Hello,
It seems some spammers have found a new way to deliver potential spam to your infrastructure. They use bulk mail services or the integrated mail function of a CRM solution. I was wondering why we got a mail from a sender which was already on our blacklist, so I checked the header and found out that the original mail domain was only a part of the new, longer and more complicated sender address. I have now changed the rule from "domain" to "regex" and hope they will be blocked in the future.
We got another mail from "name@senderdomain.com", but you can't find this domain in the logs of the tracking center, so it may be a problem to block this mail. This is unwanted too, but I have no idea how to block this sender correctly if their address is not present in the logs.
For data protection reasons I replaced some information:
name@domain.de = my domain
127.1.1.1 = the IP of my PMG
name@senderdomain.com = the sender domain
This is the log from the tracking center:
Code:
Jun 9 09:22:34 spam01 postfix/smtpd[674]: connect from sendera185.zohocrm.com[135.84.80.185]
Jun 9 09:22:35 spam01 postfix/smtpd[674]: Anonymous TLS connection established from sendera185.zohocrm.com[135.84.80.185]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 9 09:22:36 spam01 postfix/smtpd[674]: NOQUEUE: client=sendera185.zohocrm.com[135.84.80.185]
Jun 9 09:22:36 spam01 pmg-smtp-filter[16492]: 1419995EDF38BC9BA57: new mail message-id=<2d6f.327230a.m1.f83a1460-aa21-11ea-9322-525400092922.17297f578a6@mailer1.zohocrm.com>#012
Jun 9 09:22:37 spam01 pmg-smtp-filter[16492]: 1419995EDF38BC9BA57: SA score=0/5 time=0.937 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Jun 9 09:22:37 spam01 postfix/smtpd[2609]: connect from localhost.localdomain[127.0.0.1]
Jun 9 09:22:37 spam01 postfix/smtpd[2609]: 9C8C2141A1A: client=localhost.localdomain[127.0.0.1], orig_client=sendera185.zohocrm.com[135.84.80.185]
Jun 9 09:22:37 spam01 postfix/cleanup[2604]: 9C8C2141A1A: message-id=<2d6f.327230a.m1.f83a1460-aa21-11ea-9322-525400092922.17297f578a6@mailer1.zohocrm.com>
Jun 9 09:22:37 spam01 postfix/qmgr[3142]: 9C8C2141A1A: from=<noreply1+f83a1460-aa21-11ea-9322-525400092922_VBCRM@mailer1.zohocrm.com>, size=9159, nrcpt=1 (queue active)
Jun 9 09:22:37 spam01 pmg-smtp-filter[16492]: 1419995EDF38BC9BA57: accept mail to <name@domain.de> (9C8C2141A1A) (rule: default-accept)
Jun 9 09:22:37 spam01 postfix/smtpd[2609]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 9 09:22:37 spam01 pmg-smtp-filter[16492]: 1419995EDF38BC9BA57: processing time: 1.017 seconds (0.937, 0.03, 0)
Jun 9 09:22:37 spam01 postfix/smtpd[674]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (1419995EDF38BC9BA57); from=<noreply1+f83a1460-aa21-11ea-9322-525400092922_VBCRM@mailer1.zohocrm.com> to=<name@domain.de> proto=ESMTP helo=<sendera185.zohocrm.com>
Jun 9 09:22:37 spam01 postfix/smtp[2605]: 9C8C2141A1A: to=<name@domain.de>, relay=127.1.1.1[127.1.1.1]:25, delay=0.14, delays=0.01/0/0.05/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABEEC22BE5)
Jun 9 09:22:37 spam01 postfix/qmgr[3142]: 9C8C2141A1A: removed
Jun 9 09:22:37 spam01 postfix/smtpd[674]: disconnect from sendera185.zohocrm.com[135.84.80.185] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Header from mail:
Code:
Return-Path: <noreply1+f83a1460-aa21-11ea-9322-525400092922_VBCRM@mailer1.zohocrm.com>
X-Original-To: name@domain.de
Delivered-To: name@domain.de
Received: from spam01.domain.de (spam01.domain.de [127.1.1.1])
by domain.de (Postfix) with ESMTPS id ABEEC22BE5
for <name@domain.de>; Tue, 9 Jun 2020 09:22:37 +0200 (CEST)
Received: from spam01.domain.de (localhost.localdomain [127.0.0.1])
by spam01.domain.de (Proxmox) with ESMTP id 9C8C2141A1A
for <name@domain.de>; Tue, 9 Jun 2020 09:22:37 +0200 (CEST)
Received-SPF: pass (mailer1.zohocrm.com: Sender is authorized to use 'noreply1@mailer1.zohocrm.com' in 'mfrom' identity (mechanism 'include:transmail.net' matched)) receiver=spam01.domain.de; identity=mailfrom; envelope-from="noreply1@mailer1.zohocrm.com"; helo=sendera185.zohocrm.com; client-ip=135.84.80.185
Received: from sendera185.zohocrm.com (sendera185.zohocrm.com [135.84.80.185])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by spam01.domain.de (Proxmox) with ESMTPS
for <name@domain.de>; Tue, 9 Jun 2020 09:22:35 +0200 (CEST)
Received: from [172.28.242.32] (172.28.242.32) by sendera185.zohocrm.com id hrssbo2546cg for <name@domain.de>; Tue, 9 Jun 2020 00:22:26 -0700 (envelope-from <noreply1+f83a1460-aa21-11ea-9322-525400092922_VBCRM@mailer1.zohocrm.com>)
DKIM-Signature: a=rsa-sha256; b=ghf4HmCeXOdZbt/2dLqJxYSqRY2EuKDkYELKzPg+nt6ze8sY+ZYuK/yrMClD1+fHfj0X++hAFYlUwAmVuXjSbSkIe4XLcl/91O3WLsZhL6fGTZfzF8CqokfOQ6hHJ9Qg4kbskWSOdeM6TLHqIMpPgRt09xmec9dqQNg2jr9hvb8=; c=relaxed/relaxed; s=2511317; d=mailer1.zohocrm.com; v=1; bh=I37tV4fogS/Kl26LBFImJze9SRANnMGcA3ZtoX0ZOQU=; h=date:from:reply-to:to:message-id:subject:mime-version:content-type;
Date: Tue, 9 Jun 2020 00:22:26 -0700 (PDT)
From: Firstname Lastname <name@senderdomain.com>
To: name@domain.de
Message-ID: <2d6f.327230a.m1.f83a1460-aa21-11ea-9322-525400092922.17297f578a6@mailer1.zohocrm.com>
Subject: Developers
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_2949913_1291506912.1591687346542"
Original-Envelope-Id: 2d6f.327230a.m1.f83a1460-aa21-11ea-9322-525400092922.17297f578a6
X-Report-Abuse: <mailto:abuse+2d6f.327230a.m1.f83a1460-aa21-11ea-9322-525400092922.17297f578a6@transmail.com>
TM-MAIL-JID: 2d6f.327230a.m1.f83a1460-aa21-11ea-9322-525400092922.17297f578a6
X-JID: 2d6f.327230a.m1.f83a1460-aa21-11ea-9322-525400092922.17297f578a6
X-App-Message-ID: 2d6f.327230a.m1.f83a1460-aa21-11ea-9322-525400092922.17297f578a6
X-SPAM-LEVEL: Spam detection results: 0
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different
HTML_MESSAGE 0.001 HTML included in message
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust
RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2)
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Let me know if you need more information to check this behaviour.
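As an added example (not part of the original post and not PMG's own matching code), the script below pulls the envelope sender out of the postfix/qmgr log line and the address out of the From: header, then shows why an exact "domain" match misses both cases described above while an anchored regex catches the subdomain case and a header check catches the second one. The matcher is a simplified stand-in for a blacklist rule, and the log line and headers are constructed copies shaped like those in the post.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed samples shaped like the tracking-center log and the mail header in the post.
QMGR_LINE = ("Jun 9 09:22:37 spam01 postfix/qmgr[3142]: 9C8C2141A1A: "
             "from=<noreply1+f83a1460-aa21-11ea-9322-525400092922_VBCRM@mailer1.zohocrm.com>, "
             "size=9159, nrcpt=1 (queue active)")
RAW_HEADERS = ("Return-Path: <noreply1+f83a1460-aa21-11ea-9322-525400092922_VBCRM@mailer1.zohocrm.com>\n"
               "From: Firstname Lastname <name@senderdomain.com>\n"
               "To: name@domain.de\n"
               "Subject: Developers\n")

def envelope_from(line: str) -> str:
    """Envelope sender (SMTP MAIL FROM) as logged by postfix/qmgr, lower-cased."""
    m = re.search(r"from=<([^>]*)>", line)
    return m.group(1).lower() if m else ""

def header_from(raw: str) -> str:
    """Address part of the RFC 5322 From: header (what the user sees), lower-cased."""
    msg = HeaderParser().parsestr(raw)
    return parseaddr(msg.get("From", ""))[1].lower()

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def domain_rule(blocked: str, addr: str) -> bool:
    """Exact-domain match: simplified model of a 'domain' blacklist object."""
    return domain_of(addr) == blocked.lower()

def regex_rule(pattern: str, addr: str) -> bool:
    """Regex match over the whole address; the caller supplies the anchoring."""
    return re.search(pattern, addr, re.IGNORECASE) is not None

def sender_domains_differ(env: str, hdr: str) -> bool:
    """Same idea as the HEADER_FROM_DIFFERENT_DOMAINS hit: compare 2nd-level domains."""
    def second_level(d: str) -> str:
        return ".".join(d.split(".")[-2:])
    return second_level(domain_of(env)) != second_level(domain_of(hdr))

def evaluate(blocked: str, env: str, hdr: str) -> dict:
    # Anchored so that sub.blocked.tld matches but notblocked.tld does not.
    pattern = r"(^|[.@])" + re.escape(blocked) + r"$"
    return {
        "domain_rule_env": domain_rule(blocked, env),
        "regex_rule_env": regex_rule(pattern, env),
        "domain_rule_hdr": domain_rule(blocked, hdr),
        "regex_rule_hdr": regex_rule(pattern, hdr),
        "domains_differ": sender_domains_differ(env, hdr),
    }
```

Running evaluate("zohocrm.com", ...) reproduces the first case (blacklisted domain is only a suffix of the envelope address, so only the regex hits), and evaluate("senderdomain.com", ...) the second (the domain appears only in the From: header, never in the envelope the log records).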