Another spam problem

sirwiz

Verified User
Joined
Mar 5, 2008
Messages
35
Hi,

I use spamblocker4, and till now all was OK, but for the last few days I have been getting 10-20 spam emails per account, all with the same rule, where TO = FROM:

Return-path: <dehumanizesmfbl4@cochamber.com>
Envelope-to: sirwiz@e500.pl
Delivery-date: Thu, 26 Apr 2012 12:48:14 +0200
Received: from mail by t1000.8host.pl with spam-scanned (Exim 4.77)
(envelope-from <dehumanizesmfbl4@cochamber.com>)
id 1SNMFC-0001ye-AI
for sirwiz@e500.pl; Thu, 26 Apr 2012 12:48:14 +0200
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on t1000.8host.pl
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=7.5 tests=HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_MID,SPF_PASS,TO_EQ_FM_DIRECT_MX,
TO_EQ_FM_HTML_DIRECT autolearn=no version=3.3.2
Received: from [37.152.150.99]
by t1000.8host.pl with esmtp (Exim 4.77)
(envelope-from <dehumanizesmfbl4@cochamber.com>)
id 1SNMFB-0001yD-0F
for sirwiz@e500.pl; Thu, 26 Apr 2012 12:48:14 +0200
Date: Thu, 26 Apr 2012 11:48:16 +0100
From: <sirwiz@e500.pl>
To: <sirwiz@e500.pl>
Subject: Zarob 200-400 EUR za dwie godziny pracy juz w następnym tygodniu.
X-Mailer: mpplqogk
MIME-Version: 1.0
Content-Type: text/html;
charset=windows-1250
Content-Transfer-Encoding: 7bit
Message-Id: <E1SNMFC-0001ye-AI@t1000.8host.pl>
Is there any chance to block all emails where "From" = "To" and "From" is not "envelope-from", or any other way to block this spam?
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
If they are sending from an account that exists on your server it would require authentication before allowing them to send anything. Try changing the password.
 

sirwiz

Verified User
Joined
Mar 5, 2008
Messages
35
It is not a password-related problem, because you can put any value in the FROM field when sending mail, and this problem is not only on one account, but many...
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Based on the headers you've posted, it doesn't appear to be coming in as authenticated mail. Check to see if your domain is whitelisted anywhere in the whitelist files accessed by exim.conf (the ones at /etc/virtual/whitelist*). That turns your system into an open relay.

If that's not your problem, then define your issue for us. Posts on these forums explain how you can block email coming from outside which spoofs your from address, but I won't implement them by default as too many people rely on them being allowed. Or block individual IP# if you see them involved in continuous violations. What else do these spams have in common besides having the same from/to addresses?

Jeff
 

sirwiz

Verified User
Joined
Mar 5, 2008
Messages
35
These are not authorized emails, because they were sent by other infected hosts or computers. FROM MAIL is OK; this spam only fakes the FROM field, which is easy, because you can enter anything in FROM. My whitelists are empty. My host is not an open relay. This spam is well written, has low scores in spam filters, and is sent in small pockets per sender host. The only way to block it is to block all email where "TO" is the same as "FROM" (NOT "FROM MAIL") and to avoid the situation of blocking emails that users send to themselves, where "From" is not the same as "envelope-from". I'm not an Exim scripts ninja, so I do not know if it is possible or, if it is, how to write such a thing ;)
 
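The check asked for in the post above, written out as an added Python example (not code from the thread or from SpamBlocker): flag a message when the header From equals the header To but differs from the envelope sender. The sample messages are constructed from the headers quoted in the first post; reading the envelope sender from `Return-path` and the `authenticated` parameter are assumptions of this sketch.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: headers abridged from the message quoted in the thread.
SPOOFED = """\
Return-path: <dehumanizesmfbl4@cochamber.com>
Envelope-to: sirwiz@e500.pl
From: <sirwiz@e500.pl>
To: <sirwiz@e500.pl>
Subject: sample

body
"""

# Constructed sample: a user really mailing themselves, so the
# envelope sender matches the header From.
SELF_NOTE = SPOOFED.replace("dehumanizesmfbl4@cochamber.com", "sirwiz@e500.pl")


def _addr(value):
    """Return the bare, lower-cased address from one header value ('' if none)."""
    return parseaddr(value or "")[1].strip().lower()


def is_self_spoof(raw_message, authenticated=False):
    """True when header From == header To but the envelope sender differs.

    authenticated: hypothetical flag the caller sets when the message
    arrived over an authenticated SMTP session; such mail is never flagged.
    """
    msg = message_from_string(raw_message)
    hdr_from = _addr(msg["From"])
    # Collect every address from every To header.
    hdr_to = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    env_from = _addr(msg["Return-path"])

    if authenticated or not hdr_from:
        return False
    # Sole recipient in To is the claimed author, yet the envelope
    # sender is someone else: the pattern described in the thread.
    return hdr_to == {hdr_from} and hdr_from != env_from


if __name__ == "__main__":
    print("spoofed  :", is_self_spoof(SPOOFED))
    print("self note:", is_self_spoof(SELF_NOTE))
```
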

remikk

Verified User
Joined
Apr 30, 2008
Messages
153
Location
Poland
I've had the same problem. I also use Spamblocker 4. I had to use greylisting to stop this spam.
You can use this HOWTO.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Thanks, remikk, for your suggestion. It may help. I'm going to start testing greylisting some time this year as a formal addition to the exim.conf file.

Jeff
 