> Show evidence (logging) and turn off verbose logging.
>
> Wietse

OK, here is the message header for one of the spam e-mails (which did not get deleted during my mass cleanup efforts because a copy was saved in my amavisd-new quarantine database):
X-Envelope-From: <communications.reference.437...@novascotia.com>
X-Envelope-To: <andrea_ma...@yahoo.ca>
X-Envelope-To-Blocked: <andrea_ma...@yahoo.ca>
X-Quarantine-ID: <D0t9j6VORyNH>
X-Spam-Flag: YES
X-Spam-Score: 5.488
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.488 tag=x tag2=4.5 kill=4.5
    tests=[ALL_TRUSTED=-1, BAYES_00=-0.8, BAYES_00_RAZOR=0.8, FSL_BULK_SIG=0.001,
    HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_HTML_ONLY=1,
    RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=3, SUBJ_ALL_CAPS=0.5]
    autolearn=disabled
Received: from memoryalpha.richw.org ([127.0.0.1])
    by localhost (memoryalpha.richw.org [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id D0t9j6VORyNH for <andrea_ma...@yahoo.ca>;
    Thu, 15 Oct 2020 14:48:06 -0700 (PDT)
Received: from [154.91.34.144] (localhost [127.0.0.1])
    by memoryalpha.richw.org (Postfix) with ESMTP id 4CC2vp5WmFz87Jy
    for <andrea_ma...@yahoo.ca>; Thu, 15 Oct 2020 14:48:06 -0700 (PDT)
From: ScotiaInfoAlerts Communications <communications.reference.437...@novascotia.com>
Content-Type: text/html
To: andrea_ma...@yahoo.ca
Content-Transfer-Encoding: 7bit
X-Read: MailingV.4371434NJ
Subject: CONFIRMATION REQUIRED - CUSTOMER ID: SS437143
Message-Id: <4cc2vp5wmfz8...@memoryalpha.richw.org>
Date: Thu, 15 Oct 2020 14:48:06 -0700 (PDT)

Note that the chronologically last "Received:" line says the message was received from 154.91.34.144 -- an IP address with no hostname, in a range assigned (according to WHOIS) to Hong Kong. I'm not sure what the parenthesized reference to "(localhost [127.0.0.1])" in this "Received:" line means. Does this mean that the client host falsely identified itself with "HELO localhost"?
Now, here are the lines in my mail log corresponding to this message:

Oct 15 14:48:06 memoryalpha postfix/postscreen[18030]: CONNECT from [127.0.0.1]:52138 to [127.0.0.1]:25
Oct 15 14:48:06 memoryalpha postfix/postscreen[18030]: WHITELISTED [127.0.0.1]:52138
Oct 15 14:48:06 memoryalpha postfix/smtpd[6414]: connect from localhost[127.0.0.1]
Oct 15 14:48:06 memoryalpha postfix/smtpd[6414]: 4CC2vp5WmFz87Jy: client=localhost[127.0.0.1]
Oct 15 14:48:06 memoryalpha postfix/cleanup[7158]: 4CC2vp5WmFz87Jy: message-id=<4cc2vp5wmfz8...@memoryalpha.richw.org>
Oct 15 14:48:06 memoryalpha postfix/qmgr[26090]: 4CC2vp5WmFz87Jy: from=<communications.reference.437...@novascotia.com>, size=9292, nrcpt=1 (queue active)
Oct 15 14:48:08 memoryalpha amavis[8375]: (08375-11) Blocked SPAM {DiscardedOpenRelay,Quarantined}, [127.0.0.1]:52138 <communications.reference.437...@novascotia.com> -> <andrea_ma...@yahoo.ca>, quarantine: D0t9j6VORyNH, Queue-ID: 4CC2vp5WmFz87Jy, Message-ID: <4cc2vp5wmfz8...@memoryalpha.richw.org>, mail_id: D0t9j6VORyNH, Hits: 5.488, size: 9276, 1290 ms
Oct 15 14:48:08 memoryalpha postfix/smtp[8703]: 4CC2vp5WmFz87Jy: to=<andrea_ma...@yahoo.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.5, delays=0.19/0/0/1.3, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=08375-11 - spam)

(plus some more amavis-specific log lines which I assume people here don't care about).

Note here that the "client=" line (first line in the above) gives the sending host as "localhost[127.0.0.1]". I know that Postfix connects to amavisd-new via [127.0.0.1]:10024, so I can understand references to this IP address in and after the "amavis[8375]" log line. But why does the very first line (smtpd[6414], before any amavis processing) have localhost as the client?
If my server is getting confused and thinks the message in question originally came from localhost, I can easily understand why the open relay checks are being skipped, since my main.cf file includes 127.0.0.0/8 amongst the "mynetworks" values. So, am I doing something wrong that is allowing spammers to say "HELO localhost" and get away with it? Or is something else causing my Postfix to think the e-mail came inbound from localhost even though it didn't? Other, valid e-mail coming into and delivered via this server retains the sending host's identity, btw, and is not rewritten to claim it came from localhost.

Rich Wales
ri...@richw.org
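A short tool for reading the trace headers quoted above, added here as an example and not part of the original thread or of Postfix. In a Postfix "Received:" line the name right after "from" is whatever the client sent in HELO/EHLO (untrusted client input), while the parenthesized reverse-DNS name and bracketed address are what Postfix observed on the TCP connection; the script separates the two, checks the observed peer against a mynetworks list, and walks the headers to find the first hop whose peer is not a trusted network. The mynetworks list (127.0.0.0/8 from the post, plus an assumed ::1/128), the regular expression, and the extra "mail.example.net" hop with the documentation address 203.0.113.10 are constructed for the example; the two Received: lines from the thread are used as-is.

```python
"""Separate what an SMTP client claimed (HELO) from what the MTA observed (peer IP,
reverse DNS) in Postfix 'Received:' headers, and test the observed peer against
mynetworks.  Added example; not code from the thread or from Postfix."""
import ipaddress
import re

# Shape of a Postfix Received: line:
#   Received: from <HELO> (<rDNS> [<peer IP>]) by <host> (Postfix) with ESMTP id <queue-id> ...
# <HELO> is client-supplied; <rDNS> and <peer IP> come from the TCP connection and are
# the part an investigator should rely on.  The rDNS name is absent for some hops
# (e.g. amavisd-new writes "([127.0.0.1])"), so it is optional here.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)

# 127.0.0.0/8 is in the poster's mynetworks; ::1/128 is an assumption for IPv6 loopback.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def parse_received(line):
    """Return HELO name, reverse-DNS name, peer IP and receiving host, or None if
    the line is not a Postfix-style Received: header."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "peer_ip": m["ip"], "by": m["by"]}


def analyze(line, mynetworks=MYNETWORKS):
    """Classify one hop: is the observed peer inside mynetworks, and does an
    address-literal HELO such as "[154.91.34.144]" disagree with the observed peer?"""
    hop = parse_received(line)
    if hop is None:
        return None
    peer = ipaddress.ip_address(hop["peer_ip"])
    hop["peer_trusted"] = any(peer in net for net in mynetworks)
    helo = hop["helo"]
    literal = None
    if helo.startswith("[") and helo.endswith("]"):
        try:
            literal = ipaddress.ip_address(helo[1:-1])
        except ValueError:
            literal = None  # HELO literal that is not a valid address; treat as a name
    hop["helo_literal_mismatch"] = literal is not None and literal != peer
    if hop["peer_trusted"] and hop["helo_literal_mismatch"]:
        hop["note"] = ("peer is in mynetworks but HELO names a different address: the "
                       "message entered over a local/loopback connection, so client "
                       "restrictions were evaluated for the loopback peer, not the HELO address")
    elif hop["peer_trusted"]:
        hop["note"] = "peer is in mynetworks (local submission or a content-filter re-injection hop)"
    else:
        hop["note"] = "external peer; smtpd client restrictions applied to this hop"
    return hop


def first_external_hop(received_lines, mynetworks=MYNETWORKS):
    """Walk Received: lines top-down (newest hop first) and return the first hop whose
    observed peer is outside mynetworks, i.e. where the mail actually entered.
    Returns None when every hop was received from a trusted network."""
    for line in received_lines:
        hop = analyze(line, mynetworks)
        if hop is not None and not hop["peer_trusted"]:
            return hop
    return None


# The two Received: lines quoted in the thread, newest first.
THREAD_HOPS = [
    "Received: from memoryalpha.richw.org ([127.0.0.1]) by localhost (memoryalpha.richw.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0t9j6VORyNH for <andrea_ma...@yahoo.ca>; Thu, 15 Oct 2020 14:48:06 -0700 (PDT)",
    "Received: from [154.91.34.144] (localhost [127.0.0.1]) by memoryalpha.richw.org (Postfix) with ESMTP id 4CC2vp5WmFz87Jy for <andrea_ma...@yahoo.ca>; Thu, 15 Oct 2020 14:48:06 -0700 (PDT)",
]
# Constructed hop showing a normal external delivery (203.0.113.10 is a documentation address).
CONSTRUCTED_HOP = ("Received: from mail.example.net (mail.example.net [203.0.113.10]) by "
                   "memoryalpha.richw.org (Postfix) with ESMTPS id EXAMPLEQUEUEID for "
                   "<andrea_ma...@yahoo.ca>; Thu, 15 Oct 2020 14:48:06 -0700 (PDT)")

if __name__ == "__main__":
    for line in THREAD_HOPS + [CONSTRUCTED_HOP]:
        hop = analyze(line)
        print(f"HELO={hop['helo']:<24} peer={hop['peer_ip']:<14} "
              f"trusted={hop['peer_trusted']!s:<5} -> {hop['note']}")
    # For the thread's message no hop has an untrusted peer: the headers never show
    # a direct connection from 154.91.34.144, only a HELO that names it.
    print("first external hop in thread message:", first_external_hop(THREAD_HOPS))
```

When `first_external_hop` returns None for a message that clearly came from outside, the next place to look is whatever on the host can open a connection to 127.0.0.1:25 (a local proxy, web application, or tunnel), because the Received: chain shows the mail was handed to smtpd by a loopback peer, not by the address in the HELO.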