Spam from non existing domains

Post by djhabana » 2017-02-15 08:04

I am receiving quite a lot of spam like the one attached. I usually get them when some of the domains are close to or on renewal.

All of them are usually from a different sender, but the domains never exist, i.e. "nhtqvpzmt@pullmail.info": if I go to pullmail.info it doesn't exist.
My spam settings are the following:
SpamSettings.png
Can anyone assist me in configuring my spam settings or SpamAssassin?
Attachments
Domain Notification for balooone.com This is your Final Notice of Domain Listing.zip

Post by mattg » 2017-02-15 08:35

Did you have any logging enabled when this was received?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by djhabana » 2017-02-17 10:36

Yes I have it enabled

Post by mattg » 2017-02-17 10:42

Can you please show the logs of the 30 seconds before and 1 minute after the message was received by your server?

Post by jimimaseye » 2017-02-17 10:47

(Screenshots do not show the full scoring picture. Sounds like a good candidate for a special diagnostic script that shows the full setup :wink: viewtopic.php?f=20&t=30914)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by djhabana » 2017-02-19 08:51

The log only showed the following on the IP from that email
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.143" "194.25.157.76" "SENT: 220 mail.peachss.co.za"
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.349" "194.25.157.76" "RECEIVED: EHLO diaisp1.dwbs.de"
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.349" "194.25.157.76" "SENT: 250-mail.peachss.co.za[nl]250-SIZE[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3308 1219358 "2017-02-14 16:59:42.554" "194.25.157.76" "RECEIVED: MAIL FROM:<nhtqvpzmt@pullmail.info>"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.172" "194.25.157.76" "SENT: 250 OK"
"SMTPD" 4092 1219358 "2017-02-14 16:59:45.378" "194.25.157.76" "RECEIVED: RCPT TO:<donald@peachss.co.za>"
"SMTPD" 4092 1219358 "2017-02-14 16:59:45.380" "194.25.157.76" "SENT: 250 OK"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.585" "194.25.157.76" "RECEIVED: DATA"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.586" "194.25.157.76" "SENT: 354 OK, send."
"SMTPD" 3920 1219358 "2017-02-14 16:59:47.840" "194.25.157.76" "SENT: 250 Queued (2.304 seconds)"
"SMTPD" 4092 1219358 "2017-02-14 16:59:48.060" "194.25.157.76" "RECEIVED: QUIT"
"SMTPD" 4092 1219358 "2017-02-14 16:59:48.060" "194.25.157.76" "SENT: 221 goodbye"

But I also noticed in the error log that SpamAssassin failed or wasn't running.
See attached error log.

SpamAssassin seems to be running, but I think it may be the problem.
Attachments
errorlog.rar

Post by mattg » 2017-02-19 09:39

Does the test button on the SpamAssassin screen work?

Post by djhabana » 2017-02-20 07:11

Yes it seems to be working

Post by mattg » 2017-02-20 10:19

How many messages per day are received by your hMailserver, how many a day are sent to your spamassassin?

Post by jimimaseye » 2017-02-20 10:20

You have not given your complete settings. There is something very obvious as to why this may happen.

Please......
jimimaseye wrote: Screenshots do not show the full scoring picture. Sounds like a good candidate for a special diagnostic script that shows the full setup: viewtopic.php?f=20&t=30914
Also, I see from the log that there is a delay of 3 seconds between 16:59:42 and 16:59:45 where it then accepted the email. This is the point where it would have done the DNSBL checks.

Have you actually considered that maybe this domain/sender just simply didn't register/score with these DNSBLs because they were a new source? (There is not even a guarantee that they are registered at all - non-existent domains will appear on these lists... on account that they don't exist... IF, of course, they don't exist.)

ie: https://www.spamhaus.org/query/ip/194.25.157.76
194.25.157.76 is not listed in the SBL

194.25.157.76 is not listed in the PBL

194.25.157.76 is not listed in the XBL
This is why it was allowed to come in.


Regarding the spamassassin error log: no - there is nothing in that correlating to the time of this email.


(Don't forget to post that full diagnostic script - it may well show the cause for the other errors in your error.log).
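
The pause jimimaseye points to (16:59:42 to 16:59:45) can be measured straight from the SMTPD log by timing each server reply against the client command before it. This is an added example, not part of the thread or of hMailServer; the function names are made up here and the line format is assumed to match the excerpt posted above.

```python
import re
from datetime import datetime

# SMTPD lines copied from the post of 2017-02-19 above, in the format shown there.
SAMPLE_LOG = '''\
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.143" "194.25.157.76" "SENT: 220 mail.peachss.co.za"
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.349" "194.25.157.76" "RECEIVED: EHLO diaisp1.dwbs.de"
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.349" "194.25.157.76" "SENT: 250-mail.peachss.co.za[nl]250-SIZE[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3308 1219358 "2017-02-14 16:59:42.554" "194.25.157.76" "RECEIVED: MAIL FROM:<nhtqvpzmt@pullmail.info>"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.172" "194.25.157.76" "SENT: 250 OK"
"SMTPD" 4092 1219358 "2017-02-14 16:59:45.378" "194.25.157.76" "RECEIVED: RCPT TO:<donald@peachss.co.za>"
"SMTPD" 4092 1219358 "2017-02-14 16:59:45.380" "194.25.157.76" "SENT: 250 OK"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.585" "194.25.157.76" "RECEIVED: DATA"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.586" "194.25.157.76" "SENT: 354 OK, send."
"SMTPD" 3920 1219358 "2017-02-14 16:59:47.840" "194.25.157.76" "SENT: 250 Queued (2.304 seconds)"
"SMTPD" 4092 1219358 "2017-02-14 16:59:48.060" "194.25.157.76" "RECEIVED: QUIT"
"SMTPD" 4092 1219358 "2017-02-14 16:59:48.060" "194.25.157.76" "SENT: 221 goodbye"
'''

LINE_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+'
    r'"(?P<dir>SENT|RECEIVED): (?P<text>.*)"$')

def response_delays(log_text):
    """Return {session: [(client_command, seconds_until_server_reply), ...]}."""
    pending, delays = {}, {}   # pending: session -> (command, time) awaiting a reply
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue           # skip anything that is not an SMTPD line of this shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        sid = m["session"]
        if m["dir"] == "RECEIVED":
            pending[sid] = (m["text"], ts)
        elif sid in pending:   # first reply after a command; banner/queue lines are skipped
            cmd, t0 = pending.pop(sid)
            delays.setdefault(sid, []).append((cmd, round((ts - t0).total_seconds(), 3)))
    return delays

def slowest_step(log_text, session):
    """The (command, delay) pair the server took longest to answer in one session."""
    return max(response_delays(log_text)[session], key=lambda d: d[1])

def envelope_sender_domain(log_text):
    m = re.search(r'MAIL FROM:<[^@>]*@([^>]+)>', log_text)
    return m.group(1).lower() if m else None

if __name__ == "__main__":
    print(slowest_step(SAMPLE_LOG, "1219358"), envelope_sender_domain(SAMPLE_LOG))
```

On this session the only slow reply is the one to MAIL FROM (2.618 s); every other command is answered within a few milliseconds.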
