On 25/11/2016 11:22, Matus UHLAR - fantomas wrote:
On 24.11.16 10:23, Geoff Soper wrote:
Subject: Spam with attachments and UNPARSEABLE_RELAY

For a few weeks I've been suffering spam messages with attachments getting through with a suspicious score of 0.0. Upon inspection, they all had the following lines in the header:

On 25.11.16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
1. See attached example. I've removed the username and replaced it with <removed>.
2. Other mail is getting correctly identified as spam so that's something...

Return-Path: <gardner.esmera...@microauto.com>
X-Spam-Report:
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines

Received: (nullmailer pid 36796 invoked by uid 7637323);
    Fri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323);
    Fri, 25 Nov 2016 12:23:11 +0500
X-PHP-Originating-Script: 7637323:SendMail.class.php

This says that the mail was received from a webpage on your server, and the
local mailer "nullmailer" seems to have delivered it directly to you.

in fact, you don't know anything about this mail - it was apparently
received via HTTP, but the SendMail.class.php running under uid 7637323 did
not provide even the remote IP address.

apparently SA can't parse nullmailer headers - apparently because nullmailer
provides no useful headers.

in this case it's really hard to detect anything, since all information
about mail is lost in PHP.
Maybe PHP could at least provide client's IP (maybe all in x-forwarded-for
path) and that could help us.

Apologies for the delay but my hosting support looked into this on Friday and had the following to say:

   We have checked this for you and indeed these spam messages were
   sent by a PHP script outside of your system.
   Note this mail has not been sent on behalf of your domain, maybe
   from an exploited domain outside of your system.

   2016-11-25T11:15:25.755261+00:00 server postfix/smtpd[6946]:
   B85B52E0097: client=unknown[120.188.64.47]
   2016-11-25T11:15:26.510335+00:00 server postfix/cleanup[2877]:
   B85B52E0097:
   message-id=<7009914603.543683.47189.sendm...@alphaworks.co.uk>
   2016-11-25T11:15:26.565616+00:00 server postfix/qmgr[1914]:
   B85B52E0097: from=<mendez.derr...@cncvacation.com>, size=5340,
   nrcpt=1 (queue active)
   2016-11-25T11:15:30.892826+00:00 server postfix/pipe[8646]:
   B85B52E0097: to=<__REMOVED__>, orig_to=<__REMOVED__>,
   relay=plesk_virtual, delay=5.2, delays=0.91/0/0/4.3, dsn=2.0.0,
   status=sent (delivered via plesk_virtual service)

   Also, we checked the SPF record of the sender which is very weak
   (enclosed with ?all instead of the stricter -all), and to reject such
   mails you can turn on SPF spam protection at Tools & Settings >
   Mail Server Settings > check Switch on SPF spam protection and at
   the drop-down menu select Reject mail when SPF resolves to neutral.


So it didn't originate within my system, which is a relief...
Does this go any way to explain why we're seeing UNPARSEABLE_RELAY?
Does setting my VPS's "SPF spam protection" to "Reject mail when SPF resolves to neutral" sound a sensible course of action?

Many thanks,
Geoff
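
As an added illustration (not code from this thread, from SpamAssassin or from nullmailer), a small Python parser that shows why the nullmailer Received: lines quoted above carry nothing a relay check can use, compared with an ordinary Postfix hop. The regex is a simplified stand-in for SpamAssassin's real Received-header parser; the sample header values are constructed from the ones in the thread, with 203.0.113.7 (a documentation address) used for the normal hop.

```python
import ipaddress
import re

# Constructed Received: values modelled on the headers quoted in this thread;
# 203.0.113.7 is a documentation address, pids/uids are illustrative.
NULLMAILER_RCVD = ("(nullmailer pid 36796 invoked by uid 7637323);\n"
                   "    Fri, 25 Nov 2016 12:23:11 +0500")
INTERNAL_RCVD = "from internal (unknown [x.x.x.x])"
POSTFIX_RCVD = ("from mail.example.net (mail.example.net [203.0.113.7])\n"
                "    by mx.example.org (Postfix) with ESMTP id B85B52E0097;\n"
                "    Fri, 25 Nov 2016 11:15:25 +0000")

# Simplified stand-in for SA's parser: "from <helo> (<rdns> [<ip>])" as most MTAs write it.
FROM_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)

def parse_received(value):
    """Extract the relay (helo, rdns, ip) from one Received: value.
    ip is None when the hop names no usable relay, which is what leaves
    SpamAssassin with nothing to score and yields UNPARSEABLE_RELAY."""
    unfolded = " ".join(value.split())          # join continuation lines
    m = FROM_RE.match(unfolded)
    if m is None:                               # nullmailer's "(nullmailer pid ...)"
        return {"helo": None, "rdns": None, "ip": None, "reason": "no 'from' clause"}
    ip = m.group("ip")
    try:
        ipaddress.ip_address(ip)                # rejects None and "x.x.x.x"
    except ValueError:
        return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": None,
                "reason": "no usable relay address"}
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": ip, "reason": None}

def audit_received(values):
    """Walk the Received: chain (topmost first) and report how many hops are
    unparseable and the first real relay IP that DNSBL/SPF-style checks
    could act on, if any."""
    unparseable, first_ip = 0, None
    for v in values:
        r = parse_received(v)
        if r["ip"] is None:
            unparseable += 1
        elif first_ip is None:
            first_ip = r["ip"]
    return {"unparseable": unparseable, "first_ip": first_ip}

if __name__ == "__main__":
    spam_chain = [NULLMAILER_RCVD, INTERNAL_RCVD, NULLMAILER_RCVD]  # as in the sample
    print(audit_received(spam_chain), audit_received([POSTFIX_RCVD] + spam_chain))
```

With the sample's chain every hop is unparseable and no relay IP survives, which is why the only thing left to act on is the envelope sender's SPF policy as the hosting support suggested.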
