Having a really weird problem that I can't track down, and it's happening more and more often. Phishing emails with a spoofed address are making it through the gateway and being delivered to the user's mailbox, with the logs saying that the sender is in the user's 'welcomelist'. I double-checked and the sending server is nowhere in any whitelist, let alone this user's. PMG shows the sending From as blank in the tracking center.
Code:
2025-09-25T09:06:34.556468-04:00 mxp10 postfix/smtpd[163014]: connect from 132.196.168.34.bc.googleusercontent.com[34.168.196.132]
2025-09-25T09:06:34.991387-04:00 mxp10 postfix/smtpd[163014]: F1F362028EF: client=132.196.168.34.bc.googleusercontent.com[34.168.196.132]
2025-09-25T09:06:35.144989-04:00 mxp10 postfix/cleanup[163040]: F1F362028EF: message-id=<>
2025-09-25T09:06:35.233880-04:00 mxp10 postfix/qmgr[110363]: F1F362028EF: from=<>, size=9221, nrcpt=1 (queue active)
2025-09-25T09:06:35.284917-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: new mail message-id=
2025-09-25T09:06:35.613419-04:00 mxp10 postfix/smtpd[163014]: disconnect from 132.196.168.34.bc.googleusercontent.com[34.168.196.132] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2025-09-25T09:06:35.713665-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: SA score=17/5 time=0.384 bayes=undefined autolearn=disabled hits=DMARC_QUAR(0.1),GOOG_STO_NOIMG_HTML(2.999),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_QUARANTINE(4),KAM_DMARC_STATUS(0.01),KAM_STORAGE_GOOGLE(1.7),MIME_HTML_ONLY(0.1),MISSING_DATE(1.396),MISSING_MID(0.14),NO_FM_NAME_IP_HOSTN(0.001),RCVD_IN_SBL_CSS(3.558),RCVD_IN_XBL(0.724),RDNS_DYNAMIC(0.363),TO_EQ_FM_DIRECT_MX(0.001),TO_EQ_FM_HTML_DIRECT(1.557),TO_EQ_FM_HTML_ONLY(1.134),T_MXG_EMAIL_FRAG(0.01)
2025-09-25T09:06:35.715233-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: sender in user (sales@domain.com) welcomelist
2025-09-25T09:06:35.715515-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: sender in user (sales@domain.com) welcomelist
2025-09-25T09:06:35.715677-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: sender in user (sales@domain.com) welcomelist
2025-09-25T09:06:35.718563-04:00 mxp10 postfix/smtpd[162299]: connect from localhost.localdomain[127.0.0.1]
2025-09-25T09:06:35.720291-04:00 mxp10 postfix/smtpd[162299]: AFCC62028A5: client=localhost.localdomain[127.0.0.1], orig_client=132.196.168.34.bc.googleusercontent.com[34.168.196.132]
2025-09-25T09:06:35.762264-04:00 mxp10 postfix/cleanup[162743]: AFCC62028A5: message-id=<20250925130635.AFCC62028A5@mail.protection.domain.com>
2025-09-25T09:06:35.893099-04:00 mxp10 postfix/qmgr[110363]: AFCC62028A5: from=<>, size=10908, nrcpt=1 (queue active)
2025-09-25T09:06:35.893493-04:00 mxp10 postfix/smtpd[162299]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2025-09-25T09:06:35.893605-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: accept mail to <sales@domain.com> (AFCC62028A5) (rule: default-accept)
2025-09-25T09:06:35.905880-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: processing time: 0.616 seconds (0.384, 0.041, 0)
2025-09-25T09:06:35.906276-04:00 mxp10 postfix/lmtp[161850]: F1F362028EF: to=<sales@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.47/0/0.04/0.63, dsn=2.5.0, status=sent (250 2.5.0 OK (2023A168D53E5B439A2))
2025-09-25T09:06:35.906475-04:00 mxp10 postfix/qmgr[110363]: F1F362028EF: removed
2025-09-25T09:06:36.113499-04:00 mxp10 postfix/smtp[162392]: AFCC62028A5: to=<sales@domain.com>, relay=xxx.xxx.xxx.31[xxx.xxx.xxx.31]:25, delay=0.39, delays=0.17/0/0.05/0.17, dsn=2.6.0, status=sent (250 2.6.0 <20250925130635.AFCC62028A5@mail.protection.domain.com> [InternalId=122982093553748, Hostname=EX01.domain.com] 12217 bytes in 0.130, 91.369 KB/sec Queued mail for delivery)
2025-09-25T09:06:36.113801-04:00 mxp10 postfix/qmgr[110363]: AFCC62028A5: removed
And here are the details of the message from the user's mailbox:
Code:
Received: from EX01.domain.com (xxx.xxx.xxx.160) by EX01.domain.com (xxx.xxx.xxx.160)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.27 via Mailbox
Transport; Thu, 25 Sep 2025 09:06:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; d=domain.com; s=2987868260;
c=simple/simple; t=1758805596; h=from:subject:to:date:message-id;
bh=L/h374k77EFX4BzGBOKdaKAYIGDWBV0GKBbgM3/bVEU=;
b=UKbYHVv4NfU5Vzo4fBJ7XXa0Qb1VLw18maRfHFnU9kZIqGGLmInpgg93lW4/IVEcHCj47VhgeRl
qQkICnoH8JI9N7Hsau4ttp1MD7DdL5ek03wWM6jKUAOoTag8R7WiQEsQQWXfrFXvAUx8SH8hNcefL
s7JWjcmKy4pbjZsMX0x80Pi1pg1DvHETnQ64uRJlLAnHZ/FDyCq2U25DLprTUsJlNwAmxFYL3SSuR
4Ah4cn2PmAYF3HG0XZj2QAJK8qUwYrfyoUAPlQYgtMipNje1P/Ni5XFxIjzMnJl9Azm1+2cYR7E3y
i/hdiQVQ7cgDYfcVy660PIux4LcR4rLsHIPQ==
Received: from EX01.domain.com (xxx.xxx.xxx.160) by EX01.domain.com (xxx.xxx.xxx.160)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.27; Thu, 25 Sep
2025 09:06:35 -0400
Received: from mail.protection.domain.com (xxx.xxx.xxx.31) by EX01.domain.com
(xxx.xxx.xxx.160) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.27 via Frontend
Transport; Thu, 25 Sep 2025 09:06:35 -0400
Received: from mxp10.domain.com (localhost.localdomain [127.0.0.1])
by mail.protection.domain.com (Proxmox) with ESMTP id AFCC62028A5
for <sales@domain.com>; Thu, 25 Sep 2025 09:06:35 -0400 (EDT)
Received: from [10.88.0.4] (132.196.168.34.bc.googleusercontent.com [34.168.196.132])
by mail.protection.domain.com (Proxmox) with ESMTP id F1F362028EF
for <sales@domain.com>; Thu, 25 Sep 2025 09:06:34 -0400 (EDT)
Content-Type: multipart/related;
boundary="===============2426126347014836834=="
MIME-Version: 1.0
From: "sales@domain.com" <sales@domain.com>
To: <sales@domain.com>
Subject: [EXTERNAL] Action Required Immediately
X-Priority: 2
X-SPAM-LEVEL: Spam detection results: 17
DMARC_QUAR 0.1 DMARC quarantine policy
GOOG_STO_NOIMG_HTML 2.999 Apparently using google content hosting to avoid URIBL
HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to background
HTML_MESSAGE 0.001 HTML included in message
KAM_DMARC_QUARANTINE 4 DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_STORAGE_GOOGLE 1.7 Google Storage API being abused by spammers
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
MISSING_DATE 1.396 Missing Date: header
MISSING_MID 0.14 Missing Message-Id: header
NO_FM_NAME_IP_HOSTN 0.001 No From name + hostname using IP address
RCVD_IN_SBL_CSS 3.558 Received via a relay in Spamhaus SBL-CSS
RCVD_IN_XBL 0.724 Received via a relay in Spamhaus XBL
RDNS_DYNAMIC 0.363 Delivered to internal network by host with dynamic-looking rDNS
TO_EQ_FM_DIRECT_MX 0.001 To == From and direct-to-MX
TO_EQ_FM_HTML_DIRECT 1.557 To == From and HTML only, direct-to-MX
TO_EQ_FM_HTML_ONLY 1.134 To == From and HTML only
T_MXG_EMAIL_FRAG 0.01 URI with email in fragment
Message-ID: <20250925130635.AFCC62028A5@mail.protection.domain.com>
Date: Thu, 25 Sep 2025 09:06:35 -0400
Return-Path: <>
X-MS-Exchange-Organization-Network-Message-Id: ffba06fb-44ed-44de-426d-08ddfc345b77
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: EX01.domain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2609405
X-MS-Exchange-Processed-By-BccFoldering: 15.02.2562.027
Any idea why PMG would be saying the sender is in a welcomelist when 1) it's empty, and 2) the sender isn't present anywhere? Thanks!
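As an added example (not from the post and not Proxmox's own code), a small Python script that correlates the postfix queue id with the pmg-smtp-filter id from log lines like the ones quoted above and flags the combination seen here: a welcomelist match accepting a message that scored at or above the SpamAssassin threshold, together with whether the envelope sender was the null sender `<>`. The regexes and `SAMPLE_LOG` are constructed from the quoted lines; nothing here explains why PMG matched the welcomelist, it only makes the pattern easy to spot in the mail log.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the lines quoted in the post
# (same ids, hosts and score; the SpamAssassin hits list is shortened).
SAMPLE_LOG = """\
2025-09-25T09:06:34.991387-04:00 mxp10 postfix/smtpd[163014]: F1F362028EF: client=132.196.168.34.bc.googleusercontent.com[34.168.196.132]
2025-09-25T09:06:35.233880-04:00 mxp10 postfix/qmgr[110363]: F1F362028EF: from=<>, size=9221, nrcpt=1 (queue active)
2025-09-25T09:06:35.713665-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: SA score=17/5 time=0.384 bayes=undefined autolearn=disabled hits=DMARC_QUAR(0.1),KAM_DMARC_QUARANTINE(4)
2025-09-25T09:06:35.715233-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: sender in user (sales@domain.com) welcomelist
2025-09-25T09:06:35.893605-04:00 mxp10 pmg-smtp-filter[162968]: 2023A168D53E5B439A2: accept mail to <sales@domain.com> (AFCC62028A5) (rule: default-accept)
2025-09-25T09:06:35.906276-04:00 mxp10 postfix/lmtp[161850]: F1F362028EF: to=<sales@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.47/0/0.04/0.63, dsn=2.5.0, status=sent (250 2.5.0 OK (2023A168D53E5B439A2))
"""
# timestamp host prog[pid]: <postfix queue id or pmg-smtp-filter id>: message
LINE_RE = re.compile(r"^\S+ \S+ [\w./-]+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<msg>.*)$")

def parse_events(log_text):
    """Collect the fields we care about, keyed by postfix queue id or filter id."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        e = events[qid]
        if (f := re.search(r"from=<([^>]*)>", msg)):
            e["envelope_from"] = f.group(1)          # "" means null sender <>
        if (c := re.search(r"client=(\S+)", msg)):
            e["client"] = c.group(1)
        if (s := re.search(r"SA score=(\d+)/(\d+)", msg)):
            e["score"], e["threshold"] = int(s.group(1)), int(s.group(2))
        if (w := re.search(r"sender in user \(([^)]+)\) welcomelist", msg)):
            e["welcomelist_user"] = w.group(1)
        if (a := re.search(r"accept mail to <([^>]+)>", msg)):
            e["accepted_to"] = a.group(1)
        if (l := re.search(r"status=sent \(250 [\d.]+ OK \(([0-9A-F]+)\)\)", msg)):
            events[l.group(1)]["postfix_qid"] = qid  # lmtp hand-off links the two ids
    return events

def find_welcomelist_bypasses(log_text):
    """Filter ids where a welcomelist match accepted mail scoring >= threshold."""
    findings, events = [], parse_events(log_text)
    for fid, e in events.items():
        if any(k not in e for k in ("welcomelist_user", "accepted_to", "score")) or e["score"] < e["threshold"]:
            continue
        pf = events.get(e.get("postfix_qid"), {})   # the matching postfix queue entry, if linked
        findings.append({"filter_id": fid, "score": e["score"], "user": e["welcomelist_user"],
                         "null_sender": pf.get("envelope_from") == "", "client": pf.get("client")})
    return findings
```

Run against the real /var/log/mail.log (or `journalctl -u pmg-smtp-filter -u postfix`) to list every message where a welcomelist match overrode a spam verdict, which gives a concrete list to compare against the user's actual whitelist entries.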