PMG to detect FAKE To: Addresses in mail headers

Riesling.Dry

Hi,

we just set up a fresh PMG and the SPAM mail quoted below got through.

User has a catch-all domain and gets a LOT of emails using FAKE To: addresses.
In the example below, the mail "seems" to go To: <office@hsmart.ro> but has X-Original-To: pg@[client's domain name]. Neither we nor the client have anything to do with the domain "hsmart.ro".

Q: is there any way PMG can detect and handle, i.e. REJECT, this kind of mail that uses FAKE To: addresses different from the actual X-Original-To?

Cheers,
~R.

Return-Path: <esjyxck@marashostel.gb.net>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on [clients mail server [behind our PMG]
X-Spam-Level:
X-Spam-Status: No, score=-0.8 required=5.0 tests=BAYES_00,HTML_IMAGE_ONLY_16,
HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
SPF_FAIL,SPF_HELO_NONE,T_TVD_MIME_EPI autolearn=no autolearn_force=no
version=3.4.2
X-Original-To: pg@[clients Domain name]
Delivered-To: [catchall]@[clients mail server [behind our PMG]
Received: from mailgateway.[our PMG] (mail.[our PMG] [185.27.255.11])
by [clients mail server [behind our PMG] (Postfix) with ESMTPS id ED0354C875C;
Wed, 26 Nov 2025 23:13:32 +0100 (CET)
Received: from mailgateway.[our PMG] (localhost [127.0.0.1])
by mailgateway.[our PMG] (Proxmox) with ESMTP id 75EFB101158;
Wed, 26 Nov 2025 22:13:32 +0000 (UTC)
Received-SPF: pass (marashostel.gb.net: 62.173.139.38 is authorized to use 'esjyxck@marashostel.gb.net' in 'mfrom' identity (mechanism 'ip4:62.173.139.38' matched)) receiver=mailgateway.[our PMG]; identity=mailfrom; envelope-from="esjyxck@marashostel.gb.net"; helo=mail.art-decore.ru; client-ip=62.173.139.38
Received-SPF: pass (marashostel.gb.net: 62.173.139.38 is authorized to use 'esjyxck@marashostel.gb.net' in 'mfrom' identity (mechanism 'ip4:62.173.139.38' matched)) receiver=mailgateway.[our PMG]; identity=mailfrom; envelope-from="esjyxck@marashostel.gb.net"; helo=mail.art-decore.ru; client-ip=62.173.139.38
Received-SPF: pass (marashostel.gb.net: 62.173.139.38 is authorized to use 'esjyxck@marashostel.gb.net' in 'mfrom' identity (mechanism 'ip4:62.173.139.38' matched)) receiver=mailgateway.[our PMG]; identity=mailfrom; envelope-from="esjyxck@marashostel.gb.net"; helo=mail.art-decore.ru; client-ip=62.173.139.38
Received-SPF: pass (marashostel.gb.net: 62.173.139.38 is authorized to use 'esjyxck@marashostel.gb.net' in 'mfrom' identity (mechanism 'ip4:62.173.139.38' matched)) receiver=mailgateway.[our PMG]; identity=mailfrom; envelope-from="esjyxck@marashostel.gb.net"; helo=mail.art-decore.ru; client-ip=62.173.139.38
Received: from mail.art-decore.ru (mail.art-decore.ru [62.173.139.38])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mailgateway.[our PMG] (Proxmox) with ESMTPS id ECF07100DEC;
Wed, 26 Nov 2025 22:13:30 +0000 (UTC)
Message-ID: <453348832738136413884014255568852051805230520777@marashostel.gb.net>
From: "Sup Game Box" <esjyxck@marashostel.gb.net>
To: <office@hsmart.ro>
Subject: =?utf-8?B?Q2Fkb3VsIHBlcmZlY3QgcGVudHJ1IGFkZXbEg3JhyJtpaSBwYXNpb25hyJtpIGRlIGpvY3VyaSE=?=
Date: Wed, 26 Nov 2025 22:37:53 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0006_01DC5F22.D0BA4F70"

This is a multi-part message in MIME format.

...
 
It's good practice to make sure you configure SPF, DKIM, and especially a DMARC policy (quarantine/reject) before relying on PMG for SPAM rejections. If valid email ends up in SPAM, the sender domain's owner should also do this. PMG won’t protect you from spoofing unless your DNS authentication is already correct.

PMG does not natively check DKIM or DMARC on inbound mail unless the admin manually extends it (see this post). I would start there and test using different providers. If your email is managed at Google or Microsoft, remember they have strict rules (which change sometimes!) so regular testing is almost a requirement these days.


Fabián Rodríguez | Le Goût du Libre Inc. | Montreal, Canada | Mastodon
Proxmox Silver Partner, server and desktop enterprise support in French, English and Spanish
 
It's good practice to make sure you configure SPF, DKIM, and especially a DMARC policy (quarantine/reject) before relying on PMG for SPAM rejections.
Many thanks, dear Fabian,
just to clarify: our user is receiving these SPAM emails with FAKE headers through our PMG. We only use it for receiving mail and for SPAM protection, currently not for sending email. SPF, DKIM and DMARC probably won't help in this case, but please correct me if I'm mistaken.
Cheers,
~R.
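A worked check for the mismatch this thread is about, added here as an example; it is not code from the thread or from Proxmox Mail Gateway. It parses a trimmed, constructed copy of the headers quoted in the first post (the redacted client domain and gateway hostname are replaced by the assumed placeholders client.example and mailgateway.example) and compares the envelope recipient that Postfix records in X-Original-To with the addresses the To:/Cc: headers display; the posted message classifies as "foreign-to-only" because its To: names only a domain unrelated to the real recipient. It also puts the gateway's Received-SPF result next to the downstream SpamAssassin SPF_* tests: in the quoted headers PMG reports SPF pass while the client's SpamAssassin reports SPF_FAIL, which is what you get when the downstream scanner evaluates SPF against the gateway's own IP because the PMG is not in its trusted_networks/internal_networks. PMG's rule system can regex-match one header field in a "Match Field" What object but has no built-in way to compare two headers, so a check like this has to live outside the rule engine, and rejecting on it is a policy decision, since Bcc and mailing-list traffic legitimately omit the envelope recipient from To:.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample: a trimmed copy of the headers quoted in the thread.
# The client's domain and the gateway hostname were redacted in the post;
# "client.example" and "mailgateway.example" are placeholders assumed here.
SAMPLE = """\
Return-Path: <esjyxck@marashostel.gb.net>
X-Spam-Status: No, score=-0.8 required=5.0 tests=BAYES_00,HTML_IMAGE_ONLY_16,
    SPF_FAIL,SPF_HELO_NONE,T_TVD_MIME_EPI autolearn=no autolearn_force=no
    version=3.4.2
X-Original-To: pg@client.example
Delivered-To: catchall@client.example
Received-SPF: pass (marashostel.gb.net: 62.173.139.38 is authorized to use 'esjyxck@marashostel.gb.net' in 'mfrom' identity) receiver=mailgateway.example; identity=mailfrom; envelope-from="esjyxck@marashostel.gb.net"; helo=mail.art-decore.ru; client-ip=62.173.139.38
From: "Sup Game Box" <esjyxck@marashostel.gb.net>
To: <office@hsmart.ro>
Subject: sample

body
"""

# Two more constructed messages for comparison: a normal delivery and a
# Bcc-style delivery where To: names a colleague in the same domain.
LEGIT = "X-Original-To: pg@client.example\nTo: Peter <pg@client.example>\n\nbody\n"
BCC_LIKE = "X-Original-To: pg@client.example\nTo: boss@client.example\n\nbody\n"

LOCAL_DOMAINS = {"client.example"}  # assumed: the domains this gateway accepts mail for


def header_recipients(msg):
    """Addresses the displayed To:/Cc: headers claim the mail was sent to."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def envelope_recipient(msg):
    """Postfix records the RCPT TO address in X-Original-To; that is the real recipient."""
    value = msg.get("X-Original-To")
    return value.strip().lower() if value else None


def classify_recipient(raw_mail, local_domains=LOCAL_DOMAINS):
    """Return 'ok', 'not-in-to', 'foreign-to-only' or 'unknown' for one message."""
    msg = email.message_from_string(raw_mail)
    env = envelope_recipient(msg)
    if env is None:
        return "unknown"            # no Postfix X-Original-To to compare against
    shown = header_recipients(msg)
    if env in shown:
        return "ok"
    # The envelope recipient is missing from To:/Cc:. That is legitimate for
    # Bcc and list mail, so distinguish by whom the To: header does name.
    if any(a.rsplit("@", 1)[-1] in local_domains for a in shown):
        return "not-in-to"          # To: names someone else in our own domain
    return "foreign-to-only"        # To: names only addresses in unrelated domains


def spf_view(raw_mail):
    """(gateway Received-SPF result, downstream SpamAssassin SPF_* tests).

    The gateway checked SPF against the connecting client's IP, so its result
    is the one that counts; a downstream scanner that is not told the gateway
    is an internal relay re-checks SPF against the gateway's IP and fails.
    """
    msg = email.message_from_string(raw_mail)
    spf = msg.get("Received-SPF", "")          # first header if several were added
    gateway = spf.split(" ", 1)[0].lower() if spf else None
    status = re.sub(r"\s+", " ", msg.get("X-Spam-Status", ""))  # unfold continuation lines
    m = re.search(r"tests=(.*?)\s+autolearn=", status)
    tests = re.split(r"[,\s]+", m.group(1)) if m else []
    return gateway, sorted(t for t in tests if t.startswith("SPF_"))


if __name__ == "__main__":
    for name, mail in (("posted", SAMPLE), ("legit", LEGIT), ("bcc-like", BCC_LIKE)):
        print(f"{name:9s} recipient check: {classify_recipient(mail)}")
    print("SPF gateway vs downstream:", spf_view(SAMPLE))
```

Run it as a script to see all three verdicts; to try it on real mail, feed the raw message (headers as delivered behind the PMG, so that X-Original-To is present) into classify_recipient and treat "foreign-to-only" as a scoring signal rather than an automatic reject.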