@Michael- If you look at the raw content of these malicious messages you should find that while the From header references the user's email address, the Return-Path is specific to the actual spammer. This is a pretty common tactic, and your best bet is: 

- Implement SPF records for the affected domain. 

- Implement DKIM/DMARC for the affected domain. 

- Enable SPF/DKIM/DMARC checks in SmarterMail and assign significant weight for failure. 

In the meantime, you can copy the sending user's original email address and implement an SMTP Block to prevent further messages from that address in particular. If you need any help getting this squared away please don't hesitate to submit a ticket with us. Have a good one!

I wanted to add that I see spam filter catching it but it the system releases the email with the message Safe sender is in GAL. so it releases the spam..

Return-Path: <admin@doamin.com>
Received: from [196.249.99.45] (UnknownHost) by mail.domain.com with SMTP;
   Mon, 25 Oct 2021 04:14:48 -0700
From: <admin@domain.com>
To: <admin@domain.com>
Date: 25 Oct 2021 15:42:43 +0200
MIME-Version: 1.0
Subject: You have an outstanding payment.
Message-ID: <6176BBD3.9147.2F4D1B@admin.domain.com>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.52)
Content-type: text/plain; charset="iso-8859-3"
Content-transfer-encoding: 8BIT
Content-description: Mail message body
X-SmarterMail-Spam: Reverse DNS Lookup [ReverseFailed]: 20, Null Sender: 0, Cyren [Confirmed]: 40, Message Sniffer [code:53]: 30, ISpamAssassin [raw:2]: 3, SPF [Neutral]: 0, DK [None]: 0
X-SmarterMail-SpamDetail: 2.4 RDNS_NONE Delivered to internal network by a host with no rDNS
X-CTCH-RefId: str=0001.0A702F21.617691B6.001E,ss=4,re=0.000,recu=0.000,reip=0.000,pt=C_6299,cl=4,cld=1,fgs=12
X-MessageSniffer-ResultCode: 53
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - System)

Hello there!

Unfortunately, there are some bad news for you.
Around several months ago I have obtained access to your devices that you were using to browse internet.
Subsequently, I have proceeded with tracking down internet activities of yours.

Below, is the sequence of past events: 
In the past, I have bought access from hackers to numerous email accounts (today, that is a very straightforward task that can be done online).
Clearly, I have effortlessly logged in to email account of yours 

 

I have that stuff turned on and it should of been deleted coming in.  All I need is a weight of 30 to be completely deleted.  It is being released at the end as a trusted sender after all those failures.

I had something similar to this happen the other day. The recipient had their own email address as a contact in their SM account and a spammer was spoofing it so it was coming through as (Trusted Sender - Contact). I had them remove their own address from their contacts, but this still did not solve the issue because their address was in the GAL. Since this particular customer didn't care about and does not use the GAL, I had them remove the address from the GAL too. It was still happening after that which I thought was weird so I restarted the SM service and  I asked them to reach back out to me if another one made it through like this. I have not heard back in a few days so I'm thinking this may have resolved it, but I will need to follow up with him today to be sure.

If needing to remove addresses from the GAL is the only way to stop this then it's probably something SmarterTools dev may want to look into because removing addresses is not a real solution unfortunately :(

this is exactly what I tried didn't fix it..  Also you can't remove them from the GAL if they use IMAP.  It's just how it works.. 

Thanks for your follow-up on this Michael. I don't think we need to disable anything just yet. I'd like to take a look at the SMTP and Delivery log traffic further on this one to see how they're managing to bypass the spam checks. We don't bypass based on the from address alone, so I think there must be some whitelisting in place somewhere that is allowing this through. For now, can you share screenshots of your Settings>Protocols>SMTP In card? If you could head over to Manage>Troubleshooting>View Logs and review the SMTP and Delivery log results for the from address/return-path this might also shed some light on the situation. I hope this helps!

Delivery Log:

[2021.10.25] 04:14:50.251 [97096445] Delivery started for admin@domain.com at 4:14:50 AM
[2021.10.25] 04:15:02.252 [97096445] Added to SpamCheckQueue (1 queued; 0/50 processing)
[2021.10.25] 04:15:02.252 [97096445] [SpamCheckQueue] Begin Processing.
[2021.10.25] 04:15:02.252 [97096445] Blocked Sender Checks started.
[2021.10.25] 04:15:02.252 [97096445] Blocked Sender Checks completed.
[2021.10.25] 04:15:02.298 [97096445] Unable to parse Command Line Path:
[2021.10.25] 04:15:02.298 [97096445] Command line exe finished.
[2021.10.25] 04:15:02.298 [97096445] Spam Checks started.
[2021.10.25] 04:15:02.314 [97096445] [Cyren Client] Start Scanning Message. Enabled Services: AntiSpam, MailFrom: admin@domain.com, SenderIP: 196.249.99.45, MessagePath: D:\SmarterMail\Spool\SubSpool3\497096445.eml
[2021.10.25] 04:15:02.361 [97096445] [Cyren Client] Done Scanning Message. MessagePath: D:\SmarterMail\Spool\SubSpool3\497096445.eml Results AV: Did not run., AS: Confirmed
[2021.10.25] 04:15:11.502 [97096445] Spam Check results: [REVERSE DNS LOOKUP: 20,ReverseFailed], [NULL SENDER: 0,passed], [_CYREN: 40,Confirmed], [_MESSAGESNIFFER: 30,code:53], [_INTERNALSPAMASSASSIN: 2:3], [_SPF: 0,Neutral], [_DK: 0,None], [HOSTKARMA - BLACKLIST: 0,passed], [HOSTKARMA - BROWNLIST: 0,passed], [HOSTKARMA - WHITELIST: 0,passed], [SORBS - ABUSE: 0,passed], [SORBS - DYNAMIC IP: 0,passed], [SORBS - PROXY: 0,passed], [SORBS - SOCKS: 0,passed], [SPAMCOP: 0,passed], [SPAMHAUS - PBL: 0,passed], [SPAMHAUS - PBL2: 0,passed], [SPAMHAUS - SBL: 0,passed], [SPAMHAUS - XBL: 0,passed], [SPAMHAUS - XBL2: 0,passed], [SURBL: 0,passed], [UCEPROTECT LEVEL 1: 0,passed], [UCEPROTECT LEVEL 2: 0,passed], [UCEPROTECT LEVEL 3: 0,passed], [URIBL: 0,passed]
[2021.10.25] 04:15:11.502 [97096445] Spam Checks completed.
[2021.10.25] 04:15:11.502 [97096445] Removed from SpamCheckQueue (0 queued or processing)
[2021.10.25] 04:15:14.253 [97096445] Added to LocalDeliveryQueue (1 queued; 0/50 processing)
[2021.10.25] 04:15:14.253 [97096445] [LocalDeliveryQueue] Begin Processing.
[2021.10.25] 04:15:14.253 [97096445] Starting local delivery to admin@domain.com
[2021.10.25] 04:15:14.253 [97096445] Skipping spam filtering: Trusted Sender (system level)
[2021.10.25] 04:15:14.268 [97096445] Process delivery status notification step from local recipient success. Recipient: [admin@domain.com], Notify: [], Delivered: [True], Forwarded: [True], Deleted: False
[2021.10.25] 04:15:14.268 [97096445] Delivery for admin@domain.com to admin@domain.com has completed (Forwarded Delivered) Filter: None
[2021.10.25] 04:15:14.268 [97096445] End delivery to admin@domain.com (MessageID: <6176BBD3.9147.2F4D1B@admin.domain.com>)
[2021.10.25] 04:15:14.268 [97096445] Starting local delivery to webmaster@elinkworld.com
[2021.10.25] 04:15:14.284 [97096445] Skipping spam filtering: Trusted Sender (system level)
[2021.10.25] 04:15:14.284 [97096445] Process delivery status notification step from local recipient success. Recipient: [webmaster@elinkworld.com], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2021.10.25] 04:15:14.284 [97096445] Delivery for admin@domain.com to webmaster@elinkworld.com has completed (Delivered) Filter: None
[2021.10.25] 04:15:14.284 [97096445] End delivery to webmaster@elinkworld.com (MessageID: <6176BBD3.9147.2F4D1B@admin.domain.com>)
[2021.10.25] 04:15:14.284 [97096445] Removed from LocalDeliveryQueue (0 queued or processing)
[2021.10.25] 04:15:17.253 [97096445] Removing Spool message: Killed: False, Failed: False, Finished: True
[2021.10.25] 04:15:17.253 [97096445] Delivery finished for admin@domain.com at 4:15:17 AM    [id:497096445]

SMTP Log:

Nothing in SMTP log for IP addressed used.

As far as whitelist they might have their own address in the whitelist or trusted users etc..  I will check.  I see some of the addresses were setup to show in GAL not sure that helps. 

The Delivery log in this case is pointing at a system-level Trusted Sender record that is allowing the messages through. I recommend checking Settings>Antispam>Options>Trusted Senders as there is likely an entry here for this domain which is allowing the bypass. Also, can you take one more screenshot of the bottom of the Settings>Protocols>SMTP In card? The toggles there at the bottom are the critical ones. Beyond that you'll also want to verify your domains are all configured to require SMTP Authentication. Thanks Michael!

Ok there was 2 domains in the listed trusted senders.. I just removed both.. weird I don't remember setting that at all and this is the first time I had weird spam issues. 

here is the bottom of the smtpin screenshot.. sorry forgot to upload that last time.

Thanks, and not to worry! The two toggles I was worried about were: 

and

These are both in great shape, so I am betting it was the system level trusted sender values that were causing trouble. Have you seen any further instances of this since doing so?

Still looking and will report if and when I hear from user.