Phishing Emails

dthompson

I am trying to figure out why some emails are not getting stopped by the spam filter and am looking for some help and guidance from the community.

We have a domain, unitecreative.ca, that has been complaining about phishing scams getting through roughly once or twice a day.

The email looks something like this, with a .doc file attachment, but changes over time (language, content):
==========================================================================
From:
David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>
Date: November 15, 2018 at 10:35:02 PM EST
To: user1@unitecreative.ca
Subject: Your David Niemela Statement

Good Afternoon,

I have sent email to you confirming last invoice.

Best Regards,
-
David Niemela
user@unitecreative.ca
==========================================================================

That being said, they are getting emails from “themselves”, or at least that is what the From address says.

So for instance, David Niemela, who is an employee of unitecreative.ca, is the “from” on emails, even though the actual sender is "moiz@supremeuniversal.in", for example.

The PMG doesn’t think this is a problem and sends the message through with the attachment to the end user, which is someone else at unitecreative.ca.

mx1 pmg-smtp-filter[23992]: 2D0235BEE3AF1A3F2E: SA score=0/5 time=1.403 bayes=4.9960036108132e-16 autolearn=no autolearn_force=no hits=BAYES_00,DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_NONE,SPF_PASS

My question is: how do I configure the server to reject these types of emails, since they are frustrating to the person receiving them?

Currently my Block Spam is at a level of 5. Should I turn this down more, to 4 or 3? I don’t want to block legitimate email at the same time, though, so before I modify that section I’m looking for pointers from anyone who has seen this type of spam getting through.

Thanks for any help you can provide!
 
Please check the email header (via your email client); you should see the detailed score of each test. This helps for analysis.
 
Thanks for the quick reply.

Here is one of the headers from one of the phishing emails.
What exactly am I looking for here in order to increase blocking of these types of emails?


Return-Path: <moiz@supremeuniversal.in>
X-Spam-Status: No, hits=0.0 required=8.5
tests=TOTAL_SCORE: 0.000
X-Spam-Level:
Received: from mx1.digidns.ca ([192.168.11.5])
by hc1.digidns.ca (Kerio Connect 9.2.7 patch 3) with ESMTPS
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for user1@unitecreative.ca;
Thu, 15 Nov 2018 22:35:15 -0500
Received: from mx1.digidns.ca (localhost.localdomain [127.0.0.1])
by mx1.digidns.ca (Proxmox) with ESMTP id 6916F2D024
for <user1@unitecreative.ca>; Thu, 15 Nov 2018 22:35:15 -0500 (EST)
Received-SPF: pass (supremeuniversal.in: 103.24.200.152 is authorized to use 'moiz@supremeuniversal.in' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mx1.digidns.ca; identity=mailfrom; envelope-from="moiz@supremeuniversal.in";
helo=saturnnew.worldindia.in; client-ip=103.24.200.152
Received: from saturnnew.worldindia.in (saturn.worldindia.com [103.24.200.152])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mx1.digidns.ca (Proxmox) with ESMTPS id 7B4162D021
for <user1@unitecreative.ca>; Thu, 15 Nov 2018 22:35:12 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=supremeuniversal.in; s=default; h=Content-Type:MIME-Version:Subject:
Message-ID:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=DAPgCfudbeMB6GJ5CGZZmelDgBK1m2XztObRzKUCzuE=; b=P3rkvzAQQHqRjxzSYep1C+Poj
O1T66aaoHhtJpG9JdPQ7ayAPVY4JtmgCJkzQ1k6p/kUuJY18BkAt7BEOTtrMqnyrnY6IU3umXljaL
1BCmNnZO6aR5cMzpNHnRUqzu41ZpkS2VL+J2Uzzp9Kugz6Bbb6l4ALQBN0XMfzYXJ+f9AGSfqT+lD
/KYN5zNLoKE5HwBHfKjlsW/5z6WLZ04DCT+XvSsRZUgTMAUeR65W55G+oMlAH8SbK4fDgEg2p1oky
oWofRZCCzhKHO9QbCeBqdB38CL+xeETxGJHN9PAa6/1RZRakzO4Z+nhlMOkaKB9wkYS4aajQedTeQ
BaEXQrQfw==;
Received: from [187.131.233.87] (port=14982 helo=10.14.14.3)
by saturnnew.worldindia.in with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <moiz@supremeuniversal.in>)
id 1gNUuH-00017n-9J
for user1@unitecreative.ca; Fri, 16 Nov 2018 09:04:59 +0530
Date: Thu, 15 Nov 2018 20:35:02 -0700
From: David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>
To: user1@unitecreative.ca
Message-ID: <38916456115078217946.0013B0B3ECBDAD52@unitecreative.ca>
Subject: Your David Niemela Statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_53170_1211169914.23711279722654273795"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - saturnnew.worldindia.in
X-AntiAbuse: Original Domain - unitecreative.ca
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - supremeuniversal.in
X-Get-Message-Sender-Via: saturnnew.worldindia.in: authenticated_id: moiz@supremeuniversal.in
X-Authenticated-Sender: saturnnew.worldindia.in: moiz@supremeuniversal.in
X-SPAM-LEVEL: Spam detection results: 0
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
HEADER_FROM_DIFFERENT_DOMAINS 0.001 From and EnvelopeFrom 2nd level mail domains are different
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at http://www.dnswl.org/, no trust
SPF_PASS -0.001 SPF: sender matches SPF record


Thank you very much!!
 
Try using these DNSBL sites in your config; it helps a lot.

Code:
zen.spamhaus.org bl.spamcop.net psbl.surriel.com spamrbl.imp.ch noptr.spamrats.com escalations.dnsbl.sorbs.net bl.score.senderscore.com bl.spameatingmonkey.net rbl.realtimeblacklist.com dnsbl.dronebl.org ix.dnsbl.manitu.net b.barracudacentral.org truncate.gbudb.net bl.blocklist.de dnswl.spfbl.net dnswl.org
 

Thank you very much. I will give those a shot!
 
Ehm, there are whitelists in this list as well. You may use weights to weight blacklists by how well they work for you and subtract whitelists; otherwise you block on whitelists as well.

Can you explain to me how I do this? Also how do I tell which are whitelists and which are not?

Sorry for my lack of intelligence here.
 
You need to add *x after each entry, where *2 e.g. means to add 2 for a match on this list, *1 means to add 1 for a match on this list, and *-x, e.g. *-1, means to subtract 1 for a match on this list, or *-2 to subtract 2 for a match on this list. So for whitelists you use -x and for blacklists you use x. You then also set the threshold level in the GUI, i.e. at which score to reject a message. If you set it to e.g. 2, it just needs one *2 list or two *1 lists and no subtraction at all. You can look at my advanced thread for more information on how to optimize PMG. I also wouldn’t recommend whitelists, as they are not as good as expected.
 
Example:
zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,db.wpbl.info,truncate.gbudb.net,bl.blocklist.de,xxx,xxx24
 
Oh snap, I did not know about the *2. I also did not know that the whitelist would be considered as a blacklist?
 
Yes, the entry is dns(r)bl, so it‘s about blacklists/blocklists based on DNS checks. So if you also put whitelists in this entry, any hit on these will be considered a reason to block, as Postfix doesn’t know that it’s a whitelist and also won’t check the FQDN of the list. For combined lists you may be able to use f.q.d.n=IP to choose the IP entries that are for black- or blocklisting, to only reject on those. So the „trick“ with whitelists (and I don‘t know any other way to use them) is the weighted ranking with postscreen (there should also be some recent milter addons which allow weights) and a threshold, so you can use the whitelists with a minus/negative multiplier to subtract scores again and then check the whole score against the threshold.

However, recently there were great statistics at inps.de and you may still find some in the Wayback Machine, but this site is gone (because of GDPR, as stated by the owner). But you can also check your spam mails coming through: some are on a whitelist, valid mail often isn’t, so the idea, because of IPv6, to deprecate blacklists and replace them with whitelists failed, similar to SPF and DKIM, because of worse adoption on legit infrastructures, meanwhile brighter adoption on the spammers' side as some admins rely on this information. That’s the reason why I don’t use whitelists to weight out my hand-chosen blacklists.

I weight them based on a multi-week check on false positives, as you can see in my blacklist optimization thread, by adding them with a log entry on each hit and then checking the logs weekly for a reasonable timeframe, if they haven’t already fallen through by having too many false positives after days. Score 2 has no false positives for weeks, score 1 some rare ones, all others are out, also the ones which don’t show any hits at all. I check once with my private mail test installation as well as with my commercial test installation.
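The weighted `list*weight` scoring described in the last two replies, as an added example that is not the posters', Postfix's or PMG's code: it parses a site list in the form the thread uses, sums the weights of the lists that answered for a client, and compares the sum with the threshold. The list names are a subset of the one posted above, the "listed on" sets are constructed, and the rule that an entry without `*n` weighs 1 and that the client is rejected once the sum reaches the threshold follows postscreen's documented behaviour.

```python
"""Weighted DNSBL scoring in the 'list*weight' form (postscreen syntax).

Added example, not from the thread, Postfix or PMG. DNS lookups are
simulated: the caller passes the names of the lists that returned a
record for the client IP. It shows why a whitelist entered without a
negative weight counts *against* the sender.
"""
from dataclasses import dataclass, field


@dataclass
class Verdict:
    score: int
    hits: dict = field(default_factory=dict)   # list name -> weight applied
    reject: bool = False


def parse_sites(spec: str) -> dict:
    """'a*2,b,c*-1' -> {'a': 2, 'b': 1, 'c': -1}; commas, spaces or newlines separate entries."""
    sites = {}
    for item in spec.replace("\n", ",").replace(" ", ",").split(","):
        if not item:
            continue
        name, _, weight = item.partition("*")
        sites[name.lower()] = int(weight) if weight else 1   # no '*n' => weight 1
    return sites


def score_client(spec: str, listed_on: set, threshold: int) -> Verdict:
    """Sum the weights of the lists in `listed_on` (constructed lookup result) and compare."""
    sites = parse_sites(spec)
    listed = {x.lower() for x in listed_on}
    hits = {name: w for name, w in sites.items() if name in listed}
    total = sum(hits.values())
    return Verdict(score=total, hits=hits, reject=total >= threshold)   # inclusive lower bound


# Subset of the list posted above, as typed: dnswl.org is a whitelist but has
# no weight, so a hit on it scores +1 exactly like a blacklist hit.
UNWEIGHTED = "zen.spamhaus.org*2,bl.spamcop.net*2,ix.dnsbl.manitu.net,dnswl.org"
# Same list with the whitelist given a negative multiplier, as the reply advises.
WEIGHTED = "zen.spamhaus.org*2,bl.spamcop.net*2,ix.dnsbl.manitu.net,dnswl.org*-1"

if __name__ == "__main__":
    for spec in (UNWEIGHTED, WEIGHTED):
        v = score_client(spec, {"dnswl.org"}, threshold=1)
        print(f"client listed only on dnswl.org -> score {v.score}, reject={v.reject}")
```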
 
I am facing the same problem with PHISHING: users send messages as legitimate users by entering an email "alias" as a valid email name in my domain, and Proxmox is accepting them, not scanning for viruses.
Does anyone have any idea how to force Proxmox to recognize these emails as external and virus scan them?


From: "Other <Other@XXXXXX.com.br>" <gransegreteria@cavalieridellarcadellalleanza.it>
To: "Another" <Another@XXXXXX.com.br>
Subject: REF. ATUALIZAR/ SOLICITAR DADOS - RAFAEL Fernandes Araujo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_52991_700906407.3400350869681498544"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aruba.it; s=a1;
t=1572533332; bh=GLQazT+SBnxpaCQIeQD5YlZLATMi0bEiiCyI2sqT/Nw=;
h=Date:From:To:Subject:MIME-Version:Content-Type;
b=EIbqiji2vI9hXsiu60RKIPEJFa8xnmOkOFxpqTtHhnRaukJmt3SlR7A6tcIMy71SD
78WPFhQIGib9IQLCLbGsWKNpZcz5Hb3M2LWKsCi9RAJvn8/q/n/EEph5UYypOEC3DQ
TMSpKvdzNed9Wwh8fw5skGYUZHKtRI98bVE6O4H1wMcun3jv/4AfxqFwbKnBfUsqpN
eimHi0KC7ZylPrX53c7uG+q4EBOPbsoNJ+i1H586YPxTd0cWTTW+nXUlquVepM9N0i
h0fkxygU12lkxTR3KWJTt+apgZKHR6ASF9rNl8zQ1+GR/pqT1F43koChw7ccP8Jjb5
NqpdZVUWOgyPQ==
X-SPAM-LEVEL: Spam detection results: 0
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
MISSING_MID 0.497 Missing Message-Id: header
RCVD_IN_BL_SPAMCOP_NET 1.347 Received via a relay in bl.spamcop.net
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust
RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2)
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_NONE 0.001 SPF: sender does not publish an SPF Record
 
Set up a filter rule to filter out the actual domain @cavalieridellarcadellalleanza.it, or use a regex for all domains that end with .it.
You can set it to block or quarantine. It works for me; make sure the filter rule is at top priority.

(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.it(\W|$)
 
Thanks for the reply, sorry for not being clear.
What I meant is: does this filter also block emails that try to mask the sender?
ex: from:client@domain.com <fakeemail@domain.com>

A filter to block any email that tries to mask the email with another email.
Thank you

I have the same problem. I receive a lot of spam email which looks like it comes from our internal email users at first glance.
But actually it is just an alias; the actual email is from @kopran.com.
Set up a block/quarantine filter rule to block the actual domain, which is @kopran.com.

Capture33.JPG
 
If you receive a lot of spam mail from domains like @xxx.best or @xxx.za, use a regex to block/quarantine it too. It works for me so far...

(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.best(\W|$)
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.za(\W|$)
 
Thanks for the reply. So adding the block rule to block @mydomain.com on PMG will block any domains that try to falsify mydomain.com, correct? And would it be possible to block any email that has an alias? Let's say an email is from noreply@paypal.com but it shows <fakemail@domain.com>.
On the side, would it be possible to use a regex to block a double email in the header?

Thank you
 
No. It only blocks/quarantines whatever domain name you put in your filter list.
Example: you receive an email with From: "abc@abc.com" <123@123.com>. You need to block/quarantine @123.com, not @abc.com.
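The "double email in the header" pattern that runs through this whole thread (the OP's `David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>` and the later `"Other <Other@XXXXXX.com.br>" <...>`), as an added detection example that is not part of the thread or of Proxmox Mail Gateway: it pulls every address out of a From: value, treats the last one as the real author address, and flags a display-name address that claims one of your own domains while the real address lives elsewhere. The protected-domain set, `analyse_from`, and `DOUBLE_ADDR_RE` (a single regex matching the two-address shape, usable in a header-match rule) are my assumptions, not PMG settings.

```python
"""Flag display-name spoofing ("double email") in a From: header.

Added example, not part of the thread or of PMG. A real deployment would
run this as a milter or SpamAssassin plugin; here it is a plain function.
"""
import re

# Assumption: the domains we deliver mail for (taken from the thread's example).
PROTECTED = {"unitecreative.ca"}

ADDR_RE = re.compile(r"[\w.+\-]+@(?:[\w\-]+\.)+[A-Za-z]{2,}")
# One From: value holding two addresses, e.g. 'a@x <b@y>' or '"n <a@x>" <b@y>'.
DOUBLE_ADDR_RE = re.compile(r"@[^@]*<[^<>]*@")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def analyse_from(from_value: str, return_path: str = "", protected=PROTECTED) -> dict:
    """Return the real author address and the reasons (if any) the header looks spoofed."""
    addrs = ADDR_RE.findall(from_value)
    if not addrs:
        return {"actual": "", "reasons": ["no address in From"], "suspicious": True}
    actual, decoys = addrs[-1], addrs[:-1]   # last angle-addr is the one the MTA uses
    reasons = []
    if decoys:
        reasons.append("more than one address in From (display-name decoy)")
    for decoy in decoys:
        if domain_of(decoy) in protected and domain_of(actual) not in protected:
            reasons.append(f"display name claims {domain_of(decoy)} but address is {domain_of(actual)}")
    # Envelope sender vs. every address in From (what HEADER_FROM_DIFFERENT_DOMAINS looks at).
    if return_path and domain_of(return_path) not in {domain_of(a) for a in addrs}:
        reasons.append("Return-Path domain matches no address in From")
    return {
        "actual": actual,
        "reasons": reasons,
        "suspicious": bool(reasons),
        "double_addr_regex_hit": bool(DOUBLE_ADDR_RE.search(from_value)),
    }


if __name__ == "__main__":
    # From: and Return-Path: values as they appear in the header posted above.
    print(analyse_from("David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>",
                       "moiz@supremeuniversal.in"))
    # Constructed legitimate header for comparison.
    print(analyse_from("Alice Example <alice@example.org>", "alice@example.org"))
```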
 