Spam getting through

dthompson (Well-Known Member since Nov 23, 2011, Canada, www.digitaltransitions.ca)
Hi all,

I'm starting to have an issue where it appears that people sending spam are using the PMG servers to send.

For instance, one person this morning got an email that was sent from the PMG directly:

From: Faucher@mx1.digidns.ca,

the PMG is mx.digidns.ca and mx1.digidns.ca

Question is, what do I need to do in order to stop that from happening?

Thanks
 
Someone (a spammer) just fakes the From field - you cannot prevent that. Well, unless you set up an SPF record for your domain ...
 
Someone (a spammer) just fakes the From field - you cannot prevent that. Well, unless you set up an SPF record for your domain ...

Thanks for that but I do indeed have an SPF record setup for my domain (digidns.ca).
"v=spf1 mx -all"

So what else exactly am I missing here with regards to this type of spam getting through the filter? Do I also need to set up a subdomain (mx.digidns.ca and mx1.digidns.ca) to stop that spam from coming through? I wouldn't think I do.
Thanks for your help!
 
So what else exactly am I missing here with regards to this type of spam getting through the filter?

The thing is, the fact that you have an SPF record doesn't mean that the mails can't be faked from your address. How do the headers look on the spoofed emails regarding SPF?
 
An SPF record does not prevent spam; it only ensures that the receiving mail server may(!) be able to detect that the mail has not been sent from you. The big issue is that there exist many techniques out there which should help fight spam but work completely differently. So SPF, DKIM and whitelists (like dnswl) should help to prevent spam, but most of those who really configure or use them (correctly) are spammers, who know that some systems may look for SPF records, (valid) DKIM signatures or whitelist entries to assume "clean" mail, while "valid" users often don't set SPF or forgot what they set, don't use DKIM and don't list their systems in whitelists. That's what I have seen from spam headers so far and found in years of fighting spam with my own systems like ESVA, EFA, other MailScanner derivatives and now PMG.

E.g. SPF is not usable for more and more companies using services like Hosted Exchange, Google Suite, Mailchimp, Amazon SES etc., as they have no control over the "IP park" they use and would always need to adjust their SPF records; also some of these won't support DKIM, and they, and also the users or providers, won't list their servers at e.g. dnswl. For myself, e.g., I was just able to list my systems at dnswl, but my private systems also often change provider and I always need to update.
 
The thing is, the fact that you have an SPF record doesn't mean that the mails can't be faked from your address. How do the headers look on the spoofed emails regarding SPF?

The legit domain here is: user@realdomain.ca
The spam email came in from: despacho@eccochemical.com

One of the headers looks like this:

Return-Path: <despacho@eccochemical.com>
X-Spam-Status: No, hits=0.0 required=8.5
tests=TOTAL_SCORE: 0.000
X-Spam-Level:

Received: from mx.digidns.ca ([192.168.11.4])
by hc1.digidns.ca (Kerio Connect 9.2.7 patch 3) with ESMTPS
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for rick@realdomain.ca;
Mon, 10 Dec 2018 09:51:45 -0500

Received: from mx.digidns.ca (localhost.localdomain [127.0.0.1])
by mx.digidns.ca (Proxmox) with ESMTP id 912EF1616E8
for <rick@realdomain.ca>; Mon, 10 Dec 2018 09:51:45 -0500 (EST)

Received-SPF: pass (eccochemical.com: 209.140.25.90 is authorized to use 'despacho@eccochemical.com' in 'mfrom' identity (mechanism 'ip4:209.140.25.90' matched)) receiver=mx.digidns.ca; identity=mailfrom; envelope-from="despacho@eccochemical.com"; helo=server9.1ahost.com; client-ip=209.140.25.90

Received: from server9.1ahost.com (server9.1ahost.com [209.140.25.90])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mx.digidns.ca (Proxmox) with ESMTPS id ABAC7161539
for <rick@realdomain.ca>; Mon, 10 Dec 2018 09:51:44 -0500 (EST)

Received: from 185.189-204-140.bestel.com.mx ([189.204.140.185]:62497 helo=10.14.43.24)
by server9.1ahost.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.87)
(envelope-from <despacho@eccochemical.com>)
id 1gWMuA-0006mq-B6
for rick@realdomain.ca.ca; Mon, 10 Dec 2018 10:51:32 -0400

Date: Mon, 10 Dec 2018 08:51:30 -0600
From: David Niemela <david@realdomain.ca> <despacho@eccochemical.com>
 
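An added example, not from the thread and not PMG code: SPF is evaluated against the envelope sender, which is exactly the identity the Received-SPF line above names (identity=mailfrom, envelope-from=despacho@eccochemical.com), so a pass for eccochemical.com says nothing about the david@realdomain.ca address shown in the From header. The script evaluates the thread's digidns.ca record "v=spf1 mx -all" and a record for eccochemical.com against a constructed in-memory DNS table (the eccochemical.com record and the MX/A mappings to 208.93.232.25/26 are assumptions chosen to reproduce the posted result), then applies a DMARC-style alignment check between the MAIL FROM domain and every address visible in the From header. It also shows that the lookup is for the exact MAIL FROM domain: a sender using mx1.digidns.ca as its domain is checked against a record for mx1.digidns.ca, not for digidns.ca.

```python
import ipaddress
import re

# Constructed stand-in for DNS so the example runs offline.
# digidns.ca's TXT record is the one quoted in the thread; the eccochemical.com
# record and the MX/A data are assumptions that reproduce the posted Received-SPF line.
DNS = {
    "txt": {
        "digidns.ca": "v=spf1 mx -all",
        "eccochemical.com": "v=spf1 ip4:209.140.25.90 -all",
    },
    "mx": {"digidns.ca": ["mx.digidns.ca", "mx1.digidns.ca"]},
    "a": {"mx.digidns.ca": ["208.93.232.25"], "mx1.digidns.ca": ["208.93.232.26"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, mailfrom_domain, dns=DNS):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP.
    Implements the ip4, mx and all mechanisms, enough for the records above.
    No record for the exact domain (e.g. a subdomain) gives 'none'."""
    record = dns["txt"].get(mailfrom_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            hosts = dns["mx"].get(arg or mailfrom_domain, [])
            hit = any(str(ip) in dns["a"].get(h, []) for h in hosts)
        else:
            raise ValueError(f"mechanism {mech!r} not implemented in this example")
        if hit:
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no 'all' term


def domains_in(header_value):
    """Every domain that appears in an addr-spec anywhere in the header value."""
    return {m.lower() for m in re.findall(r"[\w.+-]+@([\w.-]+)", header_value)}


def header_from_is_authenticated(spf, mailfrom_domain, header_from):
    """SPF authenticates MAIL FROM only. The header From counts as covered
    when SPF passed AND every address the recipient sees is in that domain
    (strict DMARC-style identifier alignment)."""
    return spf == "pass" and domains_in(header_from) == {mailfrom_domain.lower()}


def analyse_posted_message():
    """The client IP, envelope sender and From line from the headers in the thread."""
    client_ip = "209.140.25.90"
    mailfrom = "eccochemical.com"
    header_from = "David Niemela <david@realdomain.ca> <despacho@eccochemical.com>"
    spf = spf_result(client_ip, mailfrom)
    return {
        "spf": spf,
        "from_domains": sorted(domains_in(header_from)),
        "from_authenticated": header_from_is_authenticated(spf, mailfrom, header_from),
    }


if __name__ == "__main__":
    print(analyse_posted_message())
    print("mx1.digidns.ca as MAIL FROM:", spf_result("209.140.25.90", "mx1.digidns.ca"))
```

The result for the posted message is spf "pass" with from_authenticated False: the gateway's SPF verdict is correct and still irrelevant to the address the user was shown. Only a check that ties the header From to an authenticated identity (DMARC alignment, or a local rule on the From header) reacts to this kind of spoof.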
For myself, e.g., I was just able to list my systems at dnswl, but my private systems also often change provider and I always need to update.

By listing my servers at this service, this apparently helps control the flow of spam coming into the server? By the looks of it I add in a domain:

domain: digitaltransitions.ca
with IPs allowed to send (which I would think are my MX servers' IP addresses: 208.93.232.25, 208.93.232.26)

Would that be correct or does it need to be added in another way?
 
We had a similar case in the german forum recently:
https://forum.proxmox.com/threads/s...rten-absender-im-from-feld.49214/#post-230619

What seems to have worked there was a filter rule which puts mails having two e-mail addresses in the From header into quarantine:
* create a new What Object
* add a "Match Field" object, with Field "From" and Value:
Code:
^.*<.*>.*<.*>.*$
* create a new filter rule putting all mails matching this What Object into quarantine.

Keep in mind that this is just a rough heuristic (e-mail header encodings can and will bite you here, as exemplified in the German thread), so if you run into an email having the first address encoded with base64 or quoted-printable, you might need to add another regex to match the From: header; e.g. for mails which contain a first From address that is UTF-8 base64 encoded,
Code:
^.*UTF-8.*<.*>.*$
worked.

hope this helps
 
By listing my servers at this service, this apparently helps control the flow of spam coming into the server? By the looks of it I add in a domain:

domain: digitaltransitions.ca
with IPs allowed to send (which I would think are my MX servers' IP addresses: 208.93.232.25, 208.93.232.26)

Would that be correct or does it need to be added in another way?

This just helps in that potential recipients may have an additional sign whether the mail coming in is legit from your domain or not. As SPF, DNSWL, DKIM and other techniques are preferably used by spammers to get through (as that's their job and profit), while legit senders often don't take this effort or are not able to take it at all (e.g. using mail service providers, where they don't have control over their IP pool and don't get informed if anything changes in that IP pool), it's not as good a spam/no-spam sign as the inventors of these techniques hoped it would be. E.g. most DKIM-signed messages passing my PMG are spam, while most legit mail doesn't use DKIM at all. Same for SPF: if a record exists, some are wrong, but for spam senders (e.g. also or especially Google Mail, Yahoo Mail, Hotmail/Outlook.com, ...) SPF exists and is valid. So you won't be able to prevent spam that way; if you set these "best practices", you just adopt "best practices" and may hope that a faked mail which seems to be from your system, and which may result in unsolicited responses or NDRs, gets blocked because you set SPF or a whitelist entry and the recipient uses this technique to prevent the mail getting through. However, for the reasons above, you can't expect that the recipient will do that, as although it's best practice, it's unusable because of weak adoption on the legit side and great adoption on the spammers' side.
 
We had a similar case in the german forum recently:
https://forum.proxmox.com/threads/s...rten-absender-im-from-feld.49214/#post-230619

What seems to have worked there was a filter rule which puts mails having two e-mail addresses in the From header into quarantine:
* create a new What Object
* add a "Match Field" object, with Field "From" and Value:
Code:
^.*<.*>.*<.*>.*$
* create a new filter rule putting all mails matching this What Object into quarantine.

Keep in mind that this is just a rough heuristic (e-mail header encodings can and will bite you here, as exemplified in the German thread), so if you run into an email having the first address encoded with base64 or quoted-printable, you might need to add another regex to match the From: header; e.g. for mails which contain a first From address that is UTF-8 base64 encoded,
Code:
^.*UTF-8.*<.*>.*$
worked.

hope this helps
Thank you very much for this.

So just to be sure I'm on the right track,

I have created a new "What" object, which contains:
Name: Double Email in From Header
With the Match Fields:
From: ^.*<.*>.*<.*>.*$
From: ^.*UTF-8.*<.*>.*$

Then I create a new mail Filter Rule: "Double From Quarantine"
Action: Quarantine
What Objects: Double Email in From Header


Does that seem correct and similar to how you did it?

Thank you very much for all the help here to everyone!!
 
I have the same problem and was looking for a solution. So I tested the above solution with the regexp, which seems to be OK (you can test it right here: https://www.regextester.com/99823)

Unfortunately, the rule is triggered by mails with just one From-Address too. What am I doing wrong?
 

Attachments: Rules.PNG, field.PNG
* the rule seems deactivated? (but I guess you did that afterwards)
* please post the (anonymized) header of the mail, which was quarantined, but had only one address in the from header
 
Hi, thanks for your reply. The following header has been modified by our Exchange/McAfee, but the From field has not been touched. Did it work for you, dthompson?

Received: from mail.meinefirma.de (172.28.0.6) by myexchange.meinefirma.de
(192.168.0.5) with Microsoft SMTP Server id 14.3.408.0; Thu, 13 Dec 2018
12:48:09 +0100
Received: from mail.meinefirma.de (localhost.localdomain [127.0.0.1]) by
mail.meinefirma.de (Proxmox) with ESMTP id D5D2C8610B5 for <me@meinefirma.de>;
Thu, 13 Dec 2018 12:48:09 +0100 (CET)
Received: from mailout01.t-online.de (mailout01.t-online.de [194.25.134.80])
by mail.meinefirma.de (Proxmox) with ESMTP id 414C3861089 for
<me@meinefirma.de>; Thu, 13 Dec 2018 12:48:09 +0100 (CET)
Received: from fwd13.aul.t-online.de (fwd13.aul.t-online.de [172.20.27.62]) by
mailout01.t-online.de (Postfix) with SMTP id 9FF9142428C9 for
<me@meinefirma.de>; Thu, 13 Dec 2018 12:48:03 +0100 (CET)
Received: from spica14.aul.t-online.de
(SrP4pgZJohQqvzMuPm3YyPkXSxPiPuaZd66o3BDkyEY4XyRJouufKcn4x2EePRIgPS@[172.20.102.139])
by fwd13.aul.t-online.de with esmtp id 1gXPT6-4ZyIOO0; Thu, 13 Dec 2018
12:47:52 +0100
Received: from 192.122.26.66:5059 by cmpweb21.aul.t-online.de with HTTP/1.1
(Lisa V5-4-8-0.14638 on API V5-16-0-0)
Received: from 172.20.102.128:37701 by spica14.aul.t-online.de:8080; Thu, 13
Dec 2018 12:47:52 +0100 (CET)
Date: Thu, 13 Dec 2018 12:47:52 +0100

From: "sender@senderdomain.com" <sender@senderdomain.com>
Sender: "sender@senderdomain.com" <sender@senderdomain.com>
Reply-To: "sender@senderdomain.com" <sender@senderdomain.com>
To: "IT, IT" <me@meinefirma.de>
Message-ID: <1544701671967.53369.74beea24e0b2be89bc40fbd3e55655c647a73049@spica.telekom.de>
Subject: testmail
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_64277_1934465080.1544701672294"
Importance: normal
X-MSMail-Priority: normal
X-Priority: 3
X-UMS: email
X-ID: SrP4pgZJohQqvzMuPm3YyPkXSxPiPuaZd66o3BDkyEY4XyRJouufKcn4x2EePRIgPS@t-dialin.net
X-TOI-MSGID: c20b2c9f-03f2-4bff-8faf-b1ef7e855dc7
Return-Path: sender@senderdomain.com
X-MS-Exchange-Organization-AuthSource: myexchange.meinefirma.de
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;60099453;0;novirus
 
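An added example, not from the thread and not PMG code, covering both the quarantine rule posted earlier and the single-address header just above: the rule's regex runs over the raw From header, so an RFC 2047 encoded first address (=?UTF-8?B?...?=) hides its angle brackets, and the follow-up regex ^.*UTF-8.*<.*>.*$ matches any legitimately encoded display name as well. The script below decodes the header first and then counts distinct addresses, which flags both spoof variants and leaves "sender@senderdomain.com" <sender@senderdomain.com> unflagged, since the display name only repeats the real address. All sample headers are constructed from values quoted in the thread; "Jürgen Müller" / jm@example.org is an invented legitimate sender.

```python
import base64
import re
from email.header import decode_header, make_header

# The two raw-header regexes from the thread, kept for comparison.
RAW_DOUBLE_FROM = re.compile(r"^.*<.*>.*<.*>.*$")
RAW_UTF8_FROM = re.compile(r"^.*UTF-8.*<.*>.*$")
ADDR_SPEC = re.compile(r"[\w.+-]+@[\w.-]+\w")


def encoded_word(text):
    """Build an RFC 2047 base64 encoded-word, as a mail client does for a non-ASCII display name."""
    return "=?UTF-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


def decode_from(raw):
    """Decode encoded-words so the check sees the text the recipient's client will display."""
    return str(make_header(decode_header(raw)))


def distinct_addresses(raw):
    """All distinct addr-specs in the decoded header, case-folded."""
    return {a.lower() for a in ADDR_SPEC.findall(decode_from(raw))}


def is_double_from(raw):
    """Flag a From header that shows more than one distinct address. A display
    name that merely repeats the real address (the false positive in the thread)
    is one address, not two."""
    return len(distinct_addresses(raw)) > 1


# Constructed samples: the two From values quoted in the thread plus encoded variants.
SAMPLES = {
    "spoof_plain": "David Niemela <david@realdomain.ca> <despacho@eccochemical.com>",
    "spoof_encoded": encoded_word("David Niemela <david@realdomain.ca>") + " <despacho@eccochemical.com>",
    "legit_repeated": '"sender@senderdomain.com" <sender@senderdomain.com>',
    "legit_encoded": encoded_word("Jürgen Müller") + " <jm@example.org>",  # invented sender
}


def classify(raw):
    """Verdict of the two raw regexes next to the decoded, address-counting check."""
    return {
        "raw_double_regex": bool(RAW_DOUBLE_FROM.match(raw)),
        "raw_utf8_regex": bool(RAW_UTF8_FROM.match(raw)),
        "parsed_double_from": is_double_from(raw),
    }


def classify_samples():
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15} {verdict}")
```

The output shows the gap in both directions: the first regex misses the encoded spoof, the UTF-8 regex catches it but also fires on the innocent encoded display name, and the decoded count gets all four right. A rule built this way is still a heuristic about how the header looks, not an authentication result, so it belongs in quarantine, not reject.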
I had many false positives .....
but I get a lot of emails every day with viruses like that ...
 
