How to block mail to fake mail header from?

H.c.K

Well-Known Member
Oct 16, 2019
68
3
48
33
Hi,
I've been dealing with a problem for days. A lot of spam comes to our mail accounts from different mail servers. The sending mail server is not filtered because it is clean. I can block a rope or domain. But it comes from too many ip addresses and domains.

Summary:
Mail from server: mambrino.ddnet.es [88.87.135.35]
From: =?utf-8?Q?=C3=96me_=C3=87anak_=3Comecanak=40mydomai?==?utf-8?Q?m=3E?= <gambrinusrpino8@ciett.com>
To: <myname@mydomain.com>

It looks like it came from omecanak@mydomain.com in the mailbox. How can we block these emails?

I read:
https://forum.proxmox.com/threads/spam-getting-through.49322/
https://forum.proxmox.com/threads/m...n-data-section-faked-from-address-spam.49685/


Mailenable mail headers:
Received: from ([222.222.222.222]) by mymailserver.com with MailEnable IMAP; Wed, 12 Aug 2020
19:21:45 +0300
Received: from mambrino.ddnet.es (mambrino.ddnet.es [88.87.135.35]) by pmg5.mypmg.com
(Proxmox) with ESMTPS id 44C94201B38 for <myname@mydomain.com>; Wed, 12
Aug 2020 19:21:42 +0300 (+03)
Received: from pmg5.mypmg.com (localhost.localdomain [127.0.0.1]) by pmg5.mypmg.com
(Proxmox) with ESMTP id CAE75201870 for <myname@mydomain.com>; Wed, 12
Aug 2020 19:21:44 +0300 (+03)
Received: from pap004-8878.mylan.co.za (HELO ?154.68.163.15?)
(gambrinusrpino8@ciett.com) by mambrino.ddnet.es with ESMTPA; 12 Aug 2020
17:53:36 +0200
Received: (qmail 28718 invoked by uid 514); 12 Aug 2020 17:53:39 +0200
Received: from pmg5.mypmg.com ([xxx.xxx.xxx.xxx]) by mymailserver.com with MailEnable ESMTP;
Wed, 12 Aug 2020 19:21:45 +0300
From: =?utf-8?Q?=C3=96me_=C3=87anak_=3Comecanak=40mydomai?==?utf-8?Q?m=3E?= <gambrinusrpino8@ciett.com>
To: <myname@mydomain.com>
Date: Wed, 12 Aug 2020 18:53:36 +0300
Message-ID: <1597247619105428687@mambrino.ddnet.es>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00A0_01D67172.7AE95210"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHklhIOSYBynSatX7FxSmKIUy4Csw==
X-Envelope-Sender: gambrinusrpino8@ciett.com
X-ME-Bayesian: 0.000000
X-SPAM-LEVEL: Spam detection results: 2 BAYES_20 -0.001 Bayes spam
probability is 5 to 20% KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does
not have any anti-forgery methods MIME_BOUND_DD_DIGITS 1.373 Spam tool
pattern in MIME boundary RCVD_IN_MSPIKE_H2 -0.001 Average reputation
(+2) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF
Record SPF_NONE 0.001 SPF: sender does not publish an SPF
Record
X-Qmail-Scanner-Diagnostics: from pap004-8878.mylan.co.za
(gambrinusrpino8@ciett.com@pap004-8878.mylan.co.za) by mambrino.ddnet.es
(envelope-from <gambrinusrpino8@ciett.com>, uid 513) with
qmail-scanner-2.11st (mhr: 1.0. spamassassin: 3.4.1. perlscan: 2.11st.
Clear:RC:1(154.68.163.15):. Processed in 0.016854 secs); 12 Aug 2020
15:53:39 -0000
X-OlkEid: 00000000321DA0EFAF231740B4578B5A016D71040700D9539C2261A6BB45B9DAB62C7081B3C101002100FFFF0000E397401C134767438013636D184988C30000000094DC00006BA9E57DE43AC14C8AEFABBCF687E91C
X-Read: 1

PMG Tracking Center Log:
Aug 12 16:21:42 pmg5 postfix/smtpd[24837]: connect from mambrino.ddnet.es[88.87.135.35]
Aug 12 16:21:43 pmg5 postfix/smtpd[24837]: 44C94201B38: client=mambrino.ddnet.es[88.87.135.35]
Aug 12 16:21:43 pmg5 postfix/cleanup[21094]: 44C94201B38: message-id=<1597247619105428687@mambrino.ddnet.es>
Aug 12 16:21:43 pmg5 postfix/qmgr[3256]: 44C94201B38: from=<gambrinusrpino8@ciett.com>, size=322723, nrcpt=1 (queue active)
Aug 12 16:21:43 pmg5 pmg-smtp-filter[24980]: 201AA15F341717D60DB: new mail message-id=<1597247619105428687@mambrino.ddnet.es>#012
Aug 12 16:21:43 pmg5 postfix/smtpd[24837]: disconnect from mambrino.ddnet.es[88.87.135.35] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 12 16:21:44 pmg5 pmg-smtp-filter[24980]: 201AA15F341717D60DB: SA score=2/5 time=0.861 bayes=0.20 autolearn=no autolearn_force=no hits=BAYES_20(-0.001),KAM_LAZY_DOMAIN_SECURITY(1),MIME_BOUND_DD_DIGITS(1.373),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_NONE(0.001)
Aug 12 16:21:44 pmg5 postfix/smtpd[24719]: connect from localhost.localdomain[127.0.0.1]
Aug 12 16:21:44 pmg5 postfix/smtpd[24719]: CAE75201870: client=localhost.localdomain[127.0.0.1], orig_client=mambrino.ddnet.es[88.87.135.35]
Aug 12 16:21:44 pmg5 postfix/cleanup[20977]: CAE75201870: message-id=<1597247619105428687@mambrino.ddnet.es>
Aug 12 16:21:44 pmg5 postfix/qmgr[3256]: CAE75201870: from=<gambrinusrpino8@ciett.com>, size=323389, nrcpt=1 (queue active)
Aug 12 16:21:44 pmg5 postfix/smtpd[24719]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 12 16:21:44 pmg5 pmg-smtp-filter[24980]: 201AA15F341717D60DB: accept mail to <myname@mydomain.com> (CAE75201870) (rule: default-accept)
Aug 12 16:21:44 pmg5 pmg-smtp-filter[24980]: 201AA15F341717D60DB: processing time: 1.014 seconds (0.861, 0.064, 0)
Aug 12 16:21:44 pmg5 postfix/lmtp[22844]: 44C94201B38: to=<myname@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=1/0/0/1, dsn=2.5.0, status=sent (250 2.5.0 OK (201AA15F341717D60DB))
Aug 12 16:21:44 pmg5 postfix/qmgr[3256]: 44C94201B38: removed
Aug 12 16:21:45 pmg5 postfix/smtp[23253]: CAE75201870: to=<myname@mydomain.com>, relay=mail.mymailserver.com[11.111.111.111]:587, delay=0.39, delays=0.07/0/0.26/0.07, dsn=2.0.0, status=sent (250 Requested mail action okay, completed)
Aug 12 16:21:45 pmg5 postfix/qmgr[3256]: CAE75201870: removed
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!