Overrun by spammails coming from *.cloudapp.azure.com with empty sender fields

[Patmo.de]

Hi there, I have a problem and maybe someone on here can help me. I have read a lot of posts on this forum already, but I haven't fount a solution yet. Maybe I have not looked up the correct keywords. So any help is appreciated.

Our PMG receives a lot of spammails from mailservers like these:

astmpdsfsdf-i102telefonica.westeurope.cloudapp.azure.com
adsfsdf-i36p.northeurope.cloudapp.azure.com
akafud-wohj7tip6953gbx.eastus.cloudapp.azure.com
astmpdsfsdf-i53pok.eastus.cloudapp.azure.com
adsfsdf-i62p.northeurope.cloudapp.azure.com

And I haven't found a way to get rid of it yet.

At the moment they use addresses like "<randomly-chosen-alphabet-characters>@tmc.edu". But in the initial contact, there is no "from"-address.

Feb 27 15:28:22 pmg postfix/smtpd[4582]: connect from adsfsdf-i62p.northeurope.cloudapp.azure.com[40.85.76.105]
Feb 27 15:28:22 pmg postfix/smtpd[4582]: F3A3B30264F: client=adsfsdf-i62p.northeurope.cloudapp.azure.com[40.85.76.105]
Feb 27 15:28:23 pmg postfix/cleanup[4552]: F3A3B30264F: message-id=<JoVpeRH-SpApkRnJG-MtQyYzVu@tmc.edu>
Feb 27 15:28:23 pmg postfix/qmgr[1419]: F3A3B30264F: from=<>, size=10882, nrcpt=1 (queue active)
Feb 27 15:28:23 pmg pmg-smtp-filter[4360]: 302664603A570707E39: new mail message-id=<JoVpeRH-SpApkRnJG-MtQyYzVu@tmc.edu>#012
Feb 27 15:28:23 pmg postfix/smtpd[4582]: disconnect from adsfsdf-i62p.northeurope.cloudapp.azure.com[40.85.76.105] ehlo=1 mail=1 rcpt=1 bdat=2 quit=1 commands=6
Feb 27 15:28:23 pmg pmg-smtp-filter[4360]: 302664603A570707E39: SA score=0/5 time=0.672 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),HTML_IMAGE_RATIO_06(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KHOP_HELO_FCRDNS(0.001),MIME_HTML_ONLY(0.1),SPF_HELO_NONE(0.001),TO_NO_BRKTS_HTML_ONLY(1.999)
Feb 27 15:28:23 pmg postfix/smtpd[4557]: connect from localhost.localdomain[127.0.0.1]
Feb 27 15:28:23 pmg postfix/smtpd[4557]: B4921302B3D: client=localhost.localdomain[127.0.0.1], orig_client=adsfsdf-i62p.northeurope.cloudapp.azure.com[40.85.76.105]
Feb 27 15:28:23 pmg postfix/cleanup[4552]: B4921302B3D: message-id=<JoVpeRH-SpApkRnJG-MtQyYzVu@tmc.edu>
Feb 27 15:28:23 pmg postfix/qmgr[1419]: B4921302B3D: from=<>, size=11691, nrcpt=1 (queue active)
Feb 27 15:28:23 pmg postfix/smtpd[4557]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Feb 27 15:28:23 pmg pmg-smtp-filter[4360]: 302664603A570707E39: accept mail to <xxx@xxx.xxx> (B4921302B3D) (rule: default-accept)
Feb 27 15:28:23 pmg pmg-smtp-filter[4360]: 302664603A570707E39: processing time: 0.711 seconds (0.672, 0.016, 0)
Feb 27 15:28:23 pmg postfix/lmtp[4553]: F3A3B30264F: to=<xxx@xxx.xxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.76, delays=0.04/0/0/0.72, dsn=2.5.0, status=sent (250 2.5.0 OK (302664603A570707E39))
Feb 27 15:28:23 pmg postfix/qmgr[1419]: F3A3B30264F: removed
Feb 27 15:28:23 pmg postfix/smtp[4558]: B4921302B3D: to=<xxx@xxx.xxx>, relay=xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]:25, delay=0.07, delays=0/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5A8CF3400BF)
Feb 27 15:28:23 pmg postfix/qmgr[1419]: B4921302B3D: removed

When I block the IP as a WHO object, they come back with a trillion other IPs.
When I block .+@tmc.edu$ as a WHO object, sometimes they are blocked and other times they aren't.
When I block .+@tmc.edu$ as a WHAT object with matching field as From, sometimes they are blocked and sometimes they aren't.

What am I missing here? How do I get rid of these?

 

[wasteground]

Exactly the same issue here (same sources, same domains). Following to see if there's a good solution, I've tried all the same things as you and no luck so far

edit: fwiw, i reported a bunch of the ones that hit my users to Microsoft via their reporting form, but I doubt that'll really make any difference

 

[hata_ph]

Pls show the spam mail raw format for further checking..

 

[Patmo.de]

This one was sent from pmg to my zimbra at about 15:24h (zimbra then moved it to my spam folder there, so the X-Spam-Flag was added by zimbra, not by pmg):

Return-Path: <>
Received: from mx.patmo.de (LHLO mx.patmo.de) (xxx.xxx.xxx.xxx) by mx.patmo.de
with LMTP; Sat, 27 Feb 2021 15:24:57 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
    by mx.patmo.de (Postfix) with ESMTP id 521803400BF
    for <xxx@xxx.xxx>; Sat, 27 Feb 2021 15:24:57 +0100 (CET)
X-Spam-Flag: YES
X-Spam-Score: 4.802
X-Spam-Level: ****
X-Spam-Status: Yes, score=4.802 required=3 tests=[ALL_TRUSTED=-1,
    BAYES_99=3.5, BAYES_999=0.2, HTML_IMAGE_RATIO_06=0.001,
    HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, SPF_HELO_NONE=0.001,
    TO_NO_BRKTS_HTML_ONLY=1.999] autolearn=no autolearn_force=no
Received: from mx.patmo.de ([127.0.0.1])
    by localhost (mx.patmo.de [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id J2lNSqYM670n for <xxx@xxx.xxx>;
    Sat, 27 Feb 2021 15:24:52 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
    by mx.patmo.de (Postfix) with ESMTP id 222C93400C5
    for <xxx@xxx.xxx>; Sat, 27 Feb 2021 15:24:52 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.patmo.de
Received: from mx.patmo.de ([127.0.0.1])
    by localhost (mx.patmo.de [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id I-uYELIK3F3p for <xxx@xxx.xxx>;
    Sat, 27 Feb 2021 15:24:52 +0100 (CET)
Received: from pmg.patmo.de (pmg.patmo.de [xxx.xxx.xxx.xxx])
    by mx.patmo.de (Postfix) with ESMTPS id 0F30E3400BF
    for <xxx@xxx.xxx>; Sat, 27 Feb 2021 15:24:52 +0100 (CET)
Received: from pmg.patmo.de (localhost.localdomain [127.0.0.1])
    by pmg.patmo.de (Proxmox) with ESMTP id 6B220302B3D
    for <xxx@xxx.xxx>; Sat, 27 Feb 2021 15:24:52 +0100 (CET)
Received: from cc69.bi.no (adsfsdf-i36p.northeurope.cloudapp.azure.com [40.115.109.128])
    by pmg.patmo.de (Proxmox) with ESMTP id AD5AD3002CB
    for <xxx@xxx.xxx>; Sat, 27 Feb 2021 15:24:51 +0100 (CET)
To: xxx@xxx.xxx
Date: Sat, 27 Feb 2021 13:45:05 +0100
Message-Id: <kNUXwLp-iOPXFnRHz-WGvAytVc@tmc.edu>
Subject: [SPAM]Der Preis von Bitcoin ist =?UTF-8?Q?h=C3=B6her?= als seit zwei
    Jahren
From: "Bitcoin_geld" <GjovwiGwwG@tmc.edu>
MIME-Version: 1.0
Content-Type: text/html

This is the corresponding pmg log:

Feb 27 15:24:51 pmg postfix/smtpd[4516]: connect from adsfsdf-i36p.northeurope.cloudapp.azure.com[40.115.109.128]
Feb 27 15:24:51 pmg postfix/smtpd[4516]: AD5AD3002CB: client=adsfsdf-i36p.northeurope.cloudapp.azure.com[40.115.109.128]
Feb 27 15:24:51 pmg postfix/cleanup[4522]: AD5AD3002CB: message-id=<kNUXwLp-iOPXFnRHz-WGvAytVc@tmc.edu>
Feb 27 15:24:51 pmg postfix/qmgr[1419]: AD5AD3002CB: from=<>, size=10878, nrcpt=1 (queue active)
Feb 27 15:24:51 pmg pmg-smtp-filter[4360]: 302664603A5633B58CA: new mail message-id=<kNUXwLp-iOPXFnRHz-WGvAytVc@tmc.edu>#012
Feb 27 15:24:51 pmg postfix/smtpd[4516]: disconnect from adsfsdf-i36p.northeurope.cloudapp.azure.com[40.115.109.128] ehlo=1 mail=1 rcpt=1 bdat=2 quit=1 commands=6
Feb 27 15:24:52 pmg pmg-smtp-filter[4360]: 302664603A5633B58CA: SA score=0/5 time=0.659 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),HTML_IMAGE_RATIO_06(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KHOP_HELO_FCRDNS(0.001),MIME_HTML_ONLY(0.1),SPF_HELO_NONE(0.001),TO_NO_BRKTS_HTML_ONLY(1.999)
Feb 27 15:24:52 pmg postfix/smtpd[4537]: connect from localhost.localdomain[127.0.0.1]
Feb 27 15:24:52 pmg postfix/smtpd[4537]: 6B220302B3D: client=localhost.localdomain[127.0.0.1], orig_client=adsfsdf-i36p.northeurope.cloudapp.azure.com[40.115.109.128]
Feb 27 15:24:52 pmg postfix/cleanup[4522]: 6B220302B3D: message-id=<kNUXwLp-iOPXFnRHz-WGvAytVc@tmc.edu>
Feb 27 15:24:52 pmg postfix/qmgr[1419]: 6B220302B3D: from=<>, size=11681, nrcpt=1 (queue active)
Feb 27 15:24:52 pmg postfix/smtpd[4537]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Feb 27 15:24:52 pmg pmg-smtp-filter[4360]: 302664603A5633B58CA: accept mail to <xxx@xxx.xxx> (6B220302B3D) (rule: default-accept)
Feb 27 15:24:52 pmg pmg-smtp-filter[4360]: 302664603A5633B58CA: processing time: 0.701 seconds (0.659, 0.016, 0)
Feb 27 15:24:52 pmg postfix/lmtp[4523]: AD5AD3002CB: to=<xxx@xxx.xxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.74, delays=0.04/0/0/0.71, dsn=2.5.0, status=sent (250 2.5.0 OK (302664603A5633B58CA))
Feb 27 15:24:52 pmg postfix/qmgr[1419]: AD5AD3002CB: removed
Feb 27 15:24:52 pmg postfix/smtp[4538]: 6B220302B3D: to=<xxx@xxx.xxx>, relay=xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]:25, delay=0.06, delays=0.01/0/0.04/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F30E3400BF)
Feb 27 15:24:52 pmg postfix/qmgr[1419]: 6B220302B3D: removed

 

[hata_ph]

Pls show the value of Return-Path:
Try activate mark spam level rules for all incoming mail, it will add spam score to your mails and let spamassassin to detect and quarantine/block it if the score is high.

 

[Patmo.de]

All "changes" in the source code made by me can be recognized by the xxx-fields. I didn't change any other information.

The Return Path in that e-mail's source code is empty.

I already have "Modify Header" -> "Modify Spam Level" activated with a priority of 90 for all incoming e-mails. Is that, what you mean with "Try activate mark spam level rules for all incoming mail"?

 

[hata_ph]

I will suggest few quarantine/block rules.

1. Who object regex expression <> or ^$ for any empty Return-path:.
2. Who object regex expression (\W|^)[\w.+\-]{0,50}cloudapp\.azure\.com(\W|$) or domain cloudapp.azure.com
3. What object match field subject regex expression (?i)(\W|^)(bitcoin?)(\W|$)

 

[Patmo.de]

Thanks a lot for your help @hata_ph! I will try to add your suggested rules.

I have also set up the following ones:

# What object > Match field: From
^$
^.*<.*>.*<.*>.*$
^.*UTF-8.*<.*>.+$

# What object > Match field: Sender
^$
^.*<.*>.*<.*>.*$
^.*UTF-8.*<.*>.+$

 

[WalFra]

just registered to say thank you! have the same problem and added @Patmo.de rules...

but how do i add @hata_ph first rule?
when i navigate to who-object i have a blacklist and a whitelist.. should i create a new one between them or add it just to a blacklist regex? But i cant choose the return-path-field ... i only can choose the fields under what-objects

edit: okay, this was not the solution... still receiving mails with "Return-Path: "

 

[Patmo.de]

Hi @WalFra

You can add as many new 'lists' as you like - as you did with the 'Test-Azure'.

For @hata_ph 's rules:
#1: There is no way - at least I don't know of any - to set up a 'who object' with a combination of 'match field' and 'value', so i guessed, that it was to set up as a 'what object' instead. If '<>' or '^$' is used as a regular expression for a 'who object' it will search for empty fields in any of the lines and not just in the 'Return-Path' field, so this may help, but I didn't configure it.

#2: Just add the 'who object' as 'domain'.

#3: You already entered various 'match fields' to your 'what object' 'Test-Azure'. Add a match field 'Subject' as well (or add it to a new 'what object' if you don't want to mix up too many of those in one ruleset. (Here you can find a good introduction to subject filtering with pmg: https://dhenandi.com/how-to-block-email-by-subject-on-proxmox-mail-gateway/ )

And last but not least, all these objects have to be set in the overall rule set 'Mail filter'. There you'll have to add a new rule or to insert your objects to a given rule like the 'Quarantine' one. The search objects set in your 'who objects' and 'what objects' will only be searched for, when they are set here within one of the rules. (Again, you can add your own rules.).

For me, the problem was not solved by just adding these rules, but the number of emails that were delivered has decreased now. (I have to admit, that I have a quite large set of objects and rules that, when detected, will be sent to quarantine.)

 

[WalFra]

Thank you for your nice description...

i just added a new rule in mail-filter. in there, i have added the action "block" and from available object i have added my test-azure from what-objects... priority is set up to 1 (because of testing)..

the only problem now is, to set up cloudapp.azure.com in my what-objects... the return-path is empty, the received field differs as much as the domain field.

Received: from mxout.rshost.eu (astmpdsfsdf-i24telefonica.westeurope.cloudapp.azure.com [40.113.141.10])
by mx1.mydomain.de (Proxmox) with ESMTP id CA8F4C14AC
for <mmymail@mydomain.de>; Mon, 15 Mar 2021 09:11:19 +0100 (CET)

so i set up a new what-object:
Match Field Return=cloudapp.azure.com

maybe this will help me now.. if this rule is working, i should not see any azure mails in quarantine or at least in the spam-info of the mail