[SOLVED] Blank To: field in SPAM messages. How to block such a thing?

BiteMyElbow

Mail Gateway 7.3-3 + Exchange 2013.

I have been receiving SPAM messages with empty To: field, such as:

Message body:
Code:
Received: from MAIL04.mydomain.com (172.30.21.112) by MAIL04.mydomain.com
 (172.30.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Mailbox
 Transport; Tue, 2 Apr 2024 12:21:17 +0300
Received: from MAIL04.mydomain.com (172.30.21.112) by MAIL04.mydomain.com
 (172.30.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 2 Apr
 2024 12:21:17 +0300
Received: from smtp40.wwwdomain.com (172.30.21.120) by MAIL04.mydomain.com
 (172.30.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
 Transport; Tue, 2 Apr 2024 12:21:17 +0300
Received: from EDGE02.mydomain.com (localhost.localdomain [127.0.0.1])
    by EDGE02.mydomain.com (Proxmox) with UTF8SMTP id 12618161A8E
    for <itdept@wwwdomain.com>; Tue,  2 Apr 2024 12:21:17 +0300 (MSK)
Received-SPF: Fail (MAIL04.mydomain.com: domain of gibson3514@qq.com does not
 designate 172.30.21.120 as permitted sender) receiver=MAIL04.mydomain.com;
 client-ip=172.30.21.120; helo=smtp40.wwwdomain.com;
Received-SPF: pass (qq.com: Sender is authorized to use 'gibson3514@qq.com' in 'mfrom' identity (mechanism 'include:spf.mail.qq.com' matched)) receiver=EDGE02.mydomain.com; identity=mailfrom; envelope-from="gibson3514@qq.com"; helo=out203-205-251-85.mail.qq.com; client-ip=203.205.251.85
Received: from out203-205-251-85.mail.qq.com (out203-205-251-85.mail.qq.com [203.205.251.85])
    by EDGE02.mydomain.com (Proxmox) with UTF8SMTPS id 2D2E9161A93
    for <itdept@wwwdomain.com>; Tue,  2 Apr 2024 12:20:54 +0300 (MSK)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512;
    t=1712049649; bh=Pkm5ZJVtONu6jA/jEMFOhzaZi9PKmnAgdEM1kyD2Jk8=;
    h=From:To:Subject:Date;
    b=UnG0Qn7DL7+n8Wjz4TV7rPH2t3h+Y9z5kjTIzMgNm90SUWAZPquf2WpQkPrfkd2av
     RlEqf4aVpwCRezStuLgBRNKDv6sbM80LLW+Hpie43N68siryRSvWfzBkNqWAhhP6C9
     Mm3taw7jz/DFccF7e9yFN4EYXaVZhvOQapCCoYbM=
X-QQ-Fake-P2P: true
X-QQ-FEAT: 3C1WcPM5lQ65subpFZFyl0J1wRQOLCFI
X-QQ-SSF: 0000000000000010000000000000
X-QQ-SPAM: true
X-QQ-XMRINFO: M/715EihBoGSf6IYSX1iLFg=
X-QQ-XMAILINFO: NiHxocYScKI3bOwjXSiy0OTTzOrsOhFBMGu3Yx19LzCoyjBu1ZC3NkOZTk5JH1
     oHS98/xzTgN7ACPmTrXFSQ/htWjMOXcMjlzlbLF+t0y6Qys+NXyU0mRFQu/fiWo6LcUf8sCu8894p
     AEfCOyC8MgAQxsS3cztSC3USN0NT1a4sqztwpuWITimqFoi+VaLyHy9t56s5CMlnGHc12bhYYZAnl
     fEhE9s9n656hyNKEtxkBi1vdwn8oHqrpopaOS6Q2TyZC6O5EX8R99V5p5k7kAiYF4WrItx1X1Y9K2
     9LM/pqhQiQigAvvRkr146xaVLMfW1PrvEJ2XIiOJYvqlQlwbB/qyBcx4h31Ew3fiq6Jz3XP/86syD
     pp91H003i1WzJkXHHkVu6D7Cqp8JgMASBO5vt/bs/3nrPcawhJ7thYQKfQoVJMgwwCEAsbIa0cCA0
     fhDiCgCaw1Pwbli/GEaw/aqhbIbCnuP4i6l0PFo/YfATaz8pRZviUC+05eCrPURFa+MuTGgV1brxn
     esLFfYFBWjCQPAWfLrHVVH3mGGj+I+6paImzo92dADimjeGk2WhlAeB1GJnOv1JsRuxSjNPfY8NsY
     FuRQChq4CV3fRysnLx2ukZWhxn4g5vhqVJhaHbKlPftdHDgwtiI+wxw3lcomsISWz/mMqP0XDjA53
     qh3sulXIH0ycr98nUxY8gRgpk7QzFrSp7emwCsXJ4Rxzf2rh4YCFUhYA3ut8HOlGn6yoBO5sgBRiA
     T9z2pqLSjiMHSwcQ8kmPihZVBdYMYVxpLO396MysA2DKWt0Y8IhSLJ7uXRxVqr4r5sRIfZ6+pWLVl
     j+TgR7FlE9eAAKM+KdO4p17VqOHdozL61UQENkzVYU75gIRkcaMrXm3u7oHI1Rt5OzINKiivlaxzc
     nUcKGLJ80sHRX/JAhaMrKJeGulaTa9nhshIm3AQjrxD0/mEB8hyIuHkk2phHooCVVc3yQDqBVV/KN
     p4c7YypqvPRGNNMY3fE7Vcp1zEFrgwGkXAIW9QVHVLhb2HzU9P99s2PCQPuq81J/xRMGbFr3UQLTE
     r2tPXqY+88HEjnBU+ib/atHhVzMgG4DiEmwy2exwnknvyqt1r1ICi4uCvAhkZ9E463nTSLxuiW2jy
     SbltAVzlUd1zs6543hoS7kexWo9KK/FWMUlPN/qxOlLYeVoigBWPXscubMtGtSyDCa4=
X-HAS-ATTACH: no
X-QQ-BUSINESS-ORIGIN: 2
X-Originating-IP: 121.34.56.191
X-QQ-STYLE:
X-QQ-mid: webmail748t1712049648t9376424
From: "=?gb18030?B?R2lic29u?=" <gibson3514@qq.com>
To:
Subject: Sea freight from China
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_660BCDF0_17CAA110_3A1DDB86"
Content-Transfer-Encoding: 8Bit
Date: Tue, 2 Apr 2024 17:20:47 +0800
X-Priority: 3
Message-ID: <tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com>
X-QQ-MIME: TCMime 1.0 by Tencent
X-Mailer: QQMail 2.x
X-QQ-Mailer: QQMail 2.x
X-SPAM-LEVEL: Spam detection results:  1
    AWL                     0.000 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    FREEMAIL_ENVFROM_END_DIGIT   0.25 Envelope-from freemail username ends in digit
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    FROM_EXCESS_BASE64      0.001 From: base64 encoded unnecessarily
    HELO_DYNAMIC_IPADDR     1.951 Relay HELO'd using suspicious hostname (IP addr 1)
    HTML_MESSAGE            0.001 HTML included in message
    NO_FM_NAME_IP_HOSTN     0.001 No From name + hostname using IP address
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RDNS_DYNAMIC            0.982 Delivered to internal network by host with dynamic-looking rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    URI_HEX                   0.1 URI hostname has long hexadecimal sequence
Return-Path: gibson3514@qq.com
X-MS-Exchange-Organization-PRD: qq.com
X-MS-Exchange-Organization-SenderIdResult: Fail
X-MS-Exchange-Organization-Network-Message-Id: 08406336-f6e7-4a8c-58aa-08dc52f6404b
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL04.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous

And the mail was delivered to many people in my company:

With such a log in Tracking Center:
Code:
Apr 2 12:20:50 EDGE02 postfix/smtpd[1092710]: connect from out203-205-251-88.mail.qq.com[203.205.251.88]
Apr 2 12:20:53 EDGE02 postfix/smtpd[1092710]: 93B9F161A8D: client=out203-205-251-88.mail.qq.com[203.205.251.88]
Apr 2 12:20:54 EDGE02 postfix/cleanup[1092302]: 93B9F161A8D: message-id=<tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com>
Apr 2 12:20:56 EDGE02 postfix/qmgr[862]: 93B9F161A8D: from=<gibson3514@qq.com>, size=194231, nrcpt=1 (queue active)
Apr 2 12:20:56 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: new mail message-id=<tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com>#012
Apr 2 12:20:57 EDGE02 postfix/smtpd[1092710]: disconnect from out203-205-251-88.mail.qq.com[203.205.251.88] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 2 12:21:05 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: SA score=1/5 time=8.601 bayes=0.00 autolearn=no autolearn_force=no hits=AWL(0.001),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_ENVFROM_END_DIGIT(0.25),FREEMAIL_FROM(0.001),FROM_EXCESS_BASE64(0.001),HELO_DYNAMIC_IPADDR(1.951),HTML_MESSAGE(0.001),NO_FM_NAME_IP_HOSTN(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RDNS_DYNAMIC(0.982),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),URI_HEX(0.1)
Apr 2 12:21:05 EDGE02 postfix/smtpd[1092752]: connect from localhost.localdomain[127.0.0.1]
Apr 2 12:21:05 EDGE02 postfix/smtpd[1092752]: 8A210161A9F: client=localhost.localdomain[127.0.0.1], orig_client=out203-205-251-88.mail.qq.com[203.205.251.88]
Apr 2 12:21:05 EDGE02 postfix/cleanup[1092303]: 8A210161A9F: message-id=<tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com>
Apr 2 12:21:05 EDGE02 postfix/qmgr[862]: 8A210161A9F: from=<gibson3514@qq.com>, size=195832, nrcpt=1 (queue active)
Apr 2 12:21:05 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: accept mail to <my@wwwdomain.com> (8A210161A9F) (rule: default-accept)
Apr 2 12:21:05 EDGE02 postfix/smtpd[1092752]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Apr 2 12:21:05 EDGE02 pmg-smtp-filter[1092467]: 161A97660BCDF8B2776: processing time: 8.898 seconds (8.601, 0.129, 0)
Apr 2 12:21:05 EDGE02 postfix/lmtp[1092100]: 93B9F161A8D: to=<my@wwwdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=13, delays=3.7/0/0.05/8.9, dsn=2.5.0, status=sent (250 2.5.0 OK (161A97660BCDF8B2776))
Apr 2 12:21:05 EDGE02 postfix/qmgr[862]: 93B9F161A8D: removed
Apr 2 12:21:06 EDGE02 postfix/smtp[1092754]: 8A210161A9F: to=<my@wwwdomain.com>, relay=MAIL04.domain.com[172.30.21.112]:25, delay=0.71, delays=0.07/0.1/0.07/0.47, dsn=2.6.0, status=sent (250 2.6.0 <tencent_F44A7F4B39C7D4D05ABB3E2B422FBF62FA08@qq.com> [InternalId=63797444215031, Hostname=MAIL04.domain.com] Queued mail for delivery)
Apr 2 12:21:06 EDGE02 postfix/qmgr[862]: 8A210161A9F: removed

The question is: how can I harden SPAM protection to filter such mail in the future?

Thanks.
 
An empty To: by itself is not a good indication of spam (I know a few ticket systems which send out mails like that).

However:
* you should disable Bayes (we changed that a while ago), as in this case it reduced the spam score by 1.9 points
* in general, see the recommendations on the Getting Started page in our wiki:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

I hope this helps!
 
I have to reopen the topic.

We are still receiving SPAM emails with an empty subject.
Please tell me, what other options are there to block such emails?

Message body:
Code:
Received: from MAIL05.mydomain.com (172.30.21.129) by MAIL05.mydomain.com
 (172.30.21.129) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4 via Mailbox
 Transport; Fri, 28 Mar 2025 11:55:33 +0300
Received: from MAIL05.mydomain.com (172.30.21.129) by MAIL05.mydomain.com
 (172.30.21.129) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Fri, 28 Mar
 2025 11:55:32 +0300
Received: from smtp40.wwwdomain.com (172.30.21.120) by MAIL05.mydomain.com
 (172.30.21.129) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4 via Frontend
 Transport; Fri, 28 Mar 2025 11:55:32 +0300
Received: from EDGE02.mydomain.com (localhost.localdomain [127.0.0.1])
    by EDGE02.mydomain.com (Proxmox) with ESMTP id DF95C161335
    for <itdept@wwwdomain.com>; Fri, 28 Mar 2025 11:55:32 +0300 (MSK)
Received: from mail-ej1-f48.google.com (mail-ej1-f48.google.com [209.85.218.48])
    by EDGE02.mydomain.com (Proxmox) with ESMTPS id C3CA0161352
    for <itdept@wwwdomain.com>; Fri, 28 Mar 2025 11:55:20 +0300 (MSK)
Received: by mail-ej1-f48.google.com with SMTP id a640c23a62f3a-abf3d64849dso291825366b.3
        for <itdept@wwwdomain.com>; Fri, 28 Mar 2025 01:55:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1743152119; x=1743756919; darn=wwwdomain.com;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=z97gllRCvd/nCmvhRL1JsuAgItmQd36mNoSIfFMlKM4=;
        b=k3KH/6SGYrxrnZJswnuakITamgtK5X+DCh2dlIYR+BOWNbR5Q+J6HvyeMDmlAMJFLn
         pK8unNsvxRUyAxhfxAHAG+LPwxpFMvCmlvr6mx5jh/MTnNcB77F/wfhJEF4m3NstcDwW
         qTrAkU48yxP3GAkj+HpSpHoNokF79GCXED9NQnEt3dzlsN7TF0TY7vKHENSsEteRrUyp
         b4xnVOC9ILXgsysJ9SxSQF3ZPl9VZF4eYH+F/ylDhZK/dSjk/QdHHldVNc8DwpBQf+qP
         23eSxpcoL/u2p+LIEK5vGanIDsLv8AuWuGEEAxUgi2scg3OhJ9rStWjeEN+paA1DnYGE
         27Aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1743152119; x=1743756919;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=z97gllRCvd/nCmvhRL1JsuAgItmQd36mNoSIfFMlKM4=;
        b=i5lZZLLG85tI8uge+cpXHOchQISm4jXaX+IlKVlvGh0OZ1kk5pHQL6ja7qEzVGltYD
         9OVabClikRLxrA0nv9l4mPTFVMOrsaczCFOVIFZoQNeDrTxuXP8XnZsWsW0fvJ7Gmy0p
         oYEVKAX+yRRNf8vsZMP0PzE5tlEAQKg/7l4UZ2AUC97Q+i2zngnGfwmr8pepG+qpdnUW
         AkL5QXuujTX+QlQz8Y5EA531lOcYQgAc1VVOuceeerOoAXzf1JGnV3wge2wgu24/ashy
         1TTKBI7LadKDXnBGJh4QIdi/33rKAh+p2xdAuuYbpZduHY/l9TqxKiQBkKy3ILxiESn7
         RNiA==
X-Forwarded-Encrypted: i=1; AJvYcCVaNZ2o5uBRLbA2/0MgDKjBbVyxKvqH4YGyFVsVBNQnuhmsEpYOMQsXGkGHSeiWodCD4ofOYsg=@wwwdomain.com
X-Gm-Message-State: AOJu0YyaQUHWM8RYClKPwzB6TJ82p2OwC4pcQ7ThGHA9tT33dlhYgAEb
    uNWmvVQRhJdl+977785/ZPzAhrw8jyiYt+dif+szYse7iMbycll9dc2YDu5JpBUnNqm/Iw67ejv
    ZTaRbDLOTxFqCxmG1mIoFOMXkPZI=
X-Gm-Gg: ASbGnctJw9ocZw4ks33EgeqJu2cwHcOgOcbowp/CzWuzD78S8QPWuJeoEWypkFDAIq0
    sEy0nRjMNIhOi4MD/qCngMNqr12D0/j2n0Dk4ENjXFzuBdZRzQUw5uud30X8zQKp5fTlDmRBIKJ
    64Ko2L4cLh8L+Gn2/4a2N3Yw==
X-Google-Smtp-Source: AGHT+IGJvNmyY73oj/iFPq+fxoJVz73bizTMJ2R1tiq4ybPzQR1If1MUXL1w2Rj1LEUWTheAClazE7RzRSRrQnIwSbg=
X-Received: by 2002:a17:906:c115:b0:ac3:121e:f2cb with SMTP id
 a640c23a62f3a-ac6fae50b0bmr656978766b.1.1743152118755; Fri, 28 Mar 2025
 01:55:18 -0700 (PDT)
MIME-Version: 1.0
From: Wyatt <l376511075@gmail.com>
Date: Fri, 28 Mar 2025 16:55:08 +0800
X-Gm-Features: AQ5f1JqghvrAC84tOMitEUgltXnQbDw1T1l4kZCNUfTDQauUoFHgdw9SXnMkJjQ
Message-ID: <CAJJWwuvb+nN5qYLETQPTNX0qrtO3wpZQa236Y_UrjC9k=JcOqg@mail.gmail.com>
Subject: Sea freight service from China to Russia
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary="000000000000d3fd480631633a1c"
X-SPAM-LEVEL: Spam detection results:  1
    AWL                     0.118 Adjusted score from AWL reputation of From: address
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    FREEMAIL_ENVFROM_END_DIGIT   0.25 Envelope-from freemail username ends in digit
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    GB_FREEMAIL_NUM             1 Freemail spammy address
    HTML_MESSAGE            0.001 HTML included in message
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RCVD_IN_MSPIKE_H2       0.001 Average reputation (+2)
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_KAM_HTML_FONT_INVALID   0.01 Test for Invalidly Named or Formatted Colors in HTML
Return-Path: l376511075@gmail.com
X-MS-Exchange-Organization-Network-Message-Id: 5148d1ea-cd61-4ede-a17f-08dd6dd64c78
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL05.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2310321
X-MS-Exchange-Processed-By-BccFoldering: 15.02.1544.004

With such a log in Tracking Center:
Code:
Mar 28 05:01:16 EDGE02 postfix/smtpd[462861]: connect from mail-ed1-f44.google.com[209.85.208.44]
Mar 28 05:01:17 EDGE02 postfix/smtpd[462861]: 0E4EB16130A: client=mail-ed1-f44.google.com[209.85.208.44]
Mar 28 05:01:17 EDGE02 postfix/cleanup[462342]: 0E4EB16130A: message-id=<CAJJWwus63jSmmf_dM__VcCHWEypAhfOnTX3s+PwxJubUuKchYw@mail.gmail.com>
Mar 28 05:01:17 EDGE02 postfix/qmgr[1111]: 0E4EB16130A: from=<l376511075@gmail.com>, size=48759, nrcpt=1 (queue active)
Mar 28 05:01:17 EDGE02 postfix/smtpd[462861]: disconnect from mail-ed1-f44.google.com[209.85.208.44] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Mar 28 05:01:24 EDGE02 pmg-smtp-filter[462988]: 16135267E602F400F4B: new mail message-id=<CAJJWwus63jSmmf_dM__VcCHWEypAhfOnTX3s+PwxJubUuKchYw@mail.gmail.com>#012
Mar 28 05:01:35 EDGE02 pmg-smtp-filter[462988]: 16135267E602F400F4B: SA score=1/5 time=11.167 bayes=undefined autolearn=disabled hits=AWL(0.028),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_ENVFROM_END_DIGIT(0.25),FREEMAIL_FROM(0.001),GB_FREEMAIL_NUM(1),HTML_MESSAGE(0.001),POISEN_SPAM_PILL(0.1),POISEN_SPAM_PILL_1(0.1),POISEN_SPAM_PILL_3(0.1),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Mar 28 05:01:35 EDGE02 postfix/smtpd[462348]: connect from localhost.localdomain[127.0.0.1]
Mar 28 05:01:35 EDGE02 postfix/smtpd[462348]: 95D14161310: client=localhost.localdomain[127.0.0.1], orig_client=mail-ed1-f44.google.com[209.85.208.44]
Mar 28 05:01:35 EDGE02 postfix/cleanup[462924]: 95D14161310: message-id=<CAJJWwus63jSmmf_dM__VcCHWEypAhfOnTX3s+PwxJubUuKchYw@mail.gmail.com>
Mar 28 05:01:35 EDGE02 postfix/qmgr[1111]: 95D14161310: from=<l376511075@gmail.com>, size=50185, nrcpt=1 (queue active)
Mar 28 05:01:35 EDGE02 postfix/smtpd[462348]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 28 05:01:35 EDGE02 pmg-smtp-filter[462988]: 16135267E602F400F4B: accept mail to <itdept@wwwdomain.com> (95D14161310) (rule: default-accept)
Mar 28 05:01:35 EDGE02 pmg-smtp-filter[462988]: 16135267E602F400F4B: processing time: 11.668 seconds (11.167, 0.213, 0)
Mar 28 05:01:35 EDGE02 postfix/lmtp[462989]: 0E4EB16130A: to=<itdept@wwwdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=19, delays=0.07/6.3/0.54/12, dsn=2.5.0, status=sent (250 2.5.0 OK (16135267E602F400F4B))
Mar 28 05:01:35 EDGE02 postfix/qmgr[1111]: 0E4EB16130A: removed
Mar 28 05:01:35 EDGE02 postfix/smtp[462350]: 95D14161310: to=<itdept@wwwdomain.com>, relay=mail.wwwdomain.com[172.30.21.129]:25, delay=0.2, delays=0.06/0/0.03/0.11, dsn=2.6.0, status=sent (250 2.6.0 <CAJJWwus63jSmmf_dM__VcCHWEypAhfOnTX3s+PwxJubUuKchYw@mail.gmail.com> [InternalId=24386824306714, Hostname=MAIL05.mydomain.com] 51516 bytes in 0.103, 487,055 KB/sec Queued mail for delivery)
Mar 28 05:01:35 EDGE02 postfix/qmgr[1111]: 95D14161310: removed
 
What Objects -> Create -> Bad Header
Add -> Match Field -> Field: to -> Value: (undisclosed|recipient)

New Rule: Block Header (Direction: IN)
What Objects (Any matches): Bad Header
Action: Quarantine + Add Rule Name (To further understand the reason for blocking)

All emails will be quarantined if 'To: undisclosed-recipients:;'
 
Or add a rule for SpamAssassin in custom.cf:
Code:
header      LOCAL_UNDISCLOSED_RECIPIENTS   To =~ /undisclosed-recipients/i
describe  LOCAL_UNDISCLOSED_RECIPIENTS   Letter with hidden list of recipients (undisclosed-recipients)
score     LOCAL_UNDISCLOSED_RECIPIENTS   10.0
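
An added example, not from any poster and not PMG or SpamAssassin code: a Python check that runs the two patterns from the post above against constructed copies of the To: lines seen in this thread, to show which messages each rule would catch before it is deployed. It assumes both rules perform an unanchored, case-insensitive search on the To: value; the two legitimate samples and all function names are hypothetical.

```python
import re
from email import message_from_string

# Patterns quoted from the thread; matching is assumed to be an unanchored,
# case-insensitive search on the To: value.
WHAT_OBJECT_RE = re.compile(r"(undisclosed|recipient)", re.I)
CUSTOM_CF_RE = re.compile(r"undisclosed-recipients", re.I)

# Constructed samples: the first two mirror the To: lines posted in the thread,
# the last two are hypothetical legitimate messages.
SAMPLES = {
    "blank_to_2024": "From: gibson3514@qq.com\nTo:\nSubject: Sea freight from China\n\nbody\n",
    "undisclosed_2025": "From: l376511075@gmail.com\nTo: undisclosed-recipients:;\n"
                        "Subject: Sea freight service from China to Russia\n\nbody\n",
    "ticket_no_to": "From: tickets@example.org\nSubject: [#1234] Ticket updated\n\nbody\n",
    "legit_recipient_word": "From: billing@example.org\n"
                            "To: Recipient Desk <recipient-desk@example.org>\n"
                            "Subject: Invoice\n\nbody\n",
}


def to_state(raw):
    """Classify the To: header as missing, empty, undisclosed or addressed."""
    values = message_from_string(raw).get_all("To")
    if values is None:
        return "missing"
    joined = " ".join(values).strip()
    if not joined:
        return "empty"
    return "undisclosed" if CUSTOM_CF_RE.search(joined) else "addressed"


def rule_hits(raw):
    """Report which of the two thread rules would fire on this message."""
    to_value = " ".join(message_from_string(raw).get_all("To") or [])
    return {
        "what_object": bool(WHAT_OBJECT_RE.search(to_value)),
        "custom_cf": bool(CUSTOM_CF_RE.search(to_value)),
    }


def report():
    """Map each sample name to (To: state, rule hits)."""
    return {name: (to_state(raw), rule_hits(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (state, hits) in report().items():
        print(f"{name:22} to={state:12} {hits}")
```

On these samples neither pattern fires on the blank `To:` from the first message, and `(undisclosed|recipient)` also fires on an ordinary address that contains the word "recipient".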