Catch such e-mails signalled as coming from own domain (From name within Outlook client)

ittk

Member
Apr 14, 2020
I received such a real From-name spoofing e-mail; I only replaced sensitive data.

Code:
Received: from mail2.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail2.mydomain.com (Proxmox) with ESMTP id A96001214C7
    for <myuseraccount@mydomain.com>; Mon, 14 Sep 2020 13:40:15 +0200 (CEST)
Received-SPF: temperror (solaing.com: Time-out on DNS 'TXT' lookup of 'solaing.com') receiver=mail2.mydomain.com; identity=mailfrom; envelope-from="postmaster@solaing.com"; helo=server.pcservices.com.co; client-ip=184.171.245.130
Received: from server.pcservices.com.co (server.pcservices.com.co [184.171.245.130])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail2.mydomain.com (Proxmox) with ESMTPS id 75AA4121489
    for <myuseraccount@mydomain.com>; Mon, 14 Sep 2020 13:36:00 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=solaing.com
    ; s=default; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:
    Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
    Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
    In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
    List-Post:List-Owner:List-Archive;
    bh=kFTq+DBk3XEzMk+EoPIKwkatqv/VYk9PDsHlpm2laPg=; b=UD+H+4j+jRk1NVkjbKsR+Gvsq9
    Ol1qpsPAgvWtnkggC2TePG9rKuognnJJsOe9BVQilfBv77p4aLjw6HTAO+l955StDpU3ZDDv0mA+C
    A2RgxmVmL3XcVjGZ+rHfQgjECp6TgHCFg3wd203UY6zvaOYDGMGtxP1G4Sy6VfmXQhiec5ig8gxM7
    JUKtfudH5YVYDAMOqguK3nBbtOmNY3KzxMY6CsXOUTHWB9WEfNjQdNN5m02aQvgvXubBN28lSgq0O
    58D+7ZsMMmmdPCfV+hXA5t2rGIIyjvHpOCi3k+XebvXqGJEmPJFsJCd5Y3UWlYRMIDhNj3uQSDfpW
    Rn3ZKUEg==;
Received: from 129.95.61.94.rev.vodafone.pt ([94.61.95.129]:62612 helo=solaing.com)
    by server.pcservices.com.co with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93)
    (envelope-from <postmaster@solaing.com>)
    id 1kHla2-0000Tm-Cy; Mon, 14 Sep 2020 06:19:33 -0400
From: "Berger, Dietmar" <berger.dietmar@mydomain.com>
To: <myuseraccount@mydomain.com>
Subject: Krankmeldung
Thread-Topic: Krankmeldung
Thread-Index: AQHVtYpf7x/N/w2kYkS73cqx0EocKQ==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Mon, 14 Sep 2020 11:19:24 +0100
Message-ID: <964F05FF-6265-469B-8C72-D6F702D078D3@solaing.com>
Accept-Language: en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <964F05FF-6265-469B-8C72-D6F702D078D3@prominent.com>
MIME-Version: 1.0
X-C2ProcessedOrg: 7b2bbcae-b880-4d46-8913-bbc89c82f36b
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.3871755
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1591.017
Content-Type: multipart/related;
 boundary="--_=_NextPart1_5a713625-13f8-4014-9c38-c0e0731e6790"
X-OutGoing-Spam-Status: No, score=-0.7
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.pcservices.com.co
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - solaing.com
X-Get-Message-Sender-Via: server.pcservices.com.co: authenticated_id: postmaster@solaing.com
X-Authenticated-Sender: server.pcservices.com.co: postmaster@solaing.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-SPAM-LEVEL: Spam detection results:  0
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    MIME_QP_LONG_LINE       0.001 Quoted-printable line longer than 76 chars
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    T_SPF_TEMPERROR          0.01 SPF: test of record failed (temperror)

Return-Path: postmaster@solaing.com
X-MS-Exchange-Organization-Network-Message-Id: 4204681b-87a6-43a4-2154-08d858a2f6b2
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-PP-Proceessed: e7bb4166-00d2-4de0-81b3-258e69fba737
X-MS-Exchange-Organization-AuthSource: mail01.intern.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1913.003



Within the PMG log the from address is: postmaster@solaing.com
But on the Outlook client it appears to come from a user of our own domain.

How to block such e-mails, or just tag them / raise their spam score? What's the best approach to do it? Discussion is very welcome.

Thanks guys.
 
Assuming your PMG's SpamAssassin is working fine and you have also enabled DNSBL, I would suggest a few extra options.

1. Block/quarantine domain @solaing.com via mail filter.
2. Block/quarantine email subject via mail filter.
3. Increase spamassassin custom score for SPF_HELO_NONE and T_SPF_TEMPERROR under Spam Detector -> Custom score.
 
Thanks for the reply, but that is too specific for the general problem: a fake From-name spoofed address can still be received and appear as coming from our own domain name. There must be smarter approaches, @Stoiko Ivanov?
 

According to the log, is the e-mail from an internal or an external IP?
If it is from an internal IP, you need to find out whether there is any spam bot in your internal network.

Received: from server.pcservices.com.co (server.pcservices.com.co [184.171.245.130])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail2.mydomain.com (Proxmox) with ESMTPS id 75AA4121489
    for <myuseraccount@mydomain.com>; Mon, 14 Sep 2020 13:36:00 +0200 (CEST)
 
@hata_ph
It's coming straight from the external side / external IP addresses received by PMG. So no relay (security) problem at all.
And the unsettling thing is that PMG is NOT able to detect and catch such spoofed e-mails, yet.

The log file lines reveal the real sender address:

Code:
Received-SPF: temperror (solaing.com: Time-out on DNS 'TXT' lookup of 'solaing.com') receiver=mail2.mydomain.com;identity=mailfrom; 

envelope-from="postmaster@solaing.com"; ...

Received: from 129.95.61.94.rev.vodafone.pt ([94.61.95.129]:62612 helo=solaing.com)
    by server.pcservices.com.co with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93)


(envelope-from <postmaster@solaing.com>)...

X-Get-Message-Sender-Via: server.pcservices.com.co: authenticated_id: postmaster@solaing.com
X-Authenticated-Sender: server.pcservices.com.co: postmaster@solaing.com

Return-Path: postmaster@solaing.com

So for me this means that PMG and all of these anti-spam mechanisms cannot detect that the spoofed e-mail address is different from
the one presented within Outlook as the mail client.

It seems that PMG just examines the from line: "From: "Berger, Dietmar" <berger.dietmar@mydomain.com>"

But not header info like:

From SPF header: envelope-from="postmaster@solaing.com"; ...
Or coming from (envelope-from <postmaster@solaing.com>)...
Or such header lines: X-Get-Message-Sender-Via: server.pcservices.com.co: authenticated_id: postmaster@solaing.com
X-Authenticated-Sender: server.pcservices.com.co: postmaster@solaing.com


@Stoiko Ivanov: How to detect and catch all spam e-mails designed this way properly?
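As an added example (not code from the thread, from PMG or from SpamAssassin), the following Python check applies the distinction the post above is circling: it unfolds the header block, takes the domain of the From: header, the SMTP envelope sender (Return-Path, falling back to the envelope-from in Received-SPF) and the IP of the hop that handed the mail to one of our own MTAs, and flags only mail that claims our own domain in From: while entering from an outside address or carrying a foreign envelope sender. OWN_DOMAIN, INTERNAL_NETS and the three sample messages are constructed assumptions; the spoofed sample is trimmed from the headers posted at the top of the thread, the other two are made up.

```python
import ipaddress
import re

# Assumed local values (not from the thread): the domain we own and the
# networks our own mail servers hand mail in from. Adjust for your site.
OWN_DOMAIN = "mydomain.com"
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")        # "[1.2.3.4]" in Received:
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")               # receiving host in Received:
ENVFROM_RE = re.compile(r'envelope-from=<?"?([^"<>;\s]+)')   # envelope-from in Received-SPF

def parse_headers(raw):
    """Unfold the RFC 5322 header block into (lowercased name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                             # blank line ends the header block
        if line[0] in " \t" and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def get(headers, name): return [v for n, v in headers if n == name]

def domain_of(addr):
    """Lower-cased domain of 'Name <user@dom>' or 'user@dom'; '' if no address."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower().rstrip(".") if m else ""

def in_domain(name, domain):
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def envelope_sender(headers):
    """SMTP envelope sender as our MX saw it: Return-Path, else Received-SPF."""
    rp = [v for v in get(headers, "return-path") if "@" in v]
    if rp:
        return rp[0].strip("<> ").lower()
    m = ENVFROM_RE.search(" ".join(get(headers, "received-spf")))
    return m.group(1).lower() if m else ""

def entry_ip(headers, own_domain=OWN_DOMAIN):
    """IP that handed the mail to one of our MTAs; None if only internal hops."""
    for v in reversed(get(headers, "received")):   # oldest hop first
        by, ip = BY_RE.search(v), IP_RE.search(v)
        if by and ip and in_domain(by.group(1), own_domain) and \
                not any(ipaddress.ip_address(ip.group(1)) in n for n in INTERNAL_NETS):
            return ip.group(1)
    return None

def assess(raw, own_domain=OWN_DOMAIN):
    """Flag mail whose From: claims our domain but did not originate with us.
    A foreign From: is left alone, so mailing lists and web forms are not caught."""
    headers = parse_headers(raw)
    from_dom = domain_of(" ".join(get(headers, "from")[:1]))
    env = envelope_sender(headers)
    ip = entry_ip(headers, own_domain)
    reasons = []
    if in_domain(from_dom, own_domain):
        if ip:
            reasons.append(f"From: claims {own_domain} but mail entered from {ip}")
        if env and not in_domain(domain_of(env), own_domain):
            reasons.append(f"envelope sender {env} is outside {own_domain}")
    return {"from_domain": from_dom, "envelope_from": env, "entry_ip": ip,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed samples: SPOOFED is trimmed from the headers posted in the thread,
# the other two are made up to show the cases that must not be flagged.
SPOOFED = """\
Received: from mail2.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail2.mydomain.com (Proxmox) with ESMTP id A96001214C7
Received-SPF: temperror (solaing.com: Time-out on DNS 'TXT' lookup)
    receiver=mail2.mydomain.com; identity=mailfrom;
    envelope-from="postmaster@solaing.com"; client-ip=184.171.245.130
Received: from server.pcservices.com.co (server.pcservices.com.co [184.171.245.130])
    by mail2.mydomain.com (Proxmox) with ESMTPS id 75AA4121489
Received: from 129.95.61.94.rev.vodafone.pt ([94.61.95.129]:62612 helo=solaing.com)
    by server.pcservices.com.co with esmtpsa (Exim 4.93)
From: "Berger, Dietmar" <berger.dietmar@mydomain.com>
Return-Path: postmaster@solaing.com
"""
INTERNAL = """\
Received: from mail01.intern.local (mail01.intern.local [192.168.1.10])
    by mail2.mydomain.com (Proxmox) with ESMTP id 0123456789AB
From: "Colleague" <colleague@mydomain.com>
Return-Path: <colleague@mydomain.com>
"""
LIST_MAIL = """\
Received: from lists.example.net (lists.example.net [203.0.113.5])
    by mail2.mydomain.com (Proxmox) with ESMTPS id 0123456789AC
From: "Some Member" <member@example.org>
Return-Path: <bounces@lists.example.net>
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("internal", INTERNAL), ("list", LIST_MAIL)):
        print(label, assess(raw))
```

The spoofed sample is reported with two reasons (external entry IP 184.171.245.130 and envelope sender postmaster@solaing.com), the internal colleague mail and the mailing-list mail with nothing. The list case is the one SpamAssassin's HEADER_FROM_DIFFERENT_DOMAINS would score and this check deliberately ignores: it only reacts when the From: header borrows our own domain. Whether the entry IP counts as external depends entirely on INTERNAL_NETS being an accurate list of the hosts allowed to hand in mail with our domain in From:, which is the same precondition the rule-system approach has.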
 
This (meaning the mismatch of From address in the e-mail header and the envelope-from address) is not in all cases a spoofing/spam problem - think about mailing lists, or mails sent from a form on a website.

SpamAssassin assigns it 0.25 points in the default configuration (HEADER_FROM_DIFFERENT_DOMAINS rule).

Rejecting such mails in all cases will cause many false positives in most environments (but you could try to increase the score for the rule and see how it works).


Depending on your environment you could block e-mails coming from the external port which have a From header matching your domain (but again, in most environments this would cause many false positives) - with a rule.

I hope this helps!
 
I mentioned another approach here, but still don't know if it will consider the From: info for the blocking decision, as I don't expect any e-mail coming from "outside" having my own domain as From address (sender). All e-mails that have my e-mail domain in the From will be sent out from my internal LAN mail system and never come from any external source.
 
as said in the other thread - you need to make a distinction between the smtp-envelope address and the headers (From:, To:)

You can use the rule-system to block certain inbound mails by creating a rule which is only for the In direction (and active) - however this only works if all your internal systems and all your users use only the internal port for relaying mail to the outside

if you want to match the smtp-envelope addresses use fitting Who Objects
If you want to match the header-fields use fitting Match Field What Objects

once you create a rule the mail.log (`journalctl -b`, '/var/log/mail.log', and the Tracking Center) will show if it triggered

I hope this explains it
 
Thanks again for the great job you are doing in here. Much appreciated, so I will give the rule system a try to solve the issue that cannot be directly handled at the MTA (Postfix) level, like you explained ;)
 
Glad to be of help - but as said - you can do this as well on the postfix level (it's just not integrated in PMG/the GUI) - I personally would probably try to do that via rule-system as well :)
 
