From address spoofing my domain

@lbutlr kremels at kreme.com
Sat Mar 19 22:47:11 CET 2016


A user has been getting a lot of spam with headers that look something like this:

From: Bosley at covisp.net, Hair at covisp.net, Restoration at covisp.net
From: National at covisp.net, Solar at covisp.net, Network at covisp.net,
From: ObamacareInformation at covisp.net
From: OmegaK at covisp.net, Heart at covisp.net, Attack at covisp.net,
From: Penny at covisp.net, Auction at covisp.net, Deals at covisp.net
From: Perfect at covisp.net, Water at covisp.net, Purifier at covisp.net
From: Proactiv at covisp.net, Special at covisp.net, Offer at covisp.net
From: PCNN at covisp.net, Breaking at covisp.net, Now at covisp.net

I’m puzzled and wondering if there is something odd in my configuration that may be causing the From to appear this way or if it’s just some new spammer tactic.

I do have:

/covisp\.net$/ REJECT helo Don't spoof my hostname

In postfix’s helo_header_checks, but these are not the helo or From_ addresses.

Is it possible that amavisd is hitting an invalid From header like “Bosley Hair Restoration” and adding a “@covisp.net” to each word?

Here is the most recent one, lightly munged:

Return-Path: <contact at aspmx.rantingly.com>
Delivered-To: *user1*@sqldomain.tld
Received: from mail.covisp.net (localhost [127.0.0.1])
        by mail.covisp.net (Postfix) with ESMTP id 3qMYHl0KP2zpKv0;
        Fri, 11 Mar 2016 22:59:31 -0700 (MST)
X-Virus-Scanned: amavisd-new at covisp.net
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
        expected boundary; ; error: unexpected end of parts before epilogue
Received: from mail.covisp.net ([127.0.0.1])
        by mail.covisp.net (mail.covisp.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id dCXNv3ebKRAi; Fri, 11 Mar 2016 22:59:29 -0700 (MST)
Received: from aspmx.rantingly.com (aspmx.rantingly.com [69.12.70.35])
        by mail.covisp.net (Postfix) with ESMTP id 3qMYHj5Rt4zpKts
        for <*user*@sqldomain.tld>; Fri, 11 Mar 2016 22:59:29 -0700 (MST)
Received: from localhost (127.0.0.1) by aspmx.rantingly.com id hseo4616lt0m for <*user*@sqldomain.tld>; Sat, 12 Mar 2016 00:22:44 -0500 (envelope-from <contact at aspmx.rantingly.com>)
From: Reverse at covisp.net, Mortgage at covisp.net, Calculator at covisp.net
To: "*user*@sqldomain.tld" <*user*@sqldomain.tld>
Subject: Are Reverse Mortgages: Too Good To Be True?


(the sqldomain.tld is NOT covisp.net)

-- 
I always take life with a grain of salt, plus a slice of lime and a
shot of tequila.
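Added illustration (not code from the original post, from amavisd or from Postfix): one mechanism that yields exactly the pattern above is MTA header-address rewriting of an unbracketed From: phrase. A spam whose From: is the bare words `Reverse Mortgage Calculator` (no angle brackets, no `@`) is not a valid address; an MTA that rewrites incomplete header addresses splits it into atoms and qualifies each one with its origin domain, which is what Postfix's cleanup(8) does with `append_at_myorigin` for clients matching `local_header_rewrite_clients`. Whether the amavisd reinjection path (127.0.0.1, which the default `permit_inet_interfaces` setting covers) triggers it in this particular setup is an assumption to verify with `postconf local_header_rewrite_clients append_at_myorigin remote_header_rewrite_domain`. The script emulates that rewrite, detects its signature in a header, and recovers the phrase the spammer originally sent; the sample headers are constructed from the ones quoted in the post.

```python
"""Emulate and detect MTA rewriting of an unbracketed From: phrase.

Added example, not the original poster's code and not Postfix or amavisd
source.  Assumption: the MTA splits an '@'-less, unbracketed From: value
on commas and whitespace and qualifies each token with its origin domain
(Postfix: cleanup(8), append_at_myorigin=yes, for clients that match
local_header_rewrite_clients).  A quoted string is kept as one token; it
then becomes a quoted local-part, which is the RFC 5322 form.
"""
import re

# One RFC 5322 quoted-string, or one run of non-space, non-comma characters.
TOKEN = re.compile(r'"[^"]*"|[^\s,]+')


def rewrite_bare_words(from_value: str, myorigin: str) -> str:
    """Return the From: value as a rewriting MTA would emit it.

    A value containing an angle-bracketed address or any '@' already
    resolves to a mailbox and is left alone.  A bare phrase is split into
    tokens and every token becomes token@myorigin.
    """
    if '<' in from_value or '@' in from_value:
        return from_value
    return ', '.join(f'{tok}@{myorigin}' for tok in TOKEN.findall(from_value))


def looks_like_rewritten_phrase(from_value: str, local_domain: str) -> bool:
    """True when a From: value carries the signature of a rewritten phrase:
    no angle brackets, two or more comma-separated addresses, each a single
    word at local_domain.  Legitimate mail from the domain has one address
    and normally a display name in brackets, so it does not match."""
    if '<' in from_value:
        return False
    parts = [p.strip() for p in from_value.split(',') if p.strip()]
    if len(parts) < 2:
        return False
    single_word = re.compile(r'^[^@\s,]+@' + re.escape(local_domain) + r'$', re.I)
    return all(single_word.match(p) for p in parts)


def reconstruct_phrase(from_value: str, local_domain: str):
    """Recover the phrase the sender put in From: before rewriting, or None
    when any address is not a bare word at local_domain."""
    suffix = '@' + local_domain.lower()
    words = []
    for part in from_value.split(','):
        part = part.strip()
        if not part.lower().endswith(suffix):
            return None
        words.append(part[:-len(suffix)])
    return ' '.join(words)


# Constructed sample From: values (the post's munged " at " restored to "@").
SAMPLES = [
    'Reverse@covisp.net, Mortgage@covisp.net, Calculator@covisp.net',
    'Bosley@covisp.net, Hair@covisp.net, Restoration@covisp.net',
    'ObamacareInformation@covisp.net',
    '"Reverse Mortgage Calculator" <contact@aspmx.rantingly.com>',
]


def scan(samples, local_domain: str):
    """Return (header, recovered phrase) for each header that looks rewritten."""
    return [(s, reconstruct_phrase(s, local_domain))
            for s in samples if looks_like_rewritten_phrase(s, local_domain)]


if __name__ == '__main__':
    print(rewrite_bare_words('Reverse Mortgage Calculator', 'covisp.net'))
    for header, phrase in scan(SAMPLES, 'covisp.net'):
        print(f'rewritten phrase {phrase!r}  <-  {header}')
```

The single-address case (`ObamacareInformation@covisp.net`) is not flagged, since a one-word phrase rewrites to one address and is indistinguishable from a real local sender by the header alone; the Return-Path and the first Received line outside the local host still identify it.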



More information about the amavis-users mailing list