SPAM(spoofing) help

Thomas Spuhler thomas.spuhler at btspuhler.com
Tue Apr 29 22:58:55 CEST 2014 

One of my users is getting spammed badly (200+ e-mails) from what I believe wrongly configured e-mail 
servers.
What my user is getting is messages of undeliverable e-mails.

Below is the header section (with the name slightly modified with xxxx) of such an e-mail.

I somebody sent out a lot of spam in the name of may users and now all the non-delivery me user.

I found one such message from AOL where AOL actually checked the IP of the sender with the FDN, but 
the message said something along the lines, send FQDN doesn't match IP address, but it's OK to send 
the e-mail anyway.
I have temporarily disabled my user's address (which came from an old Kolab installation and had 
only first at btspuhler.com.

But what are the suggestion in this case? In some cases it could help to increase the score of 
URIBL_BLACK=

Below is the e-mail header part that came back.

-----------

 Mail delivery failed: returning message to sender

Return-Path: <>
Received: from aargau.btspuhler.com ([unix socket])  by
aargau.btspuhler.com (Cyrus v2.4.17-Mageia-RPM-2.4.17-12.mga4) with
LMTPA;  Tue, 29 Apr 2014 12:45:28 -0700
X-Sieve: CMU Sieve 2.4
Received: from [127.0.0.1] (localhost [127.0.0.1]) by
aargau.btspuhler.com (Postfix) with ESMTP id 7C48920C7E9 for
<Brigxxxx.spuhler at btspuhler.com>; Tue, 29 Apr 2014 12:45:26 -0700 (MST)
X-Virus-Scanned: amavisd-new at btspuhler.com
X-Spam-Flag: NO
X-Spam-Score: 2.5
X-Spam-Level: **
X-Spam-Status: No, score=2.5 tagged_above=1 required=4.7
tests=[DKIM_ADSP_NXDOMAIN=0.8, URIBL_BLACK=1.7] autolearn=no
Received: from aargau.btspuhler.com ([127.0.0.1]) by localhost
(aargau.btspuhler.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id R3mWpTadzIpE for <Brigxxxx.spuhler at btspuhler.com>; Tue, 29 Apr 2014
12:45:22 -0700 (MST)
Received: from OssCfzEximVm-1.gci.net (m-5.gci.net [209.165.130.185]) by
aargau.btspuhler.com (Postfix) with ESMTPS id 157E520C7D3 for
<Brigxxxx at btspuhler.com>; Tue, 29 Apr 2014 12:45:17 -0700 (MST)
Received: from osscfzoutscnvm-2.gci.net ([209.165.130.155]
helo=OssLbzOutscnVm-2.gci.net) by OssCfzEximVm-1.gci.net with esmtp
(Exim 4.72) id 1WfDxs-0005px-DC for Brigxxxx at btspuhler.com; Tue, 29 Apr
2014 11:45:16 -0800
X-AuditID: 0aa50b18-b7ef76d000000ba1-10-535ffa567d93
Received: from osslbzexim-invm-4.gci.net (Unknown_Domain [10.165.11.16])
by OssLbzOutscnVm-2.gci.net (GCI Messaging Gateway) with SMTP id
E7.15.02977.65AFF535; Tue, 29 Apr 2014 11:15:34 -0800 (AKDT)
Received: from exim by osslbzexim-invm-4.gci.net with local (Exim 4.72)
id 1WfDxs-0001nr-8d for Brigxxxx at btspuhler.com; Tue, 29 Apr 2014
11:45:16 -0800
Date: Tue, 29 Apr 2014 11:45:16 -0800
Message-Id: <E1WfDxs-0001nr-8d at osslbzexim-invm-4.gci.net>
X-Failed-Recipients: rose at ak.net
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon at osslbzexim-invm-4.gci.net>
To: Brigxxxx at btspuhler.com
Subject: Mail delivery failed: returning message to sender
X-Brightmail-Tracker:
H4sIAAAAAAAAA+NgFtrLLMWRmVeSWpSXmKPExsXCtZRbQDfsV3ywwfJVxhZ3931ndWD0mP17
AXsAY5SETVJlQWJxsW5xQWKuvp1NSmpOZllqkb5dgkRGy8w7LAWLmpkqPqztZWlgvHaSsYuR
k0NCwETi2Yy7bBC2mMSFe+uBbC4OIYETjBLrZt9ghHBmM0qcPPeTGaSKRUBVYsOdL6wgNq+A
pcS187+ZIboVJKb09rOD2IwCMhKnJt0Am8om4CLRsq0DbJuIgJTEyo2XweqFBawkNm5vZ5nA
yL2AkWEVo4R/cbFPUpV/aUlxcl5Yrq6RXnpypl5easkmRoivJXYwfum1PMQowMGoxMPLsS4+
WIg1say4MvcQowQHs5IIr/xboBBvSmJlVWpRfnxRaU5q8SHGKqCDJzJLiSbnA8MwryTe0NjU
xNLAxNTIyNLUhCrCSuK8+09LBwkJpCeWpGanphakFsEsZ+LglGpgFGeaqyCSq2NS0l/63GnF
JXaOu3ZRkVuzlvIH7boSGJJtcYNXyrzC9tuT1ghn3rq/xYYFX1htbKfOPqy/d3mHp823KVJX
BLuvJxo4V37Rurryd8fpDZ+87dfKsb4+/POMjVrfYrPNX3ynqtlM/c7gyL6+OIhV/guvuipH
/k7GbNnKXpsaX2UlluKMREMt5qLiRADoJkuIUAIAAA==

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  rose at ak.net
    Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <Brigxxxx at btspuhler.com>
Received: from [209.165.131.114] (helo=osscszeximroutersvr-1.gci.net)
	by osslbzexim-invm-4.gci.net with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.72)
	(envelope-from <Brigxxxx at btspuhler.com>)
	id 1WfDxs-0001nl-6M
	for rose at ak.net; Tue, 29 Apr 2014 11:45:16 -0800
Received: from [209.165.131.62] (helo=osscszinscnvm-3.gci.net)
	by osscszeximroutersvr-1.gci.net with esmtp (Exim 4.72)
	(envelope-from <Brigxxxx at btspuhler.com>)
	id 1WfDxr-0004oW-DN
	for rose at ak.net; Tue, 29 Apr 2014 11:45:15 -0800
X-AuditID: d1a5833e-b7f346d000000caf-fb-53600147e1bd
Authentication-Results: symauth.gci.net; spf=softfail; senderid=softfail
Received: from xtinmta06-42.exacttarget.com ( [207.67.38.42])
	by osscszinscnvm-3.gci.net (GCI Messaging Gateway) with SMTP id
35.78.03247.74100635; Tue, 29 Apr 2014 11:45:12 -0800 (AKDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20120116;
d=memberemail.com;
 h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type;
 bh=rZr4VgVYD2mK/g+SvADnCSeJzOg=;
 b=hNUdzYCqkjH15rDGrS8MupltpzxlwlF9E2vA3c7rbfdxbYIoM8QHMURuhYjdeg0ls68VBI47woyl

mT2wH7QMnFnLpc5R5mXYzTDULWobrOHnHK/JRLstu3f9nr96rKPDkT0zf+f8/feO6/QnNbkjD39m
   54ClGCqIK5dp9j9QhGY=
Received: by xtinmta06-42.exacttarget.com id hc00ke163hse for
<rose at ak.net>; Tue, 29 Apr 2014 13:45:10 -0600 (envelope-from
<Brigxxxx at btspuhler.com>)
thread-index: Ac9j44gZghtmj+hiQIG1KBahn7CdCA==
Thread-Topic: Forwarded:  End of Summer Travel SALE
From: <Brigxxxx at btspuhler.com>
To: <rose at ak.net>
Subject: Forwarded:  End of Summer Travel SALE
Date: Tue, 29 Apr 2014 13:45:10 -0600
Message-ID: <2D6413379DB24C209E5F78F9662CFDE9 at xt.local>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_5AFA_01CF63B1.3D8102E0"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
X-Brightmail-Tracker:
H4sIAAAAAAAAA7WUf1BUVRTHuft22SfsxcdD4LjJj96UY8wsCcSIE9qv0WwaJseNMrPgyT53
	d1ze7ux7i+g0jWGTSA0DEmIbFv5MmkZ+aRkqGZM/wikRK0KZjbRy0tAcU/An3bs/8NGfNc3s
	3Dn38z33nDPnnH0sw49gMyuVq5JXFl1CdIz+xFPTMywLULF15vZ+Pq+/95LhcbTg/NC7zEK0
	pDjfIYk2yZsuySVum1O2zxGesT5nycvLnW3JEtJlsVSaI5Rb7CVOiyLJxFH0qQ4hvUx0+Yhg
	XTg/3eperi4XnS7h4bn5NsnlLJO8Wqu42DH2U4ve8+E5VN6wrz56Ddr/CapCk1jgHoET26t1
	1EbcAth8vE0f4knQG2iJpjbPHUDQVempQjGsnrusg+a1Z/T0wnP1CDZ2+A3UawqXCbfbDxhD
	dg607rwetKO5VKjrb0YhHg/HjjUTzrIJxL/umkSxnnsQTl7ZYKAYc7Pg28M2ijHx/vq9X4L1
	MNzLsGugI1zzDOi5UYNCPAP21XQh+nQSx0NVJ1DMcRwcqqgNRgQuD/pHi2vQFL8mqF8T1K8J
	5CcvGFLaW21hnAafDTcyIdsCY+cjdog3IePHKNmtKCXKaqeslMhlpZacTDKoTFlS2xGZ+8kd
	a+fuQ8dHZncjjkWCCcfvLbLyBrFMWVXajVawOiER77xOUNwyt22VQ1QcRV6fS1KEKXg3xXgc
	L/O5Vghm/HxUsZVPGKeytFJxSSpZNCEVm0ZfsfLJ45riUzzOEqfbpxT5vK5uBCxDwqYN07A2
	cdVqyesOJetGdToyhlrGnFjillVJVouycmZl5+TOzp6VTX7/K46N4Nzsmf/1kvVvLkIynv5E
	5iKes4uqtEKSPJI30hYda+xGK1lWALx5jLQt3ivZpfLlTpca8SGPbSNE4bRKcFQp+P0mIiRp
	Bc207sdtdFpmrfzPgenYSfSI6UZ21kRGN0xrwIpHLFWc9nD+BHz7FqGmCA3mnopb6JrwEajJ
	m4IX0rxJEWlizh7UgNjWI7ve1LENp0YGEbuJnrxedstS6DQn4wAtg6MBHD55vBPmJLx+5VIr
	P1kj0GLM00I8UcPv1WNOxxupOlWjTiwp8vXsQynmBIyioqJ4ExlRqVMNdyCsn0Zx4QrD4AKq
	1JG/XAK+Sus1OWX1Xtd4/A6FsWEYbBrg2uCMw0zTs2l4Me1ZYliZWF/2VkS+nfVp8HmTEca2
	LIXB9a/BtsFvEAxeqdbBBxtHdXB3+zoG9t9tYGDwz04GNv3exUDX0AADN9+uN0Cgp8kAB3fv
	NED70V5y7f3DAAe2XDLArU19RrhaOWqEY1duGqHvhp+FipaBGAhcPBsDpzuOxsKPjVUm6Oi9
	ZYLv3mjEEGhtxjD6fQ+GsV+HMVyrrIqDM1tPx10gG6QjG2QtCG6QKqraDWoqCG5QmIY3aAOF
	fARO2KAaKiVFpIntMK9B/sYlxtV91ss9oxdOxVbVHCnKeLTy1RcCL+6qzfxh8e25hXvmbY35
	UnjA/cW8gsP+zkB1jr3uN7Ors7XDU7Fl5FxiXPxDL+GDX00eejq/pmLP8Tv404tP7rnkSZ6x
	t+3nx872rV+0rPDOusm4IH9bYUv1R3mLhp8dOHSfPn7H2NCakb9Sc19fK+gVh5iVwXgV8W/N
	pyktigcAAA==
x-gci-senderauth: SPF Softfail

This is a multi-part message in MIME format.




-----------------------------------------
-- 
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.kolab.org/pipermail/users/attachments/20140429/32caf680/attachment-0001.sig>

More information about the users mailing list