Block double email on header?

[killmasta93]

Hi,
I was wondering if someone could shed some light on how to block double email on header?

this was part of the log which is a bad email

Jun 12 09:46:46 mail postfix/cleanup[32454]: 14191201E25: info: header From: "goodclient@goodomain.com" <badclient@badomain.pw from s5.asurahosting.com[54.36.167.79]; from=<badclient@badomain.pw>

the thing is that i have this filter
what objects

filed: From
value: ^.*<.*>.*<.*>.*$

and
filed: From
value: ^.*UTF-8.*<.*>.*$

But not sure if thats the correct filter?

Thank you

 

[hata_ph]

this is the entire from?

"goodclient@goodomain.com" <badclient@badomain.pw from s5.asurahosting.com[54.36.167.79]; from=<badclient@badomain.pw>

 

[killmasta93]

Thanks for the reply this is the whole outcome it did go to spam but not for the right reason of the double header

Jun 12 09:42:21 mail postfix/smtpd[32379]: connect from s5.asurahosting.com[54.36.167.79]
Jun 12 09:42:21 mail postfix/smtpd[32379]: Anonymous TLS connection established from s5.asurahosting.com[54.36.167.79]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 12 09:42:22 mail postfix/smtpd[32379]: 23CCA201E32: client=s5.asurahosting.com[54.36.167.79]
Jun 12 09:42:22 mail postfix/cleanup[32354]: 23CCA201E32: info: header From: "amychen@realdomain.com" <amychen@fakedomain.com> from s5.asurahosting.com[54.36.167.79]; from=<amychen@fakedomain.com> to=<auxiliar.importaciones@mydomain.com> proto=ESMTP helo=<s5.asurahosting.com>
Jun 12 09:42:22 mail postfix/cleanup[32354]: 23CCA201E32: info: header To: auxiliar.importaciones@mydomain.com from s5.asurahosting.com[54.36.167.79]; from=<amychen@fakedomain.com> to=<auxiliar.importaciones@mydomain.com> proto=ESMTP helo=<s5.asurahosting.com>
Jun 12 09:42:22 mail postfix/cleanup[32354]: 23CCA201E32: info: header Subject: Re: Factory KDPT20050336 from s5.asurahosting.com[54.36.167.79]; from=<amychen@fakedomain.com> to=<auxiliar.importaciones@mydomain.com> proto=ESMTP helo=<s5.asurahosting.com>
Jun 12 09:42:22 mail postfix/cleanup[32354]: 23CCA201E32: message-id=<e1c58b104d35b2a1c4d417685aeffb6e@fakedomain.com>
Jun 12 09:42:22 mail postfix/qmgr[773]: 23CCA201E32: from=<amychen@fakedomain.com>, size=5315, nrcpt=1 (queue active)
Jun 12 09:42:22 mail pmg-smtp-filter[31507]: 2201F85EE3944E56D4D: new mail message-id=<e1c58b104d35b2a1c4d417685aeffb6e@fakedomain.com>#012
Jun 12 09:42:22 mail postfix/smtpd[32379]: disconnect from s5.asurahosting.com[54.36.167.79] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 12 09:42:30 mail pmg-smtp-filter[31507]: 2201F85EE3944E56D4D: SA score=8/5 time=7.654 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.726),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),KAM_NUMSUBJECT(0.5),KAM_SOMETLD_ARE_BAD_TLD(5),PDS_FROM_2_EMAILS(2.199),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),URIBL_BLOCKED(0.001)
Jun 12 09:42:30 mail pmg-smtp-filter[31507]: 2201F85EE3944E56D4D: sender in user (auxiliar.importaciones@mydomain.com) whitelist
Jun 12 09:42:30 mail postfix/smtpd[32360]: connect from localhost.localdomain[127.0.0.1]
Jun 12 09:42:30 mail postfix/smtpd[32360]: 2FA1B201E36: client=localhost.localdomain[127.0.0.1], orig_client=s5.asurahosting.com[54.36.167.79]
Jun 12 09:42:30 mail postfix/cleanup[32354]: 2FA1B201E36: message-id=<e1c58b104d35b2a1c4d417685aeffb6e@fakedomain.com>
Jun 12 09:42:30 mail postfix/qmgr[773]: 2FA1B201E36: from=<amychen@fakedomain.com>, size=6677, nrcpt=1 (queue active)
Jun 12 09:42:30 mail postfix/smtpd[32360]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 12 09:42:30 mail pmg-smtp-filter[31507]: 2201F85EE3944E56D4D: accept mail to <auxiliar.importaciones@mydomain.com> (2FA1B201E36) (rule: Whitelist)
Jun 12 09:42:30 mail pmg-smtp-filter[31507]: 2201F85EE3944E56D4D: processing time: 7.869 seconds (7.654, 0.123, 0)
Jun 12 09:42:30 mail postfix/lmtp[32355]: 23CCA201E32: to=<auxiliar.importaciones@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.3, delays=0.35/0/0.01/7.9, dsn=2.5.0, status=sent (250 2.5.0 OK (2201F85EE3944E56D4D))
Jun 12 09:42:30 mail postfix/qmgr[773]: 23CCA201E32: removed
Jun 12 09:42:30 mail postfix/smtp[32361]: 2FA1B201E36: to=<auxiliar.importaciones@mydomain.com>, relay=192.168.1.248[192.168.1.248]:27, delay=0.13, delays=0.01/0/0.05/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 417DEA22368)
Jun 12 09:42:30 mail postfix/qmgr[773]: 2FA1B201E36: removed

 

[hata_ph]

Pls show the email raw data.

 

[killmasta93]

Thanks for the reply, so it did go to spam as it shows that PDS from 2 emails but should of blocked it

Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Proxmox) with ESMTP id 0496A201A8E;
    Fri,  5 Jun 2020 04:17:28 -0500 (-05)
Received: from mail.mydomain.com (unknown [192.168.1.253])
    by mail.mydomain.com (Postfix) with ESMTPS id 37C26A211AC;
    Fri,  5 Jun 2020 04:17:28 -0500 (-05)
Received: from localhost ([127.0.0.1] helo=s5.asurahosting.com)
    by s5.asurahosting.com with esmtpa (Exim 4.92.3)
    (envelope-from <amychen@fakedomain.pw>)
    id 1jh8TT-002e2m-Lg; Fri, 05 Jun 2020 10:17:15 +0100
Received: from s5.asurahosting.com (s5.asurahosting.com [54.36.167.79])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.com (Proxmox) with ESMTPS id E9F44200067;
    Fri,  5 Jun 2020 04:17:22 -0500 (-05)
Received: from mail.mydomain.com (LHLO mail.mydomain.com)
 (192.168.1.248) by mail.mydomain.com with LMTP; Fri, 5 Jun 2020
 04:17:28 -0500 (COT)
Reply-To: <amychen@fakedomain.pw>
From: "amychen@realdomain.com" <amychen@fakedomain.pw>
To: "Johana Porras" <auxiliar.importaciones@mydomain.com>
Cc: <mtoro@mydomain.com>,
    <clopez@mydomain.com>
References: <1d00e8d42d023e653265054d61de02b3@fakedomain.pw> <00f501d63078$9b6ae110$d240a330$@mydomain.com> <6ee8d6b234b8d92110c711ccd7f23c67@fakedomain.pw> <00ba01d63853$86156b40$924041c0$@mydomain.com>
In-Reply-To: <00ba01d63853$86156b40$924041c0$@mydomain.com>
Subject: Re: SPAM: Re: SPAM: Re: 
Date: Fri, 5 Jun 2020 04:17:15 -0500
Message-ID: <7403909ff863d6bc3ed0f4f9ce49d2e6@mydomain.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0085_01D63B14.6C6D1080"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHZBZy2aYQRUu87uKZf4yoUyrivogEn1jLVAdX3NpQCllSs5wD5H9eB
X-SPAM-LEVEL: Spam detection results:  10
    AWL                    -1.000 Adjusted score from AWL reputation of From: address
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HTML_MESSAGE            0.001 HTML included in message
    KAM_BADIPHTTP               2 Due to the Storm Bot Network, IPs in emails is bad
    KAM_LOTSOFHASH           0.25 Emails with lots of hash-like gibberish
    KAM_MXURI                 1.5 URI begins with a mail exchange prefix, i.e. mx.[...]
    KAM_NUMSUBJECT            0.5 Subject ends in numbers excluding current years
    KAM_SOMETLD_ARE_BAD_TLD      5 .stream, .trade, .pw, .top, .press, .bid & .date TLD Abuse
    LOTS_OF_MONEY           0.001 Huge... sums of mon
    ey
    NORMAL_HTTP_TO_IP       0.001 URI host has a public dotted-decimal IPv4 address
    NUMERIC_HTTP_ADDR       0.001 Uses a numeric IP address in URL
    PDS_FROM_2_EMAILS       2.199 -
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [realdomain.com,58.221.79.17,mydomain.com,fakedomain.pw,forgedbucketteeth.com,]
    WEIRD_PORT              0.001 Uses non-standard port number for HTTP
X-Sender: amychen@fakedomain.pw
X-Authenticated-Id: amychen@fakedomain.pw
X-OlkEid: 0000000038E2BBA5AC372F4498162CB5CD2E199A070034AD76187591974DBF6C4F76951C873A010005000000000049031BE5F3E49A4E9E5C7A067F05B42F000000001F3A00002A2B32CF39FE664F99F9F41A7A858FDE

 

[hata_ph]

Since spamassassin have mark it as spam, you should be good to go.
Beside that, you can create who and what object to block the spam domain or filter keyword from the subject.

 

[killmasta93]

Thanks for the reply, correct but i have that rule above weird howcome it did not block it is the rule wrong?

 

[hata_ph]

Thanks for the reply, correct but i have that rule above weird howcome it did not block it is the rule wrong?

Pls show the rules..

 

[killmasta93]

Thanks for the reply, these are the rules

 

[hata_ph]

Thanks for the reply, these are the rules
View attachment 18042

This rule only block from email format <amychen@realdomain.com> <amychen@fakedomain.pw>

 

[killmasta93]

thanks for the reply, correct but from the above headers should it been applied?

Thank you

 

[hata_ph]

thanks for the reply, correct but from the above headers should it been applied?

Thank you

If you want to block "amychen@realdomain.com" <amychen@fakedomain.com> format, use below regex

from: ^.*".*".*<.*>.*$

FYI, you may encounter alot of false positive if you enable this rule.

 

[ittk]

Thanks for the reply, these are the rules
View attachment 18042
View attachment 18041

Why you want to block such an single E-Mail separately? As its already detected as SPAM by SA: "X-SPAM-LEVEL: Spam detection results: 10"
So maybe just say if SPAM score is above Level 9, block mail won't this work for you? And a much better approch for you?

Creating to much custom rules and blocking, will give too much false-postives.

And its seems you have adjusted your PMG installation / postfix, due to these logging output:

Jun 12 09:42:22 mail postfix/cleanup[32354]: 23CCA201E32: info: header From: "amychen@realdomain.com" <amychen@fakedomain.com> from s5.asurahosting.com[54.36.167.79]; from=<amychen@fakedomain.com> to=<auxiliar.importaciones@mydomain.com> proto=ESMTP helo=<s5.asurahosting.com>
Jun 12 09:42:22 mail postfix/cleanup[32354]: 23CCA201E32: info: header To: auxiliar.importaciones@mydomain.com from s5.asurahosting.com[54.36.167.79]; from=<amychen@fakedomain.com> to=<auxiliar.importaciones@mydomain.com> proto=ESMTP helo=<s5.asurahosting.com>
Jun 12 09:42:22 mail postfix/cleanup[32354]: 23CCA201E32: info: header Subject: Re: Factory KDPT20050336 from s5.asurahosting.com[54.36.167.79]; from=<amychen@fakedomain.com> to=<auxiliar.importaciones@mydomain.com> proto=ESMTP helo=<s5.asurahosting.com>

Maybe this creates impact on other PMG functions?!? Ads you inspect now for the envelope from (instead of the technical from) for e.g. newsletters..

And btw will the ruleset work like the one you have? As you have TWO In Rules with the same PRIORITY? Is this actually allowed?

 

[killmasta93]

@hata_ph o boy you were right, so many false alarms had to remove it, so in reality what was done from above an email spoofing?
@ittk well the idea is that dont want to get email spoofed but i did a testing email with

https://github.com/mogaal/sendemail.git

so this was an example sending from another real SMTP server but the email is different

./sendEmail -f no-reply-accounts@payspal.com -t sistemas@mydomain.com -u Someone Has Your Password -m Someone has your password this last sign in location and ip click here to reset your password -s smtpout.secureserver.net:25 -xu ventas@anotherrealdomain.com -xp mypassword -o tls=no

and this was the output. so my question is how can i avoid something like this?

Return-Path: <no-reply-accounts@payspal.com>
Received: from mail.mydomain.com (LHLO mail.mydomain.com)
 (192.168.1.248) by mail.mydomain.com with LMTP; Sun, 21 Jun 2020
 23:07:29 -0500 (COT)
Received: from mail.mydomain.com (unknown [192.168.1.253])
    by mail.mydomain.com (Postfix) with ESMTPS id 4A79BA2183A
    for <sistemas@mydomain.com>; Sun, 21 Jun 2020 23:07:29 -0500 (-05)
Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Proxmox) with ESMTP id 5E399201E3A
    for <sistemas@mydomain.com>; Sun, 21 Jun 2020 23:07:28 -0500 (-05)
Received: from p3plsmtpa07-04.prod.phx3.secureserver.net (p3plsmtpa07-04.prod.phx3.secureserver.net [173.201.192.233])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.com (Proxmox) with ESMTPS id 75B64201E35
    for <sistemas@mydomain.com>; Sun, 21 Jun 2020 23:06:41 -0500 (-05)
Received: from pc.local ([200.xx.xx.xx])
    by :SMTPAUTH: with ESMTPA
    id nDj4juYdCJwbonDj5ju81W; Sun, 21 Jun 2020 21:06:33 -0700
X-CMAE-Analysis: v=2.3 cv=NcuYKFL4 c=1 sm=1 tr=0
 a=wwkyJG7mYMWwrLjdnHFGwQ==:117 a=wwkyJG7mYMWwrLjdnHFGwQ==:17
 a=9vNfU2sgHbE7ZfwKyeQA:9 a=0HNjNlRYNDf5fV8gmUoA:9 a=wPNLvfGTeEIA:10
X-SECURESERVER-ACCT: ventas@anotherrealdomin.com
Message-ID: <690774.94097607-sendEmail@pc>
From: "no-reply-accounts@payspal.com" <no-reply-accounts@payspal.com>
To: "sistemas@mydomain.com" <sistemas@mydomain.com>
Subject: Someone Has Your Password
Date: Mon, 22 Jun 2020 04:05:57 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-515248.383236216"
X-CMAE-Envelope: MS4wfDXCDq0AAtslYJm8tzy7U2WvNvVGRzqLGMfjifH5ITgBhYS18ZdGH+hiN6vlAeWaDeV03ZTuxGEnqNT1sj0OJkOp8FoTvrpMq3K9zWTBN4X6qcWjviso
 XVqY4qtcMDxJbKifPuumLBqNF8KEXPEggSBCtKnGMqs7VfOAue+81tMPw1QQlBDzzq7ds26h922f4WYRh7AzFbb3NlcdcPrVjR0=
X-SPAM-LEVEL: Spam detection results:  0
    DCC_REPUT_00_12          -0.8 DCC reputation between 0 and 12 %  (mostly ham)
    KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RCVD_IN_MSPIKE_H3       -0.01 Good reputation (+3)
    RCVD_IN_MSPIKE_WL       -0.01 Mailspike good senders
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_NONE                0.001 SPF: sender does not publish an SPF Record
    ZMIvirSobY_SUB63          0.8 SPAM from Sober-Y-Virus

 

[hata_ph]

Enable DNSBL and SPF checking will help reduce spam/spoof mails.
Enable reject unknown domain and senders is an options too.
Setup mail filter to block/quarantine suspicious mails with domain/from/subject/attachment regex object will help a lot too.

 

[killmasta93]

as for the DNSBL i have a few lists
but for SPF i have to disable to many ppl dont have SPF and they get blocked
as for the other part there is two the reject unknown clients and senders dont really know whats the difference?

zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de

 

[hata_ph]

as for the other part there is two the reject unknown clients and senders dont really know whats the difference?

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

 

[ittk]

as for the DNSBL i have a few lists
but for SPF i have to disable to many ppl dont have SPF and they get blocked
as for the other part there is two the reject unknown clients and senders dont really know whats the difference?

zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de

Bad that you disabled SPF checking. Other Mailserver Operaters must configure their SPF Records properly, otherwise they will never do so. What's your DNSBL threshold score? As you have weighted most lists with score 2.

 

[ittk]

Enable DNSBL and SPF checking will help reduce spam/spoof mails.
Enable reject unknown domain and senders is an options too.
Setup mail filter to block/quarantine suspicious mails with domain/from/subject/attachment regex object will help a lot too.

So you have enabled both of therse "reject" default options? As default value both are off. So there must be a reason for it? Any false-postives / negative impacts, when you are running PMG with both reject options turned on?

 

[hata_ph]

So you have enabled both of therse "reject" default options? As default value both are off. So there must be a reason for it? Any false-postives / negative impacts, when you are running PMG with both reject options turned on?

There will be false positive but mostly is because the senders did not properly configure their email servers.
It is optional to enable the feature.
You can always use mail filter to filter domains/regex/from/sender.