How to block "on behalf of" spam messages

OS type and version Debian 12
Virtualmin version 7.10.0 Pro

Hi guys,

I am using SpamAssassin Mail Filter to block mail domains with wildcards, but those domains start to send emails somehow with on behalf of.
For example, i already have marked this domain like * but still receive spam emails.
How to block that?

2024-04-06 22_11_13-

Source email

Return-Path: <>
X-Original-To: XXX
Delivered-To: "XXX"@XXX
Received: from (unknown [])
	by XXX (Postfix) with ESMTP id DFF40A007F84
	for <XXX>; Sat,  6 Apr 2024 20:46:43 +0200 (CEST)
Date: Sun, 7 Apr 2024 02:46:50 +0800 (CST)
From: 15009567621 <>
Sender: ilrdzb <>
To: admin <XXX>
Message-ID: <>
Subject: welded pipe
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Should work, have you applied the settings, like restart SpamAssassin?

You could also put a permanent drop rule for the IP range in firewallid.

try this rule see if it works

I just apply this header & body test.

btw i am using Denied addresses tab in Allowed and Denied Addresses section like this.
2024-04-07 22_44_27-SpamAssassin Mail Filter_Allowed and Denied Addresses — Webmin 2.105 (Debian Lin

Nope, seems not working
2024-04-08 03_50_45-eM Client

are other rules working, you should he spamassin rules in the header with the points it added.
Not sure how to test the “on behalf of” email. How do I duplicate sending that?

Why not just setup a rule using usermin ?

how to find this? I am using roundcube for email client.

As is said it’s a usermin option but whatever you do there will be reflected in all email clients… to get there goto

I have only this options there

Manage Folders
Address Book
Edit Signature
Change Password
Mail Preferences
Account Information

also on Filter and Forward Mail got this

The header you have shown doesn’t indicate Spamassassin is running, is it?
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
X-Spam-Status: No, score=-2.4 required=8.0 tests=

In Denied addresses
I also include *

In the Header Body tests I would try:

or even just ( behalf )

I find the test name has to be CAPS_AND_UNDERSCORES to work. The lower case i in Match expression makes it not case sensitive.

Guys, no success, i am bombed every day with this…

2024-04-15 17_32_00-SpamAssassin Mail Filter_Allowed and Denied Addresses — Webmin 2.105 (Debian Lin

How is your smtpd_sender_restrictions in the postfix file?

i am not sure, not present, here is the etc/postfix/ file

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

# TLS parameters
smtpd_tls_security_level = may

smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname,,, , localhost
relayhost = 
mynetworks = [::ffff:]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
allow_percent_hack = no
resolve_dequoted_address = no
tls_server_sni_maps = hash:/etc/postfix/sni_map

Do you have X-Spam-whatever lines in the header of those emails to indicate that SpamAssassin is checking your rules? If so what do they say? If not SpamAssassin is not configured to check and will not do anything.

you can check source at first post

Sorry, i got the wrong one, the one i ment is this one, mine is like this and blocks a lot of spam:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender,reject_unknown_sender_domain, reject_unknown_recipient_domain

should i put this in ? also is this correct syntax, coz i see its separated with space and your is with commas?