[Mimedefang] How can I block spam mail addressed FROM me TO me if the HELO does not match my SMTP server?
Andre Doles
andre at doles.com
Tue Feb 23 18:03:56 EST 2010
Hi all. Newbie to your list. I've searched and searched your archives to
no avail.
I'm having a large amount of spam mail hitting all my mail accounts, with
forged addresses FROM myaccount TO myaccount, but coming from an SMTP
server that isn't mine.
Is there a rule that will allow me to block any incoming mail FROM a list
of legit email addresses, but where the HELO does not match the
address/name of my SMTP server?
Below is an example where I get a HELO from 77.211.243.157, which is NOT
my SMTP server or any other server in my subnet. The spammers are saying
MAIL FROM: <paypal at mymailserver.com>, which is an actual local mail account
we send/receive for, but the HELO host has no authority to send mail on
behalf of that user, and they are sending RCPT
TO:<paypal at mymailserver.com>. I've also found numerous other examples
where they send MAIL FROM: <realuser1> with RCPT TO:
<realuser2>. Tons and tons of these.
What am I missing or doing wrong?
Much appreciation in advance for a rule filter that would block these.
Andre
--------------------------------------------------------------
Example session:
Feb 23 00:50:12 mydns1 sendmail[8854]: o1N8oCiO008854: --- 220
mydns1.mymailserver.com ESMTP Sendmail; Tue, 23 Feb 2010 00:50:12 -0800
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- EHLO
[77.211.243.157]
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: ---
250-mydns1.mymailserver.com Hello [77.211.243.157], pleased to meet you
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: ---
250-ENHANCEDSTATUSCODES
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-PIPELINING
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-8BITMIME
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-SIZE
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-DSN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-ETRN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-AUTH LOGIN
PLAIN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-DELIVERBY
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 HELP
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- MAIL
FROM:<paypal at mymailserver.com> SIZE=1722
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.1.0
<paypal at mymailserver.com>... Sender ok
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- RCPT
TO:<paypal at mymailserver.com>
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.1.5
<paypal at mymailserver.com>... Recipient ok
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: <-- DATA
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: --- 354 Enter mail,
end with "." on a line by itself
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854:
from=<paypal at mymailserver.com>, size=1664, class=0, nrcpts=1,
msgid=<201002230850.o1N8oCiO008854 at mydns1.mymailserver.com>, proto=ESMTP,
daemon=MTA, relay=[77.211.243.157]
Feb 23 00:50:14 mydns1 mimedefang.pl[32469]:
MDLOG,o1N8oCiO008854,mail_in,,,<paypal at mymailserver.com>,<paypal at mymailserver.com>,Exclusively
for paypal%2C -80%25
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.0.0
o1N8oCiO008854 Message accepted for delivery
Feb 23 00:50:14 mydns1 sendmail[8857]: o1N8oCiO008854: alias
<paypal at mymailserver.com> => andre
Feb 23 00:50:21 mydns1 spamd[3106]: spamd: processing message
<201002230850.o1N8oCiO008854 at mydns1.mymailserver.com> for andre:500
Feb 23 00:50:25 mydns1 spamd[3106]: spamd: result: . -78 -
AWL,BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_IMAGE_ONLY_16,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URI_HEX,USER_IN_WHITELIST
scantime=3.8,size=2659,user=andre,uid=500,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=44412,mid=<201002230850.o1N8oCiO008854 at mydns1.mymailserver.com>,bayes=0.999959,autolearn=no
Feb 23 00:50:25 mydns1 sendmail[8857]: o1N8oCiO008854: to=andre,
delay=00:00:12, xdelay=00:00:11, mailer=local, pri=31992, dsn=2.0.0,
stat=Sent
Feb 23 00:50:25 mydns1 sendmail[8857]: o1N8oCiO008854: done;
delay=00:00:12, ntries=1
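The check the post asks for, written as an added example that is not part of the original message or of MIMEDefang's distributed filter: a filter_sender hook for mimedefang-filter that rejects, at MAIL FROM time, any envelope sender in one of the site's own domains unless the connecting client is a listed local host or the session used SMTP AUTH. The domain list, the trusted address list (127.0.0.1 and the 192.0.2.0/24 documentation range stand in for the real subnet) and the reliance on sendmail exporting the {auth_authen} macro to the milter are assumptions; mimedefang must be started with -s for filter_sender to be called at all. Note that in the session above spamd scored the message at -78 largely because USER_IN_WHITELIST fired on the forged local address, so content scoring cannot be relied on here and the rejection has to happen at the envelope stage.

```perl
# Fragment for /etc/mail/mimedefang-filter (added example, not MIMEDefang's own code).
# Rejects MAIL FROM addresses in our own domains when the client is neither one of
# our hosts nor an authenticated submission. Requires "mimedefang -s".
use strict;
use warnings;

# %SendmailMacros is populated by mimedefang.pl before filter_sender runs;
# declaring it with "our" keeps "use strict" happy inside this file.
our %SendmailMacros;

# Domains this server accepts mail for (assumption: replace with your own).
my @local_domains = qw(mymailserver.com);

# Clients allowed to present those domains without SMTP AUTH (assumption:
# loopback plus a /24 written as a dotted prefix; 192.0.2.0/24 is a documentation range).
my @trusted_ips      = qw(127.0.0.1);
my @trusted_prefixes = ('192.0.2.');

# True when $ip is one of our own machines.
sub is_trusted_client {
    my ($ip) = @_;
    return 1 if grep { $_ eq $ip } @trusted_ips;
    return 1 if grep { index($ip, $_) == 0 } @trusted_prefixes;
    return 0;
}

# True when the envelope sender's domain is one we are authoritative for.
# filter_sender receives the address as given in MAIL FROM, e.g. "<user@example.com>".
sub is_local_domain {
    my ($sender) = @_;
    my ($addr) = $sender =~ /^<?([^<>]*)>?$/;
    return 0 unless defined $addr && $addr =~ /\@([^@]+)$/;
    my $dom = lc $1;
    return (grep { $dom eq lc $_ } @local_domains) ? 1 : 0;
}

# True when the client authenticated with SMTP AUTH. Sendmail's default
# confMILTER_MACROS_ENVFROM includes {auth_authen}; if yours was changed,
# add it back or this exemption silently never applies (assumption).
sub is_authenticated {
    return (defined $SendmailMacros{'auth_authen'}
            && $SendmailMacros{'auth_authen'} ne '') ? 1 : 0;
}

sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;

    # Roaming users submitting through AUTH LOGIN/PLAIN are allowed through.
    return ('CONTINUE', 'ok') if is_authenticated();

    # Only our own domains are policed here; everything else goes to normal scanning.
    return ('CONTINUE', 'ok') unless is_local_domain($sender);

    # Our own relays and subnet may legitimately originate local senders.
    return ('CONTINUE', 'ok') if is_trusted_client($ip);

    # Anything else claiming to be us is forged: refuse before DATA, so the
    # message never reaches aliases, spamd or the user's whitelist.
    md_syslog('warning',
              "Rejecting forged local sender $sender from $ip (HELO $helo)");
    return ('REJECT', "Sender $sender is not permitted from $ip");
}
```

Applied to the session above, the client [77.211.243.157] presents MAIL FROM:<paypal at mymailserver.com> without AUTH and is not in the trusted list, so the MAIL command gets a 5xx reply and the transaction never reaches DATA. Two caveats a practitioner should weigh before enabling it: mail in your own domain that legitimately arrives from outside (external forwarders, mailing lists that do not rewrite the envelope sender, a colleague's phone on a hotel network that has not authenticated) is rejected too, so watch the syslog line for false positives; and this rule is the local-policy equivalent of publishing an SPF record ending in -all for the same domain, which lets other sites refuse the same forgeries aimed at them.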