another one got through. why, how?!

R

Riesling.Dry

Renowned Member
Jul 17, 2014
90
7
73
User got this SPAM over the weekend. Countless, basically identical mails got through and we had similar cases in the past.
He has catchall email for this Domain and X-Original-To went to random addresses @his.Domain, while the To:-address is on a totally unrelated Domain.
How did the SPAMMERs manage to bypass PMG's checks and how can further similar incidents be avoided?
Needless to say, that the SPAMMERs Domain and the content of the emails change every time, so blacklisting them - which was of course done, yet merely after user reported - won't probably do much...

Cheers,
~R.

Return-Path: <ucxepfs@azimuters.gen.tr> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on [ destination.host ] X-Spam-Level: X-Spam-Status: No, score=-3.2 required=5.0 tests=BAYES_00,HTML_FONT_SIZE_LARGE, HTML_IMAGE_ONLY_24,HTML_IMAGE_RATIO_04,HTML_MESSAGE,PYZOR_CHECK, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_SOFTFAIL,T_SCC_BODY_TEXT_LINE, T_TVD_MIME_EPI autolearn=ham autolearn_force=no version=3.4.2 X-Original-To: 7gbamc5fwb3gz7h@[ user domain redacted for privacy ] Delivered-To: default@[ destination.host ] Received: from [ pmg.host ] ([ pmg.host ] [ pmg IP ]) by [ destination.host ] (Postfix) with ESMTP id 07EA570FB0; Mon, 20 Jun 2022 00:46:26 +0200 (CEST) Received: from [ pmg.host ] (localhost [127.0.0.1]) by [ pmg.host ] (Proxmox) with ESMTP id 5E18D60FD3; Sun, 19 Jun 2022 23:39:52 +0200 (CEST) Received-SPF: pass (azimuters.gen.tr: 46.19.137.136 is authorized to use 'ucxepfs@azimuters.gen.tr' in 'mfrom' identity (mechanism 'a' matched)) receiver=[ pmg.host ]; identity=mailfrom; envelope-from="ucxepfs@azimuters.gen.tr"; helo=mail.azimuters.gen.tr; client-ip=46.19.137.136 Received-SPF: pass (azimuters.gen.tr: 46.19.137.136 is authorized to use 'ucxepfs@azimuters.gen.tr' in 'mfrom' identity (mechanism 'a' matched)) receiver=[ pmg.host ]; identity=mailfrom; envelope-from="ucxepfs@azimuters.gen.tr"; helo=mail.azimuters.gen.tr; client-ip=46.19.137.136 Received: from mail.azimuters.gen.tr (mail.azimuters.gen.tr [46.19.137.136]) by [ pmg.host ] (Proxmox) with ESMTP id EB6FE6002D; Sun, 19 Jun 2022 23:39:50 +0200 (CEST) Received: from azimuters.gen.tr (rel.tetarox.site [2.56.88.81]) by mail.azimuters.gen.tr (Postfix) with ESMTPA id 332CC7F19; Sun, 19 Jun 2022 23:48:12 +0300 (EEST) Message-ID: <53646257401831364774715016820331@azimuters.gen.tr> From: "CARDIOXIL" <ucxepfs@azimuters.gen.tr> To: <comercial@hipocrate2002serv.ro> Subject: =?utf-8?B?MSBsdW7EgyBkZSBhZG1pbmlzdHJhcmUgQ2FyZGlveGlsIC0gZSBjYSDImWkgY3VtIHRlLWFpIG5hyJl0ZSBkaW4gbm91?= Date: Sun, 19 Jun 2022 23:48:22 +0300 MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0006_01D88435.36FD4250" This is a multi-part message in MIME format. ------=_NextPart_000_0006_01D88435.36FD4250 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01D88435.36FD4250" ------=_NextPart_000_0007_01D88435.36FD4250 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: quoted-printable =0D=0A=0D=0A=0D=0A=0D=0ACardioxil este o comoar&#259; de extracte= medicinale care func&#539;ioneaz&#259; =0D=0Aarmonios pentru a v= &#259; men&#539;ine vasele de s&#226;nge curate &#537;i =0D=0Afer= me.=0D=0A =0D=0ACondi&#539;ii pentru =0D=0Aachizi&#539;ionarea Ca= rdioxil &#238;n cadrul =0D=0Aprogramului:=0D=0A =0D=0AComanda&#53= 9;i =0D=0ACardioxil pentru uz =0D=0Apersonal.=0D=0AComanda&#539;i= un produs pentru dvs., familie =0D=0Asau prieteni. Nu avem de-a=20= face cu intermediari care caut&#259; s&#259; cumpere loturi de =0D= =0ACardioxil pentru rev&#226;nzare =0D=0Aulterioar&#259; la un pr= e&#539; mai ridicat.=0D=0APlasa&#539;i comanda =0D=0Aprin formula= rul oficial de program.=0D=0AFormularul =0D=0Aoficial de comand&#= 259; garanteaz&#259; pre&#539;ul produc&#259;torului &#537;i v&#2= 59; protejeaz&#259; de =0D=0Aintermediari.=0D=0A =0D=0AReducerea=20= =0D=0A-50% se va termina &#238;n &gt;&gt;&gt;=0D=0A =0D=0A318 =0D= =0ARON 159 =0D=0ARON=0D=0A =0D=0A=0D=0A ------=_NextPart_000_0007_01D88435.36FD4250 Content-Type: text/html; charset="windows-1251" Content-Transfer-Encoding: quoted-printable <HTML><HEAD>=0D=0A<META http-equiv=3D"Content-Type" content=3D"te= xt/html; charset=3Dwindows-1251">=0D=0A</HEAD>=0D=0A<BODY bgColor= =3D#ffffff>=0D=0A<DIV align=3Dcenter><FONT color=3D#ff0080 size=3D= 4 face=3DArial><STRONG><FONT =0D=0Asize=3D6>Cardioxil</FONT> este= o comoar&#259; de extracte medicinale care func&#539;ioneaz&#259= ; =0D=0Aarmonios pentru a v&#259; men&#539;ine vasele de s&#226;n= ge curate &#537;i =0D=0Aferme.</STRONG></FONT></DIV>=0D=0A<DIV al= ign=3Dcenter><FONT size=3D4></FONT>&nbsp;</DIV>=0D=0A<DIV align=3D= center><FONT color=3D#800000 size=3D4 face=3DArial><STRONG>Condi&= #539;ii pentru =0D=0Aachizi&#539;ionarea <FONT color=3D#ff0080>Ca= rdioxil</FONT> &#238;n cadrul =0D=0Aprogramului:</STRONG></FONT><= /DIV>=0D=0A<DIV align=3Dcenter><FONT size=3D4></FONT>&nbsp;</DIV>= =0D=0A<DIV align=3Dcenter><FONT size=3D4 face=3DArial><FONT color= =3D#008000>Comanda&#539;i</FONT> =0D=0A<STRONG><FONT color=3D#ff0= 080>Cardioxil</FONT></STRONG> pentru uz =0D=0Apersonal.<BR><FONT=20= color=3D#008000>Comanda&#539;i</FONT> un produs pentru dvs., fami= lie =0D=0Asau prieteni. Nu avem de-a face cu intermediari care ca= ut&#259; s&#259; cumpere loturi de =0D=0A<FONT color=3D#ff0080><S= TRONG>Cardioxil</STRONG></FONT> pentru rev&#226;nzare =0D=0Aulter= ioar&#259; la un pre&#539; mai ridicat.<BR><FONT color=3D#008000>= Plasa&#539;i</FONT> comanda =0D=0Aprin formularul oficial de prog= ram.<BR><FONT color=3D#008000>Formularul</FONT> =0D=0Aoficial de=20= comand&#259; garanteaz&#259; pre&#539;ul produc&#259;torului &#53= 7;i v&#259; protejeaz&#259; de =0D=0Aintermediari.</FONT></DIV>=0D= =0A<DIV align=3Dcenter><FONT size=3D4></FONT>&nbsp;</DIV>=0D=0A<D= IV align=3Dcenter><FONT color=3D#0000ff size=3D4 face=3DArial><A=20= =0D=0Ahref=3D"https://golistoenser.free.hr/macapnd2/"><STRONG>Red= ucerea =0D=0A-50% se va termina &#238;n &gt;&gt;&gt;</STRONG></A>= </FONT></DIV>=0D=0A<DIV align=3Dcenter><FONT size=3D4></FONT>&nbs= p;</DIV>=0D=0A<DIV align=3Dcenter><FONT size=3D4 face=3DArial><ST= RIKE><FONT color=3D#008000>318 =0D=0ARON</FONT></STRIKE> <STRONG>= <FONT color=3D#ff0000>159 =0D=0ARON</FONT></STRONG></FONT></DIV>=0D= =0A<DIV align=3Dcenter><FONT size=3D4 face=3DArial></FONT>&nbsp;<= /DIV>=0D=0A<DIV align=3Dcenter><A =0D=0Ahref=3D"https://golistoen= ser.free.hr/macapnd3/"><IMG border=3D0 hspace=3D0 alt=3D"" src=3D= "cid:1000e01d88987987774d0fc824a69@ucxepfs" width=3D480 height=3D= 345></A></DIV></BODY></HTML>=0D=0A ------=_NextPart_000_0007_01D88435.36FD4250-- ------=_NextPart_000_0006_01D88435.36FD4250 Content-Type: image/jpeg; name="wfoiuqwwjkimix.jpeg" Content-Transfer-Encoding: base64 Content-ID: <12d7e01d8843770fa774d0fc824a69@ucxepfs> [ removed ] ------=_NextPart_000_0006_01D88435.36FD4250-- bOLmEzC0rJWlKSkpT lsMsGjRo1qol+DRo0aIINGjRogg0aNGiCDRo0aIINGjRogj/2Q== ------=_NextPart_000_0006_01D88435.36FD4250--
 

Attachments

  • Bildschirmfoto 2022-06-20 um 12.04.51.png
    Bildschirmfoto 2022-06-20 um 12.04.51.png
    303 KB · Views: 23
Setup DNSBL, mail filter and spamassassin should help to improve spam detection.
 
you should be able to block all mails coming from domains without PTR's and this solves the issues 99% of the time since spam mails arent usually legitimate.

just know that you might block some legitimate mails if you do this.

every ISP with a mail server usually choose this option :) .

another solution could be adding a blacklist, you can find them pretty easyly by searching for it on google there is quite a bit.
 
From your mail header, there is no X-SPAM-LEVEL info. Did you enable the default modify header mail rule?
You still did not list down what mail filter rule that you have setup to filter the spam.
 
D0K said:
you should be able to block all mails coming from domains without PTR's and this solves the issues 99% of the time since spam mails arent usually legitimate.
Click to expand...
Thanks, but these bastards apparently do have a perfect PTR, so this approach wouldn't have blocked them, I guess? :)
Code: 
~ % host 46.19.137.136
136.137.19.46.in-addr.arpa domain name pointer mail.azimuters.gen.tr.
 
hata_ph said:
From your mail header, there is no X-SPAM-LEVEL info.
Click to expand...
The 'X-Spam-Level:' header is empty when the score is too low (chicken-egg-problem?)
...and in order to find out, WHY it is too low (and consequently the SPAM got through) I started this thread. :)
hata_ph said:
Did you enable the default modify header mail rule?
Click to expand...
Not sure. Where/how is this done? Isn't that part of PMG by default?
hata_ph said:
You still did not list down what mail filter rule that you have setup to filter the spam.
Click to expand...
As I said, we have set up nothing beyond what is "factory default" and "built-in" w. PMG and edited resolv.conf to be able to use URIBL.
But considering we do not know what SPAM will come, it is difficult to somehow "precautionary" set rules. Yes, the ones you mentioned in your post do make sense but wouldn't have caught this one either.

To be clear: PMG does a brilliant almost perfect job, yet there is the occasional one that manages to get through - so why not talk about it w. the option of going from almost perfect to perfect? :)

That's why I ask: how/why did this one get through? :)
 
RollMops said:
Thanks, but these bastards apparently do have a perfect PTR, so this approach wouldn't have blocked them, I guess? :)
Code: 
~ % host 46.19.137.136
136.137.19.46.in-addr.arpa domain name pointer mail.azimuters.gen.tr.
Click to expand...
i dont know where you got that IP from i tried some of the domain names on your picture and some of them didnt have any ptr

anyways this could help you filter away a great deal of the mails i believe. i hope you find a good solution.

have a great day.

kind regards :)
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back