Single Account + Forwarders and Spam

Spook

I have what I figure to be really simple email settings for a domain but it doesn't seem to work like I expected.

- DA 1.26.2
- SA not installed
- admin@ account using login = admin (only email account for the domain)
- catchall = Ignore
- webmaster@ forwarder to admin
- postmaster@ forwarder to admin
- abuse@ forwarder to admin

The intention is to allow only the basic RFC recommendations plus the admin@ to make it to my inbox.

I am getting messages with headers like:
Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 01 Mar 2006 04:56:12 -0600
Received: from pool-71-241-47-126.nrflva.east.verizon.net ([71.241.47.126] helo=35D6B820)
        by one.mydomain.com with smtp (Exim 4.53)
        id 1FEP08-000LWb-LT; Wed, 01 Mar 2006 04:56:12 -0600
Received: from walla.com (walla.com.mamma.com [64.126.213.61])
  by free.fr with SMTP id AIEA7LIZVH
  for <[email protected]>; Wed, 01 Mar 2006 04:46:19 -0600
From: "Dawn Black" <[email protected]>
To: "Test" <[email protected]>
Subject: [email protected]
X-Authenticated: #08425214
User-Agent: Mutt/1.5.1i
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
..
Almost all of the headers are spoofed (From, Return-Path, UA, etc.) and they are different in each email (although the message content is always the same), and they are being sent from Verizon dynamic IP dial-ups, I guess.

Anyhow, I don't understand why messages to <most_anything>@mydomain are not being dropped..

When I send test emails to admin, abuse, postmaster and webmaster they work as I anticipated, but my approach is apparently not helping with however this spammer is sending emails.

I'd prefer not to install SA or create real accounts for abuse, postmaster and webmaster, if possible, to keep things simple.

Any ideas? I've thought I might try and filter on something in the message body but have not tried yet. Filtering on the header in any way seems impossible unless I want to block verizon entirely..
 
Look carefully and you'll see that the envelope-to address is webmaster at your domain.

Forget the "To:" line in the headers; email delivery doesn't depend on that line; it depends on the envelope addresses.

Think of it as a letter inside an envelope.

Inside the envelope you can have any inside address you want; the mailman doesn't see that.

Exim is the mailman, and he doesn't see any of the headers. He sees only the To address on the envelope.

The spammer (or whoever) is actually sending the email to webmaster, because they know that has to be accepted.

Are you using SpamBlocker or SpamAssassin?

Jeff
 
Hi Jeff,

Yes, I noticed the envelope-to but wasn't sure how that was created. I thought maybe that was something to do with the forwarding I have set.

I'm not using spam assassin and am not certain about spam blocker -- I've not done anything outside of the DA CP aside from implement a certificate for TLS.
 
Look at that top Received: line; it doesn't have a recipient in it.

That means the email had multiple recipients.

The Envelope-to: says webmaster is the recipient.

If you don't have a webmaster account or forward then you'll need to do some forensic work, probably by running the exim -bh command manually from the server command line. Google for instructions.

Jeff
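As an added illustration of Jeff's two points (the envelope recipient, not the To: header, decides where Exim delivers; a top Received: line with no "for <...>" clause means the session carried more than one recipient), here is a small Python check that is not from the thread. It reconstructs the quoted headers with placeholder addresses, since the real ones are redacted above, and maps the envelope recipient through the forwarders Spook described.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the headers quoted in the thread; the
# redacted addresses are replaced with placeholders (an assumption).
SAMPLE = """Return-path: <dawn.black@walla.com>
Envelope-to: webmaster@mydomain.com
Delivery-date: Wed, 01 Mar 2006 04:56:12 -0600
Received: from pool-71-241-47-126.nrflva.east.verizon.net ([71.241.47.126] helo=35D6B820)
        by one.mydomain.com with smtp (Exim 4.53)
        id 1FEP08-000LWb-LT; Wed, 01 Mar 2006 04:56:12 -0600
Received: from walla.com (walla.com.mamma.com [64.126.213.61])
  by free.fr with SMTP id AIEA7LIZVH
  for <test@mydomain.com>; Wed, 01 Mar 2006 04:46:19 -0600
From: "Dawn Black" <dawn.black@walla.com>
To: "Test" <test@mydomain.com>
Subject: hello

body
"""

# Forwarders as configured in the thread: the RFC role addresses all go to admin.
FORWARDERS = {"webmaster": "admin", "postmaster": "admin", "abuse": "admin"}


def analyse(raw, forwarders=FORWARDERS):
    """Compare the envelope recipient with the To: header and trace delivery."""
    msg = message_from_string(raw)
    envelope_to = msg.get("Envelope-to", "").strip().lower()
    header_to = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    # The first Received: line is the one our own Exim added on acceptance.
    top_received = msg.get_all("Received", [""])[0]
    # Exim writes "for <addr>" only when the session had a single RCPT TO.
    received_for = re.search(r"\bfor\s+<([^>]+)>", top_received)
    local_part = envelope_to.split("@")[0]
    return {
        "envelope_to": envelope_to,
        "header_to": header_to,
        "header_matches_envelope": envelope_to in header_to,
        "multiple_recipients": received_for is None,
        "delivered_to": forwarders.get(local_part, local_part),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The mismatch between `envelope_to` and `header_to` is the tell Jeff points at: the mail was accepted for webmaster@ and the forwarder then hands it to admin, regardless of what the To: line says.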
 