
Lots of spam with no "From:" address

Posted: 12 Apr 2023, 17:22
by happydog
It seems like MailScanner should automatically block email that has no "From:" address. We are getting a ton of these now and they are all 100% spam. We can block the IP but we obviously can't block the "From:" address if there is nothing to block. Are we missing a setting somewhere? If there is no "From:" address, how can it be legitimate mail, and why doesn't MailScanner automatically block it?

Thanks,
Greg

Re: Lots of spam with no "From:" address

Posted: 14 Apr 2023, 05:31
by Sergio
For this type of blocking you can create your own SpamAssassin rule.

If you provide the headers of one of those spam emails (not the body, and as text, not a JPG), paste them here and I will give you a SpamAssassin rule to use.

Don't forget to delete any sensitive info of yours or your customers'.

Sergio

Re: Lots of spam with no "From:" address

Posted: 14 Apr 2023, 14:36
by happydog
Thank you for your help. It appears MailScanner gets the 'From:' line from the 'envelope-from' of the header. The 'From:' line I am referring to is the one that has the Blacklist Email / Whitelist Email buttons next to it when viewing the email, so there is no way to block the email or domain if the 'envelope-from' is missing. So I guess I need to know how to automatically block an email that doesn't contain the 'envelope-from'. Here is one like that I just received. Many of these spams look like they may be from Google, but are originating from multiple foreign countries.

Received: from [194.116.216.251] (port=43824 helo=orange.fr)
    by xxxxx.xxxxx.xxxxx with esmtp (Exim 4.96)
    id 1pnJJ8-0007eG-2W
    for xxxxx@xxxxxxx;
    Fri, 14 Apr 2023 07:17:43 -0600
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])
    by mx.google.com with SMTPS id j24-20020ac874d8000000b003e04e7ae5f4sor5273019qtr.66.2023.04.08.21.28.42
    for <xxxxx@xxxxxxx>
    (Google Transport Security);
    Sat, 08 Apr 2023 21:28:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of xxxxx@xxxxxxx designates 209.85.220.65 as permitted sender) client-ip=209.85.220.65;
Authentication-Results: mx.google.com;
    dkim=pass header.i=@gmail.com header.s=20210112 header.b=c3k3ibCS;
    spf=pass (google.com: domain of xxxxx@xxxxxxx designates 209.85.220.65 as permitted sender) smtp.mailfrom=xxxxx@xxxxxxx;
    dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20210112; t=1681014522;
    h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
    :date:message-id:reply-to;
    bh=Tzf+Q/KHa5VPKPlg2avsHwRX4f1920WvnTvjocJpvQA=;
    b=c3k3ibCSxkXJh5A3jtBHAIXOkU/3K4+mOOXKv/2TDvggXykTEZOhOSRnyd1sLARTVt
    YPTEPf41X2DzooT27NzSrD+eRk6i8t5YCiSmXo7VE3ipVMR9xPE4bx2T4Sji5MMIcWYi
    mFJFBJFp6cmzXSQMSVwaAFVabZ3IvPR64gJMHUiU+ekcasvJv9VS2nslf/JYKNkfZBmi
    aHewCYno5GenwRLinZ/Xh+xRFcvpwNJHOx8KuLQOq3V8JEuOchg6HHuSm/5XbdfOcNlf
    0DabdW/O81kEUJclkYwtzo8OH4Y2DWVyoxT5jRQt+e6bk06VLBGhqNwZA3PIwBOSzCOs
    XSTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=1e100.net; s=20210112; t=1681014522;
    h=to:subject:message-id:date:from:mime-version:x-gm-message-state
    :from:to:cc:subject:date:message-id:reply-to;
    bh=Tzf+Q/KHa5VPKPlg2avsHwRX4f1920WvnTvjocJpvQA=;
    b=2gJo6COsMcWQMLTQhizXBJpXBHOij8rNKkl6AHfYnqESQHItcHq6sesBWUKrbiB0TJ
    9/rt+uLnlsyCou9Uy6ZgFnLyDPPJ/Dm3MgPD211Kjrd/7WrfQrJIG5ZV350Q+TDSkMLM
    biBk6xzsg0nGzI8Ya9e08n7pJf47/pRsLGENnsazsYD9rGEoA1D3YteOB20eUtEZp4zr
    mLiGEUgu/cB2ecfngw8BnslPLfHmg9kg9N9TLaJyaNDl5gs9yo/CKwXS9yokjQ/NNbjy
    A2o48kp8TVnskiT9c/GfMwrhilUeAl9v6/E9IYwqTcUZ2viUzo9785ekImvj2EXYgTMa
    x0bQ==
X-Gm-Message-State: AAQBX9dJv/WGWiz6F0mfx+rFf+Z08Xjf5q02h1Rchs8aJa8q0tb6w+O7 dXieyVcZDQ4KBbi/YdYXf6jZoRsR2xuRDLyDNqfLe0xy5VGxH3Zz
X-Google-Smtp-Source: AKy350Y6Vc7dDGXT4phw0TJ1iBd/40ALBnvdBuGi4O4ZChxMEFG94VlrFZCgpcaKUdcQYBUQctGwTUisaePcozZaRn0=
X-Received: by 2002:a05:622a:56:b0:3e3:9502:8e0e with SMTP id y22-20020a05622a005600b003e395028e0emr2640449qtw.3.1681014521897; Sat, 08 Apr 2023 21:28:41 -0700 (PDT)
MIME-Version: 1.0
From: 'Missed delivery' <package-uSp@MisseddeliverypackagePmEEMfBte.com>
Date: Wed, 12 Apr 2023 21:29:44 +0200
Message-ID: <CAEg6P1RFEG7+3TR-acOf-C1k0phGcZywWeOOE-GQQuogqpaTyJKinM5n@mail.gmail.com>
Subject: RE: Your missed delivery.
To: xxxxx@xxxxxxx
Content-Type: multipart/alternative; boundary="00000000000070a62f05f8dfb15a"

Re: Lots of spam with no "From:" address

Posted: 14 Apr 2023, 18:05
by Sergio
The following is a very simple SpamAssassin rule, but it will help as an example.

With this rule you are going to block any email sent by the domain: MisseddeliverypackagePmEEMfBte.com.
You can create a better rule using the URLs that come in the body of the email; for me that is a better approach, but using the domain, as I said, is just an example. So do the following:

- Go to the directory /etc/mail/spamassassin (in this directory you will save any SpamAssassin rule that you create).
- Now create a file called "SergioAS_headers.cf" (all SpamAssassin rules should be inside a .cf file).
- The file should have the following lines:
The "header" line checks any header that you define from your raw email.
The "describe" line just says what this rule is about.
The "score" number should be something high (22 is a high spam score), and that will make ConfigServer MailScanner block the email as spam.

Here is the code that you have to write in the file /etc/mail/spamassassin/SergioAS_headers.cf

Code:

header	SergioAS_headers From:address =~ /MisseddeliverypackagePmEEMfBte\.com/i
describe	SergioAS_headers SergioAS
score	SergioAS_headers 22
Sergio

Re: Lots of spam with no "From:" address

Posted: 15 Apr 2023, 00:15
by happydog
Thank you Sergio, I appreciate your attempt to help, but this rule will not solve this problem. I already have hundreds of such rules for specific domains, but the problem with the emails in question is they are not from any particular domain. They are all missing the "envelope-from" section of the header. And since MailScanner appears to get its 'From:' address from the "envelope-from" line, and 100% of this type of spam are missing this line, I'm trying to figure out a rule that automatically blocks any email WITHOUT the "envelope-from" line in the header.

Greg
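As an added example, not code from Sergio, Greg, MailScanner or the SpamAssassin project, the rule file below turns the two points raised in this thread into SpamAssassin rules in the same header/describe/score form Sergio describes: one rule fires when the message has no envelope sender at all, and a second fires on the copied Google header block in Greg's sample, where the DKIM-Signature says d=gmail.com but the From: header is not a gmail.com address. The file name, rule names and scores are assumptions, and so is the X-MailScanner-Envelope-From header name: check it against the "Add Envelope From Header" and "Envelope From Header" settings in your MailScanner.conf before uncommenting that line.

```conf
# Added example, not from this thread. Assumed path:
# /etc/mail/spamassassin/local_envfrom.cf (any *.cf in that directory is loaded).

# SpamAssassin exposes the SMTP MAIL FROM through the pseudo-header
# "EnvelopeFrom". If MailScanner adds the envelope sender as a header for you,
# name it here so SA does not have to guess from Return-Path and friends.
# The header name is an assumption; verify it in MailScanner.conf first.
#envelope_sender_header X-MailScanner-Envelope-From

# Sub-rules: a leading "__" means the rule has no score of its own and is
# only used inside meta rules. "From:addr" keeps just the address part of
# the From: header, so the regex can anchor on the domain.
header   __ENV_FROM_PRESENT   EnvelopeFrom =~ /\S/
header   __DKIM_D_GMAIL       DKIM-Signature =~ /\bd=gmail\.com\b/i
header   __FROM_IS_GMAIL      From:addr =~ /\@gmail\.com$/i

# 1) No envelope sender. Scored moderately on purpose: MAIL FROM:<> is what
#    legitimate bounces and delivery status notifications use, and an absent
#    sender looks exactly the same to SA as an empty one.
meta     NO_ENVELOPE_FROM     !__ENV_FROM_PRESENT
describe NO_ENVELOPE_FROM     No envelope sender (empty or missing MAIL FROM)
score    NO_ENVELOPE_FROM     3.0

# 2) Copied Google headers: the DKIM-Signature claims d=gmail.com but the
#    From: address is not at gmail.com, as in the sample in this thread.
#    A genuine Gmail message to a gmail.com From: carries d=gmail.com; the
#    reverse pairing is a pasted header block. The same idea applies to any
#    provider whose signing domain you know (swap the domain in both rules).
meta     FORGED_GMAIL_DKIM_D  __DKIM_D_GMAIL && !__FROM_IS_GMAIL
describe FORGED_GMAIL_DKIM_D  DKIM-Signature d=gmail.com but From: is not @gmail.com
score    FORGED_GMAIL_DKIM_D  5.0

# 3) Both together is the pattern Greg is seeing. The combined total (3 + 5
#    + 15 = 23) clears the 22 high-score threshold used in Sergio's example;
#    adjust to whatever your MailScanner uses for high-scoring spam.
meta     NO_ENVFROM_FORGED_GMAIL  NO_ENVELOPE_FROM && FORGED_GMAIL_DKIM_D
describe NO_ENVFROM_FORGED_GMAIL  No envelope sender plus copied Gmail DKIM header
score    NO_ENVFROM_FORGED_GMAIL  15.0
```

After saving the file, run `spamassassin --lint` to catch syntax errors, then `spamassassin -t < sample.eml` with one of the spam messages (headers and body) to see which of these rules fire and with what score. A pasted DKIM-Signature also fails verification, so if the DKIM plugin is loaded the standard DKIM_INVALID rule will add to the total on the same message. Keep NO_ENVELOPE_FROM below the block threshold on its own: blocking every message with an empty reverse-path would also block your users' bounces.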