Received blank sender. Which email/ domain to block?

thomas10
Normal user
Posts: 54
Joined: 2013-10-30 03:13

Received blank sender. Which email/ domain to block?

Post by thomas10 » 2018-07-26 09:19

Hi All,

Need some help here. One of the users has received a spam mail without the sender email stated. I intend to block the email/domain name, but I'm not sure which one it is. Below is the message log.
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on GCF
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.1 required=5.0 tests=BAYES_50,DATE_IN_PAST_12_24, FROM_NO_USER,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,URIBL_BLOCKED,
URI_WP_HACKED_2 autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. *
See http://wiki.apache.org/spamassassin/Dns ... nsbl-block *
for more information. * [URIs: mydomain.com] * 0.8 FROM_NO_USER
From: has no local-part before @ sign * 1.0 DATE_IN_PAST_12_24 Date: is
12 to 24 hours before Received: date * 0.0 HTML_MESSAGE BODY: HTML
included in message * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to
60% * [score: 0.5000] * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font
color similar or identical to * background * 2.5 URI_WP_HACKED_2 URI
for compromised WordPress site, possible malware
Received: from mx.mail (mail.tteia.org.tw [211.20.132.239]) by mydomain.com with
ESMTP ; Thu, 26 Jul 2018 14:59:37 +0800
Received: by mx.mail (Postfix, from userid 2002) id D2F4A1634BE; Thu, 26 Jul 2018 10:29:39
+0800 (CST)
Received: from [66.154.98.234] (unknown [66.154.98.234]) by mx.mail (Postfix) with
ESMTPA id 26449162EC0 for <user email account>; Thu, 26 Jul 2018
09:20:04 +0800 (CST)
Content-Type: multipart/alternative; boundary="===============0652816647=="
MIME-Version: 1.0
Subject: [SPAM] [5.1] =?utf-8?B?5pyA5b6M5LiA5qyh6K2m5ZGK77yB5oKo55qE6YO1566x5bey6LaF6YGO6YWN?=
=?utf-8?B?6aGN56uL5Y2z5Y2H57Sa5oiW5Lif5aSx6YO1566xIG1heXZpcw==?=.
To: user email account
From: "EMAIL ADMIN" <>
Date: Wed, 25 Jul 2018 03:56:32 -0700
Message-Id: <20180726022939.D2F4A1634BE@mx.mail>
X-Spam-Prev-Subject: =?utf-8?b?5pyA5b6M5LiA5qyh6K2m5ZGK77yB5oKo55qE6YO1566x5bey6LaF6YGO6YWN?=
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: The host name specified in HELO does not match IP address. - (Score: 2)
X-hMailServer-Reason-2: Tagged as Spam by SpamAssassin - (Score: 5)
X-hMailServer-Reason-Score: 7
X-hMailServer-LoopCount: 1
Is it the mail.tteia.org.tw I have highlighted in Bold? But how come there are 2 different IPs? (66.154.98.234 and 211.20.132.239)
Please help.

SorenR
Senior user
Posts: 3183
Joined: 2006-08-21 15:38
Location: Denmark

Re: Received blank sender. Which email/ domain to block?

Post by SorenR » 2018-07-26 10:16

Look at the Received header as the tracking list for the last package you ordered online..

For each stop on the way there is a Received line. Only the last one (first from the top) is the one to look at, the rest can be ignored.

Insert this somewhere in Sub OnAcceptMessage(oClient, oMessage) in your EventHandlers.vbs

Code:

      ' Record the SMTP envelope (MAIL FROM / RCPT TO) in headers, because the
      ' From:/To: headers inside the message body can say anything.
      Dim i, strEnvelope1, strEnvelope2
      For i = 0 To oMessage.Recipients.Count-1
         If (i = 0) Then
            strEnvelope1 = oMessage.Recipients(i).Address
            strEnvelope2 = oMessage.Recipients(i).OriginalAddress
         Else
            strEnvelope1 = strEnvelope1 & ", " & oMessage.Recipients(i).Address
            strEnvelope2 = strEnvelope2 & ", " & oMessage.Recipients(i).OriginalAddress
         End If
      Next
      oMessage.HeaderValue("X-Envelope-To") = strEnvelope1
      oMessage.HeaderValue("X-Envelope-OriginalTo") = strEnvelope2
      oMessage.HeaderValue("X-Envelope-From") = oMessage.FromAddress
      ' Persist the header changes to the message
      oMessage.Save
X-Envelope-To = Recipient (after alias and/or catch-all translation)
X-Envelope-OriginalTo = The ORIGINAL Recipient (RCPT TO: as seen in the SMTP logs)
X-Envelope-From = The ORIGINAL Sender (MAIL FROM: as seen in the SMTP logs)

There are two sets of addresses in an email, just like a letter. The From/To on the envelope (front and back) and the From/To in the actual letter. The second can be spoofed to Hell in a Jiffy.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
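SorenR's tracking-list reading of the Received lines, and his envelope-versus-letter distinction, can be applied mechanically to the headers thomas10 posted. The Python below is an added example, not code from this thread or from hMailServer: it unfolds the header block, walks the Received lines from the top, and separates the envelope sender (Return-Path) from the header From. The sample headers are reconstructed from the first post with two assumptions of mine, a placeholder recipient user@mydomain.com and a Return-Path of <> (the original shows it blank); the result dictionary's field names are my own.

```python
"""Walk a message's Received chain and separate envelope sender from header From."""
import re

# Constructed sample: the header block from the first post in this thread, with the
# recipient placeholder filled in as user@mydomain.com and Return-Path written as <>.
SAMPLE = """\
Return-Path: <>
Received: from mx.mail (mail.tteia.org.tw [211.20.132.239]) by mydomain.com with
 ESMTP ; Thu, 26 Jul 2018 14:59:37 +0800
Received: by mx.mail (Postfix, from userid 2002) id D2F4A1634BE; Thu, 26 Jul 2018 10:29:39
 +0800 (CST)
Received: from [66.154.98.234] (unknown [66.154.98.234]) by mx.mail (Postfix) with
 ESMTPA id 26449162EC0 for <user@mydomain.com>; Thu, 26 Jul 2018
 09:20:04 +0800 (CST)
To: user@mydomain.com
From: "EMAIL ADMIN" <>
Date: Wed, 25 Jul 2018 03:56:32 -0700
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)   # HELO name + (rDNS [ip]) comment
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)                          # host that wrote this line
WITH_RE = re.compile(r"\bwith\s+(\S+)", re.I)                      # protocol: ESMTP, ESMTPA, ...
IP_RE = re.compile(r"\[(" + IPV4 + r")\]")
ADDR_RE = re.compile(r'^\s*(?:"?([^"<]*)"?\s*)?<([^>]*)>')          # "Name" <addr>, <> allowed


def unfold_headers(raw):
    """Return lower-cased (name, value) pairs, joining folded continuation lines (RFC 5322 2.2.3)."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def split_address(value):
    """Return (display_name, address); an empty address is the null sender <>."""
    m = ADDR_RE.match(value)
    if m:
        return (m.group(1) or "").strip(), m.group(2).strip()
    return "", value.strip()


def parse_received(value):
    """Pull HELO name, reverse-DNS name, IP, receiving host and protocol out of one Received line."""
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "with": None}
    m = FROM_RE.match(value)
    if m:  # lines without a "from" clause are internal handoffs (e.g. Postfix pickup)
        hop["helo"] = m.group(1)
        comment = m.group(2) or ""
        hop["rdns"] = comment.split("[")[0].strip() or None
        ipm = IP_RE.search(comment) or IP_RE.search(m.group(1))
        if ipm:
            hop["ip"] = ipm.group(1)
    for key, rx in (("by", BY_RE), ("with", WITH_RE)):
        m = rx.search(value)
        if m:
            hop[key] = m.group(1)
    return hop


def analyze(raw):
    headers = unfold_headers(raw)
    get = lambda n: next((v for k, v in headers if k == n), "")
    # Each relay prepends its Received line, so hops[0] is the one closest to us.
    hops = [parse_received(v) for k, v in headers if k == "received"]
    with_ip = [h for h in hops if h["ip"]]
    envelope_from = split_address(get("return-path"))[1]
    display, header_from = split_address(get("from"))
    return {
        "hops": hops,
        # The host that connected to our own server: the only hop we observed ourselves.
        "connecting_relay": with_ip[0] if with_ip else None,
        # The earliest IP in the chain, as reported by someone else's server (not verifiable by us).
        "originating_client": with_ip[-1] if with_ip else None,
        "envelope_from": envelope_from,
        "header_from": header_from,
        "header_from_display": display,
        "null_sender": envelope_from == "",
        # ESMTPA / ESMTPSA on a hop: that relay accepted the mail from an authenticated client.
        "authenticated_submission": any((h["with"] or "").upper() in ("ESMTPA", "ESMTPSA") for h in hops),
    }


if __name__ == "__main__":
    r = analyze(SAMPLE)
    for i, h in enumerate(r["hops"]):
        print(i, h)
    c, o = r["connecting_relay"], r["originating_client"]
    print("connected to us:", c["ip"], "HELO", c["helo"], "rDNS", c["rdns"])
    print("originating client per that relay:", o["ip"], "via", o["with"])
    print("envelope MAIL FROM:", repr(r["envelope_from"]), "| header From:", repr(r["header_from"]))
```

Run against the sample, the two IPs in the question fall out as two different roles: 211.20.132.239 is the host that actually delivered to mydomain.com (its HELO name mx.mail does not match its reverse DNS, which is the hMailServer reason line in the report), while 66.154.98.234 is only what that relay says connected to it, over an authenticated session (ESMTPA). Both the Return-Path and the header From are empty, so a filter keyed on the sender address has nothing to match; the connecting relay's IP and HELO are the values the receiving server can vouch for.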

jimimaseye
Moderator
Posts: 8116
Joined: 2011-09-08 17:48

Re: Received blank sender. Which email/ domain to block?

Post by jimimaseye » 2018-07-26 10:22

In Admin - Settings - Protocols - SMTP - RFC Compliance there is an "Allow Empty Sender Address" checkbox. You can enable/disable to suit.

But in the case of the example above, there are plenty of spam markers that should have caught this message anyway.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

jimimaseye
Moderator
Posts: 8116
Joined: 2011-09-08 17:48

Re: Received blank sender. Which email/ domain to block?

Post by jimimaseye » 2018-07-26 10:23

BTW:
thomas10 wrote:
2018-07-26 09:19
X-Spam-Report: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. *
viewtopic.php?f=22&t=32648
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

thomas10
Normal user
Posts: 54
Joined: 2013-10-30 03:13

Re: Received blank sender. Which email/ domain to block?

Post by thomas10 » 2018-07-27 04:04

Thanks Soren and Jimi.

Jimi, will do on the setting.
But for the URIBL_BLOCKED issue, I don't have any DNS server here. I believe this means some sort of quota has been exceeded and that's why it is being blocked. I read your suggested post, but how do I add the records as mentioned in your last post there?

mattg
Moderator
Posts: 20103
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Received blank sender. Which email/ domain to block?

Post by mattg » 2018-07-27 06:58

You probably need a local non-forwarding DNS, or do what jimimaseye linked to

I use Bind9 on my Ubuntu box, but equally the DNS service on windows server will work.
You are likely using your ISP's server, as many people are, which results in an over-quota situation.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8116
Joined: 2011-09-08 17:48

Re: Received blank sender. Which email/ domain to block?

Post by jimimaseye » 2018-07-27 08:54

thomas10 wrote:
2018-07-27 04:04
Thanks Soren and Jimi.

Jimi, will do on the setting.
But for the URIBL_BLOCKED issue, I don't have any DNS server here. I believe this means some sort of quota has been exceeded and that's why it is being blocked. I read your suggested post, but how do I add the records as mentioned in your last post there?
mattg wrote:
2018-07-27 06:58
You probably need a local non-forwarding DNS, or do what jimimaseye linked to

I use Bind9 on my Ubuntu box, but equally the DNS service on windows server will work.
Yes, I simply enabled the 'DNS Server' function in the Server, as a forwarder, and added the entries as a conditional forwarder. (Obviously, the server's DNS settings against the IP Protocol need to point to itself instead of the router or ISP's DNS.) This will speed up any SpamAssassin scanning too.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

thomas10
Normal user
Posts: 54
Joined: 2013-10-30 03:13

Re: Received blank sender. Which email/ domain to block?

Post by thomas10 » 2018-08-01 03:41

OK, will take your advice on it. Hopefully everything will be ok. Hmail rocks.

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Received blank sender. Which email/ domain to block?

Post by RvdH » 2018-08-01 13:21

If you use BIND9 as DNS server, you can easily add these lines to named.conf to disable forwarders.

Code:

/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
zone "sbl.spamhaus.org" { type forward; forward first; forwarders {}; };
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
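To make the URIBL_BLOCKED discussion (mattg's and jimimaseye's local-resolver advice, and RvdH's named.conf snippet) concrete, here is an added Python example that is not from this thread, hMailServer, BIND or any list operator's code. It shows what a DNSBL query name looks like for an IP or a domain, how the "query refused" answer codes differ from a real listing, and generates the per-zone forward stanzas from RvdH's snippet for any list of zones. It performs no network lookups: the answer values passed to decode() are constructed inputs, and the code tables reflect the Spamhaus ZEN and URIBL return codes as published by those operators, to the best of my knowledge.

```python
"""DNSBL query names, answer decoding, and BIND forward-override stanzas (added example)."""
import ipaddress

# Spamhaus ZEN answer codes. The 127.255.255.x values are errors, not listings.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    "127.255.255.252": "ERROR: typing error in DNSBL name",
    "127.255.255.254": "ERROR: query via public/open resolver",
    "127.255.255.255": "ERROR: excessive query volume",
}
# multi.uribl.com answers with a bitmask in the last octet. Bit 1 (127.0.0.1) means the
# query was refused, which is what SpamAssassin's URIBL_BLOCKED rule reports.
URIBL_BITS = ((2, "black"), (4, "grey"), (8, "red"))

# Constructed zone list, matching the named.conf snippet above.
DNSBL_ZONES = ["multi.uribl.com", "list.dnswl.org", "zen.spamhaus.org", "sbl.spamhaus.org"]


def dnsbl_name(zone, item):
    """Query name for item in zone: IPs are reversed (octets or nibbles), domains are prefixed."""
    try:
        ip = ipaddress.ip_address(item)
    except ValueError:
        return f"{item.lower().rstrip('.')}.{zone}"
    if ip.version == 4:
        rev = ".".join(reversed(ip.exploded.split(".")))
    else:
        rev = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def decode(zone, answers):
    """Turn the A records returned for a query into a verdict.

    An empty answer (NXDOMAIN) means not listed. Error codes are kept apart from hits so a
    refused query is never mistaken for a clean result or for a listing."""
    hits, errors = [], []
    for a in answers:
        if zone.endswith("spamhaus.org"):
            label = ZEN_CODES.get(a, f"unknown code {a}")
            (errors if label.startswith("ERROR") else hits).append(label)
        elif zone == "multi.uribl.com":
            bits = int(a.rsplit(".", 1)[-1])
            if bits & 1:
                errors.append("ERROR: query refused (public resolver or over quota)")
            hits.extend(name for bit, name in URIBL_BITS if bits & bit)
        else:
            hits.append(a)  # other lists: report the raw code
    return {"listed": bool(hits), "resolver_refused": bool(errors), "hits": hits, "errors": errors}


def named_conf_stanzas(zones):
    """BIND stanzas that replace the global forwarders with an empty list for each DNSBL zone,
    so named resolves those zones itself instead of through the ISP resolver."""
    lines = ["/* Disable forwarding for DNSBL queries */"]
    lines += [f'zone "{z}" {{ type forward; forward first; forwarders {{}}; }};' for z in zones]
    return "\n".join(lines)


if __name__ == "__main__":
    # The two hosts from the posted headers and the URI domain the X-Spam-Report mentions.
    for zone, item in (("zen.spamhaus.org", "211.20.132.239"),
                       ("zen.spamhaus.org", "66.154.98.234"),
                       ("multi.uribl.com", "mydomain.com")):
        print(f"{item:>16} -> {dnsbl_name(zone, item)}")
    # What the thread's report actually saw: URIBL answered 127.0.0.1, i.e. refused.
    print(decode("multi.uribl.com", ["127.0.0.1"]))
    print(decode("zen.spamhaus.org", ["127.0.0.4"]))
    print(named_conf_stanzas(DNSBL_ZONES))
```

The point of keeping errors separate from hits is the one jimimaseye's link makes: a 127.0.0.1 from URIBL (or 127.255.255.254 from Spamhaus) says nothing about the message, only that the shared resolver you query through has been cut off. SpamAssassin scores URIBL_BLOCKED at 0.0 for that reason, so until the lookups go through your own recursive resolver, as mattg and jimimaseye describe, the URI checks contribute nothing to the score.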
