Another spam problem

sirwiz

Hi,

I use SpamBlocker4, and until now all was OK, but for a few days I have had 10-20 spam emails per account, all with the same rule, where TO = FROM:

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 26 Apr 2012 12:48:14 +0200
Received: from mail by t1000.8host.pl with spam-scanned (Exim 4.77)
    (envelope-from <[email protected]>)
    id 1SNMFC-0001ye-AI
    for [email protected]; Thu, 26 Apr 2012 12:48:14 +0200
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on t1000.8host.pl
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=7.5 tests=HTML_MESSAGE,
    HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_MID,SPF_PASS,TO_EQ_FM_DIRECT_MX,
    TO_EQ_FM_HTML_DIRECT autolearn=no version=3.3.2
Received: from [37.152.150.99]
    by t1000.8host.pl with esmtp (Exim 4.77)
    (envelope-from <[email protected]>)
    id 1SNMFB-0001yD-0F
    for [email protected]; Thu, 26 Apr 2012 12:48:14 +0200
Date: Thu, 26 Apr 2012 11:48:16 +0100
From: <[email protected]>
To: <[email protected]>
Subject: Zarob 200-400 EUR za dwie godziny pracy juz w następnym tygodniu.
X-Mailer: mpplqogk
MIME-Version: 1.0
Content-Type: text/html;
    charset=windows-1250
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>

Is there any chance to block all emails where "From" = "To" and "From" is not "envelope-from", or any other way to block this SPAM?
 
If they are sending from an account that exists on your server it would require authentication before allowing them to send anything. Try changing the password.
 
It is not a password-related problem, because you can put any value in the FROM field when sending mail, and this problem is not only on one account, but many...
 
Based on the headers you've posted, it doesn't appear to be coming in as authenticated mail. Check to see if your domain is whitelisted anywhere in the whitelist files accessed by exim.conf (the ones at /etc/virtual/whitelist*). That turns your system into an open relay.

If that's not your problem, then define your issue for us. Posts on these forums explain how you can block email coming from outside which spoofs your from address, but I won't implement them by default as too many people rely on them being allowed. Or block individual IP# if you see them involved in continuous violations. What else do these spams have in common besides having the same from/to addresses?

Jeff
 
These are not authorized emails, because they were sent by other infected hosts or computers. FROM MAIL is OK; this spam only fakes the FROM field, which is easy, because you can enter anything in FROM. My whitelists are empty. My host is not an open relay. This spam is well written, has low scores in spam filters, and is sent in small pockets per sender host. The only way to block it is to block all email where "TO" is the same as "FROM" (NOT "FROM MAIL") and to avoid the situation of blocking emails that users send to themselves where "From" is not the same as "envelope-from". I'm not an Exim scripts ninja, so I do not know if it is possible or, if it is, how to write such a thing ;)
 
I've had the same problem. I also use Spamblocker 4. I had to use greylisting to stop this spam.
You can use this HOWTO.
 
Thanks, remikk, for your suggestion. It may help. I'm going to start testing greylisting some time this year as a formal addition to the exim.conf file.

Jeff
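
The rule discussed in this thread (header From equals To, the message did not arrive authenticated, and the envelope sender differs from the header From) can be checked offline against stored messages to see what it would catch and what it would spare before anything is changed in exim.conf. This is an added example, not part of the thread or of SpamBlocker; the function names, the sample messages, and the example.test / 192.0.2.10 values are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Exim writes "esmtpa"/"esmtpsa" in Received when the client authenticated.
AUTH_PROTO = re.compile(r"\bwith\s+esmtps?a\b", re.I)

def single_addr(value):
    """Lower-cased address if the header holds exactly one, else ''."""
    found = [a.lower() for _, a in getaddresses([value or ""]) if a]
    return found[0] if len(found) == 1 else ""

def classify(raw):
    """Return 'spoofed-self', 'self-sent' or 'other' for one raw message."""
    msg = message_from_string(raw)
    h_from, h_to = single_addr(msg["From"]), single_addr(msg["To"])
    if not h_from or h_from != h_to:
        return "other"                      # rule only targets From == To
    authenticated = any(AUTH_PROTO.search(r) for r in msg.get_all("Received", []))
    envelope = single_addr(msg["Return-path"])
    if authenticated or envelope == h_from:
        return "self-sent"                  # users mailing themselves are spared
    return "spoofed-self"

def sample(envelope, proto, h_from, h_to):
    """Constructed message using the header layout shown in the thread."""
    return (f"Return-path: <{envelope}>\n"
            f"Received: from [192.0.2.10]\n"
            f" by mx.example.test with {proto} (Exim 4.77)\n"
            f"From: <{h_from}>\nTo: <{h_to}>\n"
            "Subject: constructed sample\n\nbody\n")

# Constructed inputs; example.test and 192.0.2.10 are placeholders.
SAMPLES = {
    "spam": sample("bulk@sender.example", "esmtp", "user@example.test", "user@example.test"),
    "auth": sample("alias@example.test", "esmtpsa", "user@example.test", "User@Example.test"),
    "same-envelope": sample("user@example.test", "esmtp", "user@example.test", "user@example.test"),
    "normal": sample("friend@other.example", "esmtp", "friend@other.example", "user@example.test"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {classify(raw)}")
```

Messages whose To header lists several recipients are classified as "other", so the check only fires on the exact one-recipient pattern reported above.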
 