Re: From Altered After Mail Accepted

Thu, 17 Sep 2009 09:52:18 -0700 

On 9/17/2009 9:04 AM, wiskbr...@hotmail.com wrote:


How can I tell then what the envelope looks like?


Postfix logs the envelope address.

Examine the logs for this message; postfix logs it as from 
<owner-postfix-us...@...> but the From: is my address.



The logs are not showing anything unusual.  Here they are:

None of the inbound spam emails  contain anything at all like (From: 
"real.addr...@yourcompany.tld"),  all of them contain (from=), although the emails are 
sent to numerous recipients, so just one "from:" per smtp session.

Oddly enough, the connecting/offending site also triggered this message in my 
postfix logs:

Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] statistics: 
max connection rate 2/60s for (smtp:192.168.123.1) at Sep 11 23:55:53
Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] statistics: 
max connection count 2 for (smtp:192.168.123.1) at Sep 11 23:55:53
Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] statistics: 
max cache size 8 at Sep 11 23:56:23



Is this 192.168.123.1 the actual IP address in the logs, or 
have you altered it?




Here is an example of just one of my MANY logs for a session which has resulted in my 
receiving inbound spam having a "From" address somehow appearing as it were 
coming from me. As I've said earlier, I restrict inbound email with a from address of my 
own domains by IP, and the site s that are able to sneak in are not from those IP's.

Sep 11 23:55:55 smtp-gw postfix/smtpd[18200]: [ID 197553 mail.info] 
A4AD334F038: client=unknown[192.168.123.1]
Sep 11 23:56:06 smtp-gw postfix/cleanup[19988]: [ID 197553 mail.info] 
A4AD334F038: message-id=
Sep 11 23:56:06 smtp-gw postfix/qmgr[17278]: [ID 197553 mail.info] A4AD334F038: 
from=, size=2321, nrcpt=10 (queue active)


Is that the real client IP?

Are the message-id= and from= really logged as empty, or did 
you alter them?




Can anyone please help?  I am getting killed by this new spam.



Don't confuse the envelope sender as logged by Postfix with 
the From: header displayed by your mail client.



  -- Noel Jones






















					Reply via email to