spam missing from domain.

mattch
Posts: 44
Joined: 28 Mar 2018 22:26

spam missing from domain.

Post by mattch »

Hello! I'm trying to wrap my head around this one and how to prevent it. I've never seen this type of spam sneak through.

When it was delivered to my mailbox, the from address was my efa domain:
It appears that part of the from domain is missing in the header, so efa appends its own? But also part of the header shows the from domain.
mydomain.com is my email domain. efa is my.efa.domain.com. I already block external spoofing for mydomain.com.

efa email headers:

Code:

	Received: from celeborn.hostbox12.com (celeborn.hostbox12.com [209.236.116.247])
     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
     (no client certificate requested)
     by my.efa.domain.com (MailScanner Milter) with SMTP id 4NgwFC4Y58zB9tDb
     for <rjones@mydomain.com>; Mon, 26 Dec 2022 19:16:47 -0500 (EST)
X-Greylist: greylisting inactive for rjones@mydomain.com in SQLgrey-1.8.0
Authentication-Results: my.efa.domain.com; dkim=permerror (bad message/signature format)
Received: from [20.64.171.118] (port=51839 helo=vidyabhavancollege.edu.in)
     by celeborn.hostbox12.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     (Exim 4.95)
     (envelope-from <support@vidyabhavancollege.edu.in>)
     id 1p9xeB-0001SB-OQ
     for rjones@mydomain.com;
     Tue, 27 Dec 2022 05:46:45 +0530

From: DealerServices
To: rjones@mydomain.com
Subject: Licensee Profile Information Required
Date: 26 Dec 2022 19:16:44 -0500

Message-ID: <20221226191644.18A75BF9BFBBDF68@from.header.has.no.domain>
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----=_NextPart_000_0012_2FDBD48D.BCCBF492"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - celeborn.hostbox12.com
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - vidyabhavancollege.edu.in
X-Get-Message-Sender-Via: celeborn.hostbox12.com: authenticated_id: support@vidyabhavancollege.edu.in
X-Authenticated-Sender: celeborn.hostbox12.com: support@vidyabhavancollege.edu.in
X-Source:
X-Source-Args:
X-Source-Dir:

From:	support@vidyabhavancollege.edu.in
To:	rjones@mydomain.com
Subject:	Licensee Profile Information Required

Code:

1.90	BAYES_00	Bayes spam probability is 0 to 1%
-0.40	DCC_REPUT_00_12	DCC reputation between 0 and 12 % (mostly ham)
1.40	HTML_IMAGE_ONLY_28	HTML: images with 2400-2800 bytes of words
0.00	HTML_MESSAGE	HTML included in message
-0.00	RCVD_IN_MSPIKE_H2	Average reputation (+2)
0.00	SPF_HELO_NONE	SPF: HELO does not publish an SPF Record
-0.00	SPF_PASS	SPF: sender matches SPF record
1.77	URI_TRY_3LD	"Try it" URI, suspicious hostname
outlook email headers:

Code:

Received: from my.efa.domain.com (192.168.1.25) by server.flut.local
 (192.168.1.5) with Microsoft SMTP Server id 14.3.498.0; Mon, 26 Dec 2022
 19:16:50 -0500
X-Spam-Status: No
DKIM-Filter: OpenDKIM Filter v2.11.0 my.efa.domain.com 4NgwFG4Z6BzB9tDl
X-pclv-MailScanner-EFA-Watermark: 1672705008.87345@WKC+oOSSN+qfEOsFU59BSQ
X-pclv-MailScanner-EFA-From: support@vidyabhavancollege.edu.in
X-pclv-MailScanner-EFA: Found to be clean
X-pclv-MailScanner-EFA-ID: 4NgwFC4Y58zB9tDb
X-pclv-MailScanner-EFA-Information: Please contact admin@mydomain.com for more information.
Received: from celeborn.hostbox12.com (celeborn.hostbox12.com
 [209.236.116.247])	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
 (256/256 bits))	(no client certificate requested)	by my.efa.domain.com
 (MailScanner Milter) with SMTP id 4NgwFC4Y58zB9tDb	for
 <rjones@mydomain.com>; Mon, 26 Dec 2022 19:16:47 -0500 (EST)
X-Greylist: greylisting inactive for rjones@mydomain.com in SQLgrey-1.8.0
Received: from [20.64.171.118] (port=51839 helo=vidyabhavancollege.edu.in)	by
 celeborn.hostbox12.com with esmtpsa  (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	(Exim 4.95)	(envelope-from
 <support@vidyabhavancollege.edu.in>)	id 1p9xeB-0001SB-OQ	for
 rjones@mydomain.com;	Tue, 27 Dec 2022 05:46:45 +0530
 
From: <DealerServices@my.efa.domain.com>
To: <rjones@mydomain.com>
Subject: Licensee Profile Information Required
Date: Mon, 26 Dec 2022 19:16:44 -0500

Message-ID: <20221226191644.18A75BF9BFBBDF68@from.header.has.no.domain>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0012_2FDBD48D.BCCBF492"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - celeborn.hostbox12.com
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - vidyabhavancollege.edu.in
X-Get-Message-Sender-Via: celeborn.hostbox12.com: authenticated_id: support@vidyabhavancollege.edu.in
X-Authenticated-Sender: celeborn.hostbox12.com: support@vidyabhavancollege.edu.in
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: support@vidyabhavancollege.edu.in
X-MS-Exchange-Organization-AuthSource: server.flut.local
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 10
The from address delivered was "DealerServices@my.efa.domain.com" instead of
From: support@vidyabhavancollege.edu.in
Attachment: the email.png (screenshot of the email From section)
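A header check for the case described in this post, added here as an example (it is not EFA, MailScanner or the poster's own code); the gateway hostname and the sample headers are assumptions modelled on the headers quoted above. It flags a From: header that carries no domain before the gateway rewrites it, and a From: domain equal to the gateway's own hostname after it does.

```python
"""Flag From: headers with no domain, or whose domain is the gateway's own.
Added example for the post's case; not EFA or MailScanner code."""
import email
from email.utils import parseaddr

GATEWAY_HOST = "my.efa.domain.com"  # assumed gateway hostname

# Constructed sample (body omitted), modelled on the headers quoted in the post.
RAW_BEFORE = """\
Return-Path: support@vidyabhavancollege.edu.in
From: DealerServices
To: rjones@mydomain.com
Subject: Licensee Profile Information Required

"""
# The same message as seen in the mailbox: the gateway appended its own domain.
RAW_AFTER = RAW_BEFORE.replace("From: DealerServices",
                               "From: <DealerServices@my.efa.domain.com>")
# A well-formed From: whose domain matches the envelope sender.
RAW_OK = RAW_BEFORE.replace("From: DealerServices",
                            "From: support@vidyabhavancollege.edu.in")


def domain_of(addr):
    """Lower-cased domain part of an addr-spec, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_from(raw, gateway_host=GATEWAY_HOST):
    """Return a list of finding tags for the From: header of a raw message."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        # Bare display name or local part only: an MTA that rewrites headers
        # will append its own domain here, as happened in the post.
        return ["from-no-domain"]
    findings = []
    if from_domain == gateway_host.lower():
        findings.append("from-domain-is-gateway")
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    rp_domain = domain_of(rp_addr)
    if rp_domain and rp_domain != from_domain:
        findings.append("from-return-path-mismatch")
    return findings
```

The mismatch tag is only context (forwarders and lists produce it legitimately); the first two tags are the ones that match this post's message.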
Zwabber
Posts: 69
Joined: 14 Feb 2016 21:26

Re: spam missing from domain.

Post by Zwabber »

Have a look at these 2 topics:
viewtopic.php?t=1278
viewtopic.php?f=14&t=1237