On 25/11/2016 11:22, Matus UHLAR - fantomas wrote:
On 24.11.16 10:23, Geoff Soper wrote:
Subject: Spam with attachments and UNPARSEABLE_RELAY
For a few weeks I've been suffering spam messages with attachments
getting through with a suspicious score of 0.0. Upon inspection,
they all had the following lines in the header:
On 25.11.16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
1. See attached example. I've removed the username and replaced it
with <removed>.
2. Other mail is getting correctly identified as spam so that's
something...
Return-Path: <gardner.esmera...@microauto.com>
X-Spam-Report:
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable
relay lines
Received: (nullmailer pid 36796 invoked by uid 7637323);
Fri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323);
Fri, 25 Nov 2016 12:23:11 +0500
X-PHP-Originating-Script: 7637323:SendMail.class.php
This says that the mail was received from a webpage on your server, and the local mailer "nullmailer" seems to have delivered it directly to you.

In fact, you don't know anything about this mail - it was apparently received via HTTP, but the SendMail.class.php running under uid 7637323 did not provide even the remote IP address.

Apparently SA can't parse nullmailer headers - apparently because nullmailer provides no useful headers.

In this case it's really hard to detect anything, since all information about the mail is lost in PHP.

Maybe PHP could at least provide the client's IP (maybe all in an x-forwarded-for path) and that could help us.
Thanks for this analysis, this rings alarm bells. Can you be sure that
this is definitely coming from a PHP on my server? I'll start
investigating on the assumption that it is.
Many thanks,
Geoff
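As an added illustration of the analysis above (example code written for this thread, not something from SpamAssassin, nullmailer or either poster), the script below triages raw headers the way Matus did by hand: it flags Received: lines that carry no relay information, pulls the uid and script name out of X-PHP-Originating-Script, and reports whether every hop is local-only, so the admin can go straight to the script running under that uid. The header sample is constructed from the lines quoted in the thread (the x.x.x.x placeholder is kept as posted) and the classification is a simplified heuristic, not SA's own UNPARSEABLE_RELAY logic.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread.
SAMPLE = """Received: (nullmailer pid 36796 invoked by uid 7637323);
\tFri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323);
\tFri, 25 Nov 2016 12:23:11 +0500
X-PHP-Originating-Script: 7637323:SendMail.class.php
Subject: test

body
"""
# Constructed contrast case: an ordinary "from ... by ..." relay hop.
NORMAL = """Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Fri, 25 Nov 2016 08:00:00 +0000
Subject: test

body
"""

NULLMAILER_RE = re.compile(r"\(nullmailer pid (\d+) invoked by uid (\d+)\)")
RELAY_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")   # needs both clauses
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def classify_received(value):
    """Describe one Received: header: nullmailer hop, normal relay, or unparseable."""
    flat = " ".join(value.split())                      # unfold continuation lines
    m = NULLMAILER_RE.search(flat)
    if m:   # local injection by nullmailer: no remote host, only a pid and uid
        return {"kind": "nullmailer", "pid": int(m[1]), "uid": int(m[2]), "ip": None}
    m = RELAY_RE.search(flat)
    if m:   # proper "from X ... by Y" hop; IP is optional in the comment part
        ip = IP_RE.search(flat)
        return {"kind": "relay", "from": m[1], "by": m[2], "ip": ip[1] if ip else None}
    return {"kind": "unparseable", "ip": None}

def triage(raw_message):
    """Summarise the relay chain and the PHP origin hints of one raw message."""
    msg = message_from_string(raw_message)
    hops = [classify_received(v) for v in msg.get_all("Received", [])]
    uid, script = None, None
    origin = msg.get("X-PHP-Originating-Script")        # "<uid>:<script>" when PHP adds it
    if origin and ":" in origin:
        u, script = origin.split(":", 1)
        uid = int(u) if u.isdigit() else None
    return {"hops": hops, "php_uid": uid, "php_script": script,
            "local_only": bool(hops) and all(h["ip"] is None for h in hops),
            "nullmailer_uids": sorted({h["uid"] for h in hops if h["kind"] == "nullmailer"})}
```

A message that comes back local_only with a php_uid tells you which account's web code to inspect; a relay hop with a real IP is what SA would normally have been able to score.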