Block emails with <> In them.

dthompson

I have a customer that's getting some of these getting through to them:

Code:
Oct 22 18:34:59 swarmx2 postfix/smtpd[251329]: warning: hostname valuemail.click does not resolve to address 116.204.183.235
Oct 22 18:34:59 swarmx2 postfix/smtpd[251329]: connect from unknown[116.204.183.235]
Oct 22 18:35:00 swarmx2 postfix/smtpd[251329]: 44F8740518: client=unknown[116.204.183.235]
Oct 22 18:35:00 swarmx2 postfix/cleanup[251189]: 44F8740518: message-id=<JRmaUgd0Xof0mPFpSQ1WyAg4S7X-fAqrsKZxgYNVEOLTwOcaEgZJgid-cadf-4b64-ba5d-13abc51dd070-000000@.amazonses.com>
Oct 22 18:35:00 swarmx2 postfix/qmgr[3990271]: 44F8740518: from=<>, size=20092, nrcpt=1 (queue active)
Oct 22 18:35:00 swarmx2 pmg-smtp-filter[247640]: 4052C63547014CEA19: new mail message-id=<JRmaUgd0Xof0mPFpSQ1WyAg4S7X-fAqrsKZxgYNVEOLTwOcaEgZJgid-cadf-4b64-ba5d-13abc51dd070-000000@.amazonses.com>#012
Oct 22 18:35:01 swarmx2 postfix/smtpd[251329]: disconnect from unknown[116.204.183.235] ehlo=1 mail=1 rcpt=1 bdat=3 quit=1 commands=7
Oct 22 18:35:02 swarmx2 pmg-smtp-filter[247640]: 4052C63547014CEA19: SA score=1/5 time=1.577 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_ADSP_NXDOMAIN(0.9),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_SHORT(0.001),MIME_HTML_ONLY(0.1),MIME_QP_LONG_LINE(0.001),RCVD_IN_HOSTKARMA_BL(1.5),RDNS_NONE(0.793),T_KAM_HTML_FONT_INVALID(0.01),T_SPF_HELO_PERMERROR(0.01)
Oct 22 18:35:02 swarmx2 postfix/smtpd[251339]: connect from localhost.localdomain[127.0.0.1]
Oct 22 18:35:02 swarmx2 postfix/smtpd[251339]: 7BF694060C: client=localhost.localdomain[127.0.0.1], orig_client=unknown[116.204.183.235]
Oct 22 18:35:02 swarmx2 postfix/cleanup[251189]: 7BF694060C: message-id=<JRmaUgd0Xof0mPFpSQ1WyAg4S7X-fAqrsKZxgYNVEOLTwOcaEgZJgid-cadf-4b64-ba5d-13abc51dd070-000000@.amazonses.com>
Oct 22 18:35:02 swarmx2 postfix/qmgr[3990271]: 7BF694060C: from=<>, size=21177, nrcpt=1 (queue active)
Oct 22 18:35:02 swarmx2 postfix/smtpd[251339]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 22 18:35:02 swarmx2 pmg-smtp-filter[247640]: 4052C63547014CEA19: accept mail to <john.doe@company.com> (7BF694060C) (rule: default-accept)
Oct 22 18:35:02 swarmx2 pmg-smtp-filter[247640]: 4052C63547014CEA19: processing time: 1.676 seconds (1.577, 0.048, 0)
Oct 22 18:35:02 swarmx2 postfix/lmtp[251335]: 44F8740518: to=<john.doe@company.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.56/0.02/0/1.7, dsn=2.5.0, status=sent (250 2.5.0 OK (4052C63547014CEA19))
Oct 22 18:35:02 swarmx2 postfix/qmgr[3990271]: 44F8740518: removed
Oct 22 18:35:02 swarmx2 postfix/smtp[251190]: Trusted TLS connection established to 192.168.9.11[192.168.9.11]:2525: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
Oct 22 18:35:02 swarmx2 postfix/smtp[251190]: 7BF694060C: to=<john.doe@company.com>, relay=192.168.9.11[192.168.9.11]:2525, delay=0.05, delays=0.02/0/0.03/0.01, dsn=2.0.0, status=sent (250 2.0.0 63547016-0000693a Message accepted for delivery)
Oct 22 18:35:02 swarmx2 postfix/qmgr[3990271]: 7BF694060C: removed


The email that's showing as "FROM" is direct from the spam filter. In this case, it's

How can I block anything originating externally as below?
Oct 22 18:35:02 swarmx2 postfix/qmgr[3990271]: 7BF694060C: from=<>, size=21177, nrcpt=1 (queue active)

I would ideally like to know how to keep the spam filter from sending out any emails from itself (outside of root / postmaster, etc) that are legitimate senders.

The server should not be sending anything to any internal addresses that aren't legitimate.

Thanks
 
An empty 'from' in SMTP means that the receiving server should not answer (e.g. in case the mail is not deliverable). This is required e.g. for non-delivery notifications; see: https://www.rfc-editor.org/rfc/rfc1123#section-5.2.9

This in itself is not really an indicator for spam/unwanted mails.
 
Fair enough. So how do I keep the PMG from sending unwanted spam? What's my best method to keep the server from sending or accepting anything from itself to internal users?

You have a few options to improve your filtering. First, follow https://pmg.proxmox.com/wiki/index....Proxmox_Mail_Gateway#Improving_Spam_Detection

Looks like you are not using DNSBLs for blocking. The IP from where your spam originates is on many blocklists; an example to check blocklists: https://mxtoolbox.com/SuperTool.aspx?action=blacklist:116.204.183.235&run=toolpage

I personally use only a few: b.barracudacentral.org;zen.spamhaus.org;bl.mailspike.net;bl.spamcop.net;truncate.gbudb.net;new.spam.dnsbl.sorbs.net with DNSBL Threshold 1, but that is just me. Make sure to test before you are changing configuration, and some DNS blocklists require you to register your server IP to use them, like the barracudacentral DNSBL.

The second thing you can do is related to this "connect from unknown[116.204.183.235]": you can choose not to allow connections from unknown clients. You can change this setting in Configuration - Mail Proxy - Reject Unknown Clients/Senders; be careful to monitor false positives when you enable this.

Another thing you can do is to change S/A scores:
Oct 22 18:35:02 swarmx2 pmg-smtp-filter[247640]: 4052C63547014CEA19: SA score=1/5 time=1.577 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_ADSP_NXDOMAIN(0.9),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_SHORT(0.001),MIME_HTML_ONLY(0.1),MIME_QP_LONG_LINE(0.001),RCVD_IN_HOSTKARMA_BL(1.5),RDNS_NONE(0.793),T_KAM_HTML_FONT_INVALID(0.01),T_SPF_HELO_PERMERROR(0.01)

I would also disable BAYES_00; you can do that in Configuration - Spam Detector - Options, Use Bayesian filter.

My changed S/A scores, which you can set in Configuration - Spam Detector - Custom Scores:

DKIM_ADSP_NXDOMAIN 1.5
KAM_SHORT 0.75
RCVD_IN_HOSTKARMA_BL 4.0
RDNS_NONE 2.5
T_SPF_HELO_PERMERROR 0.5

I have a threshold for blocking at score 5, so if you are using the default configuration you probably need to reduce the numbers; they are too high for your configuration. Please test everything before using; I am not responsible for incorrectly blocked email. Don't just follow our advice...
I have an old thread I should probably update: https://forum.proxmox.com/threads/s...x-filter-in-reply-to-field.80037/#post-354681 Some things changed, but most of it is still true...
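To see what the custom scores in the answer above would have done to the message in the quoted log, here is an added Python example (not from the thread, and not PMG or SpamAssassin code). It parses the pmg-smtp-filter "SA score=" line, re-sums the hit list with the poster's custom scores, and optionally drops the BAYES_* rule the way disabling the Bayesian filter would. The sample line is the one quoted in the thread; the regular expressions, function names and the 5-point block threshold are assumptions of this example. The log line itself only carries a whole-number score, so the exact sum is recomputed from the hit list.

```python
import re

# Sample input: the SA line quoted in this thread (copied here so the script runs offline).
SAMPLE_LOG = (
    "Oct 22 18:35:02 swarmx2 pmg-smtp-filter[247640]: 4052C63547014CEA19: "
    "SA score=1/5 time=1.577 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=BAYES_00(-1.9),DKIM_ADSP_NXDOMAIN(0.9),HTML_MESSAGE(0.001),"
    "KAM_DMARC_STATUS(0.01),KAM_SHORT(0.001),MIME_HTML_ONLY(0.1),"
    "MIME_QP_LONG_LINE(0.001),RCVD_IN_HOSTKARMA_BL(1.5),RDNS_NONE(0.793),"
    "T_KAM_HTML_FONT_INVALID(0.01),T_SPF_HELO_PERMERROR(0.01)"
)

# Custom scores as posted in the answer above (Configuration - Spam Detector - Custom Scores).
CUSTOM_SCORES = {
    "DKIM_ADSP_NXDOMAIN": 1.5,
    "KAM_SHORT": 0.75,
    "RCVD_IN_HOSTKARMA_BL": 4.0,
    "RDNS_NONE": 2.5,
    "T_SPF_HELO_PERMERROR": 0.5,
}

# Assumed line shape: "SA score=<score>/<threshold> ... hits=<RULE>(<score>),<RULE>(<score>),..."
SA_RE = re.compile(r"SA score=(-?\d+)/(\d+)\b.*?\bhits=(\S+)")
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\(([-+]?\d+(?:\.\d+)?)\)")


def parse_sa_line(line):
    """Return {'score', 'threshold', 'hits'} for a pmg-smtp-filter SA log line,
    or None when the line is not an SA score line."""
    m = SA_RE.search(line)
    if not m:
        return None
    hits = {rule: float(value) for rule, value in HIT_RE.findall(m.group(3))}
    return {"score": int(m.group(1)), "threshold": int(m.group(2)), "hits": hits}


def rescore(hits, custom_scores, disable_bayes=False):
    """Re-sum the hit list using custom per-rule scores; rules not overridden keep the
    value from the log. With disable_bayes, BAYES_* rules are dropped entirely, which is
    the effect of turning the Bayesian filter off for this message."""
    total = 0.0
    for rule, logged_score in hits.items():
        if disable_bayes and rule.startswith("BAYES_"):
            continue
        total += custom_scores.get(rule, logged_score)
    return round(total, 3)


def evaluate(line, custom_scores, block_threshold, disable_bayes=False):
    """Parse one SA log line and report whether it would reach the block threshold
    under the given custom scores. Returns None for non-SA lines."""
    parsed = parse_sa_line(line)
    if parsed is None:
        return None
    new_total = rescore(parsed["hits"], custom_scores, disable_bayes)
    return {
        "logged_score": parsed["score"],           # whole number as PMG logs it
        "logged_sum": rescore(parsed["hits"], {}),  # exact sum of the logged hits
        "new_score": new_total,
        "blocked": new_total >= block_threshold,
    }


if __name__ == "__main__":
    # Assumed block threshold of 5, as in the answer above.
    for bayes_off in (False, True):
        r = evaluate(SAMPLE_LOG, CUSTOM_SCORES, block_threshold=5, disable_bayes=bayes_off)
        print(f"bayes disabled={bayes_off}: logged={r['logged_score']} "
              f"(exact {r['logged_sum']}), rescored={r['new_score']}, blocked={r['blocked']}")
```

Running it against the quoted line gives an exact logged sum of 1.426, a rescored 7.472 with the custom scores, and 9.372 once BAYES_00 is no longer subtracting 1.9; both rescored values clear a 5-point threshold, which is why the poster warns that these numbers are likely too high for a default configuration. Feeding your own mail.log lines through the same function before changing Custom Scores shows which legitimate mail would cross the threshold as well.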
 
