Spoofing bounce actually comes in!

Problems/questions regarding the MailCleaner configuration


wolfsden3
Posts: 12
Joined: Mon Sep 29, 2014 6:07 am
How did you hear about Mailcleaner: ServerFault Forum


Postby wolfsden3 » Sat Oct 01, 2016 2:13 am

I had a user get an NDR today BUT the stupid email was a spoof. So...I host mail for user@user.com and it's inbound mail only that gets filtered, the user@user.com NEVER sends outbound from the mailcleaner...it's only for inbound filtering.

So the spoof comes in from user@douchebag.net (websitewelcome.com actually) but says it's from "user@user.com", MailCleaner says:

Rejected:

Incoming MTA stage:    2016-09-30 10:18:10 H=gateway30.websitewelcome.com [192.185.196.18] X=TLSv1:DHE-RSA-AES256-SHA:256 F=<user@user.com> rejected RCPT <otheruser@user.com>: This domain does not accept mail from itself (spoofing)


Now...almost immediately I get this that DOES come through...the bounce! It has their spoofed crap content in it asking for a money transfer...ugh!

Accepted:

Incoming MTA stage:    2016-09-30 10:18:11 1bpydf-0000m6-6W <= <> H=gateway30.websitewelcome.com [192.185.196.18] P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=4767 id=20160930141810.C69EFFED6B19A@gateway30.websitewelcome.com
2016-09-30 10:18:11 1bpydf-0000m6-6W => user@user.com R=filter_forward T=local_smtp S=4908 H=127.0.0.1 [127.0.0.1] C="250 OK id=1bpydf-0000mA-AH"
2016-09-30 10:18:11 1bpydf-0000m6-6W Completed
Filtering MTA stage:    2016-09-30 10:18:11 1bpydf-0000mA-AH <= <> H=(10.0.10.2) [127.0.0.1] P=esmtp S=4767 id=20160930141810.C69EFFED6B19A@gateway30.websitewelcome.com
Filtering Engine:    Sep 30 10:18:12 localhost MailScanner[24545]: PreRBLs found sender hostname: gateway30.websitewelcome.com for 192.185.196.18 on message 1bpydf-0000mA-AH
Sep 30 10:18:13 localhost MailScanner[24545]: Spamc result is not spam (0.0/5.0) for 1bpydf-0000mA-AH
Sep 30 10:18:13 localhost MailScanner[24545]: Message 1bpydf-0000mA-AH from 192.185.196.18 () to user.com is not spam, Spamc (score=0.0, required=5.0, HTML_MESSAGE 0.0)
Sep 30 10:18:13 localhost MailScanner[24545]: Profiled SpamCheck for message 1bpydf-0000mA-AH: (ClamSpam_Check:0.0085s) (NiceBayes_Check:0.0004s) (PreRBLs_Check:0.2786s) (Prefilters:1.3497s) (SpamCacheCheck:0.0008s) (Spamc_Check:1.0243s) (TrustedSources_Check:0.0187s) (UriRBLs_Check:0.0174s)
Sep 30 10:18:13 localhost MailScanner[24545]: Count updated for 1bpydf-0000mA-AH
Sep 30 10:18:13 localhost MailScanner[24545]: Count updated in daemon for 1bpydf-0000mA-AH
Outgoing stage:    2016-09-30 10:18:14 1bpydf-0000mA-AH => user@user.com R=filter_forward T=remote_smtp S=5281 H=mail.user.com [IPwashere: x.x.x.x] X=TLSv1:DHE-RSA-AES256-SHA:256 C="250 2.0.0 Ok: queued as 85F936E234E"
2016-09-30 10:18:14 1bpydf-0000mA-AH Completed


How can I block the bounce from coming in when it clearly shouldn't?!
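Added example, not from the post or from MailCleaner: a small Python script that correlates the two log events quoted above, a RCPT rejected for sender spoofing followed shortly by a null-sender (<>) message accepted from the same sending IP, which is the shape of backscatter a spoofed message produces. The sample log lines are constructed from the entries in the post (with the "stage:" prefixes removed); the 60-second window and the regexes are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the Exim-style lines quoted in the post:
# line 1 is the spoofing rejection, line 2 the null-sender bounce accepted one
# second later from the same host, line 3 an unrelated null-sender message.
LOG = """\
2016-09-30 10:18:10 H=gateway30.websitewelcome.com [192.185.196.18] X=TLSv1:DHE-RSA-AES256-SHA:256 F=<user@user.com> rejected RCPT <otheruser@user.com>: This domain does not accept mail from itself (spoofing)
2016-09-30 10:18:11 1bpydf-0000m6-6W <= <> H=gateway30.websitewelcome.com [192.185.196.18] P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=4767 id=20160930141810.C69EFFED6B19A@gateway30.websitewelcome.com
2016-09-30 11:05:00 1bpzzz-0000q1-AB <= <> H=mx.example.org [203.0.113.7] P=esmtps S=2100 id=abc@mx.example.org
"""

# Timestamp and sending IP of a "rejected RCPT ... (spoofing)" entry.
REJECT_RE = re.compile(r"^(\S+ \S+) H=\S+ \[([\d.]+)\] .*rejected RCPT .*\(spoofing\)")
# Timestamp, Exim message id and sending IP of a message accepted with an empty
# envelope sender ("<= <>"), i.e. a bounce/DSN.
NULL_SENDER_RE = re.compile(r"^(\S+ \S+) (\S+) <= <> H=\S+ \[([\d.]+)\]")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_backscatter(log_text, window_seconds=60):
    """Return the Exim message ids of null-sender messages accepted from an IP
    that had a recipient rejected for spoofing within window_seconds before."""
    rejections = []  # (timestamp, ip) of every spoofing rejection seen so far
    suspects = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            rejections.append((parse_ts(m.group(1)), m.group(2)))
            continue
        m = NULL_SENDER_RE.match(line)
        if not m:
            continue
        ts, msg_id, ip = parse_ts(m.group(1)), m.group(2), m.group(3)
        for rej_ts, rej_ip in rejections:
            if rej_ip == ip and timedelta(0) <= ts - rej_ts <= timedelta(seconds=window_seconds):
                suspects.append(msg_id)
                break
    return suspects


if __name__ == "__main__":
    for msg_id in find_backscatter(LOG):
        print("probable backscatter from a spoofing source:", msg_id)
```

Run over the real Exim log, the same correlation gives a list of bounce message ids to review before any rule that blocks null-sender mail is considered, since legitimate DSNs also arrive with an empty envelope sender.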
