spam from the own user

Problem reported by Victor Braun Rodrigues - 11/9/2017 at 4:42 AM

Resolved

SM 15.7.6474

Since we migrated from version 14 to 15 we started receiving spam supposedly sent by the email account itself, how to solve it?

12 Replies

Reply to Thread

Linda Pagillo Replied

11/9/2017 at 6:50 AM

Hi Victor. Can you post a header from one of those spam messages please?

Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Office: 703.988.3606 Authorized Reseller of SmarterTools Products Authorized Reseller of Message Sniffer

ScottF Replied

11/9/2017 at 7:18 AM

There is a thread on this problem already. See:

https://portal.smartertools.com/community/a87739/vulnerability-local-domains-being-spoofed.aspx

Victor Braun Rodrigues Replied

11/9/2017 at 9:31 AM

tks Linda, here one header

From - Tue Nov 7 07:37:04 2017
X-Account-Key: account3
X-UIDL: sm_00070124_a706495fb71b4f469b52e4033eb58327
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <www-data@cloud1998705.nitrado.cloud>
Received: from antispam-d.eveo.com.br (antispam-d.eveo.com.br [187.108.193.143]) by mail3.gosites.com.br with SMTP
(version=TLS\Tls12
cipher=Aes256 bits=256);
Tue, 7 Nov 2017 02:36:46 -0200
Received: from cloud1998705.nitrado.cloud ([5.83.162.197])
by antispam-d.eveo.com.br with esmtp (Exim 4.89)
(envelope-from <www-data@cloud1998705.nitrado.cloud>)
id 1eBvMa-0005MO-4J
for gosites@gosites.com.br; Tue, 07 Nov 2017 02:19:54 -0200
Received: by cloud1998705.nitrado.cloud (Postfix, from userid 33)
id 6DB577EFEA; Tue, 7 Nov 2017 05:19:05 +0100 (CET)
To: gosites@gosites.com.br
Subject: {RHHJMT} Como foi pedido Curriculum Vitae-Camila Mendes - [ 411919303 ]
X-PHP-Originating-Script: 0:s.php
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: <gosites@gosites.com.br
>
Message-Id: <20171107041905.6DB577EFEA@cloud1998705.nitrado.cloud>
Date: Tue, 7 Nov 2017 05:19:05 +0100 (CET)
X-Sender-Warning: cloud1998705.nitrado.cloud has no MX records
Authentication-Results: antispam-d.eveo.com.br; dmarc=none header.from=gosites.com.br
X-SpamExperts-Class: unsure
X-SpamExperts-Evidence: Combined (0.58)
X-Recommended-Action: accept
X-Filter-ID: PqwsvolAWURa0gwxuN3S5YEa3T7JuZT23fGO2rGt3ZggOFHBxYsDMIdVAkwBrLMa0u8G98/UgOFR
rRXtKAAmOSJ4FxkoV9MEM2g1d+E/OYDTPpuFqUUQz+mM8JAD4ECWUW0HjGdoUeVnjb/QwXeAGXTk
VQ4HyjjJ0PiMsggSFFCaCRPDiKO7Iku/PLIDcoVx9ZwDW1XYb6wnQu7xWCFgM1rl5JatvxMn9Fbi
0P6ZQI4jAh+TpYcw1ozo6U81iWF3D5d5g1gU7a6hXFAJQs+si3LYM3A6BXfvel8OEFDbU519+JEt
UaspVYdavoLhRnrLNp+sq3L0D78C/jelX5CBusJOm0DhhbaCw0fn+Saj9BPky3SXBOu5ZIOIeNH0
wYEpA56wnx1wZKdVO3wfZtaeXxZGXvTVoq99hK1XsFHTYeb82Rj9tkECNMhjiNEILs6iGo10yHrl
YhCkOtJvv/jjo/oBUi9j4guwjtuvWRr9lUzgU9jtghNmkxc/ANj0evA6UsJCpbUCs6Vs/BaTVz+4
zX06Qg/qdfxQqT8m5XqHIheImFLsMxJbtSiwzD5LElsnYYAd+3EkXV/kvHkhjFb7jj52+6yNFX3q
g/VyYVvTk4dZlfiPJk7i7nqoINZh34VguV6ROn4opq8DnRCgSmq69GXJweRuMt7Xy8Qaz/C/mBL1
XcjznCcGX/phhCbs0USPSQrikj8BuJwovGfCqVd0VGSKOBkwW+D7ei8Z/QFY6gUXDNo97AtYGN00
/fKrrCQbPz0RB263/Ch/r7Jn1zE+Hh8eOqOfO5GqjB+trjwP8z2zRv6WnaEQOXYzjm7lPcBlVb4L
pkOIraEYDeQ0xB0Y6YAJ3dHgaRQYTiRGk4UIccY=
X-Report-Abuse-To: spam@antispam-b.eveo.com.br
X-SmarterMail-Spam: Commtouch 30 [value: Confirmed], ISpamAssassin 0 [raw: 0], SPF_None, DK_None, DKIM_None
X-CTCH-RefId: str=0001.0A020201.5A012CCF.00AE,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - System)

Linda Pagillo Replied

11/9/2017 at 11:42 AM

Thanks Victor. Question... Why do you have gosites@gosites.com.br as a trusted sender at the system level when that address lives on your server?

Victor Braun Rodrigues Replied

11/9/2017 at 12:03 PM

good question Linda, we have ... i remove it now and see

kevind Replied

11/9/2017 at 2:10 PM

Unfortunately, removing Trusted Senders doesn't help much. Our users still receive spam sent by their own email address. But now it might get scored by a RBL, Commtouch, etc.

Linda Pagillo Replied

11/9/2017 at 2:32 PM

If it gets scored you can filter it out as spam.

Employee Replied

11/9/2017 at 2:47 PM

Employee Post

Hello Victor. This message would have been identified as spam, however the sending domain is listed as a system-wide trusted sender, so any spam results are ignored. See the very last line of this header.

Victor Braun Rodrigues Replied

11/9/2017 at 4:58 PM

I think this should not occur since the sender is not who's in the from effectively ... but apparently it worked, I'm still monitoring

thanks for all

Andrea Free Replied

8/13/2018 at 10:42 AM

Employee Post

Hello Victor,

This is, unfortunately, a known issue in SmarterMail 15.x. However, it has been resolved in SmarterMail 16.3.6543:

Changed: SMTP and Delivery processes now utilize the From address in email headers if it is provided; provides better spoofing protection.

Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com

kevind Replied

8/14/2018 at 10:07 AM

FWIW, I would vote to see this fixed in v15.

Andrea Free Replied

8/14/2018 at 4:07 PM

Employee Post

Kevin, I reached out to the development team with this request, and I'm afraid we aren't able to implement this change in SmarterMail 15.x. Unfortunately, the foundation of the product doesn't support this change in version 15.x or earlier.

Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com

Back to Community Threads

Please leave this box unchecked

12 Replies

Reply to Thread

Tags

Related Knowledge Base Articles