Received blank sender. Which email/ domain to block?

[thomas10]

Hi All,

Need some help here. One of the user has received one spam mail without sender email stated. I tend to block the email/domain name but I'm not sure which is the one. Below is the message log.

Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on GCF
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.1 required=5.0 tests=BAYES_50,DATE_IN_PAST_12_24, FROM_NO_USER,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,URIBL_BLOCKED,
URI_WP_HACKED_2 autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. *
See http://wiki.apache.org/spamassassin/Dns ... nsbl-block *
for more information. * [URIs: mydomain.com] * 0.8 FROM_NO_USER
From: has no local-part before @ sign * 1.0 DATE_IN_PAST_12_24 Date: is
12 to 24 hours before Received: date * 0.0 HTML_MESSAGE BODY: HTML
included in message * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to
60% * [score: 0.5000] * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font
color similar or identical to * background * 2.5 URI_WP_HACKED_2 URI
for compromised WordPress site, possible malware
Received: from mx.mail (mail.tteia.org.tw [211.20.132.239]) by mydomain.com with
ESMTP ; Thu, 26 Jul 2018 14:59:37 +0800
Received: by mx.mail (Postfix, from userid 2002) id D2F4A1634BE; Thu, 26 Jul 2018 10:29:39
+0800 (CST)
Received: from [66.154.98.234] (unknown [66.154.98.234]) by mx.mail (Postfix) with
ESMTPA id 26449162EC0 for <user email account>; Thu, 26 Jul 2018
09:20:04 +0800 (CST)
Content-Type: multipart/alternative; boundary="===============0652816647=="
MIME-Version: 1.0
Subject: [SPAM] [5.1] =?utf-8?B?5pyA5b6M5LiA5qyh6K2m5ZGK77yB5oKo55qE6YO1566x5bey6LaF6YGO6YWN?=
=?utf-8?B?6aGN56uL5Y2z5Y2H57Sa5oiW5Lif5aSx6YO1566xIG1heXZpcw==?=.
To: user email account
From: "EMAIL ADMIN" <>
Date: Wed, 25 Jul 2018 03:56:32 -0700
Message-Id: <20180726022939.D2F4A1634BE@mx.mail>
X-Spam-Prev-Subject: =?utf-8?b?5pyA5b6M5LiA5qyh6K2m5ZGK77yB5oKo55qE6YO1566x5bey6LaF6YGO6YWN?=
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: The host name specified in HELO does not match IP address. - (Score: 2)
X-hMailServer-Reason-2: Tagged as Spam by SpamAssassin - (Score: 5)
X-hMailServer-Reason-Score: 7
X-hMailServer-LoopCount: 1

Is it the mail.tteia.org.tw I have highlighted in Bold? But how come there are 2 different IPs? (66.154.98.234 and 211.20.132.239)
Please help.

[SorenR]

Look at the Received header as the tracking list for the last package you ordered online..

For each stop on the way there is a Received line. Only the last one (first from the top) is the one to look at, the rest can be ignored.

Insert this somewhere in Sub OnAcceptMessage(oClient, oMessage) in your EventHandlers.vbs

Code: Select all

      Dim i, strEnvelope1, strEnvelope2
      For i = 0 To oMessage.Recipients.Count-1
         If (i = 0) Then
            strEnvelope1 = oMessage.Recipients(i).Address
            strEnvelope2 = oMessage.Recipients(i).OriginalAddress
         Else
            strEnvelope1 = strEnvelope1 & ", " & oMessage.Recipients(i).Address
            strEnvelope2 = strEnvelope2 & ", " & oMessage.Recipients(i).OriginalAddress
         End If
      Next
      oMessage.HeaderValue("X-Envelope-To") = strEnvelope1
      oMessage.HeaderValue("X-Envelope-OriginalTo") = strEnvelope2
      oMessage.HeaderValue("X-Envelope-From") = oMessage.FromAddress
      oMessage.Save

X-Envelope-To = Recipient (after alias and/or catch-all translation)
X-Envelope-OriginalTo = The ORIGINAL Recipient (RCPT TO: as seen in the SMTP logs)
X-Envelope-From = The ORIGINAL Sender (MAIL FROM: as seen in the SMTP logs)

There are two sets of addresses in an email, just like a letter. The From/To on the envelope (front and back) and the From/To in the actual letter. The second can be spoofed to Hell in a Jiffy.

[jimimaseye]

In Admin - Settings - Protocols - SMTP - RFC Compliance there is an "Allow Empty Sender Adderss" checkbox. You can enable/disable to suit.

But in the case of the example above, there is plenty of Spam markers that should have caught this message anyway.

[jimimaseye]

BTW:

X-Spam-Report: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. *

viewtopic.php?f=22&t=32648

[thomas10]

Thanks Soren and Jimi.

jimi, Will do on the setting.
but for the URIBL_BLOCKED issue, I don't have any DNS server here. I believe this means some sort of the quota has been exceeded and that's why it is being blocked. I read your suggested post, but how to add the records as mentioned in your last post there?

[mattg]

You probably need a local non-forwarding DNS, or do what jimimaseye linked to

I use Bind9 on my Ubuntu box, but equally the DNS service on windows server will work.
You are likely using your ISP's server, and many people are, which results in an over quota situation

[jimimaseye]

Thanks Soren and Jimi.

jimi, Will do on the setting.
but for the URIBL_BLOCKED issue, I don't have any DNS server here. I believe this means some sort of the quota has been exceeded and that's why it is being blocked. I read your suggested post, but how to add the records as mentioned in your last post there?

You probably need a local non-forwarding DNS, or do what jimimaseye linked to

I use Bind9 on my Ubuntu box, but equally the DNS service on windows server will work.

Yes, I simply enabled the 'DNS Server' function in the Server, as a forwarder, and added the entries as a conditional forwarder. (Obviously, the servers DNS settings against the IP Protocol need to point to itself instead of the router or ISPs DNS). This will speed up any spamassassin scanning too.

[thomas10]

ok, will take your advice on it. Hopefully everything will be ok. Hmail rocks.

[RvdH]

If you use BIND9 as DNS server, you can easily add these lines to named.conf to disable forwarders.

Code: Select all

/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
zone "sbl.spamhaus.org" { type forward; forward first; forwarders {}; };