Community Discussions and Support
Mercury/32 SMTP From address blank??? How can i avoid this...

[quote user="Heishiro Mitsurugi"]

I had zen.spamhaus.org, but for some reason it stopped working from some time ago. I have it programmed but disabled. 

I was reading on reasons why it won't work and one of them was something about using public DNS like 8.8.8.8. No clue on what has to do with it, but cause it was not working I disabled it. I just enabled it again to see if it does something or not.[/quote]

Some public DNS servers used to give a reply even when the DNSBL result was false - thus disabling the standard DNS blacklist use.  Most have been corrected now.  Get back here if you still have problems.
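Added example, not part of any post in this thread: a check for whether the resolver a mail server uses can be trusted for DNSBL lookups, along the lines of the reply above. It uses the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not be) and assumes Spamhaus's documented 127.255.255.0/24 error replies; the function names and the injectable `lookup` parameter are hypothetical.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")          # valid DNSBL answers
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")  # assumed: Spamhaus error replies

def dnsbl_query_name(ip, zone):
    """IPv4 octets reversed, then the zone: 95.37.50.107 -> 107.50.37.95.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """answers: A records for a DNSBL query; an empty list means NXDOMAIN."""
    if not answers:
        return "not-listed"
    codes = [ipaddress.IPv4Address(a) for a in answers]
    if any(c not in LOOPBACK for c in codes):
        return "rewritten"   # resolver substituted an address of its own
    if any(c in ERROR_CODES for c in codes):
        return "error"       # DNSBL refused the query, e.g. via a public resolver
    return "listed"

def system_lookup(name):
    """Resolve via the OS resolver; any resolution failure counts as NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_resolver(zone, lookup=system_lookup):
    """Self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    positive = classify(lookup(dnsbl_query_name("127.0.0.2", zone)))
    negative = classify(lookup(dnsbl_query_name("127.0.0.1", zone)))
    if "error" in (positive, negative):
        return "unusable: DNSBL returned an error code"
    if negative != "not-listed":
        return "unusable: answer returned for an unlisted address"
    if positive != "listed":
        return "unusable: test entry not returned"
    return "ok"
```

Calling `check_resolver("zen.spamhaus.org")` on the mail server itself exercises the resolver that server is configured with.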


Hello everyone. 

I'm testing a Mercury/32 server, and I have received spam on it from some time now.

I have strict relay policies, and also spamcop block list, and graywall, but it has come to my attention some emails received this way:

 T 20130522 103901 519b8cd8 HELO 111.254.39.40

T 20130522 103902 519b8cd8 MAIL FROM:<>

E 20130522 103902 519b8cd8 Host 111.254.39.40 blocked by Spamcop - message redirected.

T 20130522 103903 519b8cd8 RCPT TO:<user@my.domain>

T 20130522 103903 519b8cd8 DATA

T 20130522 103904 519b8cd8 DATA - 10 lines, 353 bytes.

T 20130522 103904 519b8cd8 QUIT

Of course, I changed the recipient address to user@my.domain in order to post it here. But, as you can see, the MAIL FROM: <> is strange.

The question is: Is there a way that I can avoid the sender to skip entering a from address?

Thanks in advance for any help you can provide on this.

 

Heishiro. 


[quote user="Heishiro Mitsurugi"]

Hello everyone. 

I'm testing a Mercury/32 server, and I have received spam on it from some time now.

I have strict relay policies, and also spamcop block list, and graywall, but it has come to my attention some emails received this way:

 T 20130522 103901 519b8cd8 HELO 111.254.39.40

T 20130522 103902 519b8cd8 MAIL FROM:<>

E 20130522 103902 519b8cd8 Host 111.254.39.40 blocked by Spamcop - message redirected.

T 20130522 103903 519b8cd8 RCPT TO:<user@my.domain>

T 20130522 103903 519b8cd8 DATA

T 20130522 103904 519b8cd8 DATA - 10 lines, 353 bytes.

T 20130522 103904 519b8cd8 QUIT

Of course, I changed the recipient address to user@my.domain in order to post it here. But, as you can see, the MAIL FROM: <> is strange.

The question is: Is there a way that I can avoid the sender to skip entering a from address?[/quote]

"MAIL FROM: <>" is a legal form of sender address which is normally used to send Delivery notifications and other postmaster messages which do not get a reply.  Of course spammers take advantage and send some of their messages in this form too, but it does not follow that all messages with this from address are spam.

This message is being caught by Spamcop - isn't that sufficient?

 


Hello PaulW

Thanks for your response. The log part I posted before was from one email that spamcop.net detected, but for example:

 T 20130523 053157 519cdde0 Connection from 95.37.50.107

T 20130523 053157 519cdde0 HELO 95.37.50.107

T 20130523 053157 519cdde0 MAIL FROM:<>

T 20130523 053158 519cdde0 RCPT TO:<anotheruser.mydomain>

T 20130523 053158 519cdde0 DATA

T 20130523 053159 519cdde0 DATA - 9 lines, 360 bytes.

T 20130523 053159 519cdde0 QUIT

T 20130523 053159 519cdde0 Connection closed with 95.37.50.107, 2 sec. elapsed. 

Just counting emails received this morning, I have 79 emails following the same pattern. Spamcop catches some of them, but not all of them.

So what I was wondering is that if there's a way for me to block that behaviour using filters or something.

Thanks in advance.

  


[quote user="Heishiro Mitsurugi"]

Hello PaulW

Thanks for your response. The log part I posted before was from one email that spamcop.net detected, but for example:

 T 20130523 053157 519cdde0 Connection from 95.37.50.107

T 20130523 053157 519cdde0 HELO 95.37.50.107

T 20130523 053157 519cdde0 MAIL FROM:<>

T 20130523 053158 519cdde0 RCPT TO:<anotheruser.mydomain>

T 20130523 053158 519cdde0 DATA

T 20130523 053159 519cdde0 DATA - 9 lines, 360 bytes.

T 20130523 053159 519cdde0 QUIT

T 20130523 053159 519cdde0 Connection closed with 95.37.50.107, 2 sec. elapsed. 

Just counting emails received this morning, I have 79 emails following the same pattern. Spamcop catches some of them, but not all of them.

So what I was wondering is that if there's a way for me to block that behaviour using filters or something.

Thanks in advance.[/quote]

I would add zen.spamhaus.org in your spam control alongside Spamcop.

(I also filter on that type of HELO - I've never seen a legitimate message from a server that puts an IP address in the HELO/EHLO.)
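Added example, not part of any post in this thread: a triage script for session logs in the shape posted above. It groups lines by session id and reports sessions that gave an IP address in HELO/EHLO without any blocklist hit, while leaving null-sender (`MAIL FROM:<>`) mail from properly named hosts alone. The function names are hypothetical, the log layout is assumed from the lines quoted in the thread, and session `519d0001` is constructed.

```python
import ipaddress
import re

# Line shape as posted in this thread: kind, date, time, session id, text.
LINE = re.compile(r"^\s*([TE]) \d{8} \d{6} ([0-9a-f]{8}) (.*)$")

def helo_is_ip(arg):
    """True for a bare IP or a bracketed IPv4 literal in HELO/EHLO."""
    try:
        ipaddress.ip_address(arg.strip("[]"))
        return True
    except ValueError:
        return False

def summarize(log_text):
    """Group log lines by session id and keep the fields used for triage."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        kind, sid, text = m.groups()
        s = sessions.setdefault(sid, {"helo": None, "null_sender": False, "blocked": False})
        helo = re.match(r"(?:HELO|EHLO) (\S+)", text)
        if helo:
            s["helo"] = helo.group(1)
        elif text.startswith("MAIL FROM:"):
            s["null_sender"] = text[10:].strip() == "<>"
        elif kind == "E" and "blocked by" in text:
            s["blocked"] = True
    return sessions

def missed_ip_helo(sessions):
    """Sessions that gave an IP in HELO and were not caught by a blocklist."""
    return [sid for sid, s in sessions.items()
            if s["helo"] and helo_is_ip(s["helo"]) and not s["blocked"]]

# First two sessions are from the thread; 519d0001 is constructed: a bounce
# (null sender) from a host with a proper HELO name, which must not be flagged.
SAMPLE = """\
T 20130522 103901 519b8cd8 HELO 111.254.39.40
T 20130522 103902 519b8cd8 MAIL FROM:<>
E 20130522 103902 519b8cd8 Host 111.254.39.40 blocked by Spamcop - message redirected.
T 20130523 053157 519cdde0 HELO 95.37.50.107
T 20130523 053157 519cdde0 MAIL FROM:<>
T 20130524 090000 519d0001 HELO mail.example.net
T 20130524 090001 519d0001 MAIL FROM:<>
"""
```

`missed_ip_helo(summarize(SAMPLE))` returns only the second session, the one Spamcop did not catch.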

 


I had zen.spamhaus.org, but for some reason it stopped working from some time ago. I have it programmed but disabled. 

I was reading on reasons why it won't work and one of them was something about using public DNS like 8.8.8.8. No clue on what has to do with it, but cause it was not working I disabled it. I just enabled it again to see if it does something or not.

On blocking the HELO, I'm going to try it out to see if I can make the filter.

Thanks a lot for your answer PaulW 
