1

Topic: Spam message from a forged address

Hi.

I have some problems with messages from forged addresses from my own domain.

For example, I have an address myself@mydomain.com, and I just received a spam message as if it was coming from my own address. But it was marked as not-spam because of AWL (- 6.969).

X-Spam-Flag: NO
X-Spam-Score: 2.805
X-Spam-Level: **
X-Spam-Status: No, score=2.805 required=4 tests=[AWL=-6.969, BAYES_50=0.001,
    DRUGS_ERECTILE=0.282, DRUG_ED_CAPS=0.322, HTML_IMAGE_ONLY_12=2.46,
    HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_1=0.001, MIME_HTML_ONLY=1.457,
    RDNS_NONE=0.1, SPF_FAIL=1.693, SUBJECT_NEEDS_ENCODING=0.001,
    URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501] autolearn=no

Is there anything I can change to stop this from happening? I looked into the SpamAssassin configs, but apparently there is no way to change its behavior other than totally disabling AWL?
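The X-Spam-Status line above carries enough detail to see what AWL did to the verdict. As an added example (not from the post, nor SpamAssassin or iRedMail code), the script below parses such a header, adds the rule scores back up with AWL left out, and lists the signs of a forged local sender that are visible in the headers. The embedded header is a constructed copy of the obfuscated one later in the thread, trimmed to the fields used; the local-domain set passed to analyze() is an assumption.

```python
"""Recompute a SpamAssassin verdict without the AWL adjustment and look for the
forged-local-sender pattern from the thread.  Added example, not part of the
forum post or of SpamAssassin/iRedMail; the header below is a constructed copy
of the obfuscated one posted in the thread, trimmed to the fields used here."""
import re
from email.utils import parseaddr

# Constructed sample header (values taken from the thread, addresses already obfuscated there).
SAMPLE_HEADER = """\
Return-Path: <myaddress@mydomain.tld>
Received: from elias (unknown [92.98.134.117])
    by mx2.mydomain.tld (iRedMail) with SMTP id 0A1953F78001
    for <myaddress@mydomain.tld>; Sun, 27 Jun 2010 19:15:15 +0300 (EEST)
X-Spam-Status: No, score=2.805 required=4 tests=[AWL=-6.969, BAYES_50=0.001,
    DRUGS_ERECTILE=0.282, DRUG_ED_CAPS=0.322, HTML_IMAGE_ONLY_12=2.46,
    HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_1=0.001, MIME_HTML_ONLY=1.457,
    RDNS_NONE=0.1, SPF_FAIL=1.693, SUBJECT_NEEDS_ENCODING=0.001,
    URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501] autolearn=no
From: myaddress@mydomain.tld
To: myaddress@mydomain.tld
"""

def parse_headers(raw):
    """Unfold RFC 5322 headers into {lower-case name: [values]}; the list keeps
    repeated fields (e.g. several Received:) in top-to-bottom order."""
    fields, current = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break                                        # end of header section
        if line[0] in " \t" and current:
            fields[current][-1] += " " + line.strip()    # folded continuation line
        else:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            fields.setdefault(current, []).append(value.strip())
    return fields

def spam_tests(status):
    """Map each rule name in an X-Spam-Status 'tests=[...]' list to its score."""
    m = re.search(r"tests=\[(.*?)\]", status)
    if not m:
        return {}
    return {name: float(score)
            for name, score in re.findall(r"([A-Z0-9_]+)=(-?[0-9.]+)", m.group(1))}

def analyze(raw, local_domains):
    """Return the reported score, the score with AWL removed, and the signs that
    the From: address was forged by an outside host."""
    h = parse_headers(raw)
    status = h.get("x-spam-status", [""])[0]
    tests = spam_tests(status)
    required = float(re.search(r"required=(-?[0-9.]+)", status).group(1))
    reported = float(re.search(r"score=(-?[0-9.]+)", status).group(1))
    without_awl = round(sum(v for k, v in tests.items() if k != "AWL"), 3)

    sender = parseaddr(h.get("from", [""])[0])[1].lower()
    recipient = parseaddr(h.get("to", [""])[0])[1].lower()
    indicators = []
    if sender.rsplit("@", 1)[-1] in local_domains:
        # The last Received: header is the earliest hop, i.e. the submitting client.
        first_hop = h.get("received", [""])[-1]
        if "(unknown [" in first_hop:
            indicators.append("local sender submitted from an unresolvable external host")
        if "SPF_FAIL" in tests:
            indicators.append("SPF_FAIL: sending host not authorised for the sender domain")
        if sender == recipient:
            indicators.append("From: equals To:")
        if "AWL" in tests and tests["AWL"] < 0:
            indicators.append("AWL lowered the score by %.3f" % -tests["AWL"])
    return {
        "reported_score": reported,
        "score_without_awl": without_awl,
        "required": required,
        "spam_without_awl": without_awl >= required,
        "indicators": indicators,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADER, {"mydomain.tld"}).items():
        print(f"{key}: {value}")
```

Run against the sample, the rule scores without AWL sum to 9.774, well over the required 4, which is what the AWL offset of -6.969 hid; the same function can be pointed at any saved message header to see how much a single reputation rule is moving the verdict.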

2

Re: Spam message from a forged address

Do you mean the recipient address is the same as the sender address? It's impossible in the iRedMail default settings since authentication is required for all outgoing emails. Did you change any setting in Postfix?

3 (edited by maxie_ro 2010-06-28 16:02:35)

Re: Spam message from a forged address

Yes, the recipient address is the same as the sender address. Well, I've changed some things, here they are...

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access pcre:/etc/postfix/helo_access.pcre

smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/accept_unauth,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/accept_special,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client cbl.abuseat.org=127.0.0.2,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client bhnc.njabl.org,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10031

Should I check anything else?

4

Re: Spam message from a forged address

Do you have 'smtpd_sender_login_maps' in main.cf?

5

Re: Spam message from a forged address

ZhangHuangbin wrote:

Do you have 'smtpd_sender_login_maps' in main.cf?

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf

6

Re: Spam message from a forged address

It should reject this spam if you have this enabled.

Can you paste whole header of this spam email?
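A point worth making explicit here: smtpd_sender_login_maps only tells Postfix who owns an address. Postfix consults it solely when one of the reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch or reject_unauthenticated_sender_login_mismatch restrictions appears in a restriction list, and the smtpd_recipient_restrictions posted above contain none of them. The model below is an added example, not Postfix code and not iRedMail's configuration: a simplified re-implementation of Postfix's first-match restriction evaluation and of those three restrictions, with a constructed in-memory table standing in for the proxy:mysql: lookup (only full-address lookups are modelled), and constructed client IPs and logins.

```python
"""Model of how Postfix acts on smtpd_sender_login_maps.  Added example, not
Postfix code and not iRedMail's configuration: a simplified re-implementation
of the first-match restriction evaluation and of the three
reject_*sender_login_mismatch restrictions, with an in-memory table standing in
for the proxy:mysql: lookup from the thread.  Only full-address lookups are
modelled."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-in for smtpd_sender_login_maps: MAIL FROM address -> SASL logins that own it.
SENDER_LOGIN_MAP: Dict[str, Set[str]] = {
    "myaddress@mydomain.tld": {"myaddress@mydomain.tld"},
    "sales@mydomain.tld": {"myaddress@mydomain.tld", "colleague@mydomain.tld"},
}
MYNETWORKS = {"127.0.0.1"}   # constructed; amavisd-new re-injects mail from localhost

@dataclass
class Session:
    client_ip: str
    sender: str                             # envelope MAIL FROM
    sasl_username: Optional[str] = None     # None = client did not authenticate

Restriction = Callable[[Session, Dict[str, Set[str]]], Optional[str]]

def owners(sender, login_map):
    return login_map.get(sender.lower(), set())

def permit_mynetworks(s, m):
    return "OK" if s.client_ip in MYNETWORKS else None

def permit_sasl_authenticated(s, m):
    return "OK" if s.sasl_username else None

def reject_unauthenticated_sender_login_mismatch(s, m):
    """Sender has an owner in the map, but the client did not log in."""
    if s.sasl_username is None and owners(s.sender, m):
        return f"REJECT <{s.sender}>: Sender address rejected: not logged in"
    return None

def reject_authenticated_sender_login_mismatch(s, m):
    """Client logged in, but the login does not own the sender address."""
    if s.sasl_username is not None and s.sasl_username.lower() not in owners(s.sender, m):
        return f"REJECT <{s.sender}>: Sender address rejected: not owned by user {s.sasl_username}"
    return None

def reject_sender_login_mismatch(s, m):
    """Both checks together, as Postfix's reject_sender_login_mismatch does."""
    return (reject_unauthenticated_sender_login_mismatch(s, m)
            or reject_authenticated_sender_login_mismatch(s, m))

def evaluate(session, restrictions: List[Restriction], login_map=SENDER_LOGIN_MAP):
    """Postfix semantics: restrictions are tried in order; the first one that
    returns a verdict wins, and "DUNNO" means none of them decided."""
    for restriction in restrictions:
        verdict = restriction(session, login_map)
        if verdict:
            return verdict
    return "DUNNO"

# The permit_* part of the restrictions posted in the thread: no login check at all.
POSTED = [permit_mynetworks, permit_sasl_authenticated]
# The login check must precede permit_sasl_authenticated, otherwise the
# authenticated-mismatch case can never be reached.
HARDENED = [permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated]

FORGED = Session("92.98.134.117", "myaddress@mydomain.tld")                       # the spam from the thread
LEGIT = Session("203.0.113.5", "myaddress@mydomain.tld", "myaddress@mydomain.tld")  # constructed
MISUSE = Session("203.0.113.5", "myaddress@mydomain.tld", "colleague@mydomain.tld") # constructed

if __name__ == "__main__":
    for name, s in [("forged", FORGED), ("legit", LEGIT), ("misuse", MISUSE)]:
        print(f"{name:7} posted={evaluate(s, POSTED):6}  hardened={evaluate(s, HARDENED)}")
```

With the posted ordering the forged session falls through ("DUNNO") and is later accepted because the recipient is local; with the login check placed before permit_sasl_authenticated it is rejected at MAIL FROM, while the owner's own authenticated submission is still permitted and a colleague sending as the owner is refused.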

7

Re: Spam message from a forged address

Here it is (addresses and domains obfuscated, of course):

Return-Path: <myaddress@mydomain.tld>
Delivered-To: myaddress@mydomain.tld
Received: from localhost (mx2.mydomain.tld [127.0.0.1])
    by mx2.mydomain.tld (iRedMail) with ESMTP id 8372C3F78002;
    Sun, 27 Jun 2010 19:15:24 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
    mydomain.tld; h=date:date:message-id
    :content-transfer-encoding:content-type:content-type
    :mime-version:subject:subject:to:from:from; s=dkim; t=
    1277655318; x=1280247318; bh=RVFM+RQxsttNhEUXU8gsH3oSh4gH8X/2sT1
    R+ZBdLDs=; b=zjSuZzuRzLCBdGWdxAb3t4W27H0plzvjw34wUP/G0cZfBQtxHoP
    LNMKAIamVT12kHCAygvXejAyeq/+R5uHZ4U5xyGKFLehoCi0dbET3KVE1xj0kBiQ
    W/GNjJDBTle0kZGS0G3mbVNwtupcoDshECDs10kt2V4UfOGQ4oDBcadg=
X-Quarantine-ID: <iGZ3yOHykvgS>
X-Virus-Scanned: amavisd-new at mx2.mydomain.tld
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char AE hex):
    Subject: ...mydomain.tld VIAGRA Official Site -61%
X-Spam-Flag: NO
X-Spam-Score: 2.805
X-Spam-Level: **
X-Spam-Status: No, score=2.805 required=4 tests=[AWL=-6.969, BAYES_50=0.001,
    DRUGS_ERECTILE=0.282, DRUG_ED_CAPS=0.322, HTML_IMAGE_ONLY_12=2.46,
    HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_1=0.001, MIME_HTML_ONLY=1.457,
    RDNS_NONE=0.1, SPF_FAIL=1.693, SUBJECT_NEEDS_ENCODING=0.001,
    URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501] autolearn=no
Received: from mx2.mydomain.tld ([127.0.0.1])
    by localhost (mx2.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id iGZ3yOHykvgS; Sun, 27 Jun 2010 19:15:18 +0300 (EEST)
X-Original-Helo: elias (iRedMail: http://code.google.com/p/iredmail/)
Received: from elias (unknown [92.98.134.117])
    by mx2.mydomain.tld (iRedMail) with SMTP id 0A1953F78001
    for <myaddress@mydomain.tld>; Sun, 27 Jun 2010 19:15:15 +0300 (EEST)
From: myaddress@mydomain.tld
To: myaddress@mydomain.tld
Subject: myaddress@mydomain.tld VIAGRA Official Site -61%
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20100627161517.0A1953F78001@mx2.mydomain.tld>
Date: Sun, 27 Jun 2010 19:15:15 +0300 (EEST)

8

Re: Spam message from a forged address

OK, so any clues? The mailbox was not compromised, I didn't see any logins.

9

Re: Spam message from a forged address

I am having the same problem: I am getting emails from users in my domain, but when you look at the header it is a forged email address.