Very Odd Spam Delivery 1D8B01E1-0334
Question asked by SpamHurts - 9/16/2015 at 11:43 PM
Unanswered
Have a customer, and they are getting strange spam. Here is the header:

 Return-Path: <>
Received: from 190.32.136.50 (UnknownHost [190.32.136.50]) by maila4.spamhurtz.com with SMTP;
Tue, 15 Sep 2015 08:57:40 -0700
Received: from unknown (HELO localhost) (http://europe-pharm.com/en/@101.88.178.146)
by 190.32.136.50 with ESMTPA; Tue, 15 Sep 2015 10:58:31 -0500
X-Originating-IP: 101.88.178.146
From: http://europe-pharm.com/en/
To: postmaster@mycustomer.com
 
That was the entire header. In fact, I could not see the header option in the preview pane, only when I opened the message could I see the option to view the header.
 
You can see that it appears to come from a sender named europe-pharm.com. 
Here is the SMTP log. 

[2015.09.15] 08:57:34 [190.32.136.50][37012863] rsp: 220 maila4.spamhurtz.com
[2015.09.15] 08:57:34 [190.32.136.50][37012863] connected at 9/15/2015 8:57:34 AM
[2015.09.15] 08:57:34 [190.32.136.50][37012863] cmd: HELO 190.32.136.50
[2015.09.15] 08:57:34 [190.32.136.50][37012863] rsp: 250 maila4.spamhurtz.com Hello [190.32.136.50]
[2015.09.15] 08:57:35 [190.32.136.50][37012863] cmd: MAIL FROM:<>
[2015.09.15] 08:57:35 [190.32.136.50][37012863] rsp: 250 OK <> Sender ok
[2015.09.15] 08:57:35 [190.32.136.50][37012863] cmd: RCPT TO:<postmaster@mycustomer.com>
[2015.09.15] 08:57:35 [190.32.136.50][37012863] rsp: 250 OK <postmaster@mycustomer.com> Recipient ok
[2015.09.15] 08:57:35 [190.32.136.50][37012863] cmd: DATA
[2015.09.15] 08:57:40 [190.32.136.50][37012863] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.09.15] 08:57:40 [190.32.136.50][37012863] rsp: 250 OK
[2015.09.15] 08:57:40 [190.32.136.50][37012863] Data transfer succeeded, writing mail to 92656942.eml
[2015.09.15] 08:57:40 [190.32.136.50][37012863] cmd: QUIT
[2015.09.15] 08:57:40 [190.32.136.50][37012863] rsp: 221 Service closing transmission channel
[2015.09.15] 08:57:40 [190.32.136.50][37012863] disconnected at 9/15/2015 8:57:40 AM
 
 
And here is what is very odd. When I search my delivery log for 92656942, this is what comes up.
 
[2015.09.15] 08:57:37 [56942] Delivery started for  at 8:57:37 AM
[2015.09.15] 08:58:12 [56942] Skipping spam checks: No local recipients
[2015.09.15] 08:58:15 [56942] Sending remote mail for 
[2015.09.15] 08:58:15 [56942] Spam check results: [_COMMTOUCH: 35,Confirmed], [BARRACUDA BRBL: failed], [SPAMCOP: failed]
[2015.09.15] 08:58:15 [56942] This message cannot be delivered as it was marked as spam. Weight: 71
[2015.09.15] 08:58:15 [56942] Delivery for  to abuse@spamhurts.com has completed (Bounced)
[2015.09.15] 08:58:18 [56942] Delivery finished for  at 8:58:18 AM    [id:92656942]
 
 
 It says that it is addressed to "postmaster" but it delivers to the primary admin, and there is no catch all or alias. 
 
Please help me understand how this is happening. Since it is not really being delivered, it is not getting filtered by my content filter. This is a tad stressful. 
 
Thank you in advance. 
Remember kids, every time a spam message gets blocked, a nerd gets their glasses. spamhurts/July 15
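
An added example, not part of the original thread or of the mail server's own tooling: a small triage script for the SMTP log format quoted above that groups lines by session id and surfaces sessions combining a bare-IP HELO, a null sender (MAIL FROM:<>) and a postmaster@ recipient, returning the spool id to look up in the delivery log. The function names, trait labels and the second (benign) session are assumptions made for illustration.

```python
import re

# Line layout taken from the SMTP log quoted in the post:
# [date] time [client ip][session id] text
LINE = re.compile(r"^\[[\d.]+\] [\d:]+ \[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] (?P<text>.*)$")
HELO = re.compile(r"^cmd: (?:HELO|EHLO) (\S+)", re.I)
MAIL = re.compile(r"^cmd: MAIL FROM:\s*<([^>]*)>", re.I)
RCPT = re.compile(r"^cmd: RCPT TO:\s*<([^>]*)>", re.I)
EML = re.compile(r"writing mail to (\d+)\.eml")
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Two sessions: the first is copied from the post, the second is constructed
# (documentation address and example.org) to show a session that is not flagged.
SAMPLE_LOG = """\
[2015.09.15] 08:57:34 [190.32.136.50][37012863] cmd: HELO 190.32.136.50
[2015.09.15] 08:57:35 [190.32.136.50][37012863] cmd: MAIL FROM:<>
[2015.09.15] 08:57:35 [190.32.136.50][37012863] cmd: RCPT TO:<postmaster@mycustomer.com>
[2015.09.15] 08:57:40 [190.32.136.50][37012863] Data transfer succeeded, writing mail to 92656942.eml
[2015.09.15] 09:01:02 [192.0.2.10][37012999] cmd: EHLO mail.example.org
[2015.09.15] 09:01:02 [192.0.2.10][37012999] cmd: MAIL FROM:<alice@example.org>
[2015.09.15] 09:01:03 [192.0.2.10][37012999] cmd: RCPT TO:<bob@mycustomer.com>
[2015.09.15] 09:01:05 [192.0.2.10][37012999] Data transfer succeeded, writing mail to 92656950.eml
"""

def triage(log_text):
    """Group log lines by session id and return {sid: {"ip", "eml", "traits"}}."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"ip": m["ip"], "eml": None, "traits": set()})
        text = m["text"]
        if (h := HELO.match(text)) and BARE_IPV4.match(h[1]):
            s["traits"].add("helo-bare-ip")        # RFC 5321 wants [a.b.c.d] for a literal
        elif (f := MAIL.match(text)) and f[1] == "":
            s["traits"].add("null-sender")         # normal for bounces, so not a verdict alone
        elif (r := RCPT.match(text)) and r[1].lower().startswith("postmaster@"):
            s["traits"].add("postmaster-rcpt")
        elif e := EML.search(text):
            s["eml"] = e[1]                        # spool id to look up in the delivery log
    return sessions

def review_queue(log_text):
    """Sessions showing all three traits of the post's message, as (sid, ip, eml)."""
    want = {"helo-bare-ip", "null-sender", "postmaster-rcpt"}
    return [(sid, s["ip"], s["eml"]) for sid, s in triage(log_text).items() if s["traits"] >= want]
```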

3 Replies

Employee Replied
Hello. This Community Post will describe the change made to the postmaster account.
Joe Wolf Replied
This recent change where postmaster@ messages are being delivered to the domain administrator has been a spam nightmare.  Many of the domain administrators have no idea why they're receiving them (and they shouldn't be receiving them).
Thanks, -Joe
Employee Replied
Joe, we have a custom build available that introduces two new settings that allow system admins to enable/disable the option to send postmaster@ messages to the primary domain admin. If you would like it, please contact sales@smartertools.com.

This change/fix will be included in the next minor release also.
