
Sender equals receiver?

Today I noticed a lot of "blocked" emails (in the Mail Manager / SMTP logs) where the sender address equals the receiver address. All of them are internal addresses.

There are several Block-Reasons: 

- RBL (different RBLs) 
- RDNS/HELO-Check

I doubt that hundreds of users are sending emails to themselves (which are blocked), but nobody complains about it :-)

I know that external spam senders frequently use the "destination address" as the "sender address" as well, to bypass some
"badly designed" whitelist rules which exclude every check for the "owned domain".

So, is there any chance to see some more information on these cases (without finding each case in the raw SMTP logs)?
It would be nice to see if all these attempts are performed from the same sending server, or if it's just a "common pattern".



  • In the SMTP log you see the sender IP. But maybe generated by proxy

  • Hello,

    I have been encountering the exact same issue since Monday, 2nd April. Does anyone have an idea?

     

    Thank you

  • Salut Pierre and welcome to the UTM Community!

    If one of these emails is quarantined, show us the headers from the email.  Obfuscate private information like ourdomain.com and 80.x.y.224.  If all were rejected, then show us the lines from the SMTP log that contain the lines related to one such email.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Delivering this data would be way easier if there was a separate search field for "sender/receiver/subject" - but it's just one (search) field in the Mail Manager.

    At least in my case I wasn't able to spot such an "email" within the last 30.000 entries of the past 7 days, due to the inability to filter these emails.

    That doesn't mean there wasn't a case like this, I just can't find it, as "every mail" will be listed when filtering for our domain...
    (It matches either inbound or outbound for EVERY email ever sent/received - who would expect that?)

    Two search fields:

    "receiver contains mydomain.com"
    "sender contains mydomain.com"

    would deliver EVERY email in question perfectly fine - but that isn't possible with the current Mail Manager implementation...

    (And if you consider this a CR, which I highly recommend: set up generic filters per column, i.e. Date, Size, Reason, From, To, Subject, etc.)

    The current Search-Implementation in the "MailManager" is nothing but a "joke".

    PS: Oh, you are only a "Partner" - but maybe you can trigger some "wheels" to get things rolling? The inability to filter SMTP logs is really a shame for an
    appliance worth some thousand bucks...

  • Hello,

    There are ways to accomplish this both at the command line and on the 'Search Log Files' tab.  I prefer the command line:

    zgrep '@mydomain.com" to=".*@mydomain.com"' /var/log/smtp/2018/03/* |more

    You also could use the Search feature with

    @mydomain.com" to=.*@mydomain.com">.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
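    As an added example (not code from this thread or from Sophos), the following script does what Bob's grep does over the SMTP log and then groups the self-addressed entries by source IP and block reason, which is what the original question asks for. The key="value" line layout and the field names name/srcip/from/to/reason are assumptions modelled on the grep pattern above, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the key="value" layout the grep pattern relies on.
# Field set is an assumption, not a verbatim UTM log; IPs are documentation ranges.
SAMPLE_LOG = """\
2018:04:02-09:10:01 utm exim-in[4011]: name="email rejected" srcip="203.0.113.5" from="alice@mydomain.com" to="alice@mydomain.com" reason="rbl" extra="zen.spamhaus.org"
2018:04:02-09:10:07 utm exim-in[4013]: name="email rejected" srcip="203.0.113.5" from="bob@mydomain.com" to="bob@mydomain.com" reason="rdns"
2018:04:02-09:11:30 utm exim-in[4020]: name="email passed" srcip="198.51.100.20" from="partner@example.net" to="alice@mydomain.com" reason=""
2018:04:02-09:12:45 utm exim-in[4025]: name="email rejected" srcip="198.51.100.77" from="carol@mydomain.com" to="carol@mydomain.com" reason="rbl" extra="bl.spamcop.net"
2018:04:02-09:13:02 utm exim-in[4031]: name="email passed" srcip="192.0.2.10" from="alice@mydomain.com" to="alice@mydomain.com" reason=""
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))

def self_addressed(lines, same_domain_only=False):
    """Yield parsed entries whose envelope sender equals the recipient
    (or, with same_domain_only=True, shares the recipient's domain)."""
    for line in lines:
        rec = parse_line(line)
        sender, rcpt = rec.get("from", "").lower(), rec.get("to", "").lower()
        if not sender or not rcpt:
            continue
        if same_domain_only:
            match = sender.rsplit("@", 1)[-1] == rcpt.rsplit("@", 1)[-1]
        else:
            match = sender == rcpt
        if match:
            yield rec

def summarize(log_text, rejected_only=True):
    """Count self-addressed entries per source IP and the block reasons seen from
    each, so a single sending server can be told apart from a spread-out pattern."""
    per_ip = Counter()
    reasons = defaultdict(Counter)
    for rec in self_addressed(log_text.splitlines()):
        if rejected_only and rec.get("name") != "email rejected":
            continue
        ip = rec.get("srcip", "?")
        per_ip[ip] += 1
        reasons[ip][rec.get("reason", "")] += 1
    return per_ip, {ip: dict(c) for ip, c in reasons.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

    Run it against a real log with `summarize(open(path).read())`; a few IPs carrying most of the counts points to a small set of sending servers, while many IPs with one hit each is the "common pattern" case.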
  • The spammers are forging the FROM information, and UTM is blocking the mail.   This is a good thing, right?  Usually the posts on this subject are about mail getting through.