I tried various configurations to stop such emails but so far failed.
I think I found out reason hMail server lets such email pass through but I cannot find way to stop it.
here is what I get.
- I have set that mail from local to local address may be sent only by authenticated connections. Actually it is set to require authentication for all SMTP using local address as sender. Mail from external address is not required only when recipient is local address.
- Mail containing local email address in From: are still passing by without authentication
- Password is, off course, not compromised
- Mail content is image so I cannot catch suspicious text phrases
Spammer connects to hMail server and uses external mail address during SMTP. Example:
Code: Select all
"SMTPD" 3924 153824 "2019-06-17 07:15:57.954" "184.108.40.206" "RECEIVED: MAIL FROM:<firstname.lastname@example.org> SIZE=237324"
However, email itself contains From: field set as local email address.
Person that receives email is confused how it received email from himself. That is when panic questions start.
This is classic example of faking From: which has to be handled.
Here is an example of header from such spam message (note that some information is altered for privacy issues). The only suspicious content I could catch on is invalid HELO but I decided to keep it lower than SPAM threshold as, often, wrong HELO content does not mean email is evil.
Code: Select all
----- From - Mon Jun 17 08:26:47 2019 X-Account-Key: account1 X-UIDL: 79841 X-Mozilla-Status: 0000 X-Mozilla-Status2: 00000000 X-Mozilla-Keys: Return-Path: email@example.com Received: from WIN-OI0Q27COD8G.home (ns1.bay-t.com.tr [220.127.116.11]) by mail.uzxxx.net with ESMTP ; Mon, 17 Jun 2019 07:15:59 +0200 Received: from  ([18.104.22.168]) by home with MailEnable ESMTP; Mon, 17 Jun 2019 08:09:01 +0300 X-aid: 5175934663 Message-ID: <CEAE9-7D6760-6D@www884.bay-t.com.tr> Abuse-Reports-To: <firstname.lastname@example.org> Date: Mon, 17 Jun 2019 07:09:07 +0200 Subject: [SPAM] Your account is hacked X-Complaints-To: email@example.com X-Mailer: ColdFusion 11 Application Server List-Help: <http://www.bay-t.com.tr/lists/?p=preferences&uid=oyw4bsesa2i94044d3st3ab1qqubyosr> Content-Type: multipart/related; boundary="ivnpndb-78CDBC64757F486A9" MIME-Version: 1.0 X-CSA-Complaints: firstname.lastname@example.org X-Sender: email@example.com To: firstname.lastname@example.org From: <email@example.com> List-Unsubscribe: <mailto:firstname.lastname@example.org?subject=Unsubscribe> X-hMailServer-Spam: YES X-hMailServer-Reason-1: The host name specified in HELO does not match IP address. - (Score: 3) X-hMailServer-Reason-Score: 3 This is a multi-part message in MIME format ----