Stop spam that appears to be from themselves

dthompson

Active Member
Nov 23, 2011
Canada
www.digitaltransitions.ca
One of the domains I manage is getting some spam that's getting through the PMG.

This is what they see in their email. It appears to be from them, but is in fact not.
matt@domain.ca <iqra@skcl-bd.com>

The tracking centre shows this as follows:

Aug 26 18:39:38 swarmx1 postfix/smtpd[287961]: connect from walmailout02.yourhostingaccount.com[65.254.253.99]
Aug 26 18:39:38 swarmx1 postfix/smtpd[287961]: Anonymous TLS connection established from walmailout02.yourhostingaccount.com[65.254.253.99]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 26 18:39:39 swarmx1 postfix/smtpd[287961]: 0605B60D1F: client=walmailout02.yourhostingaccount.com[65.254.253.99]
Aug 26 18:39:39 swarmx1 postfix/cleanup[287954]: 0605B60D1F: message-id=<>
Aug 26 18:39:39 swarmx1 postfix/qmgr[142891]: 0605B60D1F: from=<SRS0=goC0mr=CE=skcl-bd.com=iqra@yourhostingaccount.com>, size=315778, nrcpt=1 (queue active)
Aug 26 18:39:39 swarmx1 postfix/smtpd[287961]: disconnect from walmailout02.yourhostingaccount.com[65.254.253.99] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Aug 26 18:39:39 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: new mail message-id=
Aug 26 18:39:40 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: SA score=2/5 time=1.083 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_MESSAGE(0.001),JMQ_SPF_NEUTRAL(0.5),MIME_BOUND_DD_DIGITS(1.373),MIME_HTML_ONLY(0.1),MISSING_MID(0.497),RCVD_IN_BL_SPAMCOP_NET(1.347),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Aug 26 18:39:40 swarmx1 postfix/smtpd[287959]: connect from localhost[127.0.0.1]
Aug 26 18:39:40 swarmx1 postfix/smtpd[287959]: 8546D60D29: client=localhost[127.0.0.1], orig_client=walmailout02.yourhostingaccount.com[65.254.253.99]
Aug 26 18:39:40 swarmx1 postfix/cleanup[287996]: 8546D60D29: message-id=<20200826223940.8546D60D29@swarmx1.mx-domain.ca>
Aug 26 18:39:40 swarmx1 postfix/qmgr[142891]: 8546D60D29: from=<SRS0=goC0mr=CE=skcl-bd.com=iqra@yourhostingaccount.com>, size=317090, nrcpt=1 (queue active)
Aug 26 18:39:40 swarmx1 postfix/smtpd[287959]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 26 18:39:40 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: accept mail to <anthony@domain.ca> (8546D60D29) (rule: default-accept)
Aug 26 18:39:40 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: processing time: 1.318 seconds (1.083, 0.188, 0)
Aug 26 18:39:40 swarmx1 postfix/lmtp[287983]: 0605B60D1F: to=<anthony@domain.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=0.22/0.02/0/1.3, dsn=2.5.0, status=sent (250 2.5.0 OK (814695F46E4AB39D47))
Aug 26 18:39:40 swarmx1 postfix/qmgr[142891]: 0605B60D1F: removed
Aug 26 18:39:40 swarmx1 postfix/smtp[287966]: 8546D60D29: to=<anthony@domain.ca>, relay=192.168.9.11[192.168.9.11]:25, delay=0.09, delays=0.02/0/0.06/0.01, dsn=2.0.0, status=sent (250 2.0.0 5f46e4ac-000043fc Message accepted for delivery)
Aug 26 18:39:40 swarmx1 postfix/qmgr[142891]: 8546D60D29: removed


These are phishing attacks on the customer. How would one best go about tightening up the PMG to block these types of spam attacks? The problem is that the end user(s) see the emails as being from a co-worker and could get tricked.

I'm looking for any ideas that I can use to help stop this type of spam coming in. I can blacklist the actual domains that are doing this, but the issue is that the emails are coming in from all sorts of different domains. The above is just one example.

Thanks for your help.
 

fluxX04

Member
Mar 14, 2018
Austria
Hi,

you can test the method described in this post.
This is a 'What Object' which matches if there are two mail addresses set as FROM.

Greetz
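As an added example that is not part of either post and not PMG's own code: the check fluxX04 describes, done in Python so the pattern from the first post can be tested offline. What the log shows is worth spelling out: SPF_PASS and DKIM_VALID are genuine, but for the real sending domain (the SRS-rewritten envelope and the address inside the angle brackets). The spoof lives only in the display-name part of From, and SPF, DKIM and DMARC never look at the display name, so none of them will fail on this mail. The protected domain set, the regex form, the function names and the sample headers below are all constructed for this example.

```python
import re
from email.header import decode_header, make_header

# Constructed for this example: the domains the gateway relays for. Replace with the
# relay domains configured on the gateway.
PROTECTED_DOMAINS = {"domain.ca"}

# A regex in the spirit of the "two addresses in From" What Object: it fires when an
# address-looking token precedes the angle-bracketed address. Assumed form for a PMG
# "Match Field" rule on the From header, not taken from the PMG documentation; it sees
# the raw header, so it does not look inside RFC 2047 encoded-words.
TWO_ADDRESSES_RE = re.compile(r'^\s*"?[^"<]*@[^"<]*"?\s*<[^>]+@[^>]+>\s*$')

ADDR_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
ANGLE_RE = re.compile(r'^\s*(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$', re.DOTALL)


def decode_from(value):
    """Decode RFC 2047 encoded-words so a name hidden as =?utf-8?q?...?= becomes visible."""
    try:
        return str(make_header(decode_header(value)))
    except Exception:  # undecodable header: analyse the raw value instead
        return value


def split_from(value):
    """Return (display_name, address). Deliberately not email.utils.parseaddr: its
    handling of an unquoted '@' in the display name changed between Python releases."""
    m = ANGLE_RE.match(value)
    if m:
        display = m.group('display').strip().strip('"').strip()
        return display, m.group('addr').strip().lower()
    found = ADDR_RE.findall(value)          # bare address, no angle brackets
    return '', (found[0].lower() if found else '')


def domain_of(addr):
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''


def classify_from(header_value):
    """Classify one From header value.
    spoofed:    the display name shows a protected-domain address but the real address
                is elsewhere (the pattern in the post: matt@domain.ca <iqra@skcl-bd.com>)
    suspicious: the display name shows an address from a different domain than the real one
    ok:         no address in the display name, or it matches the real address domain"""
    display, addr = split_from(decode_from(header_value))
    real_domain = domain_of(addr)
    embedded = sorted({a.lower() for a in ADDR_RE.findall(display)})
    embedded_domains = {domain_of(a) for a in embedded}
    if embedded_domains & PROTECTED_DOMAINS and real_domain not in PROTECTED_DOMAINS:
        verdict = 'spoofed'
    elif any(d != real_domain for d in embedded_domains):
        verdict = 'suspicious'
    else:
        verdict = 'ok'
    return {'display': display, 'address': addr, 'real_domain': real_domain,
            'embedded': embedded, 'verdict': verdict}


def gateway_regex_matches(header_value):
    """What the raw-header regex rule alone would catch."""
    return TWO_ADDRESSES_RE.match(header_value) is not None


# Constructed sample headers; only the first reproduces the pattern quoted in the post.
SAMPLES = [
    'matt@domain.ca <iqra@skcl-bd.com>',                  # the pattern from the post
    '"matt@domain.ca" <iqra@skcl-bd.com>',                # same, quoted display name
    '=?utf-8?q?matt=40domain=2Eca?= <iqra@skcl-bd.com>',  # same, hidden in an encoded-word
    '"Matt Smith" <matt@domain.ca>',                      # legitimate internal sender
    '"bob@example.org" <iqra@skcl-bd.com>',               # two domains, neither protected
    'iqra@skcl-bd.com',                                   # bare address, nothing to compare
]

if __name__ == '__main__':
    for sample in SAMPLES:
        result = classify_from(sample)
        print(f"{result['verdict']:10} regex={gateway_regex_matches(sample)!s:5} {sample}")
```

Two things the samples bring out. A header-regex rule on the gateway works on the raw, still-encoded From line, so the third sample slips past it while the decoded comparison still flags it; if the gateway offers no decoding before matching, a second rule for `=?` in From is the fallback. And quarantining every "two addresses in From" is wider than the customer's problem: the fifth sample is odd but not impersonating the protected domain, which is why the example separates 'spoofed' (display name on a domain you relay for, real address elsewhere) from merely 'suspicious'.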
 
