From address different than authentication

abzsol (Italy, www.abzsol.com)
Hi everyone,

These days a client is receiving some messages with a From address that seems to be from our Proxmox Mail Gateway, but the sender is a different address.
I have set SPF to fail, but I still receive them.

Code:
Return-Path: <dayset@dayset.com.tr>
Received: from pmg01.abzsrl.it (UnknownHost [192.168.6.3]) by mail01.abzsrl.it with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Thu, 12 Nov 2020 19:02:45 +0100
Received: from pmg01.abzsrl.it (localhost.localdomain [127.0.0.1])
    by pmg01.abzsrl.it (Proxmox) with ESMTP id 079901C3271
    for <receiver@domain.ext>; Thu, 12 Nov 2020 19:02:39 +0100 (CET)
Received-SPF: pass (dayset.com.tr: 31.186.28.21 is authorized to use 'dayset@dayset.com.tr' in 'mfrom' identity (mechanism 'ip4:31.186.28.0/24' matched)) receiver=pmg01.abzsrl.it; identity=mailfrom; envelope-from="dayset@dayset.com.tr"; helo=mta01-mxf-kb.turkticaret.net; client-ip=31.186.28.21
Received: from mta01-mxf-kb.turkticaret.net (mta01-mxf-kb.turkticaret.net [31.186.28.21])
    by pmg01.abzsrl.it (Proxmox) with ESMTP id 7B3701C04D3
    for <receiver@domain.ext>; Thu, 12 Nov 2020 19:02:35 +0100 (CET)
Received: from localhost (av01-mxf-kb.turkticaret.net [31.186.28.51])
    by mta01-mxf-kb.turkticaret.net (Postfix) with ESMTP id DC8B549A
    for <receiver@domain.ext>; Thu, 12 Nov 2020 21:01:45 +0300 (+03)
X-Virus-Scanned: at
X-Spam-Flag: NO
X-Spam-Score: -0.796
X-Spam-Level: 
X-Spam-Status: No, score=-0.796 tagged_above=-999 required=6
    tests=[ALL_TRUSTED=-1, HTML_FONT_LOW_CONTRAST=0.001,
    HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, TO_IN_SUBJ=0.1,
    TO_NO_BRKTS_HTML_IMG=0.001, URIBL_BLOCKED=0.001] autolearn=disabled
Received: from mta01-mxf-kb.turkticaret.net ([31.186.28.101])
    by localhost (av01-mxf-kb.turkticaret.net [31.186.28.51]) (amavisd-new, port 10024)
    with ESMTP id zifXOXMDux9e for <receiver@domain.ext>;
    Thu, 12 Nov 2020 20:56:00 +0300 (+03)
Received: from dayset.com.tr (unknown [51.254.246.45])
    by mta01-mxf-kb.turkticaret.net (Postfix) with ESMTPA id 36F454C1
    for <receiver@domain.ext>; Thu, 12 Nov 2020 21:01:37 +0300 (+03)
From: WeTransfer@pmg01.abzsrl.it
To: receiver@domain.ext
Subject: receiver@domain.ext downloaded your file
Date: 12 Nov 2020 22:02:19 +0400
Message-ID: <20201112220219.79B4C4F8B5562736@dayset.com.tr>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_0012_155E4AB2.82BDBBC7"
X-pmg01.abzsrl.it-spam: Spam detection results:  1
    AWL                     0.031 Adjusted score from AWL reputation of From: address
    BAYES_00                -0.25 Bayes spam probability is 0 to 1%
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    RCVD_IN_SORBS_WEB         1.5 SORBS: sender is an abusable web server
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    TO_IN_SUBJ              0.099 To address is in Subject
    TO_NO_BRKTS_HTML_IMG    0.114 To: lacks brackets and HTML and one image
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [deref-mail.com,zendesk.com,wetransfer.com,tecasi.rs]
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)

What can I do?
Thanks so much
 
This is the SMTP envelope from, which is the address/domain that gets checked for SPF (and dayset.com.tr can use 31.186.28.21 as sender), so in that case SPF cannot help you.

You'll most likely get far better detection results by properly configuring your DNS server:
URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.

See the Getting Started howto in the PMG wiki and the article about a local DNS resolver:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway

I hope this helps!
Hi @Stoiko Ivanov and thanks for your reply.
We've already set URIBL, but we reach the limit of calls.

Is there any method to check if the sender is from the same domain of the account used for authentication?
Thanks
 
Is there any method to check if the sender is from the same domain of the account used for authentication?
Not in general. SMTP-AUTH (used for authentication before sending an e-mail) is used mostly by mail clients when talking with their sending mail server (it is not used between mail servers on the internet). Some of the sending mail servers write information about which account was used for authentication in the headers (sometimes they add the information to the Received headers, sometimes in a header of its own); however, this is not standardized.
Additionally, a mismatch between the envelope sender and the authenticated account is nothing suspicious by itself, e.g. if someone configures their server to relay via an ISP relay, which only accepts mails with SMTP-AUTH, but still wants to send mails from root@localhost ...

Also, the authentication with some server on the internet which relayed the mail to your PMG is not a particularly trustworthy or helpful piece of information for catching malicious mails.

I hope this explains it
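The two replies above make the same point from different sides: SPF only evaluates the envelope sender (Return-Path / envelope-from), and there is no standardized header telling the receiver which account authenticated at the sending server. The check that is standardized is DMARC-style alignment between the header From domain and the envelope-from domain, which is what the KAM_DMARC_STATUS line in the quoted scan results refers to. The script below is an added example, not part of this thread and not Proxmox Mail Gateway code; it parses a constructed header sample abbreviated from the headers quoted above, assumes abzsrl.it is the receiving organization's own domain, and uses a tiny hard-coded stand-in for the Public Suffix List (a real check needs the full list, as the dayset.com.tr case shows).

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Tiny stand-in for the Public Suffix List (assumption for this example):
# multi-label suffixes that a naive "last two labels" rule would get wrong.
MULTI_LABEL_SUFFIXES = {"com.tr", "co.uk", "com.au", "co.jp"}


def org_domain(domain: str) -> str:
    """Organizational domain used for DMARC-style relaxed alignment.

    'pmg01.abzsrl.it' -> 'abzsrl.it', 'dayset.com.tr' -> 'dayset.com.tr'
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def address_domain(header_value: str) -> str:
    """Domain part of an address header value, '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spf_result(received_spf: str) -> str:
    """First token of a Received-SPF header ('pass', 'fail', ...), 'none' if absent."""
    match = re.match(r"\s*(\w+)", received_spf or "")
    return match.group(1).lower() if match else "none"


def analyze(raw_message: str, local_org_domains: set) -> dict:
    """Compare envelope-from and header From the way a DMARC alignment check does.

    'spoofs_local_domain' is True when the visible From claims one of our own
    organizational domains while the envelope sender belongs to someone else:
    SPF can legitimately pass for such a message, as in the thread.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    env_from = address_domain(str(msg.get("Return-Path", "")))
    hdr_from = address_domain(str(msg.get("From", "")))
    aligned = bool(env_from and hdr_from) and org_domain(env_from) == org_domain(hdr_from)
    spoofs_local = bool(hdr_from) and org_domain(hdr_from) in local_org_domains and not aligned
    return {
        "envelope_from_domain": env_from,
        "header_from_domain": hdr_from,
        "spf": spf_result(str(msg.get("Received-SPF", ""))),
        "aligned": aligned,
        "spoofs_local_domain": spoofs_local,
    }


# Constructed sample, abbreviated from the headers quoted in this thread.
SUSPICIOUS_SAMPLE = """Return-Path: <dayset@dayset.com.tr>
Received-SPF: pass (dayset.com.tr: 31.186.28.21 is authorized to use 'dayset@dayset.com.tr' in 'mfrom' identity) receiver=pmg01.abzsrl.it; identity=mailfrom; envelope-from="dayset@dayset.com.tr"
From: WeTransfer@pmg01.abzsrl.it
To: receiver@domain.ext
Subject: receiver@domain.ext downloaded your file

(body omitted)
"""

# Constructed control: same envelope sender, but the header From is aligned with it.
ALIGNED_SAMPLE = """Return-Path: <dayset@dayset.com.tr>
Received-SPF: pass (dayset.com.tr: 31.186.28.21 is authorized) identity=mailfrom
From: Someone <someone@dayset.com.tr>
To: receiver@domain.ext
Subject: hello

(body omitted)
"""

if __name__ == "__main__":
    local = {"abzsrl.it"}  # assumption: the receiving organization's own domain
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("aligned", ALIGNED_SAMPLE)):
        print(name, analyze(sample, local))
```

In a real deployment this logic belongs in the gateway's DMARC handling rather than a standalone script: publishing a DMARC record for the organization's own domain lets the receiving side reject exactly this pattern (our domain in From, a foreign envelope sender, SPF passing for that foreign domain), whereas the SMTP-AUTH information the reply above discusses cannot be relied on.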
 
