Blocking inbound spam issue
Hi
Our Dedicated Server is exl.example.com and we are facing the same problem.
SPF checking is enabled on our server, but spam mails that do not originate from our server and spoof the From field with an address of a domain on our server (support@example.com) are still coming in. Both the From and To addresses are this.
I turned the SPF check off and back on, and Exim was restarted to make sure the SPF check is enabled.
Any idea why this could be happening and what I can do to reject such mails?
Here is the header of the mail:
From - Fri Mar 4 08:10:03 2016
X-Account-Key: account1
X-UIDL: UID68912-1300251171
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path:
Envelope-to: support@domain.com
Delivery-date: Fri, 04 Mar 2016 15:41:50 +0530
Received: from 122x214x46x194.ap122.ftth.example.com ([122.214.46.194]:60794 helo=example.com)
by exl.exlsystems.com with smtp (Exim 4.86_1)
(envelope-from )
id 1abmi2-0001fA-Gl
for support@domain.com; Fri, 04 Mar 2016 15:41:49 +0530
Message-ID: <000101d17630$71151892$c0a80001@example.com>
To:
Subject:
From:
Importance: High
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-73.5
X-Spam-Score: -734
X-Spam-Bar: ---------------------------------------------------
X-Ham-Report: Spam detection software, running on the system "exl.exlsystems.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Welcome to AnastasiaDate! support, You have new messages from
Alla, Olga, Olga and 15 other Ladies. [...]
Content analysis details: (-73.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
DnsBlocklists - Spamassassin Wiki
for more information.
[URIs: domaintoo.com]
4.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
[URIs: domaintoo.com]
0.1 URIBL_SBL_A Contains URL's A record listed in the SBL blocklist
[URIs: domaintoo.com]
1.6 URIBL_SBL Contains an URL's NS IP listed in the SBL blocklist
[URIs: domaintoo.com]
-100 USER_IN_WHITELIST From: address is in the user's white-list
1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
[URIs: domaintoo.com]
1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: domaintoo.com]
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40%
[score: 0.3257]
0.0 HTML_MESSAGE BODY: HTML included in message
0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
0.9 RAZOR2_CHECK Listed in Razor2 (Vipul's Razor: home)
1.8 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
0.3 DIGEST_MULTIPLE Message hits more than one network digest check
3.0 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found
2.1 RATWARE_MS_HASH Bulk email fingerprint (msgid ms hash) found
2.6 RDNS_DYNAMIC Delivered to internal network by host with
dynamic-looking rDNS
2.0 HTML_TITLE_SUBJ_DIFF No description available.
1.4 MISSING_DATE Missing Date: header
0.1 TO_IN_SUBJ To address is in Subject
X-Spam-Flag: NO
Hello :) Could you verify that you are referring to the "Reject SPF failures" option in "WHM >> Exim Configuration Manager >> Basic Editor"? Also, what's the entry for one of these messages in /var/log/exim_mainlog when it makes it through? EX: exigrep user@domain /var/log/exim_mainlog
Thank you.
Thanks for looking at this Michael.

1. Yes, WHM >> Exim Configuration Manager >> Basic Editor is exactly where I have turned SPF checking on.

2. We received another mail to our domain support@spectral-dt.com. I think the mails don't get rejected as spam because SpamAssassin gives it -100 for spoofing the from address to be from the same local domain.

Here is what I found about this in /var/log/exim_mainlog:

root@exl [~]# 2016-03-11 21:19:36 [23309] 1aePJj-00063x-BR H=cm-84.211.31.93.getinternet.no [84.211.31.93]:36406 I=[148.251.254.252]:25 Warning: Message has been scanned: no virus or other harmful content was found
-bash: 2016-03-11: command not found
root@exl [~]# 2016-03-11 21:19:36 [23309] 1aePJj-00063x-BR <= support@cm-84.211.31.93.getinternet.no H=cm-84.211.31.93.getinternet.no [84.211.31.93]:36406 I=[148.251.254.252]:25 P=smtp S=4964 M8S=0 id=000101d17bdf$cbb006f4$c0a80001@cm-84.211.31.93.getinternet.no T="support Your Electricity Bill 1202$" from for support@spectral-dt.com
-bash: =: No such file or directory

Here is the header of this mail that came in:

From - Fri Mar 11 10:50:26 2016
X-Account-Key: account1
X-UIDL: UID69308-1300251171
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <support@cm-84.211.31.93.getinternet.no>
Envelope-to: support@spectral-dt.com
Delivery-date: Fri, 11 Mar 2016 21:19:36 +0530
Received: from cm-84.211.31.93.getinternet.no ([84.211.31.93]:36406)
by exl.exlsystems.com with smtp (Exim 4.86_1)
(envelope-from <support@cm-84.211.31.93.getinternet.no>)
id 1aePJj-00063x-BR
for support@spectral-dt.com; Fri, 11 Mar 2016 21:19:36 +0530
Message-ID: <000101d17bdf$cbb006f4$c0a80001@cm-84.211.31.93.getinternet.no>
From: support@spectral-dt.com
To: "support" <support@spectral-dt.com>
Reply-To: support@spectral-dt.com
Subject: support Your Electricity Bill 1202$
Date: Thu, 11 Mar 2016 21:48:49 0000
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0001_01D17BDF.CBB008A2"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Spam-Status: No, score=-86.0
X-Spam-Score: -859
X-Spam-Bar: ---------------------------------------------------
X-Ham-Report: Spam detection software, running on the system "exl.exlsystems.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: [...]
Content analysis details: (-86.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-100 USER_IN_WHITELIST From: address is in the user's white-list
1.1 INVALID_DATE Invalid Date: header (not RFC 2822)
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
3.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4994]
1.8 PYZOR_CHECK Listed in Pyzor (
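The two headers quoted in this thread share one pattern: the envelope sender (Return-path, which is what an SPF check actually evaluates) belongs to a dynamic-looking remote host, while the header From: claims the local domain, and a -100 USER_IN_WHITELIST hit then swamps two dozen positive rules. The following script is an added example, not code from the thread or from cPanel or SpamAssassin. It parses an X-Ham-Report of the shape pasted above, recomputes the score with the whitelist rule left out, and flags header-From spoofing where From: is local but Return-path is not. The sample report and headers are constructed from a subset of the rule lines quoted above; the local domain `example.com` and the host `exl.example.com` are taken from the first post.

```python
"""Added example (not from this thread): detect spam that only passed because
USER_IN_WHITELIST fired on a spoofed local From: address."""
import re

# Constructed sample: a subset of the X-Ham-Report rule lines quoted in the
# thread, including the wrapped continuation lines SpamAssassin emits.
SAMPLE_REPORT = """\
Content analysis details: (-73.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
4.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
[URIs: domaintoo.com]
-100 USER_IN_WHITELIST From: address is in the user's white-list
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
3.0 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found
2.6 RDNS_DYNAMIC Delivered to internal network by host with
dynamic-looking rDNS
1.4 MISSING_DATE Missing Date: header
"""

# Constructed sample headers modelled on the second message in the thread,
# with the local domain replaced by example.com (assumed local domain).
SAMPLE_HEADERS = """\
Return-path: <support@cm-84.211.31.93.getinternet.no>
Envelope-to: support@example.com
Received: from cm-84.211.31.93.getinternet.no ([84.211.31.93]:36406)
\tby exl.example.com with smtp (Exim 4.86_1)
From: support@example.com
To: "support" <support@example.com>
Subject: support Your Electricity Bill
"""

# A rule line is "<score> <RULE_NAME> <description>"; wrapped description
# lines and "[URIs: ...]" / "[score: ...]" lines never start with a number.
RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
THRESH_RE = re.compile(r"\(\s*(-?[\d.]+) points,\s*([\d.]+) required\)")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_report(text):
    """Return (reported_total, required_threshold, [(rule, score), ...])."""
    m = THRESH_RE.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' line found")
    reported, required = float(m.group(1)), float(m.group(2))
    hits = []
    for line in text.splitlines():
        r = RULE_RE.match(line)
        if r:
            hits.append((r.group(2), float(r.group(1))))
    return reported, required, hits


def score_without(hits, excluded=("USER_IN_WHITELIST",)):
    """Total score with the named rules (by default the whitelist bonus) removed."""
    return sum(score for rule, score in hits if rule not in excluded)


def whitelist_masked_spam(report_text):
    """True when the message would have crossed the spam threshold had the
    whitelist rule not fired, i.e. the -100 is the only reason it was ham."""
    reported, required, hits = parse_report(report_text)
    return reported < required <= score_without(hits)


def parse_headers(text):
    """Minimal RFC 5322 header parser: first occurrence wins, folded
    continuation lines (leading space/tab) are joined onto their header."""
    headers, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current is not None:
                headers[current] += " " + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            current = None
            continue
        key = key.strip().lower()
        if key in headers:
            current = None  # keep only the topmost Received: etc.
        else:
            headers[key] = value.strip()
            current = key
    return headers


def domain_of(header_value):
    """Domain part of the first address in a header value, or None."""
    m = ADDR_RE.search(header_value or "")
    return m.group(0).rsplit("@", 1)[1].lower() if m else None


def header_from_spoofed(headers, local_domains):
    """True when From: claims one of our domains but the envelope sender
    (the only address SPF checks) does not belong to us. An empty
    Return-path (bounce) with a local From: is also flagged."""
    local = {d.lower() for d in local_domains}
    return domain_of(headers.get("from")) in local and \
        domain_of(headers.get("return-path")) not in local


if __name__ == "__main__":
    reported, required, hits = parse_report(SAMPLE_REPORT)
    print(f"reported {reported}, without whitelist {score_without(hits):.1f}, "
          f"threshold {required}")
    print("whitelist masked spam:", whitelist_masked_spam(SAMPLE_REPORT))
    print("header From spoofed:",
          header_from_spoofed(parse_headers(SAMPLE_HEADERS), ["example.com"]))
```

Run over the thread's own numbers the first check reports that the message scores well above 5.0 once the -100 is removed, and the second check reports a spoofed From:, which is the combination a mail administrator would want to alert on or use as grounds to remove the blanket `whitelist_from` for the local domain. The From/Return-path mismatch is a heuristic: legitimately forwarded mail and some mailing lists also produce it, so treat it as a reason to inspect rather than an automatic reject.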
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.