Hi, I have a somewhat complicated situation. I receive emails from
spammers that come with the name of one of my users, but the email
address is not from my domain; they send it from a valid domain
which complies with SPF, DKIM, etc. Any idea that could help me
adjust my SpamAssassin and stop this kind of mail? Has anyone had
experience with this type of evasion?

my user is lvelasquez

attached the trace

Nov 27 03:21:07 scmspam postfix/smtpd[30321]: warning: hostname
cloud.casasponty.com does not resolve to address 206.189.74.145: Name
or service not known
Nov 27 03:21:07 scmspam postfix/smtpd[30321]: connect from
unknown[206.189.74.145]
Nov 27 03:21:07 scmspam policyd-spf[30325]: None; identity=helo;
client-ip=206.189.74.145; helo=cloud.casasponty.com;
envelope-from=acha...@casasponty.com; receiver=lvelasq...@mydomain.com
Nov 27 03:21:07 scmspam policyd-spf[30325]: Pass; identity=mailfrom;
client-ip=206.189.74.145; helo=cloud.casasponty.com;
envelope-from=acha...@casasponty.com; receiver=lvelasq...@mydomain.com
Nov 27 03:21:07 scmspam postfix/smtpd[30322]: warning: hostname
cloud.casasponty.com does not resolve to address 206.189.74.145: Name
or service not known
Nov 27 03:21:07 scmspam postfix/smtpd[30322]: connect from
unknown[206.189.74.145]
Nov 27 03:21:07 scmspam policyd-spf[30326]: None; identity=helo;
client-ip=206.189.74.145; helo=cloud.casasponty.com;
envelope-from=acha...@casasponty.com; receiver=yr...@mydomain.com
Nov 27 03:21:07 scmspam policyd-spf[30326]: Pass; identity=mailfrom;
client-ip=206.189.74.145; helo=cloud.casasponty.com;
envelope-from=acha...@casasponty.com; receiver=yr...@mydomain.com
Nov 27 03:21:08 scmspam postfix/smtpd[30321]: 2D19A1089D:
client=unknown[206.189.74.145]
Nov 27 03:21:08 scmspam postfix/smtpd[30322]: 32F15108A7:
client=unknown[206.189.74.145]
Nov 27 03:21:08 scmspam postfix/cleanup[30327]: 2D19A1089D:
message-id=<18301625705448019599.084a539583f0b...@mydomain.com>
Nov 27 03:21:08 scmspam postfix/cleanup[30351]: 32F15108A7:
message-id=<40635101623011819320.2fc59783b4b6f...@mydomain.com>
Nov 27 03:21:08 scmspam postfix/qmgr[24718]: 2D19A1089D:
from=<acha...@casasponty.com>, size=127129, nrcpt=1 (queue active)
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05)
LMTP:[127.0.0.1]:10024
/var/amavis/tmp/amavis-20181127T031602-30276-giUj8Gm1:
<acha...@casasponty.com> -> <lvelasq...@mydomain.com> SIZE=127129
Received: from scmspam.mydomain.com ([127.0.0.1]) by localhost
(scmspam.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP
for <lvelasq...@mydomain.com>; Tue, 27 Nov 2018 03:21:08 -0600 (CST)
Nov 27 03:21:08 scmspam postfix/qmgr[24718]: 32F15108A7:
from=<acha...@casasponty.com>, size=127113, nrcpt=1 (queue active)
Nov 27 03:21:08 scmspam postfix/smtpd[30321]: disconnect from
unknown[206.189.74.145] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04)
LMTP:[127.0.0.1]:10024
/var/amavis/tmp/amavis-20181127T031805-30291-C1blwKk0:
<acha...@casasponty.com> -> <yr...@mydomain.com> SIZE=127113 Received:
from scmspam.mydomain.com ([127.0.0.1]) by localhost
(scmspam.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP
for <yr...@mydomain.com>; Tue, 27 Nov 2018 03:21:08 -0600 (CST)
Nov 27 03:21:08 scmspam postfix/smtpd[30322]: disconnect from
unknown[206.189.74.145] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) dkim: VALID
Author+Sender+MailFrom signature by d=casasponty.com, From:
<acha...@casasponty.com>, a=rsa-sha256, c=relaxed/relaxed, s=default,
i=@casasponty.com
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) Checking:
1SgjFC6nhGVK [206.189.74.145] <acha...@casasponty.com> ->
<lvelasq...@mydomain.com>
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) dkim: VALID
Author+Sender+MailFrom signature by d=casasponty.com, From:
<acha...@casasponty.com>, a=rsa-sha256, c=relaxed/relaxed, s=default,
i=@casasponty.com
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p003 1 Content-Type:
multipart/mixed
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p001 1/1
Content-Type: text/plain, size: 162 B, name:
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) Checking:
22udI1Q-h9lr [206.189.74.145] <acha...@casasponty.com> ->
<yr...@mydomain.com>
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p002 1/2
Content-Type: application/msword, size: 90752 B, name: Contrato.doc
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p003 1 Content-Type:
multipart/mixed
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p001 1/1
Content-Type: text/plain, size: 162 B, name:
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p002 1/2
Content-Type: application/msword, size: 90752 B, name: Contrato.doc
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) spam-tag,
<acha...@casasponty.com> -> <yr...@mydomain.com>, No, score=4.673
tagged_above=-990 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RDNS_NONE=1.274, RELAYCOUNTRY_PK=3,
RELAYCOUNTRY_US=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: connect from localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: B9B79108A8:
client=localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/cleanup[30327]: B9B79108A8:
message-id=<40635101623011819320.2fc59783b4b6f...@mydomain.com>
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) spam-tag,
<acha...@casasponty.com> -> <lvelasq...@mydomain.com>, No, score=4.673
tagged_above=-990 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RDNS_NONE=1.274, RELAYCOUNTRY_PK=3,
RELAYCOUNTRY_US=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Nov 27 03:21:10 scmspam postfix/smtpd[30257]: connect from localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/smtpd[30257]: BF820108A9:
client=localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: connect from localhost[127.0.0.1]
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) spam-tag,
<acha...@casasponty.com> -> <lvelasq...@mydomain.com>, No, score=4.673
tagged_above=-990 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RDNS_NONE=1.274, RELAYCOUNTRY_PK=3,
RELAYCOUNTRY_US=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Nov 27 03:21:10 scmspam postfix/smtpd[30257]: connect from localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/smtpd[30257]: BF820108A9:
client=localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/cleanup[30351]: BF820108A9:
message-id=<18301625705448019599.084a539583f0b...@mydomain.com>
Nov 27 03:21:10 scmspam postfix/qmgr[24718]: B9B79108A8:
from=<acha...@casasponty.com>, size=127970, nrcpt=1 (queue active)
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: disconnect from
localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) FWD from
<acha...@casasponty.com> -> <yr...@mydomain.com>,BODY=7BIT 250 2.0.0
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B9B79108A8
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) Passed CLEAN
{RelayedInbound}, [206.189.74.145]:50856 [117.20.31.98]
<acha...@casasponty.com> -> <yr...@mydomain.com>, Queue-ID:
32F15108A7, Message-ID:
<40635101623011819320.2fc59783b4b6f...@mydomain.com>, mail_id:
22udI1Q-h9lr, Hits: 4.673, size: 127112, queued_as: B9B79108A8,
dkim_sd=default:casasponty.com, 2342 ms
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) TIMING-SA total 854
ms - parse: 18 (2.1%), extract_message_metadata: 62 (7.3%),
get_uri_detail_list: 4.2 (0.5%), tests_pri_-1000: 106 (12.5%),
tests_pri_-950: 4.5 (0.5%), tests_pri_-900: 2.1 (0.3%), tests_pri_-90:
4.3 (0.5%), tests_pri_0: 210 (24.6%), check_spf: 9 (1.1%),
poll_dns_idle: 5 (0.6%), tests_pri_20: 201 (23.6%), check_razor2: 200
(23.4%), tests_pri_30: 210 (24.7%), check_pyzor: 209 (24.5%),
tests_pri_500: 7 (0.8%), get_report: 0.47 (0.1%)
Nov 27 03:21:10 scmspam postfix/lmtp[30328]: 32F15108A7:
to=<yr...@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9,
delays=0.55/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B9B79108A8)
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) size: 127112, TIMING
[total 2352 ms] - SMTP greeting: 2 (0%)0, SMTP LHLO: 0 (0%)0, SMTP
pre-MAIL: 0 (0%)0, lookup_sql: 2 (0%)0, SMTP pre-DATA-flush: 1 (0%)0,
SMTP DATA: 82 (3%)4, check_init: 1 (0%)4, digest_hdr: 13 (1%)4,
digest_body_dkim: 24 (1%)5, gen_mail_id: 10 (0%)6, mime_decode: 38
(2%)7, get-file-type2: 28 (1%)9, parts_decode: 0 (0%)9, check_header:
1 (0%)9, AV-scan-1: 1193 (51%)59, spam-wb-list: 1 (0%)59, SA msg read:
1 (0%)59, SA parse: 18 (1%)60, SA check: 834 (35%)96, lookup_sql: 10
(0%)96, penpals_check: 9 (0%)96, decide_mail_destiny: 1 (0%)96,
notif-quar: 4 (0%)97, fwd-connect: 9 (0%)97, fwd-mail-pip: 2 (0%)97,
fwd-rcpt-pip: 0 (0%)97, fwd-data-chkpnt: 0 (0%)97, write-header: 1
(0%)97, fwd-data-contents: 7 (0%)97, fwd-end-chkpnt: 48 (2%)99,
prepare-dsn: 1 (0%)99, main_log_entry: 5 (0%)100, sql-update: 5
(0%)100, update_snmp: 2 (0%)100, SMTP pre-response: 1 (0%)100, SMTP
response: 0 (0%)100, unlink-3-files: 1 (0%)100, rundown: 1 (0%)100
Nov 27 03:21:10 scmspam postfix/qmgr[24718]: BF820108A9:
from=<acha...@casasponty.com>, size=127996, nrcpt=1 (queue active)
Nov 27 03:21:10 scmspam postfix/smtpd[30257]: disconnect from
localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) FWD from
<acha...@casasponty.com> -> <lvelasq...@mydomain.com>,BODY=7BIT 250
2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as
BF820108A9
Nov 27 03:21:10 scmspam postfix/qmgr[24718]: 32F15108A7: removed
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) Passed CLEAN
{RelayedInbound}, [206.189.74.145]:50850 [117.20.31.98]
<acha...@casasponty.com> -> <lvelasq...@mydomain.com>, Queue-ID:
2D19A1089D, Message-ID:
<18301625705448019599.084a539583f0b...@mydomain.com>, mail_id:
1SgjFC6nhGVK, Hits: 4.673, size: 127128, queued_as: BF820108A9,
dkim_sd=default:casasponty.com, 2416 ms
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05) TIMING-SA total 894
ms - parse: 15 (1.7%), extract_message_metadata: 59 (6.5%),
get_uri_detail_list: 0.71 (0.1%), tests_pri_-1000: 107 (12.0%),
tests_pri_-950: 4.5 (0.5%), tests_pri_-900: 2.4 (0.3%), tests_pri_-90:
4.3 (0.5%), tests_pri_0: 212 (23.8%), check_spf: 7 (0.8%),
poll_dns_idle: 0.67 (0.1%), tests_pri_20: 225 (25.2%), check_razor2:
220 (24.6%), tests_pri_30: 213 (23.8%), check_pyzor: 211 (23.6%),
tests_pri_500: 10 (1.2%), get_report: 0.49 (0.1%)
Nov 27 03:21:10 scmspam postfix/lmtp[30331]: 2D19A1089D:
to=<lvelasq...@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=3.3, delays=0.89/0/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BF820108A9)

Regards.

-- 
rickygm

http://gnuforever.homelinux.com
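The following is an added example, not code from the original post or from SpamAssassin, showing the kind of check the post is asking for: a local user's display name appearing in the From: header on an address outside the receiving domain. It also flags a second signal visible in the trace above, a Message-ID in the receiving domain (@mydomain.com) on mail that arrived from an external host. The local domain, the protected display name ("Luis Velasquez" for the user lvelasquez), the sample messages and the scores are all constructed assumptions; the sender address and Message-ID in the samples are invented and deliberately differ from the truncated values in the trace.

```python
import re
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumptions (not from the original post): the receiving domain and the
# display names of local users that must not appear on external senders.
LOCAL_DOMAIN = "mydomain.com"
PROTECTED_NAMES = ["Luis Velasquez"]   # hypothetical display name for lvelasquez


def normalize(name):
    """Lowercase, strip accents and punctuation, return the set of name tokens."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    return set(re.findall(r"[a-z]+", name.lower()))


def decode_display_name(raw):
    """Decode RFC 2047 encoded words (=?UTF-8?Q?...?=) that parseaddr leaves as-is."""
    return str(make_header(decode_header(raw)))


def domain_of(addr):
    """Domain part of an address or Message-ID, lowercased ('' if none)."""
    return addr.rpartition("@")[2].lower()


def check_spoof(msg_text, local_domain=LOCAL_DOMAIN, protected=PROTECTED_NAMES):
    """Return a list of (rule, score) hits in the style of SpamAssassin tests."""
    msg = message_from_string(msg_text)
    name, addr = parseaddr(msg.get("From", ""))
    name_tokens = normalize(decode_display_name(name))
    from_domain = domain_of(addr)
    _, msgid = parseaddr(msg.get("Message-ID", ""))
    hits = []
    if from_domain != local_domain:
        # Display name of a local user on an address outside our domain.
        if any(normalize(p) and normalize(p) <= name_tokens for p in protected):
            hits.append(("LOCAL_NAME_FOREIGN_ADDR", 4.0))
        # Message-ID claims our own domain although the From: domain is foreign
        # (the trace above shows exactly this pattern on the spam).
        if domain_of(msgid) == local_domain:
            hits.append(("FORGED_LOCAL_MSGID", 1.5))
    return hits


def spoof_score(msg_text):
    """Total score of all hits, to be added to the message's spam score."""
    return sum(score for _, score in check_spoof(msg_text))


# Constructed sample messages (not real mail); addresses and IDs are invented.
SPOOFED = """From: =?UTF-8?Q?Luis_Vel=C3=A1squez?= <sender@external.example>
To: lvelasquez@mydomain.com
Message-ID: <1234.abcd@mydomain.com>
Subject: Contrato

body
"""

LEGIT_INTERNAL = """From: Luis Velasquez <lvelasquez@mydomain.com>
To: yr@mydomain.com
Message-ID: <5678.efgh@mydomain.com>
Subject: hi

body
"""

OTHER_EXTERNAL = """From: Some Vendor <sales@vendor.example>
To: lvelasquez@mydomain.com
Message-ID: <9012.ijkl@vendor.example>
Subject: offer

body
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("internal", LEGIT_INTERNAL),
                          ("external", OTHER_EXTERNAL)):
        print(label, check_spoof(sample), spoof_score(sample))
```

The display-name comparison normalizes accents and RFC 2047 encoding so that "Luis Velásquez" and "=?UTF-8?Q?Luis_Vel=C3=A1squez?=" both match the protected name; a plain regex on the raw header would miss them. On SpamAssassin 3.4 and later the same idea can be expressed without external code as header rules on the From:name and From:addr pseudo-headers combined in a meta rule, with a separate header rule on Message-ID for the local-domain test; the scores above are illustrative and should be tuned against your own mail.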
