odd spam - how to protect against it?

Discussion in 'Installation/Configuration' started by chief, Dec 29, 2020.

  1. chief

    chief Member

    Debian stretch, ispcoinfig 3.1.15p3
    I have received this email, its from <[email protected]> but states one of my customers company name..
    it goes on to state some info from October 2018, what the odd thing is from the header.. it states a domain name but the IP for the domain is 127.0.0.1 then states 10.0.0.3 and next to it is unknown 125.165.240.211. how does the email come in and show in the header that localhost sent the email when clearly it came from external.. help and advice please on how to combat or just block it / them..

    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    by mail.tlsystems.co.uk (Postfix) with ESMTP id 87E7517605FE
    for <[email protected]>; Tue, 29 Dec 2020 07:43:13 +0000 (GMT)
    X-Virus-Scanned: Debian amavisd-new at mail.example.tld
    Received: from mail.tlsystems.co.uk ([127.0.0.1])
    by localhost (mail.tlsystems.co.uk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id S1OF_lf-NyCd for <[email protected]>;
    Tue, 29 Dec 2020 07:43:11 +0000 (GMT)
    X-Greylist: delayed 561 seconds by postgrey-1.36 at mail.tlsystems.co.uk;
    Tue, 29 Dec 2020 07:43:10 GMT
    Received: from mail.azizgroupbd.com (mail.azizgroupbd.com
    [182.163.126.123]) by mail.tlsystems.co.uk (Postfix) with ESMTPS id
    1F25E17602B1 for <[email protected]>; Tue, 29 Dec 2020 07:43:10 +0000
    (GMT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.azizgroupbd.com (Postfix) with ESMTP id F1CD8322AFB
    for <[email protected]>; Tue, 29 Dec 2020 13:31:47 +0600 (+06)
    Received: from mail.azizgroupbd.com ([127.0.0.1])
    by localhost (mail.azizgroupbd.com [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id UC3qRaVwYxNd for <[email protected]>;
    Tue, 29 Dec 2020 13:31:47 +0600 (+06)
    Received: from localhost (localhost [127.0.0.1])
    by mail.azizgroupbd.com (Postfix) with ESMTP id A1D3B322AF0
    for <[email protected]>; Tue, 29 Dec 2020 13:31:47 +0600 (+06)
    X-Virus-Scanned: amavisd-new at azizgroupbd.com
    Received: from mail.azizgroupbd.com ([127.0.0.1])
    by localhost (mail.azizgroupbd.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id fKHkq5yxaT_m; Tue, 29 Dec 2020 13:31:47 +0600 (+06)
    Received: from [10.0.0.3] (unknown [125.165.240.211])
    by mail.azizgroupbd.com (Postfix) with ESMTPSA id BC857322AFB
    for <[email protected]>; Tue, 29 Dec 2020 13:31:43 +0600 (+06)
    Date: Tue, 29 Dec 2020 14:33:40 +0700
    From: "customer name" <[email protected]>
    To: "dave" <[email protected]>
    Subject: ..................................

    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_007_14171_3822803888.95367842"
    Message-Id: <[email protected]>
    X-Evolution-Source: e07adfb9aa77fa1d2e20908de8e37362cddcdb3b
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Where does it show this? Maybe you are confusing your localhost and the senders localhost?
    Post listings in CODE tags, easier to read that way.
     
    chief likes this.
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You can write custom spam filters to try to catch those, but it'll probably never have perfect results (eg. a match for your company name without a matching company domain in the address).

    The headers look normal, the sending server was mail.azizgroupbd.com [182.163.126.123] and it was processed by your mail system, which adds additional Received headers as it passes through content filters (amavis), correctly using localhost connections. All Received headers prior to those added by your server can be faked, but I suspect they were not, the message simply passed through amavis on the sending side as well, prior to delivering to your server.
     
  4. chief

    chief Member

    I was a bit concerned as it has in the body of the email, data relating back to 2018.
    Is there a way to increase the security or to encypt email outbound? or does this then lead to recipients not being able to read these emails? or is connecting via SSL/TLS the best current method..

    thanks
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Your concern is others viewing mail in transit? Tls will help with that, though the receiving end must support it as well (most servers do). You can encrypt at the endpoint (mail client), but of course the recipients must be setup as well, so only practical in limited situations, not general email to arbitrary recipients.
     

Share This Page