Hello,
I'm confused and need your help.
I run a small server with rspamd as spam filter (smtpd_milters = inet:localhost:11332).
There are only a limited number of users, and they can only send emails with SMTP auth.
Until recently everything was fine, but in the last couple of days a huge amount of undetected spam has arrived in all mailboxes.
The thing is that all these emails are avoiding rspamd completely (but other incoming mails are filtered as they are supposed to be).
I started some investigation and found this:
- for years now, because of reasons, I put an extra header on all outgoing emails (with header_checks and PREPEND)
- I have tested again, and "normal" incoming emails (spam & ham) don't contain this extra header, just outgoing mails, so this works fine
- however, although the mentioned spam seemingly comes from the internet (there is an "external" IP and hostname in the "Received: from" header), this extra outgoing header ("X-Original-Outgoing-Mail") can be seen in the mail headers, as if it had been sent out from my server
The whole mail header can be found here: https://pastebin.com/UVK3d2V8
(there's nothing special in it, except there is no rspamd invoked).
My first thought was that some of the "internal" senders (family & friends) got infected and they are sending these mails somehow, but I also have rspamd in "non_smtpd_milters" and it's also not triggered, and there is an "external" IP and hostname in the incoming mails.
Any idea what's going on (especially for the extra outgoing header
that appears in the incoming spam)?
Any advice is appreciated,
Zsombor
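A small triage script for the situation described above, added here as an example (not part of the original message, and not the poster's own code). It parses a raw message header block and reports three things a defender would check first on such a mail: whether the outgoing marker header is present, whether any rspamd result header is present, and whether any Received hop shows an authenticated submission. It assumes the marker header name "X-Original-Outgoing-Mail" from the post, that rspamd's milter adds headers such as "X-Spamd-Result" / "X-Rspamd-Queue-Id" when it processes a message, and that Postfix records authenticated submissions as "with ESMTPSA" (or "ESMTPA") in the Received line. The two sample messages are constructed for the example and do not reproduce the pastebin content.

```python
import re
from email import message_from_string
from email.policy import default

# Header name taken from the post; rspamd header prefixes are an assumption
# about the default milter headers, not something the post states.
OUTGOING_MARKER = "X-Original-Outgoing-Mail"
RSPAMD_PREFIXES = ("X-Spamd-", "X-Rspamd-", "X-Spam")

# Postfix marks SASL-authenticated submissions as ESMTPA/ESMTPSA in "with".
AUTH_PROTOS = {"ESMTPA", "ESMTPSA"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<with>\S+))?",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample 1: looks like the spam in the post, externally delivered,
# carrying the outgoing marker, with no rspamd headers at all.
SUSPICIOUS = """\
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mx.example.net (Postfix) with ESMTP id CONSTRUCTED1
\tfor <user@example.net>; Mon, 01 Jan 2024 10:00:00 +0000
X-Original-Outgoing-Mail: yes
From: someone@example.org
To: user@example.net
Subject: constructed sample
Message-ID: <constructed-1@example.org>

body
"""

# Constructed sample 2: a genuine authenticated submission from one of the
# server's own users, which is the only place the marker should appear.
LEGIT_OUTGOING = """\
Received: from laptop.lan (unknown [192.0.2.7])
\tby mx.example.net (Postfix) with ESMTPSA id CONSTRUCTED2
\tfor <friend@example.com>; Mon, 01 Jan 2024 11:00:00 +0000
X-Original-Outgoing-Mail: yes
From: user@example.net
To: friend@example.com
Subject: constructed sample
Message-ID: <constructed-2@example.net>

body
"""


def received_hops(raw):
    """Return the Received hops (top-most first) as dicts: from/by/with."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    return hops


def triage(raw):
    """Summarise the header facts relevant to the 'marker without rspamd' symptom."""
    msg = message_from_string(raw, policy=default)
    hops = received_hops(raw)
    return {
        "has_outgoing_marker": msg.get(OUTGOING_MARKER) is not None,
        "rspamd_seen": any(k.startswith(RSPAMD_PREFIXES) for k in msg.keys()),
        "authenticated_submission": any(
            h["with"].upper() in AUTH_PROTOS for h in hops
        ),
        "first_hop_from": hops[0]["from"] if hops else "",
    }


def classify(raw):
    """One-line verdict: the marker is only expected on authenticated submissions."""
    t = triage(raw)
    if t["has_outgoing_marker"] and not t["authenticated_submission"]:
        return "suspicious: outgoing marker on a non-authenticated hop"
    if not t["rspamd_seen"] and not t["authenticated_submission"]:
        return "suspicious: external mail without rspamd headers"
    return "consistent"


if __name__ == "__main__":
    for label, sample in (("spam-like", SUSPICIOUS), ("outgoing", LEGIT_OUTGOING)):
        print(label, triage(sample), classify(sample))
```

Run over a mailbox of the undetected spam, the "authenticated_submission" flag separates mail that really left via submission from mail that merely carries the marker; a marker on a hop that is plain ESMTP from an outside host is the anomaly the post describes and is worth correlating against the Postfix log for that queue ID.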