On 12/29/2016 11:13 AM, Martin Skjöldebrand wrote:
> On 2016-12-29 at 10:45, Dominic Raferd wrote:
>
>> Two possibilities occur to me - (a) the email is not 'really' from
>> [email protected], maybe this is the envelope sender or just the
>> display name? or (b) if your mailserver is relaying on incoming emails
>> to another final destination mailbox e.g. gmail, maybe the emails from
>> [email protected] are being sent direct to the final destination
>> mailbox (i.e. your 'hidden' gmail address) and so never passing
>> through your postfix mailserver. All this should be clear from the
>> headers of an offending email.
> I'm not relaying the mail anywhere, but reading off of my server.
>
> I post the headers of the mail here in case more eyes can see what I'm
> not seeing.
>
> Return-Path: <[email protected]>
> Delivered-To: [email protected]
> Received: from localhost (mail.skjoldebrand.org [127.0.0.1])
>     by mail.skjoldebrand.org (Postfix) with ESMTP id 5C49241FA9
>     for <[email protected]>; Thu, 29 Dec 2016 09:49:14 +0000 (UTC)
> X-Virus-Scanned: Debian amavisd-new at skjoldebrand.org
> X-Spam-Flag: NO
> X-Spam-Score: 4.93
> X-Spam-Level: ****
> X-Spam-Status: No, score=4.93 tagged_above=-9999 required=6.31
>     tests=[HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_IMAGE_ONLY_24=1.282,
>     HTML_MESSAGE=0.001, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
>     URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7]
>     autolearn=no autolearn_force=no
> Received: from mail.skjoldebrand.org ([127.0.0.1])
>     by localhost (mail.is5vvtanwi2exf2ymdo0g3rtze.fx.internal.cloudapp.net
>     [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id UEpvsKs9y09d for <[email protected]>;
>     Thu, 29 Dec 2016 09:49:10 +0000 (UTC)
> Date: Thu, 29 Dec 2016 10:49:09 +0100
> To: [email protected]
> From: Julia Petterson <[email protected]>
> Subject: Du har 15.739,15 kr klart till utbetalning
> Message-ID: <[email protected]>
> X-YMLPcode: y3p2+398+54296
> List-Unsubscribe: <http://t.ymlp31.net/unsub_gwhbmmugsgbjeyhgmyqggyujsh.php>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="b1_5b2e4056110b69010cbed7ad5097c5ee"
>
>
> --b1_5b2e4056110b69010cbed7ad5097c5ee
> Content-Type: text/plain; charset = "utf-8"
> Content-Transfer-Encoding: quoted-printable
>
>

The envelope sender is [email protected]
That is why it is not stopped by your checks. There is a difference between the envelope sender (the sender that is indicated in the SMTP transaction in the MAIL FROM command) and the From: header in the message content.

John
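
The distinction described in the reply above, as an added example that is not part of the original thread: the script reads the envelope sender (recorded in Return-Path at delivery) and the From: header from a delivered message and shows that a domain check matches only the identity it is applied to. The addresses are constructed placeholders (the thread's real ones are redacted) and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message with placeholder addresses.
# Return-Path holds the envelope sender (SMTP MAIL FROM) as recorded at delivery;
# From: is message content chosen freely by whoever composed the mail.
SAMPLE = """\
Return-Path: <bounce-4711@mailer.example.net>
Delivered-To: user@example.org
From: Julia Petterson <julia@offers.example.com>
To: user@example.org
Subject: constructed test message

body
"""


def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_identities(raw):
    """Return (envelope_sender, header_from) addresses from a delivered message."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    return envelope, header_from


def check_blocklist(raw, blocked_domains):
    """Report which sender identity, if any, a domain blocklist would match."""
    envelope, header_from = sender_identities(raw)
    return {
        "envelope_sender": envelope,
        "header_from": header_from,
        "envelope_match": domain(envelope) in blocked_domains,
        "header_match": domain(header_from) in blocked_domains,
        "domains_differ": domain(envelope) != domain(header_from),
    }


if __name__ == "__main__":
    # Blocking the domain seen in the mail client's From: field does not
    # match a check that only looks at the envelope sender.
    for key, value in check_blocklist(SAMPLE, {"offers.example.com"}).items():
        print(f"{key}: {value}")
```

A bounce with an empty envelope sender (`Return-Path: <>`) yields an empty string for the envelope address, so it never matches a domain entry.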
