Hi all. Newbie to your list. I've searched and searched your archives to no avail.

I'm having a large amount of spam mail hitting all my mail accounts, with forged addresses FROM myaccount TO myaccount, but coming from an SMTP server that isn't mine.

Is there a rule that will allow me to block any incoming mail FROM a list of legit email addresses, but where the HELO does not match the address/name of my SMTP server?

Below is an example where I get a HELO from 77.211.243.157, which is NOT my SMTP server or any other server in my subnet. The spammers are saying MAIL FROM:<[email protected]>, which is an actual local mail account we send/receive for, but the HELO host has no authority to send mail on behalf of that user, and they are sending RCPT TO:<[email protected]>. I've also found numerous other examples where they send MAIL FROM:<realuser1> with RCPT TO:<realuser2>. Tons and tons of these.

What am I missing or doing wrong?

Much appreciation in advance for a rule filter that would block these.

Andre
--------------------------------------------------------------
Example session:

Feb 23 00:50:12 mydns1 sendmail[8854]: o1N8oCiO008854: --- 220 mydns1.mymailserver.com ESMTP Sendmail; Tue, 23 Feb 2010 00:50:12 -0800
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- EHLO [77.211.243.157]
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-mydns1.mymailserver.com Hello [77.211.243.157], pleased to meet you
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-ENHANCEDSTATUSCODES
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-PIPELINING
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-8BITMIME
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-SIZE
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-DSN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-ETRN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-AUTH LOGIN PLAIN
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250-DELIVERBY
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 HELP
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- MAIL FROM:<[email protected]> SIZE=1722
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.1.0 <[email protected]>... Sender ok
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: <-- RCPT TO:<[email protected]>
Feb 23 00:50:13 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.1.5 <[email protected]>... Recipient ok
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: <-- DATA
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: --- 354 Enter mail, end with "." on a line by itself
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: from=<[email protected]>, size=1664, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[77.211.243.157]
Feb 23 00:50:14 mydns1 mimedefang.pl[32469]: MDLOG,o1N8oCiO008854,mail_in,,,<[email protected]>,<[email protected]>,Exclusively for paypal%2C -80%25
Feb 23 00:50:14 mydns1 sendmail[8854]: o1N8oCiO008854: --- 250 2.0.0 o1N8oCiO008854 Message accepted for delivery
Feb 23 00:50:14 mydns1 sendmail[8857]: o1N8oCiO008854: alias <[email protected]> => andre
Feb 23 00:50:21 mydns1 spamd[3106]: spamd: processing message <[email protected]> for andre:500
Feb 23 00:50:25 mydns1 spamd[3106]: spamd: result: . -78 - AWL,BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_IMAGE_ONLY_16,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URI_HEX,USER_IN_WHITELIST scantime=3.8,size=2659,user=andre,uid=500,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=44412,mid=<[email protected]>,bayes=0.999959,autolearn=no
Feb 23 00:50:25 mydns1 sendmail[8857]: o1N8oCiO008854: to=andre, delay=00:00:12, xdelay=00:00:11, mailer=local, pri=31992, dsn=2.0.0, stat=Sent
Feb 23 00:50:25 mydns1 sendmail[8857]: o1N8oCiO008854: done; delay=00:00:12, ntries=1

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
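The rule the post asks for is an envelope-sender check, not a HELO check: HELO is free text and the spammer can put anything in it, but the client IP and the SMTP AUTH state are things sendmail knows. The check is "if MAIL FROM is in one of our domains, the client must be authenticated or on our own network, otherwise reject at the MAIL FROM stage". Below is an added example of that rule as a MIMEDefang filter_sender hook (example code written for this page, not from the original post or from the MIMEDefang project). It assumes the domain mymailserver.com from the log, a made-up trusted network list, and a small IPv4 CIDR helper of my own; the filter_sender signature, the REJECT return form, md_syslog and %SendmailMacros are MIMEDefang's, while the presence of the {auth_authen} macro at MAIL FROM time depends on sendmail's Milter.macros.envfrom setting (sendmail's default includes it).

```perl
# Added example: filter_sender hook for mimedefang-filter.
# Rejects MAIL FROM addresses in our own domains unless the connecting client
# has completed SMTP AUTH or sits on one of our trusted networks.
# mimedefang must be started with -s for filter_sender to be called at all.

# Domains we accept mail for and whose addresses are being forged (assumed).
my %local_domains = map { $_ => 1 } qw(mymailserver.com);

# Clients allowed to use our addresses without SMTP AUTH: loopback and our
# own subnet. 192.0.2.0/24 is a placeholder (assumed value); use your real range.
my @trusted_nets = ('127.0.0.0/8', '192.0.2.0/24');

# Own helper: true if an IPv4 dotted-quad address is inside a CIDR block.
# Anything that is not a dotted quad (e.g. IPv6) is treated as untrusted.
sub ip_in_net {
    my ($ip, $cidr) = @_;
    return 0 unless $ip =~ /^\d+\.\d+\.\d+\.\d+$/;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask  = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    my $ip_n  = unpack('N', pack('C4', split /\./, $ip));
    my $net_n = unpack('N', pack('C4', split /\./, $net));
    return (($ip_n & $mask) == ($net_n & $mask)) ? 1 : 0;
}

sub is_trusted_client {
    my ($ip) = @_;
    for my $net (@trusted_nets) {
        return 1 if ip_in_net($ip, $net);
    }
    return 0;
}

# MIMEDefang calls this once per MAIL FROM with the envelope sender, the
# client IP, its reverse name and the HELO/EHLO argument.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;

    # The envelope sender arrives as <user@domain>; strip the angle brackets
    # and pull out the domain part.
    my $addr = $sender;
    $addr =~ s/^<//;
    $addr =~ s/>$//;
    my ($domain) = $addr =~ /\@([^@]+)$/;

    # Not one of our domains: let the rest of the filter handle it.
    return ('CONTINUE', 'ok') unless defined $domain && $local_domains{ lc $domain };

    # SMTP AUTH succeeded: sendmail exports the authenticated user in
    # {auth_authen} (only if Milter.macros.envfrom includes it).
    my $authed = $SendmailMacros{'auth_authen'};
    return ('CONTINUE', 'ok') if defined $authed && $authed ne '';

    # Unauthenticated but from our own network (e.g. the server itself).
    return ('CONTINUE', 'ok') if is_trusted_client($ip);

    # Forged local sender from an outside host: refuse before DATA so the
    # message body is never accepted or scanned.
    md_syslog('info', "rejecting forged local sender $addr from $ip (HELO $helo)");
    return ('REJECT',
            "Sender $addr may only be used by authenticated or local clients",
            '550', '5.7.1');
}
```

Applied to the session in the post, MAIL FROM:<[email protected]> from 77.211.243.157 with no AUTH and no trusted-network match is refused with a 550 at MAIL FROM, so the RCPT TO, DATA and the spamd run never happen. Two caveats before enabling it: any legitimate outside use of your addresses breaks (users sending through their ISP's relay without authenticating to you, forwarders that keep your address as envelope sender, hosted web forms), so those clients must either use SMTP AUTH or have their IPs added to the trusted list; and the same assertion made to other sites is an SPF record for your domains, which does nothing for inbound mail to yourself but lets receivers reject the same forgeries. Separately, the spamd line in the session shows the forged address hit USER_IN_WHITELIST, which is why the message scored -78 and was delivered despite BAYES_99 and several URIBL hits: a plain SpamAssassin whitelist_from on your own addresses is exactly what a From-forging spammer exploits, so prefer whitelist_from_rcvd or whitelist_from_spf, which also tie the whitelist to the relay.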