empty mails, empty headers

Duboux

Verified User
Joined
Apr 20, 2007
Messages
264
Hi Jeff,

What can we do against those (most probably) spam email harvesters / checkers that send out empty emails with empty headers?

Return-path: <>
Envelope-to: my_email@bar.com
Delivery-date: Mon, 09 May 2011 06:25:50 +0200
Received: from [89.33.85.26] (helo=vizlaptop1.pro.protv.ro)
by my.server.com with smtp (Exim 4.75)
id 1QJI2Y-0007r4-BN
for my_email@bar.com; Mon, 09 May 2011 06:25:50 +0200
Received: (qmail 8620 by uid 620); Mon, 9 May 2011 07:34:54 -0200
From: "" <>
To: <my_email@bar.com>
Subject:
Date: Mon, 9 May 2011 06:41:40 -0200
Message-ID: <000801c5a896$d5d4a1d0$817de570$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C5A896.D5D4A1D0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcjhBm5DvtrroJXrkDQFu5EiYxBgzw==
Content-Language: en-us
X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner
I'd very much like to block them.
And preferably in a way that makes them think our email addresses don't exist. :)
 

chronic

Verified User
Joined
Dec 14, 2006
Messages
53
I have also had the same problem for a few days; can anyone help, please?
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
I have had the same problem... over the past week I have been getting blasted with emails from an empty sender.
 

Dennis

Verified User
Joined
Nov 13, 2004
Messages
123
Location
The Netherlands
Same problem here, but not with all customers.

Return-path: <>
Envelope-to: email@domain.nl
Delivery-date: Mon, 09 May 2011 18:50:11 +0200
Received: from 89-105-235-94.static.vega-ua.net ([89.105.235.94] helo=pc3)
by server.domain.nl with smtp (Exim 4.75)
id 1QJTet-0007m5-87
for email@domain.nl; Mon, 09 May 2011 18:50:11 +0200
Received: (qmail 4607 by uid 607); Mon, 9 May 2011 19:49:01 -0200
From: "" <>
To: <email@domain.nl>
Subject:
Date: Mon, 9 May 2011 19:29:12 -0200
Message-ID: <002c01cc0e82$51cf01c0$f56d0540$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_002B_01CC0E82.51CF01C0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcjsZayg29vxvNOPOOHNJlRTv4NZlA==
Content-Language: en-us
X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner | X-Antivirus-Scanner: Lijkt ongevaarlijk. Gebruik toch nog een eigen virusscanner voor dit bericht.
X-EsetId: F14B54215D4C3C32A10B
(email and server name are changed)

Because the first post was from Romania and this one is from Ukraine... are there bad servers in Eastern European countries? And they are not placed on the spam lists yet?

Still the "From"-address should be filled in and not blank, is there a config part we missed?

- Edit -

It is Exim doing.... or rather NOT doing a check: 45.5 Header verification
 

sky

Verified User
Joined
Nov 12, 2004
Messages
338
Dennis => have you changed the settings, is it working?
Thx for any feedback :)
 

sky

Verified User
Joined
Nov 12, 2004
Messages
338
Thx for the reply, I see the problem.
Well, I only have less than 50 a day, so I'm not sure I want to block "possible" correct emails for that.
After tweaking spamd for my email account, I don't even get any more now, but it would be nice to block them with Exim :)
 

Dennis

Verified User
Joined
Nov 13, 2004
Messages
123
Location
The Netherlands
Still searching and found the reason in another thread: http://www.directadmin.com/forum/showthread.php?t=37704

That said, the latest version of my SpamBlocker-powered exim.conf file doesn't accept messages from blank senders unless the recipient address is located on your server.
Still the rule is to accept the message. And if the IP is not on a spam list, the message will be delivered. Hard problem to tackle in this case...
 

sky

Verified User
Joined
Nov 12, 2004
Messages
338
So, if the server receives an email for a "local email", it accepts an empty sender?

About the IP blacklisting: last week, the sender IP was whitelisted in list.dnswl.org ...

Edit: after checking that IP, it was ebay.com; I suppose it's fake.
 

Dennis

Verified User
Joined
Nov 13, 2004
Messages
123
Location
The Netherlands
Yes, but was the "Envelope-to:" a valid mailbox on your server?
(And if the IP is on a whitelist then the email is delivered)
 

YMTan

Verified User
Joined
Jun 26, 2009
Messages
27
I noticed that many of the empty emails are generated by an email to the domain with a few CC. In the header, it looks like this:

From: "" <>
To: <shami@abc.com>,
<sohri@abc.com>,
<nasir@abc.com>

Inspired by the exim4 configuration at http://marc.merlins.org/linux/exim/exim4-conf/exim4.conf, I added

Code:
# Null Sender with more than one recipient is not allowed
deny message = Only one recipient accepted for NULL sender
     senders = :
     condition = ${if >{$rcpt_count}{1} {1}}

before

Code:
# Remaining Mailer-Daemon messages must be for us
accept senders = :
       domains = +relay_domains

It does help to reject that empty junk with this pattern.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Spammers continue to figure out how to spam us. Pretending to be a mailer-daemon is one way. Why would these messages be blank? One guess would be to see if an email address exists. I don't know, though.

I think adding the code for null senders sending to more than one recipient is a good idea, and I will add it the next time I work on my SpamBlocker-powered exim.conf file for DirectAdmin; possibly today.

If someone figures out a way to check body length, and tests it, I can add that also.

Otherwise my file will continue to accept email from null-senders addressed to valid users as it's the only way to get notified of a bounce.

Jeff
 

Dennis

Verified User
Joined
Nov 13, 2004
Messages
123
Location
The Netherlands
After a closer look at the emails my customer gave me, I found out that the emails with the blank headers are not blocked by the SpamBlocker. I got 3 emails with the mark ****SPAM**** from his SpamAssassin configuration, and they contain the lines:

[200.93.133.10 listed in zen.spamhaus.org]
[178.37.94.211 listed in dnsbl.sorbs.net]
[90.188.97.190 listed in dnsbl.sorbs.net]
I searched a few more and found more IPs listed, but when they send a blank "From" header the email is accepted.

Does the exim config first need to test the IP before it gets to the headers? Or is that not possible?

(Tested the IPs on this site: MX Toolbox Blacklists test)
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Is your spamblocker configuration set up to use either of those two blocklists?

Jeff
 

Dennis

Verified User
Joined
Nov 13, 2004
Messages
123
Location
The Netherlands
Hi Jeff,

it's pretty standard there:

Code:
#EDIT#41:
  deny message = Email blocked by $dnslist_domain | E-mail geblokkeerd door $dnslist_domain
       hosts    = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = \
       cbl.abuseat.org : \
       dnsbl.njabl.org : \
       bl.spamcop.net : \
       dnsbl.ahbl.org : \
       combined.rbl.msrbl.net : \
       b.barracudacentral.org : \
       zen.spamhaus.org : \
       hostkarma.junkemailfilter.com=127.0.0.2

#EDIT#42:
  deny message = Email blocked by $dnslist_domain | E-mail geblokkeerd door $dnslist_domain
       hosts    = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = \
       rhsbl.ahbl.org/$sender_address_domain
I see zen.spamhaus.org but the other one is not there :eek:....sorry

- Edit -
But it is still after the:

Code:
#EDIT#38:
  require verify = sender
So is my theory still valid? :)

- Edit 2 -
I want to find the solution so much that I did not read enough of your readme file... this only has to do with the domain, whether it exists.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
I see zen.spamhaus.org but the other one is not there :eek:....sorry
You can add sorbs blocklists if you want to, after doing some research on them, but I don't recommend or support them.
But it is still after the:

Code:
#EDIT#38:
  require verify = sender
So is my theory still valid? :)
What theory? Null senders are accepted before require verify = sender is tested.

Jeff
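To tie YMTan's one-recipient rule to Jeff's point that null senders are accepted before the later checks run, here is an added Exim RCPT ACL fragment; it is not from this thread or from SpamBlocker, and it assumes the list names quoted above (+relay_hosts, +relay_domains, +use_rbl_domains, +skip_rbl_domains) are defined and that it replaces the null-sender accept in a SpamBlocker-style acl_check_rcpt:

```exim
# Added example, not from the thread or from SpamBlocker. Assumes the
# hostlist/domainlist names below are defined as in the quoted exim.conf.
acl_check_rcpt:

  # Order matters: an "accept" ends the ACL, so any check placed after the
  # null-sender accept is never reached for bounces. Run the DNS blocklist
  # lookup first so it also applies to null senders from listed hosts.
  deny message  = Email blocked by $dnslist_domain
       hosts    = !+relay_hosts
       domains  = +use_rbl_domains
       domains  = !+skip_rbl_domains
       !authenticated = *
       dnslists = zen.spamhaus.org : bl.spamcop.net

  # A genuine bounce has exactly one recipient. $rcpt_count includes the
  # RCPT command being processed, so the second RCPT of a null-sender
  # message trips this rule and the extra recipients are refused.
  deny message   = Only one recipient accepted for NULL sender
       senders   = :
       condition = ${if >{$rcpt_count}{1}}

  # Remaining bounces are accepted only for a domain hosted here and only
  # if the mailbox exists. After "endpass" a failed verify is a reject, so
  # a bounce to a non-existent mailbox is refused at RCPT time instead of
  # being accepted and discarded later.
  accept senders = :
         domains = +relay_domains
         endpass
         verify  = recipient

  # ... remainder of the RCPT ACL (sender verification, per-domain RBLs)
```

Bounces from hosts on the chosen lists are refused as well; if that is unwanted, keep the null-sender accept above the dnslists deny and rely on the one-recipient rule alone.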
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Tentative new policy

I'm working on a new policy to limit versions of SpamBlocker to no more than one per month, unless there's some sort of emergency issue which needs to be addressed. So it probably won't be until the end of this month at the earliest before I create a new revision.

Jeff
 