On Tue, 15 Sep 2009 16:05:42 +0100, Mark Goodge wrote:
> wrote:
>> wiskbr...@hotmail.com wrote:
>>>
>>> I am seeing a few spams coming through with a from address (seen on my
>>> postfix logs) that does not match the "From" address shown on my users'
>>> Outlook. In fact my users are seeing a "From" address as their own,
>>> something that my postfix server currently does not allow using
>>> mynetworks and permitting this using smtpd_recipient_restrictions.
>>
>> Does it possibly have a From line that looks like this:
>>
>> From: "real.addr...@yourcompany.tld"
>>
>> Postfix will (correctly) consider the address in angle brackets as the
>> actual address, but Outlook (and many other mail clients) will hide that
>> and display the part in quotes, as it will interpret that as the
>> sender's name.
>
> Postfix will not consider the address in the FROM header. It will look at
> the address in the MAIL FROM address in the smtp stage. These addresses can
> be different.
>>
>> Mark
How can I tell then what the envelope looks like? The logs are not showing anything unusual. Here they are:

None of the inbound spam emails contain anything at all like (From: "real.addr...@yourcompany.tld"), all of them contain (from=), although the emails are sent to numerous recipients, so just one "from:" per smtp session.

Oddly enough, the connecting/offending site also triggered this message in my postfix logs:

Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] statistics: max connection rate 2/60s for (smtp:192.168.123.1) at Sep 11 23:55:53
Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] statistics: max connection count 2 for (smtp:192.168.123.1) at Sep 11 23:55:53
Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] statistics: max cache size 8 at Sep 11 23:56:23

Here is an example of just one of my MANY logs for a session which has resulted in my receiving inbound spam having a "From" address somehow appearing as if it were coming from me. As I've said earlier, I restrict inbound email with a from address of my own domains by IP, and the sites that are able to sneak in are not from those IPs.
Sep 11 23:55:55 smtp-gw postfix/smtpd[18200]: [ID 197553 mail.info] A4AD334F038: client=unknown[192.168.123.1]
Sep 11 23:56:06 smtp-gw postfix/cleanup[19988]: [ID 197553 mail.info] A4AD334F038: message-id=
Sep 11 23:56:06 smtp-gw postfix/qmgr[17278]: [ID 197553 mail.info] A4AD334F038: from=, size=2321, nrcpt=10 (queue active)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/smtp[19065]: [ID 197553 mail.info] A4AD334F038: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=11, delays=11/0/0/0.24, dsn=2.0.0, status=sent (250 OK, sent 4AB1B356_21275_170598_1 9C3E834F03A)
Sep 11 23:56:06 smtp-gw postfix/qmgr[17278]: [ID 197553 mail.info] A4AD334F038: removed

Can anyone please help? I am getting killed by this new spam.

Thanks,
.vp
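The point raised in the thread, that the `from=<...>` in the qmgr line is the SMTP envelope sender while Outlook shows the header `From:` (and, for a quoted display name, only the quoted part), as an added Python example that is not part of this thread or of Postfix. The domain yourcompany.tld, the log line and the three messages are constructed samples with placeholder addresses standing in for the ones the original logs omit.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this gateway treats as its own.
LOCAL_DOMAINS = {"yourcompany.tld"}

# Constructed qmgr line: the envelope (MAIL FROM) sender is the from=<...> field.
LOG_LINE = ("Sep 11 23:56:06 smtp-gw postfix/qmgr[17278]: A4AD334F038: "
            "from=<bounce@spammer.example>, size=2321, nrcpt=10 (queue active)")

# Constructed messages. The first uses the display-name trick from the thread:
# the quoted part looks like a local address, the addr-spec in <> does not.
MSG_DISPLAY_NAME = ('From: "real.addr@yourcompany.tld" <bounce@spammer.example>\n'
                    "To: user@yourcompany.tld\nSubject: hi\n\nbody\n")
MSG_FORGED_HEADER = ("From: user@yourcompany.tld\n"
                     "To: user@yourcompany.tld\nSubject: hi\n\nbody\n")
MSG_CLEAN = ("From: Someone <someone@elsewhere.example>\n"
             "To: user@yourcompany.tld\nSubject: hi\n\nbody\n")


def envelope_sender(log_line):
    """MAIL FROM as Postfix logs it: the address inside from=<...>."""
    m = re.search(r"\bfrom=<([^>]*)>", log_line)
    return m.group(1) if m else None


def header_from(raw_message):
    """(display name, addr-spec) of the From: header, as a mail client parses it."""
    return parseaddr(message_from_string(raw_message)["From"] or "")


def domain(addr):
    return addr.rpartition("@")[2].lower()


def check(raw_message, log_line):
    """Compare what the client displays with what Postfix saw in the envelope."""
    name, addr = header_from(raw_message)
    env = envelope_sender(log_line) or ""
    findings = []
    # Display name is itself a local-looking address, but the real address is not.
    if domain(addr) not in LOCAL_DOMAINS and domain(name) in LOCAL_DOMAINS:
        findings.append("display name looks local, real address is not")
    # Header From claims a local domain, but the SMTP envelope sender did not.
    if domain(addr) in LOCAL_DOMAINS and domain(env) not in LOCAL_DOMAINS:
        findings.append("header From is local but envelope sender is not")
    return findings
```

The envelope sender check only needs the qmgr log line; the display-name check needs the message itself, which the smtpd/qmgr log never shows.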