Email spoofing 2

Hi guys

I am having two email spoofing problems that I will discuss in separate post. The second problem I have is I am receiving an email up to 50 times a day that appears to be ‘to’ and ‘form’ me. The source is below. I have changed the ‘Edit Sender Permitted From’ to ‘Disallow (-all)’ and restarted both postfix and bind but that has not made any difference. I have sent the email to but again it did not stop the email.

Can you please suggest anything that I can do to stop this spam?

From - Fri May 31 09:59:14 2013 X-Account-Key: account4 X-UIDL: 0000141b4cda4628 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 X-Mozilla-Keys: Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on X-Spam-Level: X-Spam-Status: No, score=-76.4 required=5.0 tests=BAYES_50,FILL_THIS_FORM, FILL_THIS_FORM_LONG,HELO_DYNAMIC_IPADDR2,HELO_DYNAMIC_SPLIT_IP, RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PSBL,RCVD_IN_RP_RNBL, RCVD_IN_SORBS_WEB,RDNS_NONE,SPF_SOFTFAIL,TVD_RCVD_IP,T_RCVD_IN_SEMBLACK, URIBL_BLACK,URIBL_RHS_DOB,USER_IN_WHITELIST autolearn=no version=3.3.2 X-Original-To: Delivered-To: Received: from (unknown []) by (Postfix) with ESMTP id 540633660487 for ; Fri, 31 May 2013 05:46:50 +0800 (WST) Received: from apache by with local (Exim 4.63) (envelope-from <>) id 51JDB3-J4Q6FZ-A6 for ; Thu, 30 May 2013 23:46:49 +0200 To: Subject: Environmental organization is expanding and currently recruiting worldwide reps Date: Thu, 30 May 2013 23:46:49 +0200 From: Message-ID: <> X-Priority: 3 X-Mailer: PHPMailer 5.1 ( MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="Windows-1252"

Commission of 5 percent on 200K USD monthly turnover derived
from sales of intellectual property products on the internet

Features required:

  • Company ownership
  • Timely performance of all tasks
  • Continuous availability for Email, Skype and telephone feedback

Considering your interest, please furnish us with the following:

  • Full Name
  • Age
  • Location
  • Telephone
  • Email

Please reply to:

Kind Regards,
Marketing, Liaison and HR Department

I think the problem is that the user is whitelisted in your spamassassin config, because spamassassin added the following flag


The score for that is -100, so you get the following:

score=-76.4 required=5.0

Hi helpmin

Yes the User is probably whitelisted however correct me if I am wrong I thought that setting ‘Edit Sender Permitted From’ to ‘Disallow (-all)’ would prevent mail being sent to the virtual server to and from the User from an external IP Address.

So the way I read it is if ‘Edit Sender Permitted From’ is set to ‘Disallow (-all)’ and if your IP Address is and the User or any one on sends an email To: User and From: User the email would be sent. However if the mail is sent from any other IP Address then only two of the three conditions are correct and the mail would be dropped. Which should prevent this particular type of email spoofing.

In the mail above the Received: from is not my servers IP Address and is probably a fake IP address but the mail is still arriving.

Hi, you asked:

Can you please suggest anything that I can do to stop this spam?

I suggested to “not whitelist” the user, because spamassassin would reliably flag those emails as SPAM.

Unfortunately I am not familar with that “disallow” option (where did you find it in Virtualmin)?

But you could also check the SMTP Client Restrictions in the postfix config section.

Hi helpmin

I think we may be talking at cross purposes. The user/email address that is receiving the spoofed email on my server is a real user/email on my server and therefor is white listed. Is it not?

In response to your question (where did you find it in Virtualmin)?
Webmin> Servers> BIND DNS Server> Select any FQD from the zone list then Sender Permitted From> and scroll to the bottom of the page, select the Sender Permitted From Record for this server and toward the bottom of the page you will find Action for other senders.

Ah, OK. SPF :slight_smile: You are probably trying to do it the right way. And basically what you are saying is that you are trying to change how SPF records are be treated.

You set it to -all, which should be a “hard fail”. That is probably just fine, however Bind itself doesn’t do any email filtering (based on the my understanding of DNS). It just provides information for example to MTAs. So it looks like your MTA (postfix) is not “SPF records” aware. You probably need to install/configure a package like postfix-policyd-spf-perl.

Unfortunately I am not not knowledgeable at all about that topic (and not able to assist). But I am glad I subscribed to this topic. I am going to learn something very useful here. Hopefully Eric will see this topic and shine more light on this :slight_smile: