1 (edited by intellest 2012-02-22 20:03:47)

Topic: My spamfilter doesn't work because of spoofing of the to-address

==== Provide required information to help troubleshoot and get quick answer ====
- Linux/BSD distribution name and version:
- iRedMail version and backend (LDAP/MySQL):
- Any related log? Log is helpful for troubleshooting.
====

I use iRedMail 0.7.3 with MySQL on an Ubuntu server 10.04.3 LTS.

About half a year ago, I set up my mail server on a fresh install of Ubuntu. I have many email addresses for my email account. Some of the addresses act as spam traps, in such a way that I am certain that I only receive spam at those addresses.

The problem is that about a month ago, some of the emails to 2 of the spam traps began bypassing the spam filter. One of those two email addresses I have only given out once, so I know exactly who has sold the address to spammers. The bypassing happens because none of the emails have my email address in the to-field or the "copy to"-field. Something is written in both the to-field and the "copy to"-field, so the addresses may exist (I don't know), but I would say that they are spoofed because none of them are mine.

A couple of weeks have now passed, so I have received some emails, between 1 and 4 per day. As I now look through the headers of all these emails, I see the common feature that all of them (via both spam traps) have @yahoo.com addresses in the from-field. All the emails were received by my mail server from mail servers at different subdomains of bullet.mail.ird.yahoo.com. They have a DKIM signature with d=yahoo.com and a DomainKey signature, for which my mail server gave dkim=pass and domainkeys=pass.

I couldn't figure out why I received emails that do not have my email address in the to- or "copy to"-field. After turning it over in my head a couple of times, I found a way in which this is possible. I don't know whether this is a clue to what is going on, but I'll share my thoughts anyway. In the first round, A sends an email to B. Then B's address has to be written in the to- or "copy to"-field for the email to get through. But in the second round, B can forward the email to C, or C can fetch the email from B. If B forwards the email to C, then neither B's nor C's address has to be written in the to- or "copy to"-field. In the appropriate received-field in the header, there may be a line starting with "for emailaddress@example.com". This is a sign that the email was sent to emailaddress@example.com, but this is not necessarily related to the to- or "copy to"-field. For example, the email was forwarded from B to C, where C's email address is written in the appropriate received-field, but C's address is not written in the to- or "copy to"-field. But I don't know whether this is a clue to what is going on.

1. What can I do to filter these emails to the spam folder? Or alternatively, to stop the emails from being routed to the email account? My primary goal is that I want the spam trap emails to be routed to the spam folder in my email account.

2. Does Yahoo enable spoofing of the to-field? Or do I misunderstand something? I believe that Yahoo should not facilitate spamming, and it would surprise me if that is part of the case.

Hope someone can help.

----

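One way to route such messages by the address they were actually delivered to (Delivered-To: and the "for <addr>" clause of the Received: lines) instead of by To:/Cc:, which a forwarded message keeps unchanged. This is an added example in Python using only the standard library; it is not code from the original post or from iRedMail, and the trap addresses, host names and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample trap addresses (the ones only spammers are known to use).
SPAM_TRAPS = {"trap1@example.com", "trap2@example.com"}

# Matches the "for <addr>" clause a receiving MTA writes into its Received: line.
RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s>;]+@[^\s>;]+)>?", re.IGNORECASE)


def header_recipients(msg):
    """Addresses in To:/Cc:, which is all a naive recipient-based rule sees."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def envelope_recipients(msg):
    """Addresses the message was really delivered to: Delivered-To: plus the
    'for <addr>' clause of every Received: line (survives forwarding)."""
    found = {v.strip().lower() for v in msg.get_all("Delivered-To", [])}
    for received in msg.get_all("Received", []):
        match = RECEIVED_FOR.search(received)
        if match:
            found.add(match.group(1).lower())
    return found


def classify(raw_message):
    """Return ("spam", [trap addresses hit]) if a trap address appears among the
    header or envelope recipients, otherwise ("ham", [])."""
    msg = message_from_string(raw_message)
    hits = (header_recipients(msg) | envelope_recipients(msg)) & SPAM_TRAPS
    return ("spam", sorted(hits)) if hits else ("ham", [])


# Constructed sample: the trap address is only in the envelope, not in To:/Cc:.
SAMPLE = """\
Received: from mta.example.net (mta.example.net [203.0.113.10])
\tby mx.example.com (Postfix) with ESMTP id 0123456789
\tfor <trap1@example.com>; Wed, 22 Feb 2012 10:00:00 +0100
Delivered-To: trap1@example.com
From: sender@example.org
To: unrelated@example.net
Cc: other@example.net
Subject: constructed sample

body text
"""
```

Running `classify(SAMPLE)` returns `('spam', ['trap1@example.com'])` even though neither To: nor Cc: names the trap, which is exactly the case described above.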

2

Re: My spamfilter doesn't work because of spoofing of the to-address

intellest wrote:

I couldn't figure out why I received emails that do not have my email address in the to- or "copy to"-field.

Could you please paste mail header of one of these emails to help troubleshoot? REPLACE sensitive information before posting.