From address spoofing my domain
Cedric Knight
cedric at gn.apc.org
Sun Mar 20 21:32:03 CET 2016
On 19/03/16 21:47, @lbutlr wrote:
> A user has been getting a lot of spam with headers that look something like this:
>
> From: Bosley at covisp.net, Hair at covisp.net, Restoration at covisp.net
> Is it possible that amavisd is hitting an invalid From header like
> “Bosley Hair Restoration” and adding a “@covisp.net” to each word?
Much more likely it's your postfix trivial-rewrite daemon adding
$mydomain during cleanup, either from the reinjection from amavis, or
possibly the initial smtp connection. See man trivial-rewrite.
It should be harmless, but you can stop it by overriding the value of
local_header_rewrite_clients in your smtpd daemon (see the appropriate
section of the postconf man page). If you never accept email from local
users on that address:port, you can add
"-o local_header_rewrite_clients=" for that service in master.cf.
On 19/03/16 22:01, @lbutlr wrote:
> One other detail, these are emails that SHOULD be getting
> quarantined. Here is one to that same user from a couple of days
> ago:
>
> Mar 17 08:24:16 mail amavis[32815]: (32815-11) Passed SPAM
> {RelayedOpenRelay,Quarantined}, [127.0.0.1] [92.63.96.246]
> <contact at aspmx3.incrustment.com> ->
> <backup at southgaylord.com>,<user1 at sqldomain.tld>, quarantine:
> spam-lNjPXhL4sHt2.gz, Message-ID:
> <4045e937a81af6f206d718e539ed1606 at gmx.com>, mail_id: lNjPXhL4sHt2,
> Hits: 7.534, size: 2178, queued_as: 3qQrFr5PjgzpKv0, 1081 ms
>
> Could it be the always_bcc setting in postfix that is causing Amavisd
> to error out? If so, how do I keep both the backup bcc and amavisd
> happy?
Don't really understand what you mean by "error out", and not sure if
it's related to the first question. "RelayedOpenRelay" suggests to me
that @local_domains_maps or @local_domains_acl might not include the
real value of "sqldomain.tld".
What are your settings for $final_spam_destiny and $sa_kill_level_deflt
or $spam_kill_level_maps? Does the quarantine object
spam-lNjPXhL4sHt2.gz exist (it probably does)? Which of the two
destinations does it get delivered to? One guess would be that at least
one of those destinations is in your $spam_lovers_maps.
CK
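Added example (not from the original post or from the Postfix/amavis documentation) of what the master.cf override above looks like on the typical amavis reinjection listener. The listener address 127.0.0.1:10025 and the domain covisp.net are assumptions taken from the thread; the other -o lines are the usual content-filter reinjection settings and are shown only for context. The point is that Postfix's default for local_header_rewrite_clients is permit_inet_interfaces, which matches a connection from 127.0.0.1, so when amavis hands the message back on the loopback interface, cleanup treats it as mail from a local client and appends $myorigin to every unqualified token in From:, which is how a bare display name turns into three fake addresses. Setting the parameter to an empty value on that one service disables the rewrite only for reinjected mail:

```conf
# main.cf (relevant defaults, shown for reference; assumed values)
mydomain = covisp.net
myorigin = $mydomain
# Default: rewrite headers for clients that connect via a local interface,
# which includes the loopback reinjection from amavis.
# local_header_rewrite_clients = permit_inet_interfaces

# master.cf: reinjection listener that amavisd-new delivers back to
127.0.0.1:10025 inet n  -  n  -  -  smtpd
  -o content_filter=
  -o local_header_rewrite_clients=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

After `postfix reload`, `postconf -P "127.0.0.1:10025/inet/local_header_rewrite_clients"` (Postfix 2.11 and later) prints the per-service value so you can confirm the override took effect; an unchanged header on the next reinjected message is the real check. Leave the parameter at its default on the submission service where your own users connect, because there the rewrite is what qualifies their unqualified addresses.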
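Added example (not from the original post) of the amavisd.conf settings the questions above refer to. The domain names are the placeholders from the thread and the numeric values are assumptions, not recommended defaults. A recipient domain that is missing from @local_domains_maps makes amavis treat the message as relayed to a non-local destination, which is what the RelayedOpenRelay tag in the log line records, and with $final_spam_destiny set to D_PASS a message is still delivered after being quarantined, exactly as "Passed SPAM {..., Quarantined}" describes:

```perl
# amavisd.conf fragment (assumed values; adjust to your site)

# Every domain you accept mail for must be listed here, including
# whatever real name stands behind "sqldomain.tld" in the log line.
@local_domains_maps = ( [ ".$mydomain" ],
                        qw(sqldomain.tld southgaylord.com) );

# Score at which a message becomes "spam" for the kill action.
$sa_kill_level_deflt = 6.31;

# D_PASS: quarantine (if enabled) and still deliver -> "Passed SPAM".
# D_DISCARD: quarantine and drop silently; D_REJECT: refuse at SMTP time.
$final_spam_destiny = D_DISCARD;

# Recipients listed here always receive spam regardless of the above,
# so check it before assuming the kill level is being ignored.
@spam_lovers_maps = ( read_hash("/etc/amavis/spam_lovers") );
```

Whether a given recipient is treated as local can be confirmed by sending a test message and looking for "Passed SPAM {RelayedInbound,...}" rather than "RelayedOpenRelay" in the amavis log line; the policy-bank tag between the braces is the quickest indication of which lookup maps were applied.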