spamassassin-users mailing list archives

From geoff.sa_users_161...@alphaworks.co.uk
Subject Re: Spam with attachments and UNPARSEABLE_RELAY
Date Fri, 25 Nov 2016 11:37:27 GMT
On 25/11/2016 11:22, Matus UHLAR - fantomas wrote:
>>> On 24.11.16 10:23, Geoff Soper wrote:
>>>> Subject: Spam with attachments and UNPARSEABLE_RELAY
>>>>
>>>> For a few weeks I've been suffering spam messages with attachments 
>>>> getting through with a suspicious score of 0.0. Upon inspection, 
>>>> they all had the following lines in the header:
>
> On 25.11.16 10:18, geoff.sa_users_161124@alphaworks.co.uk wrote:
>> 1. See attached example. I've removed the username and replaced it 
>> with <removed>.
>> 2. Other mail is getting correctly identified as spam so that's 
>> something...
>
>> Return-Path: <Gardner.Esmeralda@microauto.com>
>> X-Spam-Report:
>>     *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable 
>> relay lines
>
>> Received: (nullmailer pid 36796 invoked by uid 7637323);
>>     Fri, 25 Nov 2016 12:23:11 +0500
>> X-No-Auth: unauthenticated sender
>> Received: from internal (unknown [x.x.x.x])
>> Received: (nullmailer pid 36796 invoked by uid 7637323);
>>     Fri, 25 Nov 2016 12:23:11 +0500
>> X-PHP-Originating-Script: 7637323:SendMail.class.php
>
> This says that the mail was received from a webpage on your server, and the
> local mailer "nullmailer" seems to have delivered it directly to you.
>
> In fact, you don't know anything about this mail - it was apparently
> received via HTTP, but the SendMail.class.php running under uid 7637323 did
> not provide even the remote IP address.
>
> Apparently SA can't parse nullmailer headers - apparently because nullmailer
> provides no useful headers.
>
> In this case it's really hard to detect anything, since all information
> about the mail is lost in PHP.
> Maybe PHP could at least provide the client's IP (maybe all in an
> x-forwarded-for path) and that could help us.
>

Thanks for this analysis, this rings alarm bells. Can you be sure that 
this is definitely coming from a PHP on my server? I'll start 
investigating on the assumption that it is.

Many thanks,
Geoff
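As an added example (not from this thread or from SpamAssassin itself), the following script applies the analysis above to a mail's headers: it recognises nullmailer "Received:" lines, which carry a pid and uid but no relay host, reads the uid and script name from X-PHP-Originating-Script, and flags the message as locally injected by a web script when no relay IP is present. The sample header block is constructed from the lines quoted in the thread; the IP stays the placeholder the poster used.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the thread above.
# uid, pid and script name are copied from the quoted mail; the relay IP is
# the poster's placeholder, not a real address.
SAMPLE_HEADERS = """\
Return-Path: <Gardner.Esmeralda@microauto.com>
Received: (nullmailer pid 36796 invoked by uid 7637323);
    Fri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323);
    Fri, 25 Nov 2016 12:23:11 +0500
X-PHP-Originating-Script: 7637323:SendMail.class.php

"""

NULLMAILER_RE = re.compile(r"\(nullmailer pid (\d+) invoked by uid (\d+)\)")
PHP_SCRIPT_RE = re.compile(r"^(\d+):(.+)$")  # "uid:script" as PHP writes it
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed relay IP


def analyse(raw):
    """Return what the Received chain and PHP header tell us about origin."""
    msg = message_from_string(raw)
    findings = {"nullmailer_uids": set(), "relay_ips": [],
                "php_uid": None, "php_script": None}
    for line in msg.get_all("Received", []):
        m = NULLMAILER_RE.search(line)
        if m:  # local injection via nullmailer: no host, only pid and uid
            findings["nullmailer_uids"].add(m.group(2))
        ip = IPV4_RE.search(line)
        if ip:  # a real relay hop would carry a bracketed IP literal
            findings["relay_ips"].append(ip.group(1))
    php = msg.get("X-PHP-Originating-Script")
    if php:
        m = PHP_SCRIPT_RE.match(php.strip())
        if m:
            findings["php_uid"], findings["php_script"] = m.group(1), m.group(2)
    # The thread's case: a PHP script handed mail to the local MTA and no hop
    # recorded a client address, so nothing upstream can be scored.
    findings["local_web_injection"] = (findings["php_script"] is not None
                                       and not findings["relay_ips"])
    findings["uid_matches"] = findings["php_uid"] in findings["nullmailer_uids"]
    return findings
```

When `local_web_injection` is true and `uid_matches` ties the PHP uid to the nullmailer uid, the sending account on the web server is identified from the headers alone.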
