users receiving a lot of Porno emails

bas60
Posts: 57
Joined: 04 Feb 2014 13:58

users receiving a lot of Porno emails

Post by bas60 »

Emails seem to get through to the user.

Noticed a spam score of -1.97 to -3 on some of these!

Have asked the user to forward me these emails, and a couple of them were picked up by EFA .... on the same spam filter but a different domain!

Any ideas welcome.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: users receiving a lot of Porno emails

Post by ovizii »

Unless we can see the headers and scores these emails have received, we can't say much.
Please ask that user to forward you the emails which slipped through as attachments, so you can see the original headers as he received them.
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: users receiving a lot of Porno emails

Post by bas60 »

Does any of this help?
I released this from the EFA to my email address. This one came through as clean.
(I've replaced the domains.)

This one had a SpamAssassin score of 2.41:

Return-path: <postmaster@efadomain.com>
Received: from mwall2.efadomain.com ([::ffff:192.168.1.57])
by mail.efadomain.com with ESMTP; Thu, 21 Jul 2016 06:45:36 +0100
Received: by mwall2.efadomain.com (Postfix, from userid 48)
id EE6B080079; Thu, 21 Jul 2016 06:45:33 +0100 (BST)
X-Greylist: greylisting inactive for james@mydomain.co.uk in SQLgrey-1.8.0
Received: from h2077322.stratoserver.net (h2077322.stratoserver.net [85.214.227.48])
(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mwall2.efadomain.com (Postfix) with ESMTPS id DDE1E8005A
for <james@mydomain.co.uk>; Wed, 20 Jul 2016 23:36:32 +0100 (BST)
Received: from u2077322 by h2077322.stratoserver.net with local (Exim 4.85)
(envelope-from <jessica_barnett@40rocks.de>)
id 1bQ06S-0008R9-3Q
for james@mydomain.co.uk; Thu, 21 Jul 2016 00:36:32 +0200
To: james@mydomain.co.uk
Subject: Hot Indian Pussy 42
Date: Thu, 21 Jul 2016 00:36:32 +0200
From: Jessica Barnett <jessica_barnett@40rocks.de>
Message-ID: <d3d2f6fd95c83cba59d42155414ec0b7@40rocks.de>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_d3d2f6fd95c83cba59d42155414ec0b7"
Content-Transfer-Encoding: 8bit
X-efadomain-MailScanner-EFA-Information: Please contact admin@efadomain.com for more information
X-efadomain-MailScanner-EFA-ID: EE6B080079.A5F9D
X-efadomain-MailScanner-EFA: Found to be clean
X-efadomain-MailScanner-EFA-From: postmaster@efadomain.com
X-efadomain-MailScanner-EFA-Watermark: 1469684735.87222@2T6wxAcRerlGco53PlP+hw
X-Spam-Status: No

--b1_d3d2f6fd95c83cba59d42155414ec0b7
Content-Type: text/plain; charset=us-ascii

Office slut Lily Paige is poked on computer desk [ http://mohantarneja.com/file.php?a=111& ... Gg&5=zyS9N ] Find the video here.


--b1_d3d2f6fd95c83cba59d42155414ec0b7
Content-Type: text/html; charset=us-ascii

<html>
<body>
<div style="font-family:Arial,sans-serif;color:#000000;font-size:14px;">
Office slut Lily Paige is poked on computer desk <a href="http://mohantarneja.com/file.php?a=111& ... yS9N">Find the video here.</a>
</div>
</body>
</html>



--b1_d3d2f6fd95c83cba59d42155414ec0b7--
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: users receiving a lot of Porno emails

Post by bas60 »

This one had a score of -1.12

Return-path: <postmaster@efadomain.com>
Received: from mwall2.efadomain.com ([::ffff:192.168.1.57])
by mail.efadomain.com with ESMTP; Thu, 21 Jul 2016 06:43:46 +0100
Received: by mwall2.efadomain.com (Postfix, from userid 48)
id 7915D80079; Thu, 21 Jul 2016 06:43:43 +0100 (BST)
X-Greylist: greylisting inactive for james@mydomain.co.uk in SQLgrey-1.8.0
Received: from list (ns3044074.ip-94-23-201.eu [94.23.201.41])
(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mwall2.efadomain.com (Postfix) with ESMTPS id 1B04D8005A
for <james@mydomain.co.uk>; Thu, 21 Jul 2016 00:16:20 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=kacakiddasiteleri.com; s=default; h=Content-Transfer-Encoding:Content-Type:
MIME-Version:Message-ID:From:Date:Subject:To:Sender:Reply-To:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=g8Cl6AhGgKyvY+9GNsL+9BbVSTVGZN2JDhYTnDcHFH4=; b=YnH//Z6VT1mynl9G130MCVmBdw
LxR0Ncv9UapVDBBzkUNUxjIvMBQWzWyMjTLq+vbMAOIusIgAjtrEjzGg8w3y4UWuDnTA/zQz+3RvZ
wiH+ZwvU8IeHUiF7uL8AnH2E9CxKQJx5ilRpZs8Lwyd+ScSXGx5BvGzlCMU2W+IddG0Pyoojl65rN
lUHwFhg035BMTZCwFADuyyzhwzaIXUFaxJC+XCVqiozCkOm5jKJxYu4vxq0CPDfCMDPt1IJsK7bZm
AbzNwNl43S81hBqYSKi/aGhTLIuyKmtPzEKhqVKawcteh1ihifI9wk3oNiHuboU515SGdt76SElyM
0G8WrBDA==;
Received: from kacak by list with local (Exim 4.87)
(envelope-from <pat_beck@kacakiddasiteleri.com>)
id 1bQ0iw-0004CQ-1k
for james@mydomain.co.uk; Thu, 21 Jul 2016 02:16:18 +0300
To: james@mydomain.co.uk
Subject: Japanese Amateur really cute
X-PHP-Script: kacakiddasiteleri.com/ for 127.0.0.1, 127.0.0.1
Date: Thu, 21 Jul 2016 02:16:18 +0300
From: Pat Beck <pat_beck@kacakiddasiteleri.com>
Message-ID: <1bcf7405a9e51b78cef3a03d9ff4ae70@kacakiddasiteleri.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_1bcf7405a9e51b78cef3a03d9ff4ae70"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - list
X-AntiAbuse: Original Domain - mydomain.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [507 497] / [47 12]
X-AntiAbuse: Sender Address Domain - kacakiddasiteleri.com
X-Get-Message-Sender-Via: list: authenticated_id: kacak/from_h
X-Authenticated-Sender: list: pat_beck@kacakiddasiteleri.com
X-Source: /usr/local/sop/fcgi-bin/lsphp-5.5.35
X-Source-Args: lsphp5:ome/kacak/public_html/git/pulibet/gallery.php
X-Source-Dir: kacakiddasiteleri.com:/public_html/git/pulibet
X-efadomain-MailScanner-EFA-Information: Please contact admin@efadomain.com for more information
X-efadomain-MailScanner-EFA-ID: 7915D80079.A4F9B
X-efadomain-MailScanner-EFA: Found to be clean
X-efadomain-MailScanner-EFA-From: postmaster@efadomain.com
X-efadomain-MailScanner-EFA-Watermark: 1469684626.30737@ZLUiYiPE4inzTv4LGEUdGw
X-Spam-Status: No

--b1_1bcf7405a9e51b78cef3a03d9ff4ae70
Content-Type: text/plain; charset=us-ascii

Blondie Lilly Banks tickles her fancy right in the empty street [ http://www.dekalboutdoortheater.org/css ... um&6=BJKnQ ] Find the video here.


--b1_1bcf7405a9e51b78cef3a03d9ff4ae70
Content-Type: text/html; charset=us-ascii

<html>
<body>
<div style="font-family:Arial,sans-serif;color:#000000;font-size:14px;">
Blondie Lilly Banks tickles her fancy right in the empty street <a href="http://www.dekalboutdoortheater.org/css ... JKnQ">Find the video here.</a>
</div>
</body>
</html>



--b1_1bcf7405a9e51b78cef3a03d9ff4ae70--
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: users receiving a lot of Porno emails

Post by pdwalker »

Your installation of SpamAssassin does not appear to be configured to show the detailed spam reports with your messages.

For example, in my messages, I will see the following headers:

X-efaDomain-MailScanner-EFA-SpamScore: sssss
X-efaDomain-MailScanner-EFA-SpamCheck: spam, SpamAssassin (not cached,
	score=5.203, required 4, BAYES_50 0.80, DCC_CHECK 1.10,
	DIGEST_MULTIPLE 0.29, DKIM_SIGNED 0.10,
	FREEMAIL_FORGED_FROMDOMAIN 0.20, FREEMAIL_FROM 0.00,
	HEADER_FROM_DIFFERENT_DOMAINS 0.00, HTML_MESSAGE 0.00,
	HTML_OBFUSCATE_05_10 0.26, ML_SPF_PASS -0.68,
	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.89,
	RAZOR2_CHECK 0.92, R_SB_FR 0.01, R_SB_FR_P03 -0.20, SPF_FAIL 0.00,
	SPF_HELO_PASS -0.00, T_DKIM_INVALID 0.01)
X-efaDomain-MailScanner-EFA: Found to be clean

We cannot see them in your messages.

Can you grab the spam report from the message details through the efa web interface, or can you reconfigure your installation to include the spam report headings?

I believe the options are (in /etc/MailScanner.conf):

Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: users receiving a lot of Porno emails

Post by bas60 »

Looks like the other emails have been deleted.

This one was in pink with a score of 6.36. Having added the two lines and rebooted EFA,
I get a different layout, but SpamAssassin is mentioned.
Does this help?

Return-path: <postmaster@efadomain.com>
Received: from mwall2.efadomain.com ([::ffff:192.168.1.57])
by mail.efadomain.com with ESMTP; Thu, 21 Jul 2016 15:44:11 +0100
Received: by mwall2.efadomain.com (Postfix, from userid 48)
id 0694B80057; Thu, 21 Jul 2016 15:44:07 +0100 (BST)
X-Greylist: greylisting inactive for james@mydomain.co.uk in SQLgrey-1.8.0
Received: from h1434261.stratoserver.net (kulturfenster-berlin.de [85.214.139.183])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mwall2.efadomain.com (Postfix) with ESMTPS id 2B34080056
for <james@mydomain.co.uk>; Thu, 21 Jul 2016 12:16:47 +0100 (BST)
Received: by h1434261.stratoserver.net (Postfix, from userid 10003)
id 23BBACCF239; Thu, 21 Jul 2016 13:16:46 +0200 (CEST)
To: james@mydomain.co.uk
Subject: Brutal dildo in babes cunt showering
X-PHP-Originating-Script: 10003:start72.php(1942) : eval()'d code
Date: Thu, 21 Jul 2016 13:16:46 +0200
From: Stacy Carpenter <stacy_carpenter@meinschoeneweide.de>
Message-ID: <381d9d4d79e66dded8992b85695d52c6@meinschoeneweide.de>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_381d9d4d79e66dded8992b85695d52c6"
Content-Transfer-Encoding: 8bit
X-efadomain-MailScanner-EFA-Information: Please contact admin@efadomain.com for more information
X-efadomain-MailScanner-EFA-ID: 0694B80057.A9B9F
X-efadomain-MailScanner-EFA: Found to be clean
X-efadomain-MailScanner-EFA-SpamCheck: not spam (whitelisted),
SpamAssassin (not cached, score=6.025, required 4, BAYES_00 -1.90,
HEADER_FROM_DIFFERENT_DOMAINS 0.00, HTML_MESSAGE 0.00,
KAM_BADPHP 2.50, RAZOR2_CF_RANGE_51_100 0.50,
RAZOR2_CF_RANGE_E8_51_100 1.89, RAZOR2_CHECK 0.92,
RCVD_IN_BRBL_LASTEXT 1.45, SPF_SOFTFAIL 0.67, URIBL_BLOCKED 0.00)
X-efadomain-MailScanner-EFA-From: postmaster@efadomain.com
X-efadomain-MailScanner-EFA-Watermark: 1469717049.73861@97RsMA5pX+wSYWTkv8j1CQ
X-Spam-Status: No

--b1_381d9d4d79e66dded8992b85695d52c6
Content-Type: text/plain; charset=us-ascii

That insane chick swallows like pervert! [ http://capturedojo.com/themes.php?g=111 ... Mz&6qeaf=J ] Check it out!


--b1_381d9d4d79e66dded8992b85695d52c6
Content-Type: text/html; charset=us-ascii

<html>
<body>
<div style="font-family:Arial,sans-serif;color:#000000;font-size:14px;">
That insane chick swallows like pervert! <a href="http://capturedojo.com/themes.php?g=111 ... f=J">Check it out!</a>
</div>
</body>
</html>



--b1_381d9d4d79e66dded8992b85695d52c6--
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: users receiving a lot of Porno emails

Post by pdwalker »

Yes.

Look here:

X-efadomain-MailScanner-EFA: Found to be clean
X-efadomain-MailScanner-EFA-SpamCheck: not spam (whitelisted),

It looks like you are whitelisting the spammers, thus the spam is being marked as clean.
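A small check over the header pdwalker describes above, added here as an example (not EFA's or MailScanner's own code): it parses the EFA SpamCheck header into verdict, score, threshold and rule hits, and flags messages that were marked clean only because of a whitelist entry even though the SpamAssassin score reached the threshold. The sample headers are constructed from the ones quoted in this thread; the function names are assumptions.

```python
import re

# Constructed sample headers, modelled on those quoted in this thread.
# The first one is the case to catch: whitelisted, yet score >= required.
SAMPLE_HEADERS = [
    "X-efadomain-MailScanner-EFA-SpamCheck: not spam (whitelisted), "
    "SpamAssassin (not cached, score=6.025, required 4, BAYES_00 -1.90, "
    "KAM_BADPHP 2.50, RCVD_IN_BRBL_LASTEXT 1.45, SPF_SOFTFAIL 0.67)",
    "X-efaDomain-MailScanner-EFA-SpamCheck: spam, SpamAssassin (not cached, "
    "score=5.203, required 4, BAYES_50 0.80, DCC_CHECK 1.10, SPF_FAIL 0.00)",
    "X-efadomain-MailScanner-EFA-SpamCheck: not spam, SpamAssassin (not cached, "
    "score=-1.12, required 4, BAYES_00 -1.90, HTML_MESSAGE 0.00)",
]

_SA = re.compile(r"SpamAssassin \((.*)\)\s*$")        # the parenthesised report
_RULE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+(-?\d+\.\d+)$")  # "RULE_NAME 1.23"

def parse_spamcheck(header: str) -> dict:
    """Split a MailScanner SpamCheck header into verdict, score, threshold and rule hits."""
    _, _, value = header.partition(":")
    value = " ".join(value.split())            # unfold continuation-line whitespace
    verdict, _, rest = value.partition(",")    # "not spam (whitelisted)" / "spam"
    result = {"verdict": verdict.strip(), "whitelisted": "whitelisted" in verdict,
              "score": None, "required": None, "rules": {}}
    m = _SA.search(rest)
    if not m:
        return result
    for field in (f.strip() for f in m.group(1).split(",")):
        if field.startswith("score="):
            result["score"] = float(field[len("score="):])
        elif field.startswith("required "):
            result["required"] = float(field[len("required "):])
        else:
            r = _RULE.match(field)             # skips "not cached" and similar
            if r:
                result["rules"][r.group(1)] = float(r.group(2))
    return result

def whitelist_overrides_score(header: str) -> bool:
    """True when a whitelist entry made MailScanner ignore a score at or above the threshold."""
    p = parse_spamcheck(header)
    return (p["whitelisted"] and p["score"] is not None and p["required"] is not None
            and p["score"] >= p["required"])

def suspicious_headers(headers) -> list:
    """Return the headers where the whitelist, not the score, decided the verdict."""
    return [h for h in headers if whitelist_overrides_score(h)]
```

Run over a mailbox export, the returned list points at the senders whose B/W-list entry needs checking.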
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: users receiving a lot of Porno emails

Post by bas60 »

Hi,

I saw that, but the user has actually blacklisted these spammers,
so I don't understand why they are whitelisted?

Is it possible some other user on the system has whitelisted them?
Is there any way to find out?
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: users receiving a lot of Porno emails

Post by bas60 »

I have hundreds of domains,
all with mailxxx.yyy.com etc.

I can't see anyone whitelisting these!

Has my system perhaps been hacked?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: users receiving a lot of Porno emails

Post by ovizii »

bas60 wrote: "I have hundreds of domains"
Where do you have those?
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: users receiving a lot of Porno emails

Post by bas60 »

When I click on Greylist > Domains,
a list comes up headed Whitelist.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: users receiving a lot of Porno emails

Post by ovizii »

that is just greylisting, doesn't concern this issue: https://en.wikipedia.org/wiki/Greylisting

What this:

X-efadomain-MailScanner-EFA-SpamCheck: not spam (whitelisted),

means is:
Go to your EFA web interface, select B/W Lists and check if those domains are there under the Whitelist section.
If they are, remove them.

Not sure where they would show if a user had whitelisted them, might still show there...
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: users receiving a lot of Porno emails

Post by bas60 »

No, none of these are in there - the first thing I checked, since more than one user is getting these.

I also checked the B/W lists of each of the users getting these emails - not there either.

One entry I'm not 100% sure about - 127.0.0.1 (localhost).
Should this be in there?

(Guess I can check by setting up a new EFA!)
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: users receiving a lot of Porno emails

Post by ovizii »

AFAIK localhost should be there, so that EFA whitelists emails originating on your EFA appliance itself.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: users receiving a lot of Porno emails

Post by pdwalker »

I have no idea what is causing your problem. I'd need to log into your system and see what's going on in order to work out why these domains are whitelisted.
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: users receiving a lot of Porno emails

Post by bas60 »

My IT manager said we should simply start again with a new install, since it's a VM.

We have about 80 users and 7 domains.

Are there any options for exporting users?