[postfix-users] Relay from Local?
Matthias Schmidt
beta at admilon.net
Sat Aug 25 03:51:00 CEST 2012
Hello,
since yesterday I have been getting mails like this from postfix (see below).
I don't quite understand it; the mails should already be rejected here:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
These are the other smtpd settings:
smtpd_pw_server_security_options = login,gssapi,cram-md5
data_directory = /var/lib/postfix
smtpd_client_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    check_sender_access hash:/etc/postfix/whitelist
    reject_non_fqdn_hostname
    reject_unknown_reverse_client_hostname
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client zen.spamhaus.org
    permit
smtpd_sender_restrictions =
    check_sender_access regexp:/etc/postfix/tag_as_originating.re
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_clientcerts
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re
These are the mails:
Content type: Spam
Internal reference code for the message is 57201-02/ghorrefFg9hP
First upstream SMTP client IP address: [83.19.178.206]
cys206.internetdsl.tpnet.pl
According to a 'Received:' trace, the message apparently originated at:
[61.8.92.97], Unknown [61.8.92.97]
Return-Path: <bub8 at jetxos.net>
From:
Uk.HALIFAX.internet.msg-notify###!-!securespecial at AT-MY-bgtr-279882394343150-TESTTESTNOW-LOCALHOSt.net
Message-ID: <0ed1e2164567685-18915-37-e3 at infonet.com>
X-Mailer: Groupinculus
Subject: Fraudulent banking activity! [HLF-ID;87n- August2012]
Not quarantined.
The message WAS NOT relayed to:
<beth_92 at hotmail.co.uk>:
250 2.7.0 Ok, discarded, id=57201-02 - SPAM
SpamAssassin report:
Spam detection software, running on the system "mcgregor.admilon.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
websensei at admilon.net for details.
Content preview: Untitled Document We have detected fraudulent activity on
your Halifax Internet banking account on 24/08/2012. For your protection,
you must verify this activity before you can continue using your account.
[...]
Content analysis details: (15.6 points, 25.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 0.0 FSL_HELO_NON_FQDN_1    FSL_HELO_NON_FQDN_1
 0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
 2.4 TVD_PH_BODY_ACCOUNTS_PRE BODY: TVD_PH_BODY_ACCOUNTS_PRE
 1.5 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
 0.3 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4904]
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 4.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 HELO_NO_DOMAIN         Relay reports its domain incorrectly
 0.0 TO_EQ_FM_HTML_ONLY     To == From and HTML only
 0.0 TO_NO_BRKTS_NORDNS_HTML TO_NO_BRKTS_NORDNS_HTML
 0.0 TO_EQ_FM_DIRECT_MX     To == From and direct-to-MX
 1.7 TO_EQ_FM_HTML_DIRECT   To == From and HTML only, direct-to-MX
Return-Path: <bub8 at jetxos.net>
Received: from [83.19.178.206] (cys206.internetdsl.tpnet.pl [83.19.178.206])
    by mcgregor.admilon.net (Postfix) with ESMTPA id DA5C51D0A388
    for <beth_92 at hotmail.co.uk>; Sat, 25 Aug 2012 00:47:00 +0900 (JST)
X-GB-From: Uk.HALIFAX.internet.msg-notify###!-!securespecial at AT-MY-bgtr-279882394343150-TESTTESTNOW-LOCALHOSt.net
X-OriginalArrivalTime: Fri, 24 Aug 2012 15:46:48 GMT
X-SEF-Processed: 5_0_0_116__9573_53_13_39_07_03
X-Mailer: Groupinculus
Subject: Fraudulent banking activity! [HLF-ID;87n- August2012]
To: beth_92 at hotmail.co.uk
X-GB-AV: none found (0 seconds)
X-GB-AS-summary: 10,1,0,d41d8cd98f00b204,d41d8cd98f00b204,bub1 at jetos.net,7834,3775,3425,3776,4070
X-GB-Rule: 40
X-TM-AS-Product-Ver: IMSS-faoggldegmhmu=7.1.0.4101-6.8.0.61.8.92.97-22055.450
From: Uk.HALIFAX.internet.msg-notify###!-!securespecial at AT-MY-bgtr-279882394343150-TESTTESTNOW-LOCALHOSt.net
X-GB-AS: unknown, (score 10, 0 seconds)
X-MIMETrack: Itemize by SMTP Server on notes/Unitar(Release 8.5.2|Sat,Fri, 24 Aug 2012 15:46:48 GMT GMT) at
X-TM-IMSS-Message-ID: <trfmuovk0851-52e3 at infonet.com>
1241;: $21412:$;21412;4;2142949;::$219429:::424204021
Received: from Unknown [61.8.92.97] by srv02.wicerhla.co.uk - SurfControl E-mail Filter (5.0.1); Fri, 24 Aug 2012 15:46:48 GMT
X-GB-To: beth_92 at hotmail.co.uk
X-imss-scan-details: No--0.158-5.0-18-1
Defensive: Filters
MIME-Version: -2.1
Message-ID: <0ed1e2164567685-18915-37-e3 at infonet.com>
X-TM-AS-Result: No--0.730-5.0-31-1
Content-Type: text/html
Date: Fri, 24 Aug 2012 15:46:48 GMT
X-GB-Received: From (beth_92 at hotmail.co.uk-61.8.92.97) ---> ftp <---
X-Sender: Buuuucifer
Can I prevent this somehow?
Thanks, and have a nice weekend
Matthias
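
Added example, not part of the original post: the Received line that mcgregor.admilon.net wrote says "with ESMTPA", the RFC 3848 keyword for a session that completed SMTP AUTH, which is the case permit_sasl_authenticated accepts before reject_unauth_destination is evaluated. The Python below extracts that from the trace headers quoted in the post; the MYNETWORKS value and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# RFC 3848 "with" keywords that mean the client passed SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}

# Assumption: stand-in for the server's real mynetworks value.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]

# Postfix-style trace field: from HELO (rdns [ip]) ... by HOST (Postfix) with PROTO
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(\S+\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\).*?"
    r"\bby\s+(?P<by>\S+)\s+\(Postfix[^)]*\)\s+with\s+(?P<proto>\w+)",
    re.S,
)

# Both Received headers are copied from the notification in the post.
SAMPLE_RECEIVED = [
    "from [83.19.178.206] (cys206.internetdsl.tpnet.pl [83.19.178.206])\n"
    "    by mcgregor.admilon.net (Postfix) with ESMTPA id DA5C51D0A388\n"
    "    for <beth_92 at hotmail.co.uk>; Sat, 25 Aug 2012 00:47:00 +0900 (JST)",
    "from Unknown [61.8.92.97] by srv02.wicerhla.co.uk - SurfControl "
    "E-mail Filter (5.0.1); Fri, 24 Aug 2012 15:46:48 GMT",
]

def classify_hop(received, our_host):
    """Describe how our Postfix accepted this hop; None if it is not our hop."""
    m = RECEIVED_RE.search(received)
    if not m or m.group("by").lower() != our_host.lower():
        return None  # written by another (possibly forged) host: not evidence
    ip = ipaddress.ip_address(m.group("ip"))
    return {
        "client_ip": str(ip),
        "protocol": m.group("proto").upper(),
        "authenticated": m.group("proto").upper() in AUTH_PROTOCOLS,
        "in_mynetworks": any(ip in net for net in MYNETWORKS),
    }

def authenticated_outsiders(received_headers, our_host):
    """Hops where an AUTHed client outside mynetworks handed us the mail."""
    hops = (classify_hop(h, our_host) for h in received_headers)
    return [h for h in hops if h and h["authenticated"] and not h["in_mynetworks"]]

if __name__ == "__main__":
    for hop in authenticated_outsiders(SAMPLE_RECEIVED, "mcgregor.admilon.net"):
        print("accepted after SMTP AUTH from outside mynetworks:", hop)
```

For a hit, the smtpd log line for the same queue ID records the sasl_username= of the account whose credentials were used.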