From address spoofing my domain

Cedric Knight cedric at
Sun Mar 20 21:32:03 CET 2016

On 19/03/16 21:47, @lbutlr wrote:
> A user has been getting a lot of spam with headers that look something like this:
> From: Bosley at, Hair at, Restoration at

> Is it possible that amavisd is hitting an invalid From header like
> “Bosely Hair Restoration” and adding a “” to each word?

Much more likely it's your postfix trivial-rewrite daemon adding
$mydomain during cleanup, either from the reinjection from amavis, or
possibly the initial smtp connection.  See man trivial-rewrite.

It should be harmless, but you can stop it by overriding the value of
local_header_rewrite_clients in your smtpd daemon (see appropriate
section of postconf man page).  If you never accept email from local
users on that address:port, you can add "-o
local_header_rewrite_clients=" in

On 19/03/16 22:01, @lbutlr wrote:
> One other detail, these are emails that SHOULD be getting
> quarantined. Here is one to that same user from a couple of days
> ago:
> Mar 17 08:24:16 mail amavis[32815]: (32815-11) Passed SPAM
> {RelayedOpenRelay,Quarantined}, [] []
> <contact at> ->
> <backup at>,<user1 at sqldomain.tld>, quarantine:
> spam-lNjPXhL4sHt2.gz, Message-ID:
> <4045e937a81af6f206d718e539ed1606 at>, mail_id: lNjPXhL4sHt2,
> Hits: 7.534, size: 2178, queued_as: 3qQrFr5PjgzpKv0, 1081 ms
> Could it be the always_bcc setting in postfix that is causing Amavisd
> to error out? If so, how do I keep both the backup bcc and amavisd
> happy?

Don't really understand what you mean by "error out", and not sure if
it's related to the first question.  "RelayedOpenRelay" suggests to me
that @local_domains_maps or @local_domains_acl might not include the
real value of "sqldomain.tld".

What are your settings for $final_spam_destiny and $sa_kill_level_deflt
or $spam_kill_level_maps?  Does the quarantine object
spam-lNjPXhL4sHt2.gz exist (it probably does)?  Which of the two
destinations does it get delivered to?  One guess would be that at least
one of those destinations is in your $spam_lovers_maps.


More information about the amavis-users mailing list