Dear Christian,
1 - Which one do you want to forge and why?
I need to change only the header on MUA to MTA. I send you the log for this below, and from where / what I use to send it.
Below is the mail.log when I use Thunderbird from outside the office to send to my account hosted at Google.
May 10 01:51:11 WELLDONE2 postfix/smtpd[2773]: connect from unknown[111.94.40.87]
May 10 01:51:11 WELLDONE2 postfix/smtpd[2773]: setting up TLS connection from unknown[111.94.40.87]
May 10 01:51:11 WELLDONE2 postfix/smtpd[2773]: Anonymous TLS connection established from unknown[111.94.40.87]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 10 01:51:12 WELLDONE2 postfix/smtpd[2773]: 0A9DB1002EF9D: client=unknown[111.94.40.87], sasl_method=PLAIN, sasl_username=admin@welldone-communications.com
May 10 01:51:12 WELLDONE2 postfix/cleanup[2777]: 0A9DB1002EF9D: message-id=<4FAABA36.7080500@welldone-communications.com>
May 10 01:51:12 WELLDONE2 postfix/qmgr[1867]: 0A9DB1002EF9D: from=<admin@welldone-communications.com>, size=731, nrcpt=1 (queue active)
May 10 01:51:12 WELLDONE2 amavis[20059]: (20059-10) ESMTP::10024 /var/lib/amavis/amavis-20120509T191708-20059: <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc> SIZE=731 Received: from mail.welldone-communications.com ([127.0.0.1]) by localhost (WELLDONE2.localdomain [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <bouvy@padepokan-suralaya.co.cc>; Thu, 10 May 2012 01:51:12 +0700 (WIT)
May 10 01:51:12 WELLDONE2 postfix/smtpd[2773]: disconnect from unknown[111.94.40.87]
May 10 01:51:12 WELLDONE2 amavis[20059]: (20059-10) Checking: Ct8nP0AKdurh [111.94.40.87] <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc>
May 10 01:51:12 WELLDONE2 amavis[20059]: (20059-10) Open relay? Nonlocal recips but not originating: bouvy@padepokan-suralaya.co.cc
May 10 01:51:15 WELLDONE2 postfix/smtpd[2782]: connect from localhost[127.0.0.1]
May 10 01:51:15 WELLDONE2 postfix/smtpd[2782]: 6CD7710048BD5: client=localhost[127.0.0.1]
May 10 01:51:15 WELLDONE2 postfix/cleanup[2783]: 6CD7710048BD5: message-id=<4FAABA36.7080500@welldone-communications.com>
May 10 01:51:15 WELLDONE2 postfix/qmgr[1867]: 6CD7710048BD5: from=<admin@welldone-communications.com>, size=1256, nrcpt=1 (queue active)
May 10 01:51:15 WELLDONE2 postfix/smtpd[2782]: disconnect from localhost[127.0.0.1]
May 10 01:51:15 WELLDONE2 amavis[20059]: (20059-10) FWD via SMTP: <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc>,BODY=7BIT 250 2.0.0 Ok, id=20059-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6CD7710048BD5
May 10 01:51:15 WELLDONE2 amavis[20059]: (20059-10) Passed, <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc>, quarantine Ct8nP0AKdurh, Message-ID: <4FAABA36.7080500@welldone-communications.com>,
May 10 01:51:15 WELLDONE2 amavis[20059]: (20059-10) Hits: -0.2
May 10 01:51:15 WELLDONE2 amavis[20059]: (20059-10) Passed CLEAN, <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc>, Hits: -0.2, tag=0, tag2=5, kill=5, queued_as: 6CD7710048BD5, 0/Y/0/0
May 10 01:51:15 WELLDONE2 postfix/smtp[2778]: 0A9DB1002EF9D: to=<bouvy@padepokan-suralaya.co.cc>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.4, delays=0.12/0.01/0/3.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=20059-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6CD7710048BD5)
May 10 01:51:15 WELLDONE2 postfix/qmgr[1867]: 0A9DB1002EF9D: removed
May 10 01:51:16 WELLDONE2 postfix/smtp[2784]: certificate verification failed for smtp.telkom.net[222.124.18.79]:25: untrusted issuer /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
May 10 01:51:23 WELLDONE2 postfix/smtp[2784]: 6CD7710048BD5: to=<bouvy@padepokan-suralaya.co.cc>, relay=smtp.telkom.net[222.124.18.79]:25, delay=8, delays=0.01/0.01/0.81/7.1, dsn=5.7.1, status=bounced (host smtp.telkom.net[222.124.18.79] said: 554 5.7.1 Message refused by DeepHeader check. This email has been rejected. The email message was detected as spam. (in reply to end of DATA command))
May 10 01:51:23 WELLDONE2 postfix/cleanup[2783]: 6169E1002EF9D: message-id=<20120509185123.6169E1002EF9D@mail.welldone-communications.com>
May 10 01:51:23 WELLDONE2 postfix/bounce[2815]: 6CD7710048BD5: sender non-delivery notification: 6169E1002EF9D
May 10 01:51:23 WELLDONE2 postfix/qmgr[1867]: 6169E1002EF9D: from=<>, size=3661, nrcpt=1 (queue active)
May 10 01:51:23 WELLDONE2 postfix/qmgr[1867]: 6CD7710048BD5: removed
May 10 01:51:23 WELLDONE2 dovecot: deliver(admin@welldone-communications.com): msgid=<20120509185123.6169E1002EF9D@mail.welldone-communications.com>: saved mail to INBOX
May 10 01:51:23 WELLDONE2 postfix/pipe[2816]: 6169E1002EF9D: to=<admin@welldone-communications.com>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
May 10 01:51:23 WELLDONE2 postfix/qmgr[1867]: 6169E1002EF9D: removed
And my email is bounced back, with the notice on my MUA below:
From - Thu May 10 01:44:08 2012
X-Account-Key: account6
X-UIDL: 0000be804d16c61c
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <MAILER-DAEMON>
Delivered-To: admin@welldone-communications.com
Received: by mail.welldone-communications.com (Postfix)
id 6169E1002EF9D; Thu, 10 May 2012 01:51:23 +0700 (WIT)
Date: Thu, 10 May 2012 01:51:23 +0700 (WIT)
From: MAILER-DAEMON@mail.welldone-communications.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: admin@welldone-communications.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="6CD7710048BD5.1336589483/mail.welldone-communications.com"
Content-Transfer-Encoding: 7bit
Message-Id: <20120509185123.6169E1002EF9D@mail.welldone-communications.com>
This is a MIME-encapsulated message.
--6CD7710048BD5.1336589483/mail.welldone-communications.com
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii
This is the mail system at host mail.welldone-communications.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<bouvy@padepokan-suralaya.co.cc>: host smtp.telkom.net[222.124.18.79] said: 554
5.7.1 Message refused by DeepHeader check. This email has been rejected.
The email message was detected as spam. (in reply to end of DATA command)
--6CD7710048BD5.1336589483/mail.welldone-communications.com
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; mail.welldone-communications.com
X-Postfix-Queue-ID: 6CD7710048BD5
X-Postfix-Sender: rfc822; admin@welldone-communications.com
Arrival-Date: Thu, 10 May 2012 01:51:15 +0700 (WIT)
Final-Recipient: rfc822; bouvy@padepokan-suralaya.co.cc
Original-Recipient: rfc822; bouvy@padepokan-suralaya.co.cc
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.telkom.net
Diagnostic-Code: smtp; 554 5.7.1 Message refused by DeepHeader check. This
email has been rejected. The email message was detected as spam.
--6CD7710048BD5.1336589483/mail.welldone-communications.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Return-Path: <admin@welldone-communications.com>
Received: from localhost (localhost [127.0.0.1])
by mail.welldone-communications.com (Postfix) with ESMTP id 6CD7710048BD5
for <bouvy@padepokan-suralaya.co.cc>; Thu, 10 May 2012 01:51:15 +0700 (WIT)
X-Virus-Scanned: by amavisd-new-2.6.4 (20090625) (Debian) at localdomain
Received: from mail.welldone-communications.com ([127.0.0.1])
by localhost (WELLDONE2.localdomain [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Ct8nP0AKdurh for <bouvy@padepokan-suralaya.co.cc>;
Thu, 10 May 2012 01:51:12 +0700 (WIT)
Received: from [192.168.77.199] (unknown [111.94.40.87]) by mail.welldone-communications.com (Postfix) with ESMTPSA id 0A9DB1002EF9D
for <bouvy@padepokan-suralaya.co.cc>; Thu, 10 May 2012 01:51:12 +0700 (WIT)
Message-ID: <4FAABA36.7080500@welldone-communications.com>
Date: Thu, 10 May 2012 01:40:54 +0700
From: Admin WDC <admin@welldone-communications.com>
Reply-To: admin@welldone-communications.com
Organization: Welldone Communications
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: 'Bouvy Teguh Artono' <bouvy@padepokan-suralaya.co.cc>
Subject: test
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
test
--6CD7710048BD5.1336589483/mail.welldone-communications.com--
Below is the mail.log when I use webmail from outside the office to send to my account hosted at Google.
May 10 01:58:13 WELLDONE2 dovecot: imap-login: Login: user=<admin@welldone-communications.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 10 01:58:13 WELLDONE2 postfix/smtpd[3059]: connect from localhost[127.0.0.1]
May 10 01:58:13 WELLDONE2 postfix/smtpd[3059]: 88D921002EF9D: client=localhost[127.0.0.1]
May 10 01:58:13 WELLDONE2 postfix/cleanup[3062]: 88D921002EF9D: message-id=<e5a5b4119c95ec5f78ffc0839928536d@127.0.0.1>
May 10 01:58:13 WELLDONE2 postfix/qmgr[1867]: 88D921002EF9D: from=<admin@welldone-communications.com>, size=641, nrcpt=1 (queue active)
May 10 01:58:13 WELLDONE2 dovecot: IMAP(admin@welldone-communications.com): Disconnected: Logged out bytes=470/566
May 10 01:58:13 WELLDONE2 postfix/smtpd[3059]: disconnect from localhost[127.0.0.1]
May 10 01:58:13 WELLDONE2 amavis[23095]: (23095-08) ESMTP::10024 /var/lib/amavis/amavis-20120509T210042-23095: <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc> SIZE=641 BODY=8BITMIME Received: from mail.welldone-communications.com ([127.0.0.1]) by localhost (WELLDONE2.localdomain [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <bouvy@padepokan-suralaya.co.cc>; Thu, 10 May 2012 01:58:13 +0700 (WIT)
May 10 01:58:13 WELLDONE2 amavis[23095]: (23095-08) Checking: ttopoRPDXh6r [127.0.0.1] <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc>
May 10 01:58:13 WELLDONE2 amavis[23095]: (23095-08) Open relay? Nonlocal recips but not originating: bouvy@padepokan-suralaya.co.cc
May 10 01:58:13 WELLDONE2 dovecot: imap-login: Login: user=<admin@welldone-communications.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 10 01:58:13 WELLDONE2 dovecot: IMAP(admin@welldone-communications.com): Disconnected: Logged out bytes=499/30523
May 10 01:58:14 WELLDONE2 dovecot: imap-login: Login: user=<admin@welldone-communications.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 10 01:58:14 WELLDONE2 dovecot: IMAP(admin@welldone-communications.com): Disconnected: Logged out bytes=392/3721
May 10 01:58:16 WELLDONE2 postfix/smtpd[3074]: connect from localhost[127.0.0.1]
May 10 01:58:16 WELLDONE2 postfix/smtpd[3074]: D244010048BCB: client=localhost[127.0.0.1]
May 10 01:58:16 WELLDONE2 postfix/cleanup[3062]: D244010048BCB: message-id=<e5a5b4119c95ec5f78ffc0839928536d@127.0.0.1>
May 10 01:58:16 WELLDONE2 postfix/qmgr[1867]: D244010048BCB: from=<admin@welldone-communications.com>, size=1166, nrcpt=1 (queue active)
May 10 01:58:16 WELLDONE2 amavis[23095]: (23095-08) FWD via SMTP: <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc>,BODY=7BIT 250 2.0.0 Ok, id=23095-08, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as D244010048BCB
May 10 01:58:16 WELLDONE2 postfix/smtpd[3074]: disconnect from localhost[127.0.0.1]
May 10 01:58:16 WELLDONE2 amavis[23095]: (23095-08) Passed, <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc>, quarantine ttopoRPDXh6r, Message-ID: <e5a5b4119c95ec5f78ffc0839928536d@127.0.0.1>,
May 10 01:58:16 WELLDONE2 amavis[23095]: (23095-08) Hits: -0.2
May 10 01:58:16 WELLDONE2 amavis[23095]: (23095-08) Passed CLEAN, <admin@welldone-communications.com> -> <bouvy@padepokan-suralaya.co.cc>, Hits: -0.2, tag=0, tag2=5, kill=5, queued_as: D244010048BCB, 0/Y/0/0
May 10 01:58:16 WELLDONE2 postfix/smtp[3063]: 88D921002EF9D: to=<bouvy@padepokan-suralaya.co.cc>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.3, delays=0.01/0.01/0/3.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=23095-08, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as D244010048BCB)
May 10 01:58:16 WELLDONE2 postfix/qmgr[1867]: 88D921002EF9D: removed
May 10 01:58:17 WELLDONE2 postfix/smtp[3075]: certificate verification failed for smtp.telkom.net[222.124.18.79]:25: untrusted issuer /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
May 10 01:58:23 WELLDONE2 postfix/smtp[3075]: D244010048BCB: to=<bouvy@padepokan-suralaya.co.cc>, relay=smtp.telkom.net[222.124.18.79]:25, delay=6.4, delays=0/0.01/0.39/6, dsn=2.0.0, status=sent (250 2.0.0 q49IwH65025141-q49IwH67025141 Message accepted for delivery)
May 10 01:58:23 WELLDONE2 postfix/qmgr[1867]: D244010048BCB: removed
My email got through, and I see the received source as below:
Delivered-To: bouvy@padepokan-suralaya.co.cc
Received: by 10.229.131.100 with SMTP id w36csp18207qcs;
Wed, 9 May 2012 11:58:29 -0700 (PDT)
Received: by 10.68.217.37 with SMTP id ov5mr12210106pbc.25.1336589908652;
Wed, 09 May 2012 11:58:28 -0700 (PDT)
Return-Path: <admin@welldone-communications.com>
Received: from smtp-out0248-sv2.telkom.net (smtp-out0248-sv2.telkom.net. [125.160.10.248])
by mx.google.com with ESMTPS id ql3si147373pbc.183.2012.05.09.11.58.28
(version=TLSv1/SSLv3 cipher=OTHER);
Wed, 09 May 2012 11:58:28 -0700 (PDT)
Received-SPF: neutral (google.com: 125.160.10.248 is neither permitted nor denied by domain of admin@welldone-communications.com) client-ip=125.160.10.248;
Authentication-Results: mx.google.com; spf=neutral (google.com: 125.160.10.248 is neither permitted nor denied by domain of admin@welldone-communications.com) smtp.mail=admin@welldone-communications.com
Received: from [222.124.18.76] (helo=fm1.smtp.telkom.net)
by smtp-out0248-sv2.telkom.net with esmtps (TLSv1:AES256-SHA:256)
id 1SSC5i-0008VP-3C
for bouvy@padepokan-suralaya.co.cc; Thu, 10 May 2012 01:58:26 +0700
Received: from mail.welldone-communications.com (99.static.118-96-95.astinet.telkom.net.id [118.96.95.99] (may be forged))
by fm1.smtp.telkom.net with ESMTP id q49IwH65025141-q49IwH67025141
(version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=CAFAIL)
for <bouvy@padepokan-suralaya.co.cc>; Thu, 10 May 2012 01:58:23 +0700
Received: from localhost (localhost [127.0.0.1])
by mail.welldone-communications.com (Postfix) with ESMTP id D244010048BCB
for <bouvy@padepokan-suralaya.co.cc>; Thu, 10 May 2012 01:58:16 +0700 (WIT)
X-Virus-Scanned: by amavisd-new-2.6.4 (20090625) (Debian) at localdomain
Received: from mail.welldone-communications.com ([127.0.0.1])
by localhost (WELLDONE2.localdomain [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ttopoRPDXh6r for <bouvy@padepokan-suralaya.co.cc>;
Thu, 10 May 2012 01:58:13 +0700 (WIT)
Received: from mail.welldone-communications.com (localhost [127.0.0.1]) by mail.welldone-communications.com (Postfix) with ESMTP id 88D921002EF9D
for <bouvy@padepokan-suralaya.co.cc>; Thu, 10 May 2012 01:58:13 +0700 (WIT)
MIME-Version: 1.0
Date: Thu, 10 May 2012 01:58:13 +0700
From: <admin@welldone-communications.com>
To: <bouvy@padepokan-suralaya.co.cc>
Subject: test webmail to google
Message-ID: <e5a5b4119c95ec5f78ffc0839928536d@127.0.0.1>
X-Sender: admin@welldone-communications.com
User-Agent: RoundCube Webmail/0.3.1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
charset=UTF-8
test webmail to google
So I figure perhaps I could forge the header of the outside-office MUA, like
Received: from [192.168.77.199] (unknown [111.94.40.87]
into something like webmail
Received: from mail.welldone-communications.com (localhost [127.0.0.1])
2 - SMTP error code is missing. Is it always "spam detected"?
Yes, all email from the outside-office MUA going to an outside account always gives this error, for example:
Final-Recipient: rfc822; bouvy@padepokan-suralaya.co.cc
Original-Recipient: rfc822; bouvy@padepokan-suralaya.co.cc
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.telkom.net
Diagnostic-Code: smtp; 554 5.7.1 Message refused by DeepHeader check. This
email has been rejected. The email message was detected as spam.
I am on outside-office duty for several days now, but I will try to send the log using the inside-office MUA.
The only spamlisters are Spamrats and one Singaporean spamlister. Spamrats is asking for only one record in PTR; the Singaporean spamlister doesn't have any info on how to remove that.
The PTR still has two records and I am still asking the ISP to change that.
Thanks and regards
Bouvy
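
Added example (not part of the original message): the logs above show each message receiving a second Postfix queue ID when amavis re-injects it on port 10025, so the submitting client and the remote server's final verdict are logged under different IDs. The Python code below links the two and reports the client together with the final relay, DSN and status; `parse` and `trace` are hypothetical helper names, and the sample lines are taken from the Thunderbird log above with wrapped addresses rejoined.

```python
import re

# Lines taken from the Thunderbird log above (wrapped addresses rejoined).
SAMPLE_LOG = """\
May 10 01:51:12 WELLDONE2 postfix/smtpd[2773]: 0A9DB1002EF9D: client=unknown[111.94.40.87], sasl_method=PLAIN, sasl_username=admin@welldone-communications.com
May 10 01:51:15 WELLDONE2 postfix/smtpd[2782]: 6CD7710048BD5: client=localhost[127.0.0.1]
May 10 01:51:15 WELLDONE2 postfix/smtp[2778]: 0A9DB1002EF9D: to=<bouvy@padepokan-suralaya.co.cc>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.4, delays=0.12/0.01/0/3.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=20059-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6CD7710048BD5)
May 10 01:51:23 WELLDONE2 postfix/smtp[2784]: 6CD7710048BD5: to=<bouvy@padepokan-suralaya.co.cc>, relay=smtp.telkom.net[222.124.18.79]:25, delay=8, delays=0.01/0.01/0.81/7.1, dsn=5.7.1, status=bounced (host smtp.telkom.net[222.124.18.79] said: 554 5.7.1 Message refused by DeepHeader check. This email has been rejected. The email message was detected as spam. (in reply to end of DATA command))
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]{6,}): (.*)$")
CLIENT = re.compile(r"client=(\S+?\[[^\]]+\])")
DELIVERY = re.compile(r"relay=([^,]+),.*?dsn=([\d.]+), status=(\w+) \((.*)\)$")
REQUEUED = re.compile(r"queued as ([0-9A-F]{6,})")

def parse(log_text):
    """Collect, per queue ID, the submitting client and the delivery result."""
    queue = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        entry = queue.setdefault(qid, {"client": None, "next": None})
        if c := CLIENT.match(rest):
            entry["client"] = c.group(1)
        elif d := DELIVERY.search(rest):
            relay, dsn, status, reply = d.groups()
            entry.update(relay=relay, dsn=dsn, status=status, reply=reply)
            # The local content filter hands the mail back under a new queue ID.
            if relay.startswith("127.0.0.1") and (n := REQUEUED.search(reply)):
                entry["next"] = n.group(1)
    return queue

def trace(queue, qid):
    """Follow re-injections from the submission queue ID to the final hop."""
    chain = [qid]
    while (nxt := queue[chain[-1]]["next"]) in queue and nxt not in chain:
        chain.append(nxt)
    last = queue[chain[-1]]
    return {"client": queue[qid]["client"], "chain": chain,
            "relay": last.get("relay"), "dsn": last.get("dsn"),
            "status": last.get("status")}

if __name__ == "__main__":
    print(trace(parse(SAMPLE_LOG), "0A9DB1002EF9D"))
```

Run against the full mail.log, the same trace for the webmail message (starting at 88D921002EF9D) ends at the same relay with a 2.0.0 DSN, which puts the two submissions side by side for comparison.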