Sender and Receiver same email

SeLLeRoNe (Super Moderator; joined Oct 9, 2004; 6,516 messages; A Coruña, Spain)
Hi,

Until now two of my customers (and my own domain as well) have been facing a strange problem:

Code:
From - Mon Jul 30 10:29:15 2012
X-Account-Key: account2
X-UIDL: 00000fa04df63199
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 25 Jul 2012 19:00:30 +0200
Received: from mail by myserver.CrazyNetwork.it with spam-scanned (Exim 4.80)
    (envelope-from <[email protected]>)
    id 1Su4wj-0002xe-7Y
    for [email protected]; Wed, 25 Jul 2012 19:00:30 +0200
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
    Orange01.CrazyNetwork.it
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=3.5 tests=BAYES_00,SPF_FAIL,
    T_FILL_THIS_FORM_SHORT autolearn=no version=3.3.2
Received: from [186.116.64.50]
    by Orange01.CrazyNetwork.it with esmtp (Exim 4.80)
    (envelope-from <[email protected]>)
    id 1Su4wi-0002xM-OX
    for [email protected]; Wed, 25 Jul 2012 19:00:25 +0200
Message-ID: <[email protected]>
Date: Wed, 25 Jul 2012 12:00:27 -0500
From: <[email protected]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <[email protected]>
Subject: {enlsbj}
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Antivirus-Scanner: Seems clean.  You should still use an Antivirus Scanner
X-EsetId: A722BE237802B619F261EF

The server accepts this email because the sender appears to be an external email, but the email arrives with the same address as the receiver, which can cause a non-expert user to think the sender is the wrong one.

Can I block/prevent this?

At first I thought a local domain had been hacked, but no, it seems it is an external server that is sending the email, and I think it gets accepted just because the "sender" is different and the "from" is not checked.

Any hint? Apart from banning that domain in the firewall, should I change/edit something else?

Thanks

Regards
 
I also just noticed that IP 186.116.64.50 is blacklisted in multiple lists, but I don't know why it wasn't blocked by the server.

Regards
 
I can't tell you why the email was accepted; you should check your logs to see if the sender logged into an email account on your server before sending the email.

As to the behavior (which has been discussed on these forums before), we prefer it and think you should too, because (only one example):

We use services we buy from outside vendors (for example, billing system, domain registration system, etc.) and we want the emails to go out from one of our real email addresses on our server. And when we get those emails (perhaps because we have our billing system or domain registration system send us email) we want to be able to get the email.

If you're sure you don't want or need the behavior you can write an ACL to block the email.

Jeff
 
OK, I thought it was coming from an external server, but I compared the source with a normal email and in fact:

Received: from [186.116.64.50]
by Orange01.CrazyNetwork.it with esmtp (Exim 4.80)

so that IP connected directly to my server to send it.

I'll do some investigations.

EDIT: HERE ARE THE LOG LINES:
Code:
2012-07-25 19:00:25 1Su4wi-0002xM-OX <= [email protected] H=([186.116.64.50]) [186.116.64.50] P=esmtp S=3221 [email protected] T="{enlsbj}" from <[email protected]> for [email protected]
2012-07-25 19:00:30 1Su4wj-0002xe-7Y <= [email protected] U=mail P=spam-scanned S=3646 [email protected] T="{enlsbj}" from <[email protected]> for [email protected]
2012-07-25 19:00:30 1Su4wj-0002xe-7Y => massimo <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=3771
2012-07-25 19:00:30 1Su4wi-0002xM-OX => massimo <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=3519
2012-07-25 20:41:56 H=cpc3-blbn9-2-0-cust164.10-1.cable.virginmedia.com [82.17.40.165] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by b.barracudacentral.org
2012-07-25 20:41:56 H=cpc3-blbn9-2-0-cust164.10-1.cable.virginmedia.com [82.17.40.165] incomplete transaction (connection lost) from <[email protected]>

Apparently from 20:41 Barracuda started working again and is now correctly blocking the IP (which is actually different from the first one).
But on the first line, what do I need to check to understand which user was logged in to send that mail?

Thanks Jeff

Regards
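As an added example (not from this thread, DirectAdmin or SpamBlocker), a small Python check of the point Jeff raised: in Exim's mainlog an authenticated submission carries an A=<authenticator>:<user> tag (and a P=esmtpa/esmtpsa protocol), so a "<=" line from a remote host with no A= tag whose envelope sender is one of your own domains is exactly the case above. The log lines and addresses are constructed, and LOCAL_DOMAINS is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

LOCAL_DOMAINS = {"example.com"}   # assumed: the domains this server hosts

# Constructed Exim mainlog lines modelled on the ones posted in this thread;
# addresses are placeholders, the first line mirrors the suspicious message.
LOG = """\
2012-07-25 19:00:25 1Su4wi-0002xM-OX <= user@example.com H=([186.116.64.50]) [186.116.64.50] P=esmtp S=3221 T="{enlsbj}" from <user@example.com> for user@example.com
2012-07-25 19:00:30 1Su4wj-0002xe-7Y <= user@example.com U=mail P=spam-scanned S=3646 T="{enlsbj}" from <user@example.com> for user@example.com
2012-07-25 19:05:00 1Su4wm-0002yA-1Q <= user@example.com H=(laptop) [203.0.113.7] P=esmtpsa A=login:user@example.com S=1200 T="hello" from <user@example.com> for friend@example.net
2012-07-25 19:10:00 1Su4wr-0002zB-2R <= sales@example.net H=mx.example.net [198.51.100.4] P=esmtp S=2100 T="offer" from <sales@example.net> for user@example.com
"""

ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) ")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\] P=")   # connecting host, right before P=
AUTH_RE = re.compile(r" A=(\S+)")               # only logged for SMTP AUTH sessions
RCPT_RE = re.compile(r" for (\S+)$")

@dataclass
class Arrival:
    msg_id: str
    sender: str             # envelope sender
    ip: Optional[str]       # None for locally generated mail (U=...)
    auth: Optional[str]     # e.g. "login:user@example.com"
    recipient: str

def parse_arrival(line: str) -> Optional[Arrival]:
    """Parse an Exim '<=' (message received) line; any other line gives None."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    ip, auth, rcpt = IP_RE.search(line), AUTH_RE.search(line), RCPT_RE.search(line)
    return Arrival(m["id"], m["sender"], ip.group(1) if ip else None,
                   auth.group(1) if auth else None, rcpt.group(1) if rcpt else "")

def is_spoofed_local_sender(a: Arrival, local=LOCAL_DOMAINS) -> bool:
    """Remote SMTP, no A= (never logged in), yet claims one of our own domains."""
    domain = a.sender.rpartition("@")[2].lower()
    return a.ip is not None and a.auth is None and domain in local

def find_spoofed(log_text: str) -> List[str]:
    """Ids of messages that look like externally spoofed local senders."""
    return [a.msg_id for a in map(parse_arrival, log_text.splitlines())
            if a and is_spoofed_local_sender(a)]

if __name__ == "__main__":
    for msg_id in find_spoofed(LOG):
        print("unauthenticated local sender from outside:", msg_id)
```

Hosts in your relay_hosts list would need to be excluded before treating a hit as a spoof.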
 
Fresh news:

Adding zen.spamhaus.org to the RBL list seems to have fixed the problem now.

No idea why Barracuda and the others weren't working.

Regards
 
Yes, I agree, but:

Code:
#EDIT#41:
  deny message = Email blocked by $dnslist_domain
       hosts    = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = \
       b.barracudacentral.org : \
       zen.spamhaus.org : \
       cbl.abuseat.org : \
       hostkarma.junkemailfilter.com=127.0.0.2 : \
       bl.spamcop.net

I don't use just one :)

Also, I noticed this:

Code:
>nslookup zen.spamhaus.org
Server:         213.140.2.12
Address:        213.140.2.12#53

Non-authoritative answer:
*** Can't find zen.spamhaus.org: No answer

>nslookup b.barracudacentral.org
Server:         213.140.2.12
Address:        213.140.2.12#53

Non-authoritative answer:
*** Can't find b.barracudacentral.org: No answer
>nslookup zen.spamhaus.org
Server:         213.140.2.12
Address:        213.140.2.12#53

Non-authoritative answer:
*** Can't find zen.spamhaus.org: No answer

>nslookup zen.spamhaus.org
Server:         213.140.2.12
Address:        213.140.2.12#53

Non-authoritative answer:
*** Can't find zen.spamhaus.org: No answer

The others seem to be responding fine, but apparently they don't have those new IPs listed (I've started receiving 2 new IPs per day).

From the logs they don't appear as a local server on a local relay with an authenticated user; those are really from outside (some have in the email source the PHP URL of the script that is sending those emails).

Any suggestion?

Thanks

Regards
 
Many blocklists limit the requests they get from nameservers, and if you and a million other clients are using the same nameservers, the blocklists may quit honoring them. While this may make some blocklists close to worthless if you don't have your own recursive nameserver, it's a fact of recent life. Some blocklists will make sure to accept your requests (especially if you build your own recursive nameservers), but to do that they may charge a lot.

I don't have answers; all I have is suggestions as to which lists to use, and which lists may not work for you if you don't pay them. And those suggestions may well be out of date.

At some point in the future the answer may only be commercial, and I've been talking with one company which may offer a commercial service as a plugin to DirectAdmin.

:(

Jeff
 
Thanks for the explanation, Jeff.

So you suggest creating a recursive nameserver? What about creating my own RBL list?

Let's say it would work like this:

the mail server requests info about an IP
our own RBL checks its local DB and, if it doesn't have that IP listed, asks the other RBLs and stores the result
the mail server gets the info about the IP

Would that be possible, and would that be advisable?

Regards
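As an added example (not from this thread, DirectAdmin or SpamBlocker) covering both the caching "own RBL" proposed above and the ACL/nslookup post earlier, a minimal Python front-end that queries the DNSBL zones from that ACL by reversed octets, honours the per-list return-code filter (hostkarma=127.0.0.2), checks each list's 127.0.0.2 test point first so a silent list is treated as unavailable rather than as "not listed", and caches verdicts. Note that querying the bare zone name, as the nslookup above does, is not a valid liveness test; the test point is. The resolver is pluggable, and FAKE_DNS is a constructed offline stand-in for real DNS.

```python
import socket
from typing import Callable, Dict, List, Optional, Set
# Zones from the Exim ACL in this thread; value = return codes that count as a hit
# (None = any), as in the ACL's "hostkarma.junkemailfilter.com=127.0.0.2".
DNSBLS: Dict[str, Optional[Set[str]]] = {
    "b.barracudacentral.org": None,
    "zen.spamhaus.org": None,
    "hostkarma.junkemailfilter.com": {"127.0.0.2"},
    "bl.spamcop.net": None,
}

def system_resolve(name: str) -> List[str]:
    try:                                     # A records, or [] if NXDOMAIN
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

class CachingRbl:
    """Local RBL front-end: answer from cache, else ask each upstream list that
    is actually answering and remember the verdict (the proposal above)."""
    def __init__(self, resolve: Callable[[str], List[str]] = system_resolve):
        self.resolve, self.alive, self.cache = resolve, {}, {}

    def is_answering(self, zone: str) -> bool:
        # Lists answer for test point 127.0.0.2; silence means down/refusing us, not "clean"
        if zone not in self.alive:
            self.alive[zone] = bool(self.resolve(f"2.0.0.127.{zone}"))
        return self.alive[zone]

    def _hit(self, ip: str, zone: str, wanted: Optional[Set[str]]) -> bool:
        rev = ".".join(reversed(ip.split(".")))  # 1.2.3.4 -> 4.3.2.1
        answers = set(self.resolve(f"{rev}.{zone}"))
        return bool(answers) and (wanted is None or bool(answers & wanted))

    def lookup(self, ip: str) -> Optional[str]:
        if ip not in self.cache:       # zone that lists ip (first hit wins) or None
            self.cache[ip] = next((z for z, w in DNSBLS.items()
                                   if self.is_answering(z) and self._hit(ip, z, w)), None)
        return self.cache[ip]

# Constructed stand-in for DNS so this runs offline: zen never answers (as in the
# nslookup output above); spamcop lists the thread's IP; hostkarma returns
# 127.0.0.1 (not a blocking code) for a second IP.
FAKE_DNS = {
    "2.0.0.127.b.barracudacentral.org": ["127.0.0.2"],
    "2.0.0.127.hostkarma.junkemailfilter.com": ["127.0.0.2"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "50.64.116.186.bl.spamcop.net": ["127.0.0.2"],
    "4.100.51.198.hostkarma.junkemailfilter.com": ["127.0.0.1"],
}
def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])
```

With the default resolver the class runs against real DNS; an `alive` entry that stays False for a list is the signal that your nameserver is being ignored by it.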
 
We don't suggest you create your own recursive nameserver because then any of the blocklists that would like to enforce limitations can; they know it's only you using your nameserver.

And I strongly suggest you use your local blocklists instead of running your own blocklist on your own local nameserver; for my purposes it works well, and unless you've got many thousands of entries in your blocklist, it probably runs faster, but yes you can do it, and the method of searching DNS lists as opposed to text lists, is documented somewhere in the Exim documentation.

Jeff
 
Ok, thanks for the suggestions.

About the local blocklist, well, maybe a centralized one would be better instead of using one for each server, wouldn't it?

What do you suggest for creating my own blacklist? Is there a standard program so I can use a hostname as for normal RBLs?

EDIT: I've found this: http://www.blue-quartz.com/rbl/
This allows you to create your own RBL list, backed by a MySQL DB, to point Exim to. It should be nice, I suppose; I'll investigate it, but I would ask: have you ever used it? Any other suggestion?

Thanks for your support

Regards
 
I prefer individual blocklists. Over nine years I've noticed that my individual blocklists tend to diverge rather than converge, because different people want to block different servers. I also block very little; I'm conservative in what I send and liberal in what I accept (wikipedia.org), while still managing to block most spam (with very little in the way of false alarms; I get less than 100/year reported to me over all my servers).

I've never used the blue-quartz project, though I know some of the people involved in BlueQuartz (which grew out of the open-source release of the Cobalt RaQ code).

You might want to look at this (stackexchange.com).

Another way to do it (perhaps easier, perhaps not) would be to put your whitelists and blocklists (the ones already used by my SpamBlocker exim.conf files) into an NFS share, and have them linked to all your servers.

I've never studied to see if that's more or less resource intensive.

Jeff
 
But why shouldn't it be a "best practice" to have your own RBL?

I mean, you could block all spammer IPs just by adding them into a MySQL database, without going to check each server that is "affected" and adding the IP to the firewall or blocklist.

Also, it would be useful for when other RBLs aren't working (that's why this problem came to my mind), because actually it didn't seem to me that a failing RBL passes the check on to the next one in the list (but I may be wrong, of course), and having your own would be at least a little more helpful.

The problem would be having a "current standard list" of the IPs listed on existing (famous) RBLs, so you would start with an up-to-date system.

I've read the post you linked, but actually he just suggests the one I found, with no positive/negative comments except the fact that the user is not a Linux expert and doesn't know how to edit a file (did I miss something?).

Using a MySQL DB as that solution does would be very useful for having a "one-click way" to add and remove an IP from the list, I think.

Also, I understand your way of thinking, but don't you think there are some IPs recognized worldwide as spammers that should be a "standard" on all your servers to prevent spam?

Thanks for your time, as usual.

Regards
 
> But why shouldn't it be a "best practice" to have your own RBL?

I do believe in having your own blocklists and whitelists; I believe (you may disagree) that they should be on a per-server basis, and I believe that for me the easiest way to do it is with a flat file, which is why I use flat files in /etc/virtual in my SpamBlocker exim.conf files.

> I mean, you could block all spammer IPs just by adding them into a MySQL database, without going to check each server that is "affected" and adding the IP to the firewall or blocklist.

If that's what works for you, then by all means do it. I've never checked but my intuition tells me that running a local list, under MySQL or BIND, even for multiple servers, is more resource intensive than running a flat file. You can do it any way you want, and I apologize if I gave you the impression you should do it my way.

> Also, it would be useful for when other RBLs aren't working (that's why this problem came to my mind), because actually it didn't seem to me that a failing RBL passes the check on to the next one in the list (but I may be wrong, of course), and having your own would be at least a little more helpful.

The exim.conf file checks the emails against all ACLs in order, whether they check against flat-file lists, MySQL lists, or BIND-based lists, until they either get accepted or rejected. The method you use has nothing to do with the order.

> The problem would be having a "current standard list" of the IPs listed on existing (famous) RBLs, so you would start with an up-to-date system.

I'm not sure what you mean by this.

> I've read the post you linked, but actually he just suggests the one I found, with no positive/negative comments except the fact that the user is not a Linux expert and doesn't know how to edit a file (did I miss something?).

I don't mean to suggest doing exactly what the article says; I just meant it to be another example of thought on the whole concept.

> Using a MySQL DB as that solution does would be very useful for having a "one-click way" to add and remove an IP from the list, I think.

Go ahead and implement it, then :). My ideas certainly aren't the only way to do something.

> Also, I understand your way of thinking, but don't you think there are some IPs recognized worldwide as spammers that should be a "standard" on all your servers to prevent spam?

So far I've never done that; the address that everyone thinks is a spammer may never be a problem on any of our servers.

> Thanks for your time, as usual.

And thank you for making me think about my choices :).

Jeff
 