
Spam from non existing domains

Posted: 2017-02-15 08:04
by djhabana
I am receiving quite a lot of spam like the one attached. I usually get them when some of the domains are close to or on renewal.

All of them are usually from a different sender, but the domains never exist, i.e. "nhtqvpzmt@pullmail.info"; if I go to pullmail.info, it doesn't exist.
My Spam Settings are the following
SpamSettings.png
Can anyone assist me in configuring my spam settings or SpamAssassin?

Re: Spam from non existing domains

Posted: 2017-02-15 08:35
by mattg
Did you have any logging enabled when this was received?

Re: Spam from non existing domains

Posted: 2017-02-17 10:36
by djhabana
Yes, I have it enabled.

Re: Spam from non existing domains

Posted: 2017-02-17 10:42
by mattg
Can you please show the logs of the 30 seconds before and 1 minute after the message was received by your server?

Re: Spam from non existing domains

Posted: 2017-02-17 10:47
by jimimaseye
(Screenshots do not show the full scoring picture. Sounds like a good candidate for a special diagnostic script that shows the full setup :wink: viewtopic.php?f=20&t=30914)

Re: Spam from non existing domains

Posted: 2017-02-19 08:51
by djhabana
The log only showed the following on the IP from that email:
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.143" "194.25.157.76" "SENT: 220 mail.peachss.co.za"
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.349" "194.25.157.76" "RECEIVED: EHLO diaisp1.dwbs.de"
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.349" "194.25.157.76" "SENT: 250-mail.peachss.co.za[nl]250-SIZE[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3308 1219358 "2017-02-14 16:59:42.554" "194.25.157.76" "RECEIVED: MAIL FROM:<nhtqvpzmt@pullmail.info>"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.172" "194.25.157.76" "SENT: 250 OK"
"SMTPD" 4092 1219358 "2017-02-14 16:59:45.378" "194.25.157.76" "RECEIVED: RCPT TO:<donald@peachss.co.za>"
"SMTPD" 4092 1219358 "2017-02-14 16:59:45.380" "194.25.157.76" "SENT: 250 OK"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.585" "194.25.157.76" "RECEIVED: DATA"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.586" "194.25.157.76" "SENT: 354 OK, send."
"SMTPD" 3920 1219358 "2017-02-14 16:59:47.840" "194.25.157.76" "SENT: 250 Queued (2.304 seconds)"
"SMTPD" 4092 1219358 "2017-02-14 16:59:48.060" "194.25.157.76" "RECEIVED: QUIT"
"SMTPD" 4092 1219358 "2017-02-14 16:59:48.060" "194.25.157.76" "SENT: 221 goodbye"

But I also noticed in the error log that SpamAssassin failed or wasn't running.
See attached error log.

SpamAssassin seems to be running, but I think it may be the problem.

Re: Spam from non existing domains

Posted: 2017-02-19 09:39
by mattg
Does the test button on the SpamAssassin screen work?

Re: Spam from non existing domains

Posted: 2017-02-20 07:11
by djhabana
Yes, it seems to be working.

Re: Spam from non existing domains

Posted: 2017-02-20 10:19
by mattg
How many messages per day are received by your hMailServer, and how many a day are sent to your SpamAssassin?

Re: Spam from non existing domains

Posted: 2017-02-20 10:20
by jimimaseye
You have not given your complete settings. There is something very obvious as to why this may happen.

Please...
jimimaseye wrote: Screenshots do not show the full scoring picture. Sounds like a good candidate for a special diagnostic script that shows the full setup: viewtopic.php?f=20&t=30914
Also, I see from the log that there is a delay of 3 seconds between 16:59:42 and 16:59:45 where it then accepted the email. This is the point where it would have done the DNSBL checks.

Have you actually considered that maybe this domain/sender just simply didn't register/score with these DNSBLs because they were a new source? (There is not even a guarantee that they are registered at all - non-existent domains will appear on these lists... on account that they don't exist... IF, of course, they don't exist.)

i.e.: https://www.spamhaus.org/query/ip/194.25.157.76
194.25.157.76 is not listed in the SBL

194.25.157.76 is not listed in the PBL

194.25.157.76 is not listed in the XBL
This is why it was allowed to come in.


Regarding the spamassassin error log: no - there is nothing in that correlating to the time of this email.


(Don't forget to post that full diagnostic script - it may well show the cause for the other errors in your error.log).
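
The three-second gap pointed out in the post above can be found mechanically. As an added example (not part of the original thread and not hMailServer's own code), this Python script pairs each RECEIVED command with the next SENT reply in the log lines quoted earlier, reports replies slower than an assumed one-second threshold, and builds the DNSBL query name for the connecting IP. The function names and the `zen.spamhaus.org` default zone are assumptions, and no DNS query is sent.

```python
import re
from datetime import datetime

# Log lines copied from the post earlier in this thread (hMailServer SMTPD log).
LOG = '''\
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.349" "194.25.157.76" "RECEIVED: EHLO diaisp1.dwbs.de"
"SMTPD" 4080 1219358 "2017-02-14 16:59:42.349" "194.25.157.76" "SENT: 250-mail.peachss.co.za[nl]250-SIZE[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3308 1219358 "2017-02-14 16:59:42.554" "194.25.157.76" "RECEIVED: MAIL FROM:<nhtqvpzmt@pullmail.info>"
"SMTPD" 3308 1219358 "2017-02-14 16:59:45.172" "194.25.157.76" "SENT: 250 OK"
"SMTPD" 4092 1219358 "2017-02-14 16:59:45.378" "194.25.157.76" "RECEIVED: RCPT TO:<donald@peachss.co.za>"
"SMTPD" 4092 1219358 "2017-02-14 16:59:45.380" "194.25.157.76" "SENT: 250 OK"
'''

# Fields: "SMTPD" thread-id session-id "timestamp" "remote IP" "RECEIVED|SENT: text"
LINE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"([^"]+)"\s+"([^"]+)"\s+"(RECEIVED|SENT): (.*)"$')

def response_delays(log_text):
    """Return (session, ip, command, seconds) for each RECEIVED/SENT pair."""
    pending = {}  # session id -> (timestamp, command) still waiting for a reply
    delays = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an SMTPD line in this format
        session, ts, ip, direction, text = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        if direction == "RECEIVED":
            pending[session] = (when, text)
        elif session in pending:  # first SENT after a command is its reply
            start, command = pending.pop(session)
            delays.append((session, ip, command, round((when - start).total_seconds(), 3)))
    return delays

def slow_commands(log_text, threshold=1.0):
    # threshold is an assumed cut-off in seconds, not an hMailServer setting
    return [d for d in response_delays(log_text) if d[3] >= threshold]

def dnsbl_query_name(ipv4, zone="zen.spamhaus.org"):
    """Name a DNSBL lookup resolves: reversed octets + zone (zone is assumed)."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + "." + zone

if __name__ == "__main__":
    for session, ip, command, secs in slow_commands(LOG):
        print("session %s: %.3fs before reply to %r" % (session, secs, command))
        print("  DNSBL name for %s: %s" % (ip, dnsbl_query_name(ip)))
```

Run against the quoted session, the only slow reply is the one to `MAIL FROM`, which matches the delay described in the post.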