Spam sent by unknown machine with my mail server...

Discussion in 'ISPConfig 3 Priority Support' started by francoisPE, Aug 14, 2022.

  1. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    I have an ISPConfig 3.2.8p1 multiple-server configuration with Ubuntu 20.04.
    I've just received an email coming from the address: [email protected]
    For confidentiality, I write dom.tld, but you have to understand that it is coming from my server: ns1.dom.tld is the name of my postfix mail server.
    I am very confused!
    I checked the ISPC web interface; there is no mail domain ns1.dom.tld. Likewise, in /var/vmail, there is no directory called ns1.dom.tld.
    I tried to look for something on my server
    Code:
    grep -r info@ns1 /var/log/*
    It gives nothing.
    Below is email source.
    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from ns1.dom.tld
        by ns1.dom.tld with LMTP
        id ek+BAlgd+WJTvQ0AFl6CoA
        (envelope-from <[email protected]>)
        for <[email protected]>; Sun, 14 Aug 2022 18:05:44 +0200
    Received: from localhost (localhost [127.0.0.1])
        by ns1.dom.tld (Postfix) with ESMTP id F0472B034EF
        for <[email protected]>; Sun, 14 Aug 2022 18:05:43 +0200 (CEST)
    X-Virus-Scanned: Debian amavisd-new at ns1.dom.tld
    X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "MIME-Version"
    X-Spam-Flag: NO
    X-Spam-Score: 2.657
    X-Spam-Level: **
    X-Spam-Status: No, score=2.657 tagged_above=1 required=4.5
        tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
        INVALID_DATE=0.432, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.972,
        SPOOFED_FREEMAIL=1, URIBL_BLOCKED=0.001]
        autolearn=no autolearn_force=no
    Received: from ns1.dom.tld ([127.0.0.1])
        by localhost (ns1.dom.tld [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id PnOsyAI83TEq for <[email protected]>;
        Sun, 14 Aug 2022 18:05:40 +0200 (CEST)
    Received: from vm3725095.24ssd.had.wf (vm3725095.24ssd.had.wf [185.92.149.231])
        by ns1.dom.tld (Postfix) with ESMTP id 46F96B0025E
        for <[email protected]>; Sun, 14 Aug 2022 18:05:38 +0200 (CEST)
    From: "Evaluez et vendez" <[email protected]>
    To: [email protected]
    Subject: =?UTF-8?B?8J+RiSA6IFZvcyB2ZW50ZXMgZGUgdm9pdHVyZXMgOiBleHBsaXF1w6llcyDDqXRhcGUgcGFyIMOpdGFwZSDwn5qX?=
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    List-Unsubscribe: <[email protected]>
    Sender: [email protected]
    MIME-version: 1.0
    Date: 8/14/2022
    Importance: high
    X-Priority: 1
    Content-Type: text/plain;
        charset="utf-8"
    Content-Transfer-Encoding: quoted-printable
    X-Antivirus: Avast (VPS 220814-2, 14/8/2022), Inbound message
    X-Antivirus-Status: Clean
    
    ----text removed because not useful----
    
    
    I don't understand the headers...
    The mail is coming from vm3725095.24ssd.had.wf [185.92.149.231], but my server is mentioned just below, and the "From" address is [email protected]

    I did
    Code:
    grep -r 185.92.149.231 /var/log/*
    it gives
    Code:
    mail.log:Aug 14 18:05:31 ns1 postfix/postscreen[984672]: CONNECT from [185.92.149.231]:51150 to [hiddenIP]:25
    mail.log:Aug 14 18:05:37 ns1 postfix/postscreen[984672]: PASS NEW [185.92.149.231]:51150
    mail.log:Aug 14 18:05:37 ns1 postfix/smtpd[984678]: connect from vm3725095.24ssd.had.wf[185.92.149.231]
    mail.log:Aug 14 18:05:39 ns1 postfix/smtpd[984678]: NOQUEUE: filter: RCPT from vm3725095.24ssd.had.wf[185.92.149.231]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<vm3725095.24ssd.had.wf>
    mail.log:Aug 14 18:05:39 ns1 postfix/smtpd[984678]: NOQUEUE: filter: RCPT from vm3725095.24ssd.had.wf[185.92.149.231]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<vm3725095.24ssd.had.wf>
    mail.log:Aug 14 18:05:39 ns1 postfix/smtpd[984678]: 46F96B0025E: client=vm3725095.24ssd.had.wf[185.92.149.231]
    mail.log:Aug 14 18:05:40 ns1 postfix/smtpd[984678]: disconnect from vm3725095.24ssd.had.wf[185.92.149.231] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    mail.log:Aug 14 18:05:44 ns1 amavis[941430]: (941430-18) Passed BAD-HEADER-8 {RelayedInbound}, [127.0.0.1] [185.92.149.231] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: PnOsyAI83TEq, Hits: 2.657, size: 1595, queued_as: F0472B034EF, 3877 ms
    mail.log:Aug 14 18:09:00 ns1 postfix/anvil[985066]: statistics: max connection rate 1/60s for (smtpd:185.92.149.231) at Aug 14 18:05:37
    mail.log:Aug 14 18:09:00 ns1 postfix/anvil[985066]: statistics: max connection count 1 for (smtpd:185.92.149.231) at Aug 14 18:05:37
    mail.log:Aug 14 18:09:00 ns1 postfix/anvil[985066]: statistics: max message rate 1/60s for (smtpd:185.92.149.231) at Aug 14 18:05:38
    syslog:Aug 14 18:05:31 ns1 postfix/postscreen[984672]: CONNECT from [185.92.149.231]:51150 to [hiddenIP]:25
    syslog:Aug 14 18:05:37 ns1 postfix/postscreen[984672]: PASS NEW [185.92.149.231]:51150
    syslog:Aug 14 18:05:37 ns1 postfix/smtpd[984678]: connect from vm3725095.24ssd.had.wf[185.92.149.231]
    syslog:Aug 14 18:05:39 ns1 postfix/smtpd[984678]: NOQUEUE: filter: RCPT from vm3725095.24ssd.had.wf[185.92.149.231]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<vm3725095.24ssd.had.wf>
    syslog:Aug 14 18:05:39 ns1 postfix/smtpd[984678]: NOQUEUE: filter: RCPT from vm3725095.24ssd.had.wf[185.92.149.231]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<vm3725095.24ssd.had.wf>
    syslog:Aug 14 18:05:39 ns1 postfix/smtpd[984678]: 46F96B0025E: client=vm3725095.24ssd.had.wf[185.92.149.231]
    syslog:Aug 14 18:05:40 ns1 postfix/smtpd[984678]: disconnect from vm3725095.24ssd.had.wf[185.92.149.231] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    syslog:Aug 14 18:05:44 ns1 amavis[941430]: (941430-18) Passed BAD-HEADER-8 {RelayedInbound}, [127.0.0.1] [185.92.149.231] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: PnOsyAI83TEq, Hits: 2.657, size: 1595, queued_as: F0472B034EF, 3877 ms
    syslog:Aug 14 18:09:00 ns1 postfix/anvil[985066]: statistics: max connection rate 1/60s for (smtpd:185.92.149.231) at Aug 14 18:05:37
    syslog:Aug 14 18:09:00 ns1 postfix/anvil[985066]: statistics: max connection count 1 for (smtpd:185.92.149.231) at Aug 14 18:05:37
    syslog:Aug 14 18:09:00 ns1 postfix/anvil[985066]: statistics: max message rate 1/60s for (smtpd:185.92.149.231) at Aug 14 18:05:38
    
    
    I think the issue is with "Passed BAD-HEADER-8 {RelayedInbound}".
    How can I block that kind of email...
    I should move to rspamd... Is that issue possible with Rspamd?
    Thank you for your help
     
    Last edited: Aug 14, 2022
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Is there a mailbox [email protected] on that server ns1.dom.tld? If yes, then someone just sent you an email to your server and not with your server.

    This does not mean that the email is sent from or with your server. Email addresses in the from field can be freely chosen by the sender; they are no indication of which server or domain sent them.

    What you should do if you have not done that yet, is to set up DKIM for dom.tld and set strict SPF and DMARC records to help other mail systems in verifying that an email with a from dom.tld address has been sent by a server that is authorized to do so.

    Amavis detected the message and assigned it a score of 2.65, so it was already detected as spam by amavis. But you seem to use a very high spam score of 4.5 in your amavis policy, that's why it was not marked as spam.
     
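The "strict SPF and DMARC" advice above, as an added example that is not part of this thread or of ISPConfig: a minimal SPF evaluator (ip4/ip6/all mechanisms only, no DNS lookups, so include/a/mx are not handled) plus a DMARC tag parser and a small policy audit. The records, the sender IPs from the documentation ranges and the rua address dmarc@dom.tld are constructed for illustration. It shows why a record ending in `~all` only yields the SPF_SOFTFAIL tag seen in the headers, while `-all` with a DMARC `p=reject` tells receivers to refuse mail with a forged dom.tld From: address.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the connecting IP against an SPF TXT record.

    Minimal evaluator: only ip4, ip6 and all mechanisms and no DNS lookups,
    so include/a/mx/redirect raise. Enough to show how the trailing 'all'
    qualifier decides what happens to an unlisted sender."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS; not supported here")
    return "neutral"                       # nothing matched and no 'all' term


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit_policy(spf_record, dmarc_record):
    """List the lenient settings that let a forged From: through with only a
    spam-score bump instead of a rejection at the receiving side."""
    findings = []
    all_terms = [t for t in spf_record.split()[1:]
                 if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders get neutral")
    else:
        q = all_terms[0][0] if all_terms[0][0] in QUALIFIERS else "+"
        if q != "-":
            findings.append(f"SPF ends with {all_terms[0]}: unlisted senders only "
                            f"{QUALIFIERS[q]}; use -all for a hard fail")
    policy = parse_dmarc(dmarc_record).get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: receivers report but never quarantine/reject")
    return findings


if __name__ == "__main__":
    # Constructed records: a lenient pair and a strict pair for the same domain.
    lenient = ("v=spf1 ip4:203.0.113.10 ~all", "v=DMARC1; p=none; rua=mailto:dmarc@dom.tld")
    strict = ("v=spf1 ip4:203.0.113.10 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@dom.tld")
    for spf, dmarc in (lenient, strict):
        print(spf, "->", evaluate_spf(spf, "198.51.100.7"), "for an unlisted host")
        for finding in audit_policy(spf, dmarc):
            print("  ", finding)
```

Note that SPF is checked against the envelope sender (MAIL FROM) and HELO name, not the From: header; it is DMARC alignment that ties the From: domain to an SPF or DKIM pass, which is why till's advice lists all three.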
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Google has a message header tool that helps show where the e-mail came from: https://support.google.com/mail/answer/29436?hl=fi
    If you do not want to use that, then you read the Received: headers from the e-mail from beginning to end. When you reach the last Received: line that is written by an e-mail server you trust, the from shows where the e-mail arrived from. Received lines after that may be forged by the sender, so they are not trustworthy.
    This part
    Code:
    Received: from ns1.dom.tld ([127.0.0.1])
        by localhost (ns1.dom.tld [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id PnOsyAI83TEq for <[email protected]>;
        Sun, 14 Aug 2022 18:05:40 +0200 (CEST)
    Received: from vm3725095.24ssd.had.wf (vm3725095.24ssd.had.wf [185.92.149.231])
        by ns1.dom.tld (Postfix) with ESMTP id 46F96B0025E
        for <[email protected]>; Sun, 14 Aug 2022 18:05:38 +0200 (CEST)
    shows your server ns1.dom.tld got the email from vm3725095.24ssd.had.wf. So, like @till wrote, just ordinary e-mail arriving to your server.
     
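The Received: walk Taleman describes, as an added example that is not part of this thread or of ISPConfig. The sample message is constructed from the headers quoted in the thread, with the redacted addresses replaced by the placeholders info@ns1.dom.tld and user@dom.tld. The hop written by the last trusted host is the trust boundary; everything below it is under the sender's control. The report also flags the case from this thread, where the From: domain is ours but the boundary hop shows the message came from an outside host.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the thread's headers (newest hop first).
SAMPLE = """\
Return-Path: <info@ns1.dom.tld>
Received: from ns1.dom.tld
    by ns1.dom.tld with LMTP
    id ek+BAlgd+WJTvQ0AFl6CoA
    (envelope-from <info@ns1.dom.tld>)
    for <user@dom.tld>; Sun, 14 Aug 2022 18:05:44 +0200
Received: from localhost (localhost [127.0.0.1])
    by ns1.dom.tld (Postfix) with ESMTP id F0472B034EF
    for <user@dom.tld>; Sun, 14 Aug 2022 18:05:43 +0200 (CEST)
Received: from ns1.dom.tld ([127.0.0.1])
    by localhost (ns1.dom.tld [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id PnOsyAI83TEq for <user@dom.tld>;
    Sun, 14 Aug 2022 18:05:40 +0200 (CEST)
Received: from vm3725095.24ssd.had.wf (vm3725095.24ssd.had.wf [185.92.149.231])
    by ns1.dom.tld (Postfix) with ESMTP id 46F96B0025E
    for <user@dom.tld>; Sun, 14 Aug 2022 18:05:38 +0200 (CEST)
From: "Evaluez et vendez" <info@ns1.dom.tld>
To: user@dom.tld
Subject: sample

body
"""

FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def received_hops(raw_message):
    """Return the Received: hops newest-first, each as from-host, IP, by-host."""
    msg = message_from_string(raw_message)
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())            # unfold continuation lines
        m_from = FROM_RE.search(text)
        m_by = BY_RE.search(text)
        detail = m_from.group(2) if m_from and m_from.group(2) else ""
        m_ip = IP_RE.search(detail)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "by": m_by.group(1) if m_by else None})
    return hops


def origin_hop(raw_message, trusted_hosts):
    """Walk down from the newest hop while the 'by' host is one we trust; the
    last such hop is the boundary and its 'from' is the real handing-off host.
    Returns None if even the newest hop was not written by a trusted host."""
    boundary = None
    for hop in received_hops(raw_message):
        if hop["by"] not in trusted_hosts:
            break
        boundary = hop
    return boundary


def spoof_report(raw_message, trusted_hosts, own_domains):
    """Compare the From: domain with the boundary hop's origin host."""
    msg = message_from_string(raw_message)
    boundary = origin_hop(raw_message, trusted_hosts)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    claims_own = any(from_domain == d or from_domain.endswith("." + d)
                     for d in own_domains)
    origin_host = boundary["from"] if boundary else None
    origin_is_ours = origin_host in trusted_hosts if origin_host else False
    return {"origin_host": origin_host,
            "origin_ip": boundary["ip"] if boundary else None,
            "from_domain": from_domain,
            "spoofed_own_domain": claims_own and not origin_is_ours}


if __name__ == "__main__":
    print(spoof_report(SAMPLE, {"ns1.dom.tld", "localhost"}, {"dom.tld"}))
```

Run against the sample, the boundary is the fourth hop, so the origin is vm3725095.24ssd.had.wf [185.92.149.231] while From: claims ns1.dom.tld, which is exactly the situation the thread describes.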
  4. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I understand now.
    I received it from vm3725095.24ssd.had.wf, and this sender says: "From: "Evaluez et vendez" <[email protected]>"
    Amavis detected it and said: "X-Spam-Score: 2.657"
    My settings for spam detection are unchanged from the ISPC "default".
    I have: Spamfilter policy = Normal
    and in amavis the spam score is quite high: 4.5
    What would be a more reasonable score? I am thinking about 2.5
    Looking at the Rspamd setting it is even higher, but maybe rspamd scoring is more severe...
    What do you think is a good spam score for amavis and rspamd?
    See the images below
     
    Last edited: Aug 16, 2022
  5. francoisPE

    francoisPE Active Member HowtoForge Supporter
