> On 9/17/2009 9:04 AM, wiskbr...@hotmail.com wrote:
>
>> How can I tell then what the envelope looks like?
>
> Postfix logs the envelope address.
> Examine the logs for this message; postfix logs it as from
>  but the From: is my address.
>
>> The logs are not showing anything unusual. Here they are:
>>
>> None of the inbound spam emails contain anything at all like (From: 
>> "real.addr...@yourcompany.tld"), all of them contain (from=), although the 
>> emails are sent to numerous recipients, so just one "from:" per smtp session.
>>
>> Oddly enough, the connecting/offending site also triggered this message in 
>> my postfix logs:
>>
>> Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] 
>> statistics: max connection rate 2/60s for (smtp:192.168.123.1) at Sep 11 
>> 23:55:53
>> Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] 
>> statistics: max connection count 2 for (smtp:192.168.123.1) at Sep 11 
>> 23:55:53
>> Sep 11 23:59:54 smtp-gw postfix/anvil[17292]: [ID 197553 mail.info] 
>> statistics: max cache size 8 at Sep 11 23:56:23
>
> Is this 192.168.123.1 the actual IP address in the logs, or
> have you altered it?

It's been altered; the original was an IP address from Russia, which I've since 
blocked, but I have since received identical emails from other IP addresses, from 
other countries too.

>> Here is an example of just one of my MANY logs for a session which has 
>> resulted in my receiving inbound spam having a "From" address somehow 
>> appearing as it were coming from me. As I've said earlier, I restrict 
>> inbound email with a from address of my own domains by IP, and the sites 
>> that are able to sneak in are not from those IPs.
>>
>> Sep 11 23:55:55 smtp-gw postfix/smtpd[18200]: [ID 197553 mail.info] 
>> A4AD334F038: client=unknown[192.168.123.1]

>> Sep 11 23:56:06 smtp-gw postfix/cleanup[19988]: [ID 197553 mail.info] 
>> A4AD334F038: message-id=
>> Sep 11 23:56:06 smtp-gw postfix/qmgr[17278]: [ID 197553 mail.info] 
>> A4AD334F038: from=, size=2321, nrcpt=10 (queue active)
>
> Is that the real client IP?

Same as above, the client in this case is the offender's "public" IP address.


> Are the message-id= and from= really logged as empty, or did
> you alter them?

Ugh!  I guess I did alter it, well not really, just did a poor copy/paste...
The right one read something like this:

Sep 16 23:56:06 smtp-gw postfix/cleanup[19988]: [ID 197553 mail.info] 
A4AD334F038: message-id=

>
>
>> Can anyone please help? I am getting killed by this new spam.
>
> Don't confuse the envelope sender as logged by Postfix with
> the From: header displayed by your mail client.

Thanks.  Is there a way to ensure that these are the same?  How can I ensure 
that the From: header displayed by my mail clients is not allowed inbound with 
the same domains as those I host?


Kindest regards,

.vp
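
The distinction drawn in this thread, between the envelope sender that Postfix logs as from= and the From: header a mail client displays, shown as an added example that is not part of the original message or of Postfix. The hosted domain, trusted network, client addresses and sample message are constructed placeholders.

```python
import email
import ipaddress
from email.utils import getaddresses

# Assumed for illustration: the domains you host and the networks allowed to use them.
HOSTED_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample message: the From: header claims a hosted domain.
SAMPLE = (
    'From: "Me" <me@example.com>\r\n'
    "To: me@example.com\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)


def domain_of(addr):
    """Lower-cased domain of an address; '' for the null sender <>."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_from_domains(raw_message):
    """Domains of every address found in the message's From: header(s)."""
    msg = email.message_from_string(raw_message)
    addrs = getaddresses(msg.get_all("From", []))
    return {domain_of(a) for _, a in addrs if a}


def classify(client_ip, envelope_sender, raw_message):
    """Say which sender identity, if any, claims a hosted domain when the
    client connects from outside the trusted networks."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "trusted-client"
    if domain_of(envelope_sender) in HOSTED_DOMAINS:
        return "envelope-spoof"   # this is the address logged as from=
    if header_from_domains(raw_message) & HOSTED_DOMAINS:
        return "header-spoof"     # never logged as from=; lives only in the message
    return "no-claim"
```

A restriction keyed on the envelope sender only ever catches the "envelope-spoof" case; the "header-spoof" case requires inspecting the message headers themselves.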
