How to block "on behalf of" spam messages

SYSTEM INFORMATION
OS type and version: Debian 12
Virtualmin version: 7.10.0 Pro

Hi guys,

I am using SpamAssassin Mail Filter to block mail domains with wildcards, but those domains have somehow started sending emails "on behalf of".
For example, I have already marked this domain as *@163.com but still receive spam emails.
How do I block that?


Source email

Return-Path: <ilrdzb@wilx.com>
X-Original-To: XXX
Delivered-To: "XXX"@XXX
Received: from apteka-sloneczna.pl (unknown [182.136.235.217])
	by XXX (Postfix) with ESMTP id DFF40A007F84
	for <XXX>; Sat,  6 Apr 2024 20:46:43 +0200 (CEST)
Date: Sun, 7 Apr 2024 02:46:50 +0800 (CST)
From: 15009567621 <15009567621@163.com>
Sender: ilrdzb <ilrdzb@wilx.com>
To: admin <XXX>
Message-ID: <161250356.3936903.1712429210283@apteka-sloneczna.pl>
Subject: welded pipe
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
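Added example, not part of the original post and not Virtualmin or SpamAssassin code: a short Python script that takes the message source above (rebuilt as a constructed sample, with the redacted recipient replaced by an example.invalid address) and reports the distinct sending identities it carries, which of them a wildcard deny list such as *@163.com actually matches, whether the message is an "on behalf of" message (Sender: domain differs from From: domain), and the IP that handed the mail to the server. Function and variable names are my own.

```python
import email
import fnmatch
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the first post.
# Recipient replaced with example.invalid; body invented. Not a real capture.
SAMPLE = """\
Return-Path: <ilrdzb@wilx.com>
Received: from apteka-sloneczna.pl (unknown [182.136.235.217])
\tby mail.example.invalid (Postfix) with ESMTP id DFF40A007F84
\tfor <admin@example.invalid>; Sat,  6 Apr 2024 20:46:43 +0200 (CEST)
Date: Sun, 7 Apr 2024 02:46:50 +0800 (CST)
From: 15009567621 <15009567621@163.com>
Sender: ilrdzb <ilrdzb@wilx.com>
To: admin <admin@example.invalid>
Message-ID: <161250356.3936903.1712429210283@apteka-sloneczna.pl>
Subject: welded pipe
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

<p>constructed body</p>
"""

# Headers that each name a "sender" of some kind. Return-Path is the envelope
# sender (SMTP MAIL FROM) as recorded by the receiving MTA; From and Sender
# are message headers the sending side writes freely.
HEADER_IDENTITIES = ("From", "Sender", "Return-Path")


def sender_identities(raw):
    """Return {header: bare lowercased address} for every sender-ish header present."""
    msg = email.message_from_string(raw)
    out = {}
    for name in HEADER_IDENTITIES:
        value = msg.get(name)
        if value:
            out[name] = parseaddr(value)[1].lower()
    return out


def connecting_ip(raw):
    """IPv4 address in the topmost Received: line, i.e. the host that delivered to us."""
    msg = email.message_from_string(raw)
    for line in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if m:
            return m.group(1)
    return None


def matches_deny(address, patterns):
    """Shell-style wildcard match, as in a '*@163.com' style deny list."""
    return any(fnmatch.fnmatchcase(address, p.lower()) for p in patterns)


def is_on_behalf_of(ids):
    """True when a Sender: header exists and its domain differs from From:."""
    frm, snd = ids.get("From"), ids.get("Sender")
    return bool(frm and snd and frm.rpartition("@")[2] != snd.rpartition("@")[2])


def evaluate(raw, patterns):
    """Show which identities a deny list catches and which it leaves untouched."""
    ids = sender_identities(raw)
    return {
        "identities": ids,
        "denied": {name: matches_deny(addr, patterns) for name, addr in ids.items()},
        "on_behalf_of": is_on_behalf_of(ids),
        "connecting_ip": connecting_ip(raw),
    }


if __name__ == "__main__":
    import json
    # With only *@163.com denied, the From: identity is caught but the Sender
    # and envelope identities (wilx.com) are not.
    print(json.dumps(evaluate(SAMPLE, ["*@163.com"]), indent=2))
```

Run it and the output makes the shape of the problem visible: the message carries three different identities (From: at 163.com, Sender: and Return-Path at wilx.com) plus a connecting host that belongs to neither, so a rule keyed on one header only ever sees one of them. A pattern written as *.163.com does not match an address of the form user@163.com at all, because the character before 163.com is @, not a dot.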

It should work. Have you applied the settings, e.g. restarted SpamAssassin?

You could also put a permanent drop rule for the IP range in firewalld.

Try this rule and see if it works.

I just apply this header & body test.

BTW, I am using the Denied addresses tab in the Allowed and Denied Addresses section like this:
[screenshot: SpamAssassin Mail Filter, Allowed and Denied Addresses page in Webmin 2.105]

Nope, it seems not to be working.
[screenshot: eM Client]

Are other rules working? You should see the SpamAssassin rules in the header with the points it added.
Not sure how to test the “on behalf of” email. How do I duplicate sending that?

Why not just set up a rule using Usermin?

How do I find this? I am using Roundcube as my email client.

As I said, it’s a Usermin option, but whatever you do there will be reflected in all email clients… To get there, go to yourdomain.com:20000.

I have only these options there:

Manage Folders
Address Book
Edit Signature
Change Password
Mail Preferences
Account Information

Also, on Filter and Forward Mail I got this:

The header you have shown doesn’t indicate SpamAssassin is running. Is it?
Like:
X-Spam-Hostname-Processed-On:
X-Spam-Ip-Sent-From:
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
X-Spam-Report:
X-Spam-Status: No, score=-2.4 required=8.0 tests=

In Denied addresses, I also include *.163.com

In the Header Body tests I would try:

or even just ( behalf )

I find the test name has to be CAPS_AND_UNDERSCORES to work. The lowercase i in the Match expression makes it case-insensitive.

Guys, no success, I am bombarded every day with this…

[screenshot: SpamAssassin Mail Filter, Allowed and Denied Addresses page in Webmin 2.105]

How is your smtpd_sender_restrictions set in the Postfix main.cf file?

I am not sure, it is not present. Here is the /etc/postfix/main.cf file:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6



# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = maxel.mk
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, maxel.mk, localhost.mk, , localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
allow_percent_hack = no
resolve_dequoted_address = no
tls_server_sni_maps = hash:/etc/postfix/sni_map

Do you have X-Spam-whatever lines in the header of those emails to indicate that SpamAssassin is checking your rules? If so, what do they say? If not, SpamAssassin is not configured to check and will not do anything.

You can check the source in the first post.

Sorry, I got the wrong one. The one I meant is this one; mine is like this and blocks a lot of spam:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender,reject_unknown_sender_domain, reject_unknown_recipient_domain

Should I put this in main.cf? Also, is this the correct syntax, because I see mine is separated with spaces and yours with commas?
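Added example, my own and not from the thread or from Postfix: a Python simulation of what check_sender_access does with a sender_access table, applied to the message from the first post. Two facts from the Postfix documentation drive it. First, check_sender_access acts on the envelope sender (SMTP MAIL FROM, what ends up in Return-Path), not on the From: header; for the quoted message that is ilrdzb@wilx.com, so a table entry for 163.com alone never fires. Second, main.cf list values may be separated by commas and/or whitespace, so the space-separated and comma-separated forms of smtpd_recipient_restrictions are equivalent. The lookup order (full address, then domain and parent domains, then user@) follows access(5); whether a bare domain key also matches subdomains depends on smtpd_access_maps being in parent_domain_matches_subdomains, which the code takes as a parameter rather than assuming. Table contents and function names are constructed.

```python
import re

# Constructed sender_access table in access(5) format (not from the thread).
# On a real system this goes in /etc/postfix/sender_access, followed by
# `postmap hash:/etc/postfix/sender_access` to build the .db file.
SENDER_ACCESS_TEXT = """
# key            action
163.com          REJECT
wilx.com         REJECT
spammer@         REJECT
"""

# Identities of the message quoted in the first post.
FROM_HEADER = "15009567621@163.com"   # From: header, not seen by smtpd restrictions
ENVELOPE_SENDER = "ilrdzb@wilx.com"   # MAIL FROM / Return-Path, what check_sender_access tests


def parse_access_table(text):
    """Parse 'key action' lines; blank lines and # comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def lookup_keys(address, parent_matches_subdomains=True):
    """Keys Postfix tries, in order, for an email address per access(5).

    parent_matches_subdomains=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains (bare 'domain' also matches subdomains);
    False models the '.domain' form being required for subdomains.
    """
    if "@" not in address:
        return []
    local, _, domain = address.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{local}@")
    return keys


def check_sender_access(envelope_sender, table, parent_matches_subdomains=True):
    """First matching key wins, like a Postfix access map lookup."""
    for key in lookup_keys(envelope_sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, "DUNNO"   # no match: fall through to the next restriction


def parse_restrictions(value):
    """Split a main.cf list the way Postfix does: commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def explain(envelope_sender, from_header, table):
    """Contrast what the restriction sees (envelope) with what the user sees (From:)."""
    key, action = check_sender_access(envelope_sender, table)
    return {
        "envelope_sender": envelope_sender,
        "from_header": from_header,
        "matched_key": key,
        "action": action,
        "from_domain_in_table": from_header.rpartition("@")[2] in table,
    }


if __name__ == "__main__":
    table = parse_access_table(SENDER_ACCESS_TEXT)
    print(explain(ENVELOPE_SENDER, FROM_HEADER, table))
    only_163 = parse_access_table("163.com REJECT")
    # The From: domain is listed, yet the restriction never matches this message.
    print(explain(ENVELOPE_SENDER, FROM_HEADER, only_163))
```

The second print is the answer to the "on behalf of" puzzle at the Postfix layer: the From: domain 163.com is in the table, but check_sender_access only ever sees wilx.com, so the mail passes. Blocking on the From: header at the MTA needs header_checks (or SpamAssassin), while check_sender_access is the right tool for the envelope domain and reject_unknown_sender_domain for envelope domains that do not resolve. One more note on the quoted restriction list: reject_invalid_hostname is the pre-Postfix-2.3 name of reject_invalid_helo_hostname; Postfix still accepts it, but the newer name is the documented one.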