[Mimedefang] How can I block spam mail addressed FROM me TO me if not HELO match of my SMTP server?

Andre Doles andre at doles.com
Tue Feb 23 18:03:56 EST 2010


Hi all.  Newbie to your list.  I've searched and searched your archives to 
no avail.

I'm having a large amount of spam mail hitting all my mail accounts, with 
forged addresses FROM myaccount TO myaccount, but coming from an SMTP 
server that isn't mine.

Is there a rule that will allow me to block any incoming mail FROM a list 
of legit email addresses, but where the HELO does not match the 
address/name of my SMTP server?

Below is an example where I get a HELO from 77.211.243.157, which is NOT 
my SMTP server or any other server in my subnet.  The spammers are saying 
MAIL FROM: <paypal at mymailserver.com> which is an actual local mail account 
we send/receive for, but the HELO from has no authority to send mail on 
behalf of that user and they are sending RCPT 
TO:<paypal at mymailserver.com>.  I've also found numerous other examples 
where they send MAIL FROM: <realuser1> with receipt to RCPT TO: 
<realuser2>.  Tons and tons of these.

What am I missing or doing wrong?

Much appreciation in advance for a rule filter that would block these.

Andre
--------------------------------------------------------------
Example session:

Feb 23 00:50:12 mydns1 sendmail[8854]: o1N8oCiO008854: --- 220 
mydns1.mymailserver.com ESMTP Sendmail; Tue, 23 Feb 2010 00:50:12 -0800
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- EHLO 
[77.211.243.157]
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 
250-mydns1.mymailserver.com Hello [77.211.243.157], pleased to meet you
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 
250-ENHANCEDSTATUSCODES
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-PIPELINING
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-8BITMIME
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-SIZE
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-DSN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-ETRN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-AUTH LOGIN 
PLAIN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-DELIVERBY
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 HELP
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- MAIL 
FROM:<paypal at mymailserver.com> SIZE=1722
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.1.0 
<paypal at mymailserver.com>... Sender ok
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- RCPT 
TO:<paypal at mymailserver.com>
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.1.5 
<paypal at mymailserver.com>... Recipient ok
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: <-- DATA
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: --- 354 Enter mail, 
end with "." on a line by itself
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: 
from=<paypal at mymailserver.com>, size=1664, class=0, nrcpts=1, 
msgid=<201002230850.o1N8oCiO008854 at mydns1.mymailserver.com>, proto=ESMTP, 
daemon=MTA, relay=[77.211.243.157]
Feb 23 00:50:14 mydns1 mimedefang.pl[32469]: 
MDLOG,o1N8oCiO008854,mail_in,,,<paypal at mymailserver.com>,<paypal at mymailserver.com>,Exclusively 
for paypal%2C -80%25
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.0.0 
o1N8oCiO008854 Message accepted for delivery
Feb 23 00:50:14 mydns1 sendmail[8857]: o1N8oCiO008854: alias 
<paypal at mymailserver.com> => andre
Feb 23 00:50:21 mydns1 spamd[3106]: spamd: processing message 
<201002230850.o1N8oCiO008854 at mydns1.mymailserver.com> for andre:500
Feb 23 00:50:25 mydns1 spamd[3106]: spamd: result: . -78 - 
AWL,BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_IMAGE_ONLY_16,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URI_HEX,USER_IN_WHITELIST 
scantime=3.8,size=2659,user=andre,uid=500,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=44412,mid=<201002230850.o1N8oCiO008854 at mydns1.mymailserver.com>,bayes=0.999959,autolearn=no
Feb 23 00:50:25 mydns1 sendmail[8857]: o1N8oCiO008854: to=andre, 
delay=00:00:12, xdelay=00:00:11, mailer=local, pri=31992, dsn=2.0.0, 
stat=Sent
Feb 23 00:50:25 mydns1 sendmail[8857]: o1N8oCiO008854: done; 
delay=00:00:12, ntries=1

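One way to do what the post asks, as an added example (not code from the post and not MIMEDefang's own code): a filter_sender hook for mimedefang-filter that rejects a MAIL FROM in the local domain unless the connection comes from a trusted host or an authenticated user. It keys on the connecting IP rather than the HELO string, because the client picks its own HELO. Assumed: the domain mymailserver.com from the log, a constructed trusted-host list, and MIMEDefang started with -s so that filter_sender is invoked.

```perl
# Added example for mimedefang-filter; not the poster's config or MIMEDefang's code.
use strict;
use warnings;

# %SendmailMacros is provided by mimedefang.pl; declare it so strict is happy here.
our %SendmailMacros;

# Domains whose addresses only our own hosts or authenticated users may put
# in MAIL FROM (mymailserver.com is taken from the log in the post).
my %protected_domain = map { $_ => 1 } qw(mymailserver.com);

# Hosts allowed to use those domains without SMTP AUTH.
# Constructed example values: localhost plus a hypothetical internal relay.
my %trusted_relay = map { $_ => 1 } qw(127.0.0.1 192.0.2.10);

# Returns 1 if $sender, as MIMEDefang passes it (e.g. "<user@example.com>"),
# claims one of the protected domains; 0 otherwise.
sub sender_claims_local_domain {
    my ($sender) = @_;
    my ($addr) = $sender =~ /^<?(.*?)>?$/;
    return 0 if !defined $addr || $addr eq '';   # null sender <> (bounces) is not ours
    my ($domain) = $addr =~ /\@([^@]+)$/;
    return 0 unless defined $domain;
    return exists $protected_domain{lc $domain} ? 1 : 0;
}

# Called once per MAIL FROM when mimedefang runs with -s.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;

    return ('CONTINUE', 'ok') unless sender_claims_local_domain($sender);
    return ('CONTINUE', 'ok') if $trusted_relay{$ip};

    # Authenticated submissions carry sendmail's {auth_authen} macro;
    # read_commands_file() loads the macros exported for this SMTP phase.
    read_commands_file();
    my $auth_user = $SendmailMacros{auth_authen};
    return ('CONTINUE', 'ok') if defined $auth_user && $auth_user ne '';

    md_syslog('info', "Rejecting forged local sender $sender from $ip (HELO $helo)");
    return ('REJECT', "Sender $sender is not permitted from $ip");
}
```

The log in the post also shows why the message still reached the mailbox: SpamAssassin's USER_IN_WHITELIST fired on the forged local sender and pulled the score down to -78, which is the same gap this hook closes before DATA.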