One of the domains I manage is getting some spam that's getting through the PMG.
This is what they see in their email. It appears to be from them, but is in fact not.
matt@domain.ca <iqra@skcl-bd.com>
The tracking centre shows this as follows:
Aug 26 18:39:38 swarmx1 postfix/smtpd[287961]: connect from walmailout02.yourhostingaccount.com[65.254.253.99]
Aug 26 18:39:38 swarmx1 postfix/smtpd[287961]: Anonymous TLS connection established from walmailout02.yourhostingaccount.com[65.254.253.99]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 26 18:39:39 swarmx1 postfix/smtpd[287961]: 0605B60D1F: client=walmailout02.yourhostingaccount.com[65.254.253.99]
Aug 26 18:39:39 swarmx1 postfix/cleanup[287954]: 0605B60D1F: message-id=<>
Aug 26 18:39:39 swarmx1 postfix/qmgr[142891]: 0605B60D1F: from=<SRS0=goC0mr=CE=skcl-bd.com=iqra@yourhostingaccount.com>, size=315778, nrcpt=1 (queue active)
Aug 26 18:39:39 swarmx1 postfix/smtpd[287961]: disconnect from walmailout02.yourhostingaccount.com[65.254.253.99] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Aug 26 18:39:39 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: new mail message-id=
Aug 26 18:39:40 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: SA score=2/5 time=1.083 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_MESSAGE(0.001),JMQ_SPF_NEUTRAL(0.5),MIME_BOUND_DD_DIGITS(1.373),MIME_HTML_ONLY(0.1),MISSING_MID(0.497),RCVD_IN_BL_SPAMCOP_NET(1.347),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Aug 26 18:39:40 swarmx1 postfix/smtpd[287959]: connect from localhost[127.0.0.1]
Aug 26 18:39:40 swarmx1 postfix/smtpd[287959]: 8546D60D29: client=localhost[127.0.0.1], orig_client=walmailout02.yourhostingaccount.com[65.254.253.99]
Aug 26 18:39:40 swarmx1 postfix/cleanup[287996]: 8546D60D29: message-id=<20200826223940.8546D60D29@swarmx1.mx-domain.ca>
Aug 26 18:39:40 swarmx1 postfix/qmgr[142891]: 8546D60D29: from=<SRS0=goC0mr=CE=skcl-bd.com=iqra@yourhostingaccount.com>, size=317090, nrcpt=1 (queue active)
Aug 26 18:39:40 swarmx1 postfix/smtpd[287959]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 26 18:39:40 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: accept mail to <anthony@domain.ca> (8546D60D29) (rule: default-accept)
Aug 26 18:39:40 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: processing time: 1.318 seconds (1.083, 0.188, 0)
Aug 26 18:39:40 swarmx1 postfix/lmtp[287983]: 0605B60D1F: to=<anthony@domain.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=0.22/0.02/0/1.3, dsn=2.5.0, status=sent (250 2.5.0 OK (814695F46E4AB39D47))
Aug 26 18:39:40 swarmx1 postfix/qmgr[142891]: 0605B60D1F: removed
Aug 26 18:39:40 swarmx1 postfix/smtp[287966]: 8546D60D29: to=<anthony@domain.ca>, relay=192.168.9.11[192.168.9.11]:25, delay=0.09, delays=0.02/0/0.06/0.01, dsn=2.0.0, status=sent (250 2.0.0 5f46e4ac-000043fc Message accepted for delivery)
Aug 26 18:39:40 swarmx1 postfix/qmgr[142891]: 8546D60D29: removed
These are phishing attacks on the customer. How would one best go about tightening up the PMG to block these types of spam attacks? The problem is that the end user(s) see the emails as being from a co-worker and could get tricked.
I'm looking for any ideas that I can use to help stop this type of spam coming in. I can blacklist the actual domains that are doing this, but the issue is that the emails are coming in from all sorts of different domains. The above is just one example.
Thanks for your help.
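Added example (not from the original post): the log above shows why the usual authentication checks let this one through. The envelope sender is SRS-rewritten by the forwarder, so SPF_PASS is evaluated against yourhostingaccount.com; DKIM_VALID_AU refers to the signing domain, not to domain.ca; and DMARC for domain.ca never applies because the real header From is iqra@skcl-bd.com. The only visible tell is that the display name carries an address in the protected domain while the addr-spec lives somewhere else (HEADER_FROM_DIFFERENT_DOMAINS fires, but at 0.25 points it does nothing). The script below reproduces that display-name check, unwraps the SRS0 envelope sender to show the real originator, parses the pmg-smtp-filter SA line from the post, and shows how a local rule weight would change the verdict. The protected-domain set, the sample inputs and the 5.0 rule weight are all constructed assumptions for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Domains this gateway protects. The post only names domain.ca; the set is an
# assumed configuration value.
PROTECTED_DOMAINS = {"domain.ca"}

# Constructed inputs, copied from the post: the From header as the recipient
# sees it, the SRS-rewritten envelope sender, and the pmg-smtp-filter SA line.
SAMPLE_FROM = "matt@domain.ca <iqra@skcl-bd.com>"
SAMPLE_ENVELOPE = "SRS0=goC0mr=CE=skcl-bd.com=iqra@yourhostingaccount.com"
SAMPLE_SA_LINE = (
    "Aug 26 18:39:40 swarmx1 pmg-smtp-filter[287833]: 814695F46E4AB39D47: "
    "SA score=2/5 time=1.083 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),"
    "HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_MESSAGE(0.001),JMQ_SPF_NEUTRAL(0.5),"
    "MIME_BOUND_DD_DIGITS(1.373),MIME_HTML_ONLY(0.1),MISSING_MID(0.497),"
    "RCVD_IN_BL_SPAMCOP_NET(1.347),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_NONE(0.001),"
    "SPF_PASS(-0.001)"
)

# "display name <addr-spec>" form of a From header; a bare address has no '<'.
FROM_RE = re.compile(r"^(?P<name>[^<]*)<(?P<addr>[^>]+)>\s*$")
# Anything that looks like an email address inside the display name.
EMAIL_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")
# SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder>
SRS0_RE = re.compile(
    r"^SRS0=(?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<domain>[^=]+)=(?P<local>[^@]+)@(?P<fwd>.+)$",
    re.IGNORECASE,
)


def display_name_spoof(from_header: str, protected=PROTECTED_DOMAINS) -> Optional[str]:
    """Return the impersonated address when the display name carries an address in a
    protected domain while the real addr-spec is in some other domain, else None."""
    m = FROM_RE.match(from_header)
    if not m:
        return None  # bare address: no display name to impersonate with
    name = m.group("name").strip().strip('"')
    addr_domain = m.group("addr").strip().rpartition("@")[2].lower()
    if addr_domain in protected:
        return None  # real sender is internal; SPF/DKIM/DMARC cover that case
    for e in EMAIL_RE.finditer(name):
        if e.group(1).lower() in protected:
            return e.group(0)
    return None


def decode_srs0(envelope_sender: str) -> Optional[Tuple[str, str]]:
    """Unwrap an SRS0 envelope sender into (original sender, forwarding domain)."""
    m = SRS0_RE.match(envelope_sender)
    if not m:
        return None
    return f"{m['local']}@{m['domain']}", m["fwd"]


def parse_sa_line(logline: str) -> Tuple[float, float, Dict[str, float]]:
    """Pull score, required score and the per-rule hits out of a pmg-smtp-filter SA line."""
    m = re.search(r"SA score=(?P<score>-?[\d.]+)/(?P<req>[\d.]+).*?hits=(?P<hits>\S*)", logline)
    if not m:
        raise ValueError("not an SA score line")
    hits = {n: float(v) for n, v in re.findall(r"([A-Z0-9_]+)\(([-\d.]+)\)", m["hits"])}
    return float(m["score"]), float(m["req"]), hits


# Hypothetical weight for a local display-name rule; 5.0 is an assumption, not a PMG default.
LOCAL_SPOOF_SCORE = 5.0


def rescore(from_header: str, logline: str) -> Tuple[float, bool]:
    """Add the local rule to the logged SA score and report whether it now crosses the threshold."""
    score, required, _ = parse_sa_line(logline)
    if display_name_spoof(from_header):
        score += LOCAL_SPOOF_SCORE
    return score, score >= required


if __name__ == "__main__":
    print("impersonated:", display_name_spoof(SAMPLE_FROM))
    print("real originator, forwarder:", decode_srs0(SAMPLE_ENVELOPE))
    print("score with local rule, blocked:", rescore(SAMPLE_FROM, SAMPLE_SA_LINE))
```

On the gateway the same check can be expressed without any scripting: a SpamAssassin header rule on `From:name` (SpamAssassin's `:name` modifier matches only the display name) in /etc/mail/spamassassin/custom.cf, which PMG reads for local rules, with a score large enough to push messages like this one over the threshold, or a PMG mail filter rule whose What object is a "Match Field" regex on the From header. Two caveats before turning either into a hard block: staff who send from a personal mailbox with their work address as display name, and mailing lists or ticketing systems that rewrite From, will hit the same pattern, so run it as a scored or quarantined rule first and review what it catches.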