 03:21:10 scmspam postfix/lmtp[30328]: 32F15108A7: to=<yr...@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9, delays=0.55/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B9B79108A8)
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) size: 127112, TIMING [total 2352 ms] - SMTP greeting: 2 (0%)0, SMTP LHLO: 0 (0%)0, SMTP pre-MAIL: 0 (0%)0, lookup_sql: 2 (0%)0, SMTP pre-DATA-flush: 1 (0%)0, SMTP DATA: 82 (3%)4, check_init: 1 (0%)4, digest_hdr: 13 (1%)4, digest_body_dkim: 24 (1%)5, gen_mail_id: 10 (0%)6, mime_decode: 38 (2%)7, get-file-type2: 28 (1%)9, parts_decode: 0 (0%)9, check_header: 1 (0%)9, AV-scan-1: 1193 (51%)59, spam-wb-list: 1 (0%)59, SA msg read: 1 (0%)59, SA parse: 18 (1%)60, SA check: 834 (35%)96, lookup_sql: 10 (0%)96, penpals_check: 9 (0%)96, decide_mail_destiny: 1 (0%)96, notif-quar: 4 (0%)97, fwd-connect: 9 (0%)97, fwd-mail-pip: 2 (0%)97, fwd-rcpt-pip: 0 (0%)97, fwd-data-chkpnt: 0 (0%)97, write-header: 1 (0%)97, fwd-data-contents: 7 (0%)97, fwd-end-chkpnt: 48 (2%)99, prepare-dsn: 1 (0%)99, main_log_entry: 5 (0%)100, sql-update: 5 (0%)100, update_snmp: 2 (0%)100, SMTP pre-response: 1 (0%)100, SMTP response: 0 (0%)100, unlink-3-files: 1 (0%)100, rundown: 1 (0%)100
Nov 27 03:21:10 scmspam postfix/qmgr[24718]: BF820108A9: from=<acha...@casasponty.com>, size=127996, nrcpt=1 (queue active)
Nov 27 03:21:10 scmspam postfix/smtpd[30257]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) FWD from <acha...@casasponty.com> -> <lvelasq...@mydomain.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BF820108A9
Nov 27 03:21:10 scmspam postfix/qmgr[24718]: 32F15108A7: removed
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) Passed CLEAN {RelayedInbound}, [206.189.74.145]:50850 [117.20.31.98] <acha...@casasponty.com> -> <lvelasq...@mydomain.com>, Queue-ID: 2D19A1089D, Message-ID: <18301625705448019599.084a539583f0b...@mydomain.com>, mail_id: 1SgjFC6nhGVK, Hits: 4.673, size: 127128, queued_as: BF820108A9, dkim_sd=default:casasponty.com, 2416 ms
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) TIMING-SA total 894 ms - parse: 15 (1.7%), extract_message_metadata: 59 (6.5%), get_uri_detail_list: 0.71 (0.1%), tests_pri_-1000: 107 (12.0%), tests_pri_-950: 4.5 (0.5%), tests_pri_-900: 2.4 (0.3%), tests_pri_-90: 4.3 (0.5%), tests_pri_0: 212 (23.8%), check_spf: 7 (0.8%), poll_dns_idle: 0.67 (0.1%), tests_pri_20: 225 (25.2%), check_razor2: 220 (24.6%), tests_pri_30: 213 (23.8%), check_pyzor: 211 (23.6%), tests_pri_500: 10 (1.2%), get_report: 0.49 (0.1%)
Nov 27 03:21:10 scmspam postfix/lmtp[30331]: 2D19A1089D: to=<lvelasq...@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.3, delays=0.89/0/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BF820108A9)

Regards.
-- 
rickygm
http://gnuforever.homelinux.com
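The trace shows why SPF and DKIM cannot help here: both pass because casasponty.com really is the sending domain (SPF_PASS and DKIM_VALID even subtract from the score, and the message lands at 4.673 against required=5). The only forged element is the human-readable display name, so the check has to compare From:name against the local user list while From:addr is outside the local domain. The following is an added example, not code from the original post or from SpamAssassin: it implements that check in Python over constructed sample headers and emits the equivalent SpamAssassin local.cf rules using the `From:name` and `From:addr` header-rule modifiers. `mydomain.com` and the login `lvelasquez` come from the trace; the display name "L Velasquez", the second user `jdoe`, the sender domain `example.net`, the rule names and the score are assumptions made for the demo.

```python
"""Display-name impersonation check for the case in the post: From: carries a
local user's name, but the address (and its SPF/DKIM) belongs to another domain.

Added example, not code from the post or from SpamAssassin. Assumptions are
marked below; mydomain.com and the login lvelasquez come from the trace."""
import re
import unicodedata
from email import message_from_string
from email.policy import default as DEFAULT_POLICY

LOCAL_DOMAIN = "mydomain.com"          # receiving domain from the trace

# Assumed user directory (login -> display name). Only the login lvelasquez is
# in the post; the display names and the second user are made up for the demo.
LOCAL_USERS = {
    "lvelasquez": "L Velasquez",
    "jdoe": "Jane Doe",
}

def normalize_name(name):
    """Lower-case, strip accents and punctuation, collapse whitespace, so that
    'Velásquez, L.' and 'l velasquez' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_only.lower())
    return " ".join(cleaned.split())

def name_variants(login, full_name):
    """Spellings of a user's name a spammer is likely to copy into From:."""
    norm = normalize_name(full_name)
    parts = norm.split()
    variants = {norm, login.lower(), "".join(parts)}
    if len(parts) > 1:
        variants.add(" ".join(reversed(parts)))    # 'velasquez l'
    return variants

def is_local_domain(domain):
    d = domain.lower()
    return d == LOCAL_DOMAIN or d.endswith("." + LOCAL_DOMAIN)

def check_from(raw_message):
    """Return {'flagged', 'impersonated', 'from_addr'} for a raw RFC 5322 message.
    Flags only when the display name matches a local user AND the address is
    not in our domain; mail claiming our own domain is left to SPF/DKIM/DMARC."""
    msg = message_from_string(raw_message, policy=DEFAULT_POLICY)
    result = {"flagged": False, "impersonated": None, "from_addr": None}
    header = msg["From"]
    if header is None or not header.addresses:
        return result                          # missing or unparsable From:
    sender = header.addresses[0]               # policy.default decodes RFC 2047 names
    result["from_addr"] = sender.addr_spec
    shown = normalize_name(sender.display_name)
    if not shown or is_local_domain(sender.domain):
        return result
    for login, full_name in LOCAL_USERS.items():
        if shown in name_variants(login, full_name):
            result.update(flagged=True, impersonated=login)
            break
    return result

def spamassassin_rules(users=LOCAL_USERS, score=4.0):
    """Emit equivalent local.cf rules: one __ subrule per user on From:name,
    a shared From:addr subrule, and a scored meta rule. Rule names are assumed."""
    lines, subrules = [], []
    for login, full_name in users.items():
        alts = "|".join(sorted(re.escape(v) for v in name_variants(login, full_name)))
        name = f"__LOCAL_NAME_{login.upper()}"
        subrules.append(name)
        lines.append(f"header   {name} From:name =~ /^\\s*(?:{alts})\\s*$/i")
    lines.append(f"header   __FROM_NOT_LOCAL From:addr !~ /\\@(?:[\\w-]+\\.)*{re.escape(LOCAL_DOMAIN)}$/i")
    lines.append(f"meta     LOCAL_NAME_FOREIGN_ADDR ({' || '.join(subrules)}) && __FROM_NOT_LOCAL")
    lines.append(f"score    LOCAL_NAME_FOREIGN_ADDR {score}")
    lines.append("describe LOCAL_NAME_FOREIGN_ADDR Local user's display name on a non-local From address")
    return "\n".join(lines) + "\n"

# Constructed sample messages (not the post's actual mail).
SAMPLE_IMPERSONATION = (
    'From: "L Velasquez" <sender@example.net>\n'
    "To: lvelasquez@mydomain.com\nSubject: Contrato\n\nbody\n"
)
SAMPLE_ENCODED = (              # RFC 2047 name with an accent: "L Velásquez"
    "From: =?UTF-8?Q?L_Vel=C3=A1squez?= <sender@example.net>\n"
    "To: lvelasquez@mydomain.com\nSubject: Contrato\n\nbody\n"
)
SAMPLE_INTERNAL = 'From: "L Velasquez" <lvelasquez@mydomain.com>\nTo: jdoe@mydomain.com\n\nbody\n'
SAMPLE_UNRELATED = 'From: "Billing" <billing@example.net>\nTo: lvelasquez@mydomain.com\n\nbody\n'

if __name__ == "__main__":
    for sample in (SAMPLE_IMPERSONATION, SAMPLE_ENCODED, SAMPLE_INTERNAL, SAMPLE_UNRELATED):
        print(check_from(sample))
    print(spamassassin_rules())
```

Two caveats before dropping the generated rules into local.cf: SpamAssassin MIME-decodes `From:name` before matching, but the Perl regex does no accent folding, so accented spellings have to be listed as extra alternatives (or the check kept in a plugin like the Python above); and a genuinely unrelated person with the same name at another company will also hit, so treat the meta rule as a scoring contributor that tips mail like the 4.673-point messages in the trace over the threshold, not as an outright reject, and whitelist known external contacts.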