Discussion:
From address spoofing my domain
@lbutlr
2016-03-19 21:47:11 UTC
A user has been getting a lot of spam with headers that look something like this:

From: ***@covisp.net, ***@covisp.net, ***@covisp.net
From: ***@covisp.net, ***@covisp.net, ***@covisp.net,
From: ***@covisp.net
From: ***@covisp.net, ***@covisp.net, ***@covisp.net,
From: ***@covisp.net, ***@covisp.net, ***@covisp.net
From: ***@covisp.net, ***@covisp.net, ***@covisp.net
From: ***@covisp.net, ***@covisp.net, ***@covisp.net
From: ***@covisp.net, ***@covisp.net, ***@covisp.net

I’m puzzled and wondering if there is something odd in my configuration that may be causing the From to appear this way or if it’s just some new spammer tactic.

I do have:

/covisp\.net$/ REJECT helo Don't spoof my hostname

In postfix’s helo_header_checks, but these are not the helo or From_ addresses.

Is it possible that amavisd is hitting an invalid From header like “Bosely Hair Restoration” and adding a “@covisp.net” to each word?

Here is the most recent one, lightly munged:

Return-Path: <***@aspmx.rantingly.com>
Delivered-To: *user1*@sqldomain.tld
Received: from mail.covisp.net (localhost [127.0.0.1])
by mail.covisp.net (Postfix) with ESMTP id 3qMYHl0KP2zpKv0;
Fri, 11 Mar 2016 22:59:31 -0700 (MST)
X-Virus-Scanned: amavisd-new at covisp.net
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
expected boundary; ; error: unexpected end of parts before epilogue
Received: from mail.covisp.net ([127.0.0.1])
by mail.covisp.net (mail.covisp.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id dCXNv3ebKRAi; Fri, 11 Mar 2016 22:59:29 -0700 (MST)
Received: from aspmx.rantingly.com (aspmx.rantingly.com [69.12.70.35])
by mail.covisp.net (Postfix) with ESMTP id 3qMYHj5Rt4zpKts
for <*user*@sqldomain.tld>; Fri, 11 Mar 2016 22:59:29 -0700 (MST)
Received: from localhost (127.0.0.1) by aspmx.rantingly.com id hseo4616lt0m for <*user*@sqldomain.tld>; Sat, 12 Mar 2016 00:22:44 -0500 (envelope-from <***@aspmx.rantingly.com>)
From: ***@covisp.net, ***@covisp.net, ***@covisp.net
To: "*user*@sqldomain.tld" <*user*@sqldomain.tld>
Subject: Are Reverse Mortgages: Too Good To Be True?


(the sqldomain.tld is NOT covisp.net)
--
I always take life with a grain of salt, plus a slice of lime and a
shot of tequila.
@lbutlr
2016-03-19 22:01:34 UTC
One other detail, these are emails that SHOULD be getting quarantined. Here is one to that same user from a couple of days ago:

Mar 17 08:24:16 mail amavis[32815]: (32815-11) Passed SPAM {RelayedOpenRelay,Quarantined}, [127.0.0.1] [92.63.96.246] <***@aspmx3.incrustment.com> -> <***@southgaylord.com>,<***@sqldomain.tld>, quarantine: spam-lNjPXhL4sHt2.gz, Message-ID: <***@gmx.com>, mail_id: lNjPXhL4sHt2, Hits: 7.534, size: 2178, queued_as: 3qQrFr5PjgzpKv0, 1081 ms

Could it be the always_bcc setting in postfix that is causing Amavisd to error out? If so, how do I keep both the backup bcc and amavisd happy?
--
The Germans wore gray, you wore blue.
Benny Pedersen
2016-03-19 22:24:13 UTC
Sender did not add @ in the From header; if you remove the @forged domain you see
something about mortgage.
@lbutlr
2016-03-19 23:34:21 UTC
Is this amavisd adding the domain, and why is it generating an error that stops the spam from being quarantined and/or tagged?
--
I miss the old days. I haven't killed anyone in years.
That's sad.
Cedric Knight
2016-03-20 20:32:03 UTC
Post by @lbutlr
Is it possible that amavisd is hitting an invalid From header like
Much more likely it's your postfix trivial-rewrite daemon adding
$mydomain during cleanup, either from the reinjection from amavis, or
possibly the initial smtp connection. See man trivial-rewrite.

It should be harmless, but you can stop it by overriding the value of
local_header_rewrite_clients in your smtpd daemon (see appropriate
section of postconf man page). If you never accept email from local
users on that address:port, you can add "-o
local_header_rewrite_clients=" in master.cf.
Post by @lbutlr
One other detail, these are emails that SHOULD be getting
quarantined. Here is one to that same user from a couple of days
Mar 17 08:24:16 mail amavis[32815]: (32815-11) Passed SPAM
{RelayedOpenRelay,Quarantined}, [127.0.0.1] [92.63.96.246]
Hits: 7.534, size: 2178, queued_as: 3qQrFr5PjgzpKv0, 1081 ms
Could it be the always_bcc setting in postfix that is causing Amavisd
to error out? If so, how do I keep both the backup bcc and amavisd
happy?
Don't really understand what you mean by "error out", and not sure if
it's related to the first question. "RelayedOpenRelay" suggests to me
that @local_domains_maps or @local_domains_acl might not include the
real value of "sqldomain.tld".

What are your settings for $final_spam_destiny and $sa_kill_level_deflt
or $spam_kill_level_maps? Does the quarantine object
spam-lNjPXhL4sHt2.gz exist (it probably does)? Which of the two
destinations does it get delivered to? One guess would be that at least
one of those destinations is in your $spam_lovers_maps.

CK
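A small model of the rewriting Cedric describes, added here as an example; it is not code from this thread or from Postfix. `rewrite_like_cleanup` mimics cleanup appending `$myorigin` to bare words in a From: header (a simplified assumption about how trivial-rewrite tokenises a header with no '@'), and `looks_rewritten` recognises that signature in a received header and recovers the bare text, so an admin can tell a local rewrite artifact from an actual spoof of the domain. `MYORIGIN = "covisp.net"` is taken from the thread; the sample header values are constructed.

```python
import re
from email.utils import getaddresses

# Assumption: $myorigin of the receiving Postfix (the domain seen in the thread).
MYORIGIN = "covisp.net"


def rewrite_like_cleanup(from_value, myorigin=MYORIGIN):
    """Simplified model of what Postfix cleanup/trivial-rewrite does to a
    From: header whose value is not an address (append_at_myorigin=yes):
    each bare word (no '@') is treated as a local user and gets
    '@' + myorigin appended; addresses that already carry a domain are
    left alone. Illustrative model, not Postfix's own tok822 code."""
    words = [w for w in re.split(r"[\s,]+", from_value.strip()) if w]
    return ", ".join(w if "@" in w else f"{w}@{myorigin}" for w in words)


def looks_rewritten(from_value, myorigin=MYORIGIN):
    """Detect the rewrite signature in a received From: header: two or
    more addresses, every one in myorigin, none with a display name.
    Returns the recovered bare text (local parts joined by spaces), or
    None when the header is an ordinary address list, which may still be
    a real spoof but is not a cleanup artifact."""
    addrs = [(name, addr) for name, addr in getaddresses([from_value]) if addr]
    if len(addrs) < 2:
        return None
    suffix = "@" + myorigin.lower()
    local_parts = []
    for name, addr in addrs:
        if name or not addr.lower().endswith(suffix):
            return None
        local_parts.append(addr.rsplit("@", 1)[0])
    return " ".join(local_parts)


if __name__ == "__main__":
    # Constructed sample: a spam From: header carrying only a subject-like phrase.
    bare = "Bosely Hair Restoration"
    seen = rewrite_like_cleanup(bare)
    print("as delivered:", seen)
    print("recovered   :", looks_rewritten(seen))
    print("single addr :", looks_rewritten("someone@covisp.net"))
```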
