Mail Gateway 7.3-3 + Exchange 2013.
I have been receiving SPAM messages with empty To: field, such as:

Message body:
Code:
Received: from MAIL04.mydomain.com (172.30.21.112) by MAIL04.mydomain.com
(172.30.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Mailbox
Transport; Tue, 2 Apr 2024 12:21:17 +0300
Received: from MAIL04.mydomain.com (172.30.21.112) by MAIL04.mydomain.com
(172.30.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 2 Apr
2024 12:21:17 +0300
Received: from smtp40.wwwdomain.com (172.30.21.120) by MAIL04.mydomain.com
(172.30.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
Transport; Tue, 2 Apr 2024 12:21:17 +0300
Received: from EDGE02.mydomain.com (localhost.localdomain [127.0.0.1])
by EDGE02.mydomain.com (Proxmox) with UTF8SMTP id 12618161A8E
for <itdept@wwwdomain.com>; Tue, 2 Apr 2024 12:21:17 +0300 (MSK)
Received-SPF: Fail (MAIL04.mydomain.com: domain of gibson3514@qq.com does not
designate 172.30.21.120 as permitted sender) receiver=MAIL04.mydomain.com;
client-ip=172.30.21.120; helo=smtp40.wwwdomain.com;
Received-SPF: pass (qq.com: Sender is authorized to use 'gibson3514@qq.com' in 'mfrom' identity (mechanism 'include:spf.mail.qq.com' matched)) receiver=EDGE02.mydomain.com; identity=mailfrom; envelope-from="gibson3514@qq.com"; helo=out203-205-251-85.mail.qq.com; client-ip=203.205.251.85
Received: from out203-205-251-85.mail.qq.com (out203-205-251-85.mail.qq.com [203.205.251.85])
by EDGE02.mydomain.com (Proxmox) with UTF8SMTPS id 2D2E9161A93
for <itdept@wwwdomain.com>; Tue, 2 Apr 2024 12:20:54 +0300 (MSK)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512;
t=1712049649; bh=Pkm5ZJVtONu6jA/jEMFOhzaZi9PKmnAgdEM1kyD2Jk8=;
h=From:To:Subject:Date;
b=UnG0Qn7DL7+n8Wjz4TV7rPH2t3h+Y9z5kjTIzMgNm90SUWAZPquf2WpQkPrfkd2av
RlEqf4aVpwCRezStuLgBRNKDv6sbM80LLW+Hpie43N68siryRSvWfzBkNqWAhhP6C9
Mm3taw7jz/DFccF7e9yFN4EYXaVZhvOQapCCoYbM=
X-QQ-Fake-P2P: true
X-QQ-FEAT: 3C1WcPM5lQ65subpFZFyl0J1wRQOLCFI
X-QQ-SSF: 0000000000000010000000000000
X-QQ-SPAM: true
X-QQ-XMRINFO: M/715EihBoGSf6IYSX1iLFg=
X-QQ-XMAILINFO: NiHxocYScKI3bOwjXSiy0OTTzOrsOhFBMGu3Yx19LzCoyjBu1ZC3NkOZTk5JH1
oHS98/xzTgN7ACPmTrXFSQ/htWjMOXcMjlzlbLF+t0y6Qys+NXyU0mRFQu/fiWo6LcUf8sCu8894p
AEfCOyC8MgAQxsS3cztSC3USN0NT1a4sqztwpuWITimqFoi+VaLyHy9t56s5CMlnGHc12bhYYZAnl
fEhE9s9n656hyNKEtxkBi1vdwn8oHqrpopaOS6Q2TyZC6O5EX8R99V5p5k7kAiYF4WrItx1X1Y9K2
9LM/pqhQiQigAvvRkr146xaVLMfW1PrvEJ2XIiOJYvqlQlwbB/qyBcx4h31Ew3fiq6Jz3XP/86syD
pp91H003i1WzJkXHHkVu6D7Cqp8JgMASBO5vt/bs/3nrPcawhJ7thYQKfQoVJMgwwCEAsbIa0cCA0
fhDiCgCaw1Pwbli/GEaw/aqhbIbCnuP4i6l0PFo/YfATaz8pRZviUC+05eCrPURFa+MuTGgV1brxn
esLFfYFBWjCQPAWfLrHVVH3mGGj+I+6paImzo92dADimjeGk2WhlAeB1GJnOv1JsRuxSjNPfY8NsY
FuRQChq4CV3fRysnLx2ukZWhxn4g5vhqVJhaHbKlPftdHDgwtiI+wxw3lcomsISWz/mMqP0XDjA53
qh3sulXIH0ycr98nUxY8gRgpk7QzFrSp7emwCsXJ4Rxzf2rh4YCFUhYA3ut8HOlGn6yoBO5sgBRiA
T9z2pqLSjiMHSwcQ8kmPihZVBdYMYVxpLO396MysA2DKWt0Y8IhSLJ7uXRxVqr4r5sRIfZ6+pWLVl
j+TgR7FlE9eAAKM+KdO4p17VqOHdozL61UQENkzVYU75gIRkcaMrXm3u7oHI1Rt5OzINKiivlaxzc
nUcKGLJ80sHRX/JAhaMrKJeGulaTa9nhshIm3AQjrxD0/mEB8hyIuHkk2phHooCVVc3yQDqBVV/KN
p4c7YypqvPRGNNMY3fE7Vcp1zEFrgwGkXAIW9QVHVLhb2HzU9P99s2PCQPuq81J/xRMGbFr3UQLTE
r2tPXqY+88HEjnBU+ib/atHhVzMgG4DiEmwy2exwnknvyqt1r1ICi4uCvAhkZ9E463nTSLxuiW2jy
SbltAVzlUd1zs6543hoS7kexWo9KK/FWMUlPN/qxOlLYeVoigBWPXscubMtGtSyDCa4=
X-HAS-ATTACH: no
X-QQ-BUSINESS-ORIGIN: 2
X-Originating-IP: 121.34.56.191
X-QQ-STYLE:
X-QQ-mid: webmail748t1712049648t9376424
From: "=?gb18030?B?R2lic29u?=" <gibson3514@qq.com>
To:
Subject: Sea freight from China
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_660BCDF0_17CAA110_3A1DDB86"
Content-Transfer-Encoding: 8Bit
Date: Tue, 2 Apr 2024 17:20:47 +0800
X-Priority: 3
Message-ID: <tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com>
X-QQ-MIME: TCMime 1.0 by Tencent
X-Mailer: QQMail 2.x
X-QQ-Mailer: QQMail 2.x
X-SPAM-LEVEL: Spam detection results: 1
AWL 0.000 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
FREEMAIL_ENVFROM_END_DIGIT 0.25 Envelope-from freemail username ends in digit
FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider
FROM_EXCESS_BASE64 0.001 From: base64 encoded unnecessarily
HELO_DYNAMIC_IPADDR 1.951 Relay HELO'd using suspicious hostname (IP addr 1)
HTML_MESSAGE 0.001 HTML included in message
NO_FM_NAME_IP_HOSTN 0.001 No From name + hostname using IP address
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust
RDNS_DYNAMIC 0.982 Delivered to internal network by host with dynamic-looking rDNS
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
URI_HEX 0.1 URI hostname has long hexadecimal sequence
Return-Path: gibson3514@qq.com
X-MS-Exchange-Organization-PRD: qq.com
X-MS-Exchange-Organization-SenderIdResult: Fail
X-MS-Exchange-Organization-Network-Message-Id: 08406336-f6e7-4a8c-58aa-08dc52f6404b
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL04.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
And the mail was delivered to many people in my company:
With such a log in Tracking Center:
Code:
Apr 2 12:20:50 EDGE02 postfix/smtpd[1092710]: connect from out203-205-251-88.mail.qq.com[203.205.251.88]
Apr 2 12:20:53 EDGE02 postfix/smtpd[1092710]: 93B9F161A8D: client=out203-205-251-88.mail.qq.com[203.205.251.88]
Apr 2 12:20:54 EDGE02 postfix/cleanup[1092302]: 93B9F161A8D: message-id=<tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com>
Apr 2 12:20:56 EDGE02 postfix/qmgr[862]: 93B9F161A8D: from=<gibson3514@qq.com>, size=194231, nrcpt=1 (queue active)
Apr 2 12:20:56 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: new mail message-id=<tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com>#012
Apr 2 12:20:57 EDGE02 postfix/smtpd[1092710]: disconnect from out203-205-251-88.mail.qq.com[203.205.251.88] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 2 12:21:05 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: SA score=1/5 time=8.601 bayes=0.00 autolearn=no autolearn_force=no hits=AWL(0.001),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_ENVFROM_END_DIGIT(0.25),FREEMAIL_FROM(0.001),FROM_EXCESS_BASE64(0.001),HELO_DYNAMIC_IPADDR(1.951),HTML_MESSAGE(0.001),NO_FM_NAME_IP_HOSTN(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RDNS_DYNAMIC(0.982),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),URI_HEX(0.1)
Apr 2 12:21:05 EDGE02 postfix/smtpd[1092752]: connect from localhost.localdomain[127.0.0.1]
Apr 2 12:21:05 EDGE02 postfix/smtpd[1092752]: 8A210161A9F: client=localhost.localdomain[127.0.0.1], orig_client=out203-205-251-88.mail.qq.com[203.205.251.88]
Apr 2 12:21:05 EDGE02 postfix/cleanup[1092303]: 8A210161A9F: message-id=<tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com>
Apr 2 12:21:05 EDGE02 postfix/qmgr[862]: 8A210161A9F: from=<gibson3514@qq.com>, size=195832, nrcpt=1 (queue active)
Apr 2 12:21:05 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: accept mail to <my@wwwdomain.com> (8A210161A9F) (rule: default-accept)
Apr 2 12:21:05 EDGE02 postfix/smtpd[1092752]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Apr 2 12:21:05 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: processing time: 8.898 seconds (8.601, 0.129, 0)
Apr 2 12:21:05 EDGE02 postfix/lmtp[1092100]: 93B9F161A8D: to=<my@wwwdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=13, delays=3.7/0/0.05/8.9, dsn=2.5.0, status=sent (250 2.5.0 OK (161A97660BCDF8B2776))
Apr 2 12:21:05 EDGE02 postfix/qmgr[862]: 93B9F161A8D: removed
Apr 2 12:21:06 EDGE02 postfix/smtp[1092754]: 8A210161A9F: to=<my@wwwdomain.com>, relay=MAIL04.domain.com[172.30.21.112]:25, delay=0.71, delays=0.07/0.1/0.07/0.47, dsn=2.6.0, status=sent (250 2.6.0 <tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com> [InternalId=63797444215031, Hostname=MAIL04.domain.com] Queued mail for delivery)
Apr 2 12:21:06 EDGE02 postfix/qmgr[862]: 8A210161A9F: removed
The question is how can I harden SPAM protection to filter such mail in the future?
Thanks.
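As an added example (not part of the original post), the following Python parses the pmg-smtp-filter scoring line and the quoted headers, flags the empty To: header and the sender's own X-QQ-SPAM: true mark, and shows what hypothetical local rule scores (LOCAL_EMPTY_TO and LOCAL_QQ_SPAM_FLAG, values assumed) would do to the 1/5 score. The samples are constructed from the headers and log in the post.

```python
import re
from email import message_from_string

# Constructed sample: a subset of the headers quoted above, including the
# empty To: header that slipped through.
SAMPLE_HEADERS = (
    'From: "=?gb18030?B?R2lic29u?=" <gibson3514@qq.com>\n'
    "To:\n"
    "Subject: Sea freight from China\n"
    "X-QQ-SPAM: true\n"
    "\n"
)

# Constructed sample: the pmg-smtp-filter scoring line from the tracking log.
SAMPLE_LOG = (
    "Apr 2 12:21:05 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: "
    "SA score=1/5 time=8.601 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=AWL(0.001),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),"
    "DKIM_VALID_EF(-0.1),FREEMAIL_ENVFROM_END_DIGIT(0.25),FREEMAIL_FROM(0.001),"
    "FROM_EXCESS_BASE64(0.001),HELO_DYNAMIC_IPADDR(1.951),HTML_MESSAGE(0.001),"
    "NO_FM_NAME_IP_HOSTN(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RDNS_DYNAMIC(0.982),"
    "SPF_HELO_NONE(0.001),SPF_PASS(-0.001),URI_HEX(0.1)"
)

HIT_RE = re.compile(r"([A-Z0-9_]+)\(([-+]?[0-9.]+)\)")
SCORE_RE = re.compile(r"SA score=(\S+?)/(\S+)")

# Hypothetical local rule scores (an assumption; tune them to your own traffic).
LOCAL_SCORES = {"LOCAL_EMPTY_TO": 3.0, "LOCAL_QQ_SPAM_FLAG": 1.0}


def parse_sa_log(line):
    """Return (threshold, {rule: score}) from a pmg-smtp-filter 'SA score' line."""
    m = SCORE_RE.search(line)
    if not m or "hits=" not in line:
        raise ValueError("not a SpamAssassin scoring line")
    hits = {name: float(val) for name, val in HIT_RE.findall(line.split("hits=", 1)[1])}
    return float(m.group(2)), hits


def header_flags(raw_headers):
    """Local header checks: To: present but empty, and the sender's own spam mark."""
    msg = message_from_string(raw_headers)
    to = msg.get("To")  # None when absent, '' when present but empty
    return {
        "LOCAL_EMPTY_TO": to is not None and to.strip() == "",
        "LOCAL_QQ_SPAM_FLAG": (msg.get("X-QQ-SPAM") or "").strip().lower() == "true",
    }


def rescore(hits, flags, threshold):
    """Add the local rule scores that fired to the SA hits; return (total, is_spam)."""
    total = sum(hits.values()) + sum(LOCAL_SCORES[r] for r, fired in flags.items() if fired)
    return round(total, 3), total >= threshold
```

The Exchange Sender ID failure in the headers is not a usable signal here, because it evaluates the gateway's own relay address 172.30.21.120 rather than the qq.com source; key any rule on the edge host's SPF result instead.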