Dangerous mail

Oct 1, 2020
Hi,
E-mails like the one below, from people we do not know, are delivered directly to our mailbox.
This e-mail is suspicious. How can we prevent such e-mails?
We do not have such a customer and such an invoice.
Are there any viruses in such emails?
Can you help me?
 
Are you currently using PMG?
If yes please share the logs of this mail from PMG - then we can maybe see what's specific about it.
 
Hi,
yes we are using PMG.
You can check the details below.
Jun 1 11:34:55 mailgateway postfix/smtpd[24170]: connect from mail-vi1eur05olkn2048.outbound.protection.outlook.com[40.92.90.48]
Jun 1 11:34:56 mailgateway postfix/smtpd[24170]: 061EA3802E6: client=mail-vi1eur05olkn2048.outbound.protection.outlook.com[40.92.90.48]
Jun 1 11:34:56 mailgateway postfix/cleanup[24159]: 061EA3802E6: message-id=<AM8P194MB154503AB3E9751CB60C966A7D53E9@AM8P194MB1545.EURP194.PROD.OUTLOOK.COM>
Jun 1 11:34:56 mailgateway postfix/qmgr[926]: 061EA3802E6: from=<hocaahmetgunes@hotmail.com>, size=102631, nrcpt=1 (queue active)
Jun 1 11:34:56 mailgateway pmg-smtp-filter[24064]: 3804EA60B5F1304441A: new mail message-id=<AM8P194MB154503AB3E9751CB60C966A7D53E9@AM8P194MB1545.EURP194.PROD.OUTLOOK.COM>#012
Jun 1 11:34:56 mailgateway postfix/smtpd[24170]: disconnect from mail-vi1eur05olkn2048.outbound.protection.outlook.com[40.92.90.48] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Jun 1 11:34:59 mailgateway pmg-smtp-filter[24064]: 3804EA60B5F1304441A: SA score=0/5 time=3.370 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),SUBJ_ALL_CAPS(0.5),T_HTML_ATTACH(0.01),T_REMOTE_IMAGE(0.01),T_TVD_MIME_NO_HEADERS(0.01),URI_TRUNCATED(0.001)
Jun 1 11:34:59 mailgateway postfix/smtpd[23875]: connect from localhost.localdomain[127.0.0.1]
Jun 1 11:34:59 mailgateway postfix/smtpd[23875]: AE3833814FE: client=localhost.localdomain[127.0.0.1], orig_client=mail-vi1eur05olkn2048.outbound.protection.outlook.com[40.92.90.48]
Jun 1 11:34:59 mailgateway postfix/cleanup[24093]: AE3833814FE: message-id=<AM8P194MB154503AB3E9751CB60C966A7D53E9@AM8P194MB1545.EURP194.PROD.OUTLOOK.COM>
Jun 1 11:34:59 mailgateway postfix/qmgr[926]: AE3833814FE: from=<hocaahmetgunes@hotmail.com>, size=104029, nrcpt=1 (queue active)
Jun 1 11:34:59 mailgateway postfix/smtpd[23875]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 1 11:34:59 mailgateway pmg-smtp-filter[24064]: 3804EA60B5F1304441A: accept mail to <zafer@xxxx.net> (AE3833814FE) (rule: default-accept)
Jun 1 11:34:59 mailgateway pmg-smtp-filter[24064]: 3804EA60B5F1304441A: processing time: 3.439 seconds (3.37, 0.05, 0)
Jun 1 11:34:59 mailgateway postfix/lmtp[24162]: 061EA3802E6: to=<zafer@xxxxx.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.8, delays=0.31/0/0/3.4, dsn=2.5.0, status=sent (250 2.5.0 OK (3804EA60B5F1304441A))
Jun 1 11:34:59 mailgateway postfix/qmgr[926]: 061EA3802E6: removed
Jun 1 11:35:00 mailgateway postfix/smtp[23886]: AE3833814FE: to=<zafer@xxxxx.net>, relay=192.168.53.253[192.168.53.253]:25, delay=0.46, delays=0.01/0/0.01/0.44, dsn=2.6.0, status=sent (250 2.6.0 <AM8P194MB154503AB3E9751CB60C966A7D53E9@AM8P194MB1545.EURP194.PROD.OUTLOOK.COM> [InternalId=32401233281112, Hostname=EXCSRV1.nokta.local] 105816 bytes in 0.435, 237.336 KB/sec Queued mail for delivery)
Jun 1 11:35:00 mailgateway postfix/qmgr[926]: AE3833814FE: removed
 
One thing that you could consider is disabling Bayes (GUI->Configuration->Spam Detector->Options):
BAYES_00(-1.9),

That would add 1.9 to the mail's result (which is still not too high).
Else - if the message had some particular attachment you could filter the mail based on that in the Rule System (just add a fitting What Object)

Finally you can always block based on Sender

I hope this helps!
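The `SA score=` line that PMG logs lists every SpamAssassin rule that fired together with its weight, so the effect of the advice above (switching off Bayes and thereby losing BAYES_00) can be checked on the log line before touching the configuration. The script below is an added example, not part of this thread and not PMG's own code: it parses that line (the sample input is constructed from the log posted above), sums the hits, recomputes the score with a chosen rule removed, and reports which sender-authentication rules fired. The regular expressions and function names are this example's own assumptions about the line format shown here.

```python
import re

# Constructed sample input: the pmg-smtp-filter score line from the thread, copied as posted.
SAMPLE_LOG_LINE = (
    "Jun 1 11:34:59 mailgateway pmg-smtp-filter[24064]: 3804EA60B5F1304441A: "
    "SA score=0/5 time=3.370 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),"
    "DKIM_VALID_EF(-0.1),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),"
    "RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_PASS(-0.001),"
    "SPF_PASS(-0.001),SUBJ_ALL_CAPS(0.5),T_HTML_ATTACH(0.01),T_REMOTE_IMAGE(0.01),"
    "T_TVD_MIME_NO_HEADERS(0.01),URI_TRUNCATED(0.001)"
)

# Patterns written for this example (an assumption about the format); they match the
# line layout shown in the thread: "<queue id>: SA score=<score>/<threshold> ... hits=<RULE(weight),...>"
SA_LINE_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-Fa-f]+): "
    r"SA score=(?P<score>-?\d+(?:\.\d+)?)/(?P<threshold>-?\d+(?:\.\d+)?)"
    r".*?\bhits=(?P<hits>\S*)"
)
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\(([-+]?\d+(?:\.\d+)?)\)")


def parse_sa_line(line):
    """Return {'qid', 'score', 'threshold', 'hits'} for a pmg-smtp-filter SA line, or None for other lines."""
    m = SA_LINE_RE.search(line)
    if not m:
        return None
    hits = {name: float(weight) for name, weight in HIT_RE.findall(m.group("hits"))}
    return {
        "qid": m.group("qid"),
        "score": float(m.group("score")),
        "threshold": float(m.group("threshold")),
        "hits": hits,
    }


def rescore(hits, disabled=()):
    """Sum the rule weights, skipping any rule named in `disabled` (e.g. BAYES_00 once Bayes is switched off)."""
    return round(sum(w for name, w in hits.items() if name not in disabled), 4)


def auth_summary(hits):
    """Which sender-authentication rules fired; DKIM_VALID_AU means the signing domain matches the From: domain."""
    return {
        "spf_pass": "SPF_PASS" in hits,
        "dkim_valid": "DKIM_VALID" in hits,
        "dkim_aligned": "DKIM_VALID_AU" in hits,
    }


def what_if(line, disabled=()):
    """Logged score, raw sum of the hits, the sum with `disabled` rules removed, and whether that crosses the threshold."""
    parsed = parse_sa_line(line)
    if parsed is None:
        return None
    new_score = rescore(parsed["hits"], disabled)
    return {
        "qid": parsed["qid"],
        "logged_score": parsed["score"],
        "raw_sum": rescore(parsed["hits"]),
        "score_without": new_score,
        "over_threshold": new_score >= parsed["threshold"],
        "auth": auth_summary(parsed["hits"]),
    }


if __name__ == "__main__":
    result = what_if(SAMPLE_LOG_LINE, disabled=("BAYES_00",))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the posted line, the raw hits sum to -1.57 (PMG logs it as 0/5), and with BAYES_00 removed the score becomes 0.33, well under the threshold of 5, which is what the answer above means by "still not too high". The authentication summary also shows that SPF passed and the DKIM signature is aligned with the From: domain, so the message genuinely left the hotmail.com account in the From: header rather than being spoofed; that makes a sender-based block of that address (the last suggestion above) the precise tool, whereas blocking hotmail.com as a whole would hit legitimate mail as well.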