problem with auto reply and spam

jcorreia

Well-Known Member
Apr 25, 2005
Hi,
we have changed our email domain, so we have an autoreply and forward from the old email to the new.
Since last week we have been receiving spam from our own auto reply. All the subjects are like "RE: ***SPAM*** Score:18.8 Administrative Assistant Position" and the email body is what we configured in the auto reply.

From the subject and body we can conclude that SpamAssassin is working and the "RE:" is from our auto reply. It is emailing us because the spammer is setting the From on the email to my own email. We do have SPF enabled too.

There is some flaw here that spammers learned to exploit. I've checked email headers from the original spam message in BoxTrapper and the spam messages that do have this behavior (because only some emails do this...not all) have two "Received:" lines in the headers like this

HTML:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 28 Nov 2011 03:43:59 +0000
Received: from 201-223-52-83.baf.movistar.cl ([201.223.52.83]:57897)
	by server.atlier-informatica.net with esmtp (Exim 4.69)
	(envelope-from <[email protected]>)
	id 1RUs8L-00008R-Sw
	for [email protected]; Mon, 28 Nov 2011 03:43:59 +0000
Received: from 201.223.52.83(helo=atlier-informatica.com.pt)
	by atlier-informatica.com.pt with esmtpa (Exim 4.69)
	(envelope-from )
	id 1MM2DL-7081tj-OV
	for <[email protected]>; Sun, 27 Nov 2011 23:44:02 -0400
From: <[email protected]>
To: <[email protected]>
Date: Sun, 27 Nov 2011 23:44:02 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
X-Mailer: oejscehmin 54
Message-ID: <[email protected]>
X-Spam-Status: Yes, score=24.1
X-Spam-Score: 241

Notice the second Received:
HTML:
Received: from 201.223.52.83(helo=atlier-informatica.com.pt)
	by atlier-informatica.com.pt with esmtpa (Exim 4.69)
	(envelope-from )
	id 1MM2DL-7081tj-OV
	for <[email protected]>; Sun, 27 Nov 2011 23:44:02 -0400
It's false, that's not my IP..... that, and this in conjunction

is bypassing SPF and sending me the subjects of the spam filtered....


Can you confirm and fix this ?

I have WHM 11.30.4.6.


Thanks
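
As an added illustration (not part of the original post and not cPanel's or Exim's own code): a check an autoresponder could run before replying, trusting only the top Received line, which the local MTA writes itself. The domains, IPs and the function name are assumptions, and the sample message is constructed to mirror the header layout quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: our mail domains and our MTA's own IPs.
OWN_DOMAINS = {"old.example", "new.example"}
OWN_IPS = {"198.51.100.10"}

# Constructed sample modelled on the headers quoted in the post.
SAMPLE = (
    "Received: from host.isp.example ([203.0.113.7]:57897)\n"
    "\tby mx.new.example with esmtp (Exim 4.69)\n"
    "\tid 1AAAAA-000000-AA; Mon, 28 Nov 2011 03:43:59 +0000\n"
    "Received: from 203.0.113.7(helo=old.example)\n"
    "\tby old.example with esmtpa (Exim 4.69)\n"
    "\tid 1BBBBB-000000-BB; Sun, 27 Nov 2011 23:44:02 -0400\n"
    "From: <user@old.example>\n"
    "To: <user@old.example>\n"
    "Subject: ***SPAM*** Score:18.8 Administrative Assistant Position\n"
    "X-Spam-Status: Yes, score=24.1\n"
    "\n"
    "body\n"
)

def autoreply_blockers(raw, envelope_from):
    """Return the reasons an autoresponder should stay silent (empty = reply)."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    # Only the top Received line is ours; everything below it is sender-supplied.
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", hops[0]) if hops else None
    peer_ip = m.group(1) if m else None
    external = peer_ip not in OWN_IPS
    reasons = []
    if not envelope_from:
        reasons.append("null envelope sender")        # bounce: never answer it
    if msg.get("X-Spam-Status", "").lower().startswith("yes"):
        reasons.append("flagged as spam")
    if msg.get("Auto-Submitted", "no").lower() != "no":
        reasons.append("auto-submitted")              # RFC 3834 loop guard
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if external and from_domain in OWN_DOMAINS:
        reasons.append("own-domain From from external IP")
    for hop in hops[1:]:
        by = re.search(r"\bby\s+([\w.-]+)", hop)
        if external and by and by.group(1).lower() in OWN_DOMAINS:
            reasons.append("lower Received claims our domain")
    return reasons
```
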
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
If you believe you've discovered a flaw or bug in how the auto responders function, please submit a report at http://go.cpanel.net/bugs. This is where all internal cases are currently handled. Thanks!