petersconsult
Member
Hello all.
I have DKIM, SPF, and SpamAssassin enabled on all accounts, but I don't understand how emails like the one below are getting through...
I'm afraid that, somehow, my server is acting as an open relay.
Here is an actual example of the headers of a spam/ransom message that got through. You can clearly see that SpamAssassin didn't even check it and that SPF and DKIM each should have failed, yet it got through.
Please, if anyone has any idea, any suggestions are desperately welcome.
Here are the raw headers of the message:
Code:
Return-Path: <[email protected]>
Delivered-To: --my-email-address--
Received: from --my-host-name--
by --my-host-name-- with LMTP
id eP2NFSuPglznMwAAugyn/Q
(envelope-from <[email protected]>)
for <--my-email-address-->; Fri, 08 Mar 2019 16:50:03 +0100
Return-path: <[email protected]>
Envelope-to: --my-email-address--
Delivery-date: Fri, 08 Mar 2019 16:50:03 +0100
Received: from [27.254.148.50] (port=55104 helo=WIN-41GNGA78579.home)
by --my-host-name-- with esmtp (Exim 4.91)
(envelope-from <[email protected]>)
id 1h2Hkr-0003Sf-O8
for --my-email-address--; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [210-245-51-office-net-static-ip.fpt.vn] ([210.245.51.64]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Subject: --my-first-name--
From: <--my-email-address-->
Content-Type: multipart/related;
boundary="17E4BDA2FE-0DF9-A276D708F5-787407A80C-E69887"
MIME-Version: 1.0
Abuse-Reports-To: [email protected]
Message-ID:
<3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d>
To: --my-email-address--
List-Unsubscribe:
<mailto:[email protected]?subject=Unsubscribe>
User-Agent: ORYANOO 6.2
Date: Fri, 8 Mar 2019 15:32:57 +0100
X-Complaints-To: <[email protected]>
X-aid: 8635314994
Organization: Esgxuwpq
Here is the result of the command:
exigrep 1h2Hkr-0003Sf-O8 /var/log/exim_mainlog
Code:
2019-03-08 16:50:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2Hkr-0003Sf-O8
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 <= [email protected] H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 P=esmtp S=258040 id=3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d T="--my-first-name--" for --my-email-address--
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 => --my-first-name-- <--my-email-address--> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <--my-email-address--> eP2NFSuPglznMwAAugyn/Q Saved"
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 Completed
Again, clearly all checks have been bypassed...
How does this happen?
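The two artefacts in the post, the raw headers and the exigrep output, are enough to answer the relay question and to see which filters actually ran, so here is an added triage script (not from the poster or from cPanel/Exim) that does that mechanically. It walks the Received chain to find the hop stamped by the local host, pulls the connecting client IP, HELO name, envelope sender and From: address, lists which verdict headers (Authentication-Results, Received-SPF, DKIM-Signature, X-Spam-*) are present, and classifies the Exim `<=` / `=>` lines: a `=>` to a local transport such as dovecot_virtual_delivery is delivery into a mailbox on the box, whereas an open relay would show an unauthenticated `<=` from a remote client followed by a `=>` with a remote next-hop `H=`. The poster's host name, mailbox and the spammer's envelope sender are redacted on the page, so `mx.example.org`, `victim@example.org` and `bounce@spammer.example` are constructed placeholders; the other values are copied from the post.

```python
"""Triage a delivered message from its headers plus the matching Exim log lines."""
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_HOST = "mx.example.org"      # constructed stand-in for --my-host-name--
LOCAL_DOMAIN = "example.org"

# Headers modelled on the post; redacted values replaced by constructed placeholders.
SAMPLE_HEADERS = """\
Return-Path: <bounce@spammer.example>
Delivered-To: victim@example.org
Received: from mx.example.org
\tby mx.example.org with LMTP
\tid eP2NFSuPglznMwAAugyn/Q
\t(envelope-from <bounce@spammer.example>)
\tfor <victim@example.org>; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [27.254.148.50] (port=55104 helo=WIN-41GNGA78579.home)
\tby mx.example.org with esmtp (Exim 4.91)
\t(envelope-from <bounce@spammer.example>)
\tid 1h2Hkr-0003Sf-O8
\tfor victim@example.org; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [210-245-51-office-net-static-ip.fpt.vn] ([210.245.51.64]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Subject: --my-first-name--
From: <victim@example.org>
To: victim@example.org
Message-ID: <3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d>

"""

# exigrep output from the post, same placeholder substitution.
SAMPLE_LOG = """\
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 <= bounce@spammer.example H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 P=esmtp S=258040 id=3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d T="--my-first-name--" for victim@example.org
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 => --my-first-name-- <victim@example.org> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <victim@example.org> eP2NFSuPglznMwAAugyn/Q Saved"
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 Completed
""".splitlines()

LOG_LINE = re.compile(r"^\S+ \S+ (?P<id>\S+) (?P<flag><=|=>|->) (?P<rest>.*)$")


def analyse_headers(raw, local_host=LOCAL_HOST, local_domain=LOCAL_DOMAIN):
    msg = message_from_string(raw)
    client_ip = helo = None
    # Walk Received top-down: the first hop stamped "by <local_host>" that names a
    # remote [ip] and HELO is the client that spoke SMTP to us. Hops below it were
    # written by the sender and cannot be trusted (the MailEnable line here).
    for hop in msg.get_all("Received", []):
        if f"by {local_host}" not in hop:
            continue
        m = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\].*?helo=(\S+?)\)", hop, re.S)
        if m:
            client_ip, helo = m.group(1), m.group(2)
            break
    env_from = parseaddr(msg.get("Return-Path", ""))[1]
    hdr_from = parseaddr(msg.get("From", ""))[1]
    return {
        "client_ip": client_ip,
        "helo": helo,
        "envelope_from": env_from,
        "header_from": hdr_from,
        # SPF is evaluated on the envelope sender / HELO, not on From:, so a
        # forged local From: address alone does not make SPF fail.
        "header_from_spoofs_local_domain": hdr_from.lower().endswith("@" + local_domain),
        # Verdicts from SPF/DKIM/SpamAssassin are normally recorded in these headers.
        "filter_headers": [h for h in ("Authentication-Results", "Received-SPF",
                                       "DKIM-Signature", "X-Spam-Status",
                                       "X-Spam-Score") if h in msg],
    }


def analyse_exim_log(lines):
    report = {"received": None, "deliveries": [], "relayed": False,
              "malware_scan_failed": False}
    for line in lines:
        # clamd unreachable: the ACL could not scan, so the following
        # "no virus ... found" warning is not a real verdict.
        if "malware acl condition" in line and "unable to connect" in line:
            report["malware_scan_failed"] = True
        m = LOG_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if m.group("flag") == "<=":
            host = re.search(r"H=[^\[]*\[([^\]]+)\]", rest)
            report["received"] = {
                "sender": rest.split()[0],
                "ip": host.group(1) if host else None,
                "authenticated": " A=" in rest,   # Exim logs A=... only for SMTP AUTH
            }
        else:
            transport = re.search(r"\bT=(\S+)", rest)
            # Remote delivery logs the next hop as H=... after the recipient;
            # local transports (dovecot_virtual_delivery etc.) never do.
            report["deliveries"].append({"transport": transport.group(1) if transport else None,
                                         "remote": " H=" in rest})
    rx = report["received"]
    # Open-relay signature: unauthenticated remote client in, remote host out.
    report["relayed"] = bool(rx and rx["ip"] and not rx["authenticated"]
                             and any(d["remote"] for d in report["deliveries"]))
    return report


if __name__ == "__main__":
    h, l = analyse_headers(SAMPLE_HEADERS), analyse_exim_log(SAMPLE_LOG)
    print("SMTP client:", h["client_ip"], "HELO", h["helo"])
    print("envelope-from:", h["envelope_from"], "| From:", h["header_from"])
    print("filter headers present:", h["filter_headers"] or "none")
    print("relayed to a remote host:", l["relayed"], "| malware scan failed:", l["malware_scan_failed"])
```

Run against the post's data the script reports the client as 27.254.148.50 (HELO WIN-41GNGA78579.home), a From: in the local domain that differs from the envelope sender, no verdict headers at all, a single local delivery and therefore no relaying, and a clamd socket failure behind the "no virus found" warning. Point the same two functions at `exigrep <id> /var/log/exim_mainlog` output and the stored message for any other suspicious delivery.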