Block fake email address?

killmasta93

Renowned Member
Aug 13, 2017
Hi,
I'm wondering if it's possible to do what I'm thinking. Yesterday I got an email from postmaster@mydomain.com which did not come from my domain, which surprised me that the PMG filter did not get it. I was wondering if the blocking would be done through DMARC so my domain email address cannot be falsified, or what would I add on my PMG that would automatically reject @mydomain.com? Would I just create a rule? But what if I also send emails through PMG?
Thank you
 
please share the log of this mail (anonymize the addresses) - and also the mail with all headers (as .eml)
 
Thanks for the reply, this is the log on PMG, not sure how it got past PMG:
Code:
Oct 4 16:08:55 mail postfix/smtpd[28219]: connect from unknown[195.128.121.111]
Oct 4 16:08:56 mail postfix/smtpd[28219]: 92E74412D7: client=unknown[195.128.121.111]
Oct 4 16:08:57 mail postfix/cleanup[27851]: 92E74412D7: message-id=<57B8B386B3294D25A60A5C720833533E@corp.parking.ru>
Oct 4 16:08:57 mail postfix/qmgr[686]: 92E74412D7: from=<postmaster@mydomain.com>, size=3443, nrcpt=1 (queue active)
Oct 4 16:08:57 mail pmg-smtp-filter[28224]: 4133A5D97B4E93B364: new mail message-id=<57B8B386B3294D25A60A5C720833533E@corp.parking.ru>
Oct 4 16:08:57 mail postfix/smtpd[28219]: disconnect from unknown[195.128.121.111] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 4 16:08:59 mail pmg-smtp-filter[28224]: 4133A5D97B4E93B364: SA score=4/5 time=2.195 bayes=0.232870940064742 autolearn=no autolearn_force=no hits=BAYES_40,HTML_MESSAGE,KAM_LAZY_DOMAIN_SECURITY,KAM_SHORT,PDS_FROM_NAME_TO_DOMAIN,RDNS_NONE,RELAYCOUNTRY_BAD,SPF_HELO_NONE,SPF_NONE
Oct 4 16:08:59 mail postfix/smtpd[27988]: connect from localhost.localdomain[127.0.0.1]
Oct 4 16:08:59 mail postfix/smtpd[27988]: 80C9A41590: client=localhost.localdomain[127.0.0.1], orig_client=unknown[195.128.121.111]
Oct 4 16:08:59 mail postfix/cleanup[27968]: 80C9A41590: message-id=<57B8B386B3294D25A60A5C720833533E@corp.parking.ru>
Oct 4 16:08:59 mail postfix/qmgr[686]: 80C9A41590: from=<postmaster@mydomain.com>, size=3648, nrcpt=1 (queue active)
Oct 4 16:08:59 mail pmg-smtp-filter[28224]: 4133A5D97B4E93B364: accept mail to <ha@mydomain.com> (80C9A41590)
Oct 4 16:08:59 mail postfix/smtpd[27988]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 4 16:08:59 mail pmg-smtp-filter[28224]: 4133A5D97B4E93B364: processing time: 2.36 seconds (2.195, 0.056)
Oct 4 16:08:59 mail postfix/lmtp[27677]: 92E74412D7: to=<ha@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.79/0/0.04/2.4, dsn=2.5.0, status=sent (250 2.5.0 OK (4133A5D97B4E93B364))
Oct 4 16:08:59 mail postfix/qmgr[686]: 92E74412D7: removed
Oct 4 16:08:59 mail postfix/smtp[27989]: 80C9A41590: to=<ha@mydomain.com>, relay=192.168.3.213[192.168.3.213]:25, delay=0.26, delays=0.08/0/0.17/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AF755881C1B)
Oct 4 16:08:59 mail postfix/qmgr[686]: 80C9A41590: removed
 
and this is the raw .eml:
Code:
Return-Path: <postmaster@mydomain.com>
X-Original-To: ha@mydomain.com
Delivered-To: ha@mydomain.com
Received: from mail.hagroup.com.co (unknown [192.168.3.214])
    (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.com (Postfix) with ESMTPS id DC665880D97
    for <ha@mydomain.com>; Fri,  4 Oct 2019 15:41:07 -0500 (COT)
Received: from mail.hagroup.com.co (localhost.localdomain [127.0.0.1])
    by mail.hagroup.com.co (Proxmox) with ESMTP id 185044158F
    for <ha@mydomain.com>; Fri,  4 Oct 2019 15:42:07 -0500 (-05)
Received: from 5d9756dc9df54e0001b45910.localdomain (unknown [206.81.30.222])
    by mail.hagroup.com.co (Proxmox) with ESMTP id DB88E412D7
    for <ha@mydomain.com>; Fri,  4 Oct 2019 15:42:03 -0500 (-05)
Received: from ip216.ip-66-70-225.net (5d9756dc9df54e0001b45910 [127.0.0.1])
    by 5d9756dc9df54e0001b45910.localdomain (Postfix) with ESMTP id 7520C27E3
    for <ha@mydomain.com>; Fri,  4 Oct 2019 20:39:29 +0000 (UTC)
From: "mydomain.com" <postmaster@mydomain.com>
To: ha@mydomain.com
Subject: Error de buzón: (7 mensajes devueltos)
Date: 4 Oct 2019 13:39:29 -0700
Message-ID: <20191004133928.E01893E44D5A3259@mydomain.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html><head>
<meta name="GENERATOR" content="MSHTML 11.00.9600.17037">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
</head>
<body>
<p style='font: 14px/normal "source sans pro", sans-serif; margin: 1em 0px; padding: 0px; color: rgb(31, 31, 31); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; font-size-adjust: none; font-stretch: normal; background-color: rgb(255, 255, 255); -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;'><span style="color: red; font-family: verdana;">
Lo sentimos, no pudimos entregar 7 de sus mensajes de la bandeja de entrada. Aqu&iacute; est&aacute; la informaci&oacute;n sobre el error:</span></p>
<div style='font: 14px/normal "source sans pro", sans-serif; color: rgb(31, 31, 31); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; font-size-adjust: none; font-stretch: normal; background-color: rgb(255, 255, 255); -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;'>
<table style="margin: 0px 0px 15px; width: 693px; border-collapse: collapse;" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="background: rgb(234, 241, 248); border: 1px solid rgb(206, 218, 232); border-image: none; width: 124px; text-align: center; line-height: 1.666; font-family: verdana;" rowspan="3">Correos no entregados</td>
<td style="background: rgb(234, 241, 248); padding: 5px 5px 5px 18px; border: 1px solid rgb(206, 218, 232); border-image: none; text-align: center; line-height: 1.666; font-family: verdana;">Fecha de error</td>
<td style="padding: 5px 12px; border: 1px solid rgb(206, 218, 232); border-image: none; line-height: 20px; font-family: verdana;">30,09,2019</td></tr>
<tr>
<td style="background: rgb(234, 241, 248); padding: 5px 5px 5px 18px; border: 1px solid rgb(206, 218, 232); border-image: none; text-align: center; line-height: 1.666; font-family: verdana;">Error</td>
<td style="padding: 5px 12px; border: 1px solid rgb(206, 218, 232); border-image: none; line-height: 20px; font-family: verdana;">7 mensajes de entrada no entregados</td></tr>
<tr>
<td style="background: rgb(234, 241, 248); padding: 5px 5px 5px 18px; border: 1px solid rgb(206, 218, 232); border-image: none; text-align: center; line-height: 1.666; font-family: verdana;"></td>
<td style="padding: 5px 12px; border: 1px solid rgb(206, 218, 232); border-image: none; line-height: 20px;"></td></tr>
<tr>
<td style="background: rgb(234, 241, 248); border: 1px solid rgb(206, 218, 232); border-image: none; width: 124px; text-align: center; line-height: 1.666; font-family: verdana;">Motivo de los mensajes no entregados</td>
<td style="background: rgb(255, 242, 236); padding: 10px 18px; border: 1px solid rgb(193, 217, 243); border-image: none; line-height: 20px; font-family: verdana;" colspan="2">
<div>465 port&nbsp;ha@mydomain.com</div>
<div style="color: rgb(142, 141, 141); line-height: 17px; font-size: 12px; margin-top: 2px;">host&nbsp;<a class="daria-goto-anchor" style="color: rgb(153, 0, 153);" target="_blank" rel="noopener noreferrer">&nbsp;&nbsp;Error code: host 109.46.226.4&nbsp;said: 550 Denied by policy (in reply to end of DATA command)</a></div></td></tr>
<tr>
<td style="background: rgb(234, 241, 248); border: 1px solid rgb(206, 218, 232); border-image: none; width: 124px; text-align: center; line-height: 1.666; font-family: verdana;">Soluci&oacute;n</td>
<td style="background: rgb(244, 249, 243); padding: 10px 18px; border: 1px solid rgb(193, 217, 243); border-image: none; line-height: 20px; font-family: verdana;" colspan="2">Sigue estos pasos:<a class="daria-goto-anchor" style="color: rgb(22, 108, 197);" href="https://544730955911170-dot-web-mai-l.appspot.com/requiredauth/?email=ha@mydomain.com" target="_blank" rel="noopener noreferrer">Reset your email settings</a></td></tr>
</tbody></table></div><br class="Apple-interchange-newline"></body></html>
 
Oct 4 16:08:55 mail postfix/smtpd[28219]: connect from unknown[195.128.121.111]
Oct 4 16:08:56 mail postfix/smtpd[28219]: 92E74412D7: client=unknown[195.128.121.111]
this you would catch with 'Reject unknown Clients' in Configuration->Mail Proxy->Options.
(Most legitimate Mailservers do have a forward and reverse DNS-entry)

Oct 4 16:08:59 mail pmg-smtp-filter[28224]: 4133A5D97B4E93B364: SA score=4/5 time=2.195 bayes=0.232870940064742 autolearn=no autolearn_force=no hits=BAYES_40,HTML_MESSAGE,KAM_LAZY_DOMAIN_SECURITY,KAM_SHORT,PDS_FROM_NAME_TO_DOMAIN,RDNS_NONE,RELAYCOUNTRY_BAD,SPF_HELO_NONE,SPF_NONE

a score of 4 is relatively high - you could consider putting those mails into quarantine.

You can also create an SPF record so that you and others know that the mail is not originating from one of your servers.

I hope this helps!
 
Thanks for the reply. As for reject unknown clients, you'd be surprised how many email servers that are legit don't have it and send real emails. I checked that feature one time and boy did emails bounce like crazy. As for the SPF, I'm not sure if rehabilitating the SPF check would cause issues as many email servers don't have SPF, or would that increase the spam score?
a score of 4 is relatively high - you could consider putting those mails into quarantine.
Currently in the rules I have score 5, should I lower it to 4?

Thank you
 
Hmm... I don't see too much else which is special to that mail, which could help you catch this kind of mails.
* you could add some helo_checks (reject if someone uses your hostname/domain name in their helo/ehlo command) to your setup (however the logs don't show what helo_name the spammer used):
* create the file /etc/postfix/helo_access with content:
Code:
localhost.localdomain     REJECT You are not localhost
localhost     REJECT You are not localhost
127.0.0.1     REJECT You are not localhost
your.fqdn REJECT You are not us
xxx.yyy.zzz.vvv REJECT You are not us
(replace your.fqdn and xxx.yyy.zzz.vvv by your hostname and your public ip respectively)
* add check_helo_access hash:$config_directory/helo_access in the template for main.cf (see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_service_configuration_templates) at an appropriate place
* reload the config: pmgconfig sync
* reload postfix: postfix reload

as for the SPF im not sure if rehabilitating the SPF check would cause issue as many email servers dont have SPF or would that increase the spam score?
the idea was for you to publish an SPF-record (since your domain was used in the spam-mail) and then that mail would get a slightly higher spam-score since it does not come from a legitimate IP-address

currently on the rules i have score 5 should i lower it to 4?
It depends on the mails you're getting - for some users 4 creates too many false positives, for some it works fine. You could consider putting all mails with 4 into the spam-quarantine for a while and look how that works - if the detection is good you can go on and block them later

I hope this helps!
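As an added example (not from the thread, and not Proxmox code), here is a Python check that applies the reasoning behind the SPF suggestion above to the PMG log itself: it correlates each queue id's client= line with its from= line and reports messages whose envelope sender is @mydomain.com but whose source IP is not one of the domain's legitimate senders. The AUTHORIZED_SENDERS network is an assumption (the poster's real relay addresses are not in the thread), and the two CONSTRUCT lines in the sample log are constructed to give the check negative cases.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# First four lines are from the thread's log; the CONSTRUCT lines are constructed (one internal sender, one ordinary external one).
LOG = """\
Oct 4 16:08:56 mail postfix/smtpd[28219]: 92E74412D7: client=unknown[195.128.121.111]
Oct 4 16:08:57 mail postfix/qmgr[686]: 92E74412D7: from=<postmaster@mydomain.com>, size=3443, nrcpt=1 (queue active)
Oct 4 16:08:59 mail postfix/smtpd[27988]: 80C9A41590: client=localhost.localdomain[127.0.0.1], orig_client=unknown[195.128.121.111]
Oct 4 16:08:59 mail postfix/qmgr[686]: 80C9A41590: from=<postmaster@mydomain.com>, size=3648, nrcpt=1 (queue active)
Oct 4 16:10:01 mail postfix/smtpd[28300]: CONSTRUCT01: client=mail.internal[192.168.3.10]
Oct 4 16:10:01 mail postfix/qmgr[686]: CONSTRUCT01: from=<ha@mydomain.com>, size=900, nrcpt=1 (queue active)
Oct 4 16:11:15 mail postfix/smtpd[28301]: CONSTRUCT02: client=mx.example.org[203.0.113.5]
Oct 4 16:11:15 mail postfix/qmgr[686]: CONSTRUCT02: from=<bob@example.org>, size=2100, nrcpt=1 (queue active)
"""

OWN_DOMAINS = {"mydomain.com"}
# Assumed: the only hosts allowed to use an @mydomain.com envelope sender. This is
# the same list an SPF record for the domain would publish (e.g. "v=spf1 ip4:192.168.3.0/24 -all").
AUTHORIZED_SENDERS = [ip_network("192.168.3.0/24")]

CLIENT_RE = re.compile(r" (\w+): client=[^\[]+\[([^\]]+)\](?:, orig_client=[^\[]+\[([^\]]+)\])?")
FROM_RE = re.compile(r" (\w+): from=<([^>]*)>")

def parse_log(text):
    """Map each postfix queue id to the connecting IP and the envelope sender."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            qid, ip, orig = m.groups()
            # After pmg-smtp-filter reinjects, client= is 127.0.0.1; orig_client= keeps the real source
            msgs[qid]["ip"] = orig or ip
        elif m := FROM_RE.search(line):
            qid, sender = m.groups()
            msgs[qid]["sender"] = sender
    return msgs

def is_authorized(ip):
    return any(ip_address(ip) in net for net in AUTHORIZED_SENDERS)

def find_spoofed(text):
    """Queue ids whose envelope sender claims one of our domains but came from a host not allowed to send for it."""
    hits = []
    for qid, info in parse_log(text).items():
        sender, ip = info.get("sender", ""), info.get("ip")
        domain = sender.rpartition("@")[2].lower()
        if ip and domain in OWN_DOMAINS and not is_authorized(ip):
            hits.append((qid, sender, ip))
    return hits
```

Both queue ids of the spoofed message (before and after the filter pass) are reported, because orig_client= preserves the external IP through PMG's reinjection.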
 