Spam that appears to come from my own domain via copfilter

[skullhex]

I am running ipcop 1.4.21 in production and am having an issue with what appears to be spam with dangerous attachments appearing to be sent from domains on the server to people on the domains. The emails appear to come from or are using the email address used for the copfilter email. The emails are directed through spamassassin then antigen before delivery to the recipient. If i increase the level of scanning it will stop legitimate emails which creates bigger issues. Below is a typical email header that I hope might help someone help me.
================================================================================
Return-Path: fax@lembkeforjudge.com
Received: from mail.placebo.com ([192.168.11.211])
by placebo.com
; Wed, 9 Apr 2014 13:35:27 -0400
Received: from aexp.com ([125.60.156.206]) by mail.placebo.com with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 9 Apr 2014 13:33:33 -0400
Received: from (125.60.156.206) by outlook.placebo.com (10.0.4.54) with Microsoft SMTP Server
(TLS) id 15.0.712.24 via Frontend Transport; Wed, 9 Apr 2014 09:33:31 -0800
Received: from p3plsmtpa07-08.prod.phx3.secureserver.net (p3plsmtpa00-00.prod.phx3.secureserver.net [173.201.192.54]) by
us-mta-1.us.mimecast.lan; Wed, 9 Apr 2014 09:33:31 -0800
Received: from MFP36154589 ([68.14.231.54]) by p3plsmtpa04-02.prod.phx3.secureserver.net with id gLSc1n0084GVDEDK6U5M0C;Wed, 9 Apr 2014 09:33:31 -0800
Date: Wed, 9 Apr 2014 09:33:31 -0800
From: "Administrator" <Administrator@placebo.com>
Subject: New Fax: 3 pages
To: dltbzkakx@placebo.com
Message-ID: <TTEC99dff903-e765-560e-b586-bcac3d6e1aaa@>
MIME-Version: 1.0
X-Mailer: Uacett 4.0
X-MC-Unique: VGIFXS1MRFCGPGUAH1CDGR-1
Content-Type: multipart/mixed;
boundary="TTEC99dff903-e765-560e-b586-bcac3d6e1aaa"
Return-Path: scans@logicllp.com
X-MS-Exchange-Organization-Network-Message-Id: TTEC99dff903-e765-560e-b586-bcac3d6e1aaa@logicllp.com
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: outlook.placebo.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginalArrivalTime: 09 Apr 2014 17:33:34.0804 (UTC) FILETIME=[D563D940:01CF5419]
X-MS-Antispam-Report: v=2.1 cv=Q/jrveGa c=1 sm=1 tr=0 a=x7H2LGeBozfWQORW+*beep*==:117 a=x7H2LGeBozfWQORW+*beep*==:17 a=cNM7DhYYYE0A:10 a=8pG9DwIyVKoA:10 a=fgzsk4ygAAAA:8 a=0-cTjWCDAAAA:8 a=xpKI89doAAAA:8 a=TZb1taSUAAAA:8 a=r77TgQKjGQsHNAKrUKIA:9 a=9iDbn-4jx3cA:10 a=cKsnjEOsciEA:10 a=AgFaqcCIyERpBp7MQRYA:9 a=Ft8UYL4EG9YA:10 a=YyfxusTsEIEA:10 a=FdLMb1OMWbgA:10 a=aJuc8aQBgsYA:10 a=1pNLmpva4ozvFrPZH10A:9 a=DCSRzTsvkd1WYFfZQ_kA:14 a=IKIoO-ieCDEA:10

[karesmakro]

Hi,

can you check please, if you have an open relay: http://www.spamhelp.org/shopenrelay/

and I recommend you, to replace your ip address and mail address from the open internet!

You can also send me a pn, if you have sensitive information

regards

[skullhex]

Thanks for the quick reply. Those IP addresses are not mine but I did not change them. I did check my IP and it is not an open relay. Not sure what direction to look in but the amount of dangerous attachments is serious.

[karesmakro]

I think, I misunderstood your first post. This is called email address forgery http://en.wikipedia.org/wiki/Email_spoofing
The question is, does clamav recognice the content as virus and is it scanned by spamassassin? For spamassassin, you can check the log file on the page Tests & Logs (spamd.log), Clamav you can check, by copy the content to e.g. /tmp and run the command

Code: Select all

/var/log/copfilter/default/opt/clamav/default/bin/clamdscan --fdpass /tmp/<yourfile>

did you whitelisted your mail address on ipcop?

[skullhex]

Yes I believe it is spoofing. I do not have any domains in the whitelist. Clamav is stopping some but just as much is getting through. I have tried to setup SPF but unless it is setup incorrectly it does not appear to be working.

[karesmakro]

What's about renattach? You say, the mail has malicous content. Just activate renattach and it should block the executables

[skullhex]

Thank you karesmakro. Your help is appreciated greatly. I am going to run the spam command procedure which should help. I can't use renattach because my users already complained about emailing and receiving emails that they wanted which contained .exe files. I am not sure what else I can do to mitigate this issue which continues to plague me as I type this.

[karesmakro]

Could you please Check, if SPF is activated on your local.cf and how the score is set. (/var/log/copfilter/default/opt/mail-spamassassin/etc/mail/spamassassin)
There should be something like

Code: Select all

score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000

could you save one of this mails to ipcop e.g. to /tmp and send me the output to karesmakro at copfilter dot org

Code: Select all

/var/log/copfilter/default/opt/mail-spamassassin/default/bin/spamassassin -D < /tmp/<mailname> > /tmp/spamcheck.log 2>&1

thanks

[skullhex]

I don't see the SPF lines in the local.cf.What should I do? Can they be entered manually? Also If you could explain the steps to run the test you ask for? I am moderately skilled but this is not my area of expertise and I don't want to "blow out" a firewall in production.

[karesmakro]

Before you going to change something, I'll start my test machine today evening and take a look at the state of spamassassin.
The command I told you, does help, which rules are working and where to make the approach.

The steps would be, to save the email from your Mail-Programm in a file.
- copy the file with (for e.g.) winscp to the /tmp directory
- after then run the command I described
- copy back the output of spamcheck.log back to your pc and post me

this command does not make any settings on your machine nor interrupts any processes on your machine!
After this command you can of course delete the file in tmp directory