Help Understanding how this is getting through

Sep 17, 2020
Hello All,

I'm not able to stop this spammer, who has been sending messages via a minimum of 2 providers each time, and then we accept it, never looking at the recipient's SPF etc.
Any ideas on how I can stop this?

Information has been obfuscated on the MGW & Client Side info.
The client recipient side does have reject-SPF settings if not from the client's IPs.

Thanks!!

Headers from Outlook
Code:
Received: from client.mail.server (10.111.1.10) by
 client.mail.server (10.111.1.10) with Microsoft SMTP Server
 (TLS) id 15.0.1497.42 via Mailbox Transport; Tue, 29 Nov 2022 15:25:42 -0500
Received: from client.mail.server (10.111.1.10) by
 client.mail.server (10.111.1.10) with Microsoft SMTP Server
 (TLS) id 15.0.1497.42; Tue, 29 Nov 2022 15:25:39 -0500
Received: from mgw.proxmox-server.com (93.93.93.50) by
 client.mail.server (10.111.1.10) with Microsoft SMTP Server
 (TLS) id 15.0.1497.42 via Frontend Transport; Tue, 29 Nov 2022 15:25:39 -0500
Received: from mgw (localhost.localdomain [127.0.0.1])
    by mgw.proxmox-server.com (Proxmox) with ESMTP id 8F11780BB9
    for <Client@Client.com>; Tue, 29 Nov 2022 15:25:39 -0500 (EST)
Received: from qwwj.em.jennycraig.com (unknown [103.198.26.252])
    by mgw.proxmox-server.com (Proxmox) with ESMTP id 44F7280976
    for <Client@Client.com>; Tue, 29 Nov 2022 15:25:34 -0500 (EST)
Received: from 10.196.243.97
 by atlas111.aol.mail.bf1.yahoo.com pod-id NONE with HTTPS; Tue, 29 Nov 2023 19:47:07 +0000
Received: from 209.85.214.180 (EHLO mail-pl1-f180.google.com)
 by 10.196.243.97 with SMTPs
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Tue, 29 Nov 2023 19:47:07 +0000
Received: by mail-pl1-f180.google.com with SMTP id g10so14459143plo.11
        for <Client@Client.com>; Tue, 29 Nov 2023 11:47:07 -0800 (PST)
From: Client Name <Client@Client.com>
To: Client Name <Client@Client.com>
Subject: How did you feel after trying 'Dollar General'?
Thread-Topic: How did you feel after trying 'Dollar General'?
Thread-Index: AQHZBDDABwz29OlVxkm7FZTCVdkV0A==
Date: Wed, 29 Nov 2023 19:46:26 +0000
Message-ID: <GSaZUcg_k41V0ZO7owyKqkWq05NEjzbgWHE8Z8HxWorXoLJBSjz@mail.gmail.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: client.mail.server
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=gmail.com;
 s=20210112;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=vv69Ojau1DGM4YXViCaGDJPXYbGptlmMS0h6WJGgYLg=;
        b=DwtFsr+OzUxZGAHOZHRV5r3JRASyLBLQhpTH58m7en1VjZbeOMZFfe0TIdSlCuizrX
         8FePrI5M5uukWaK2K1GxtgEWftTzTBBeGzRgnjyQ6E49lmdJHO1JTfR9E2T7nk0AyOyb
         1I8uYjhrSbA+4DBgLSr1DQdjIlIcC9GWI+16+B4T5BXGmV8knej4HTPhcsAEvZ0FTnXJ
         pOTUy42faOyA9kb+GiDD+raGJ4ujeG6fwPK030E1grVbP6g4QAXwcIBoXDQeltZdkmlp
         uFhqoCt2VSDCsgrBy9/46lyoBUsMyOFa5fr1F7SBEhGK1sps72uC324luOUty+ucRGkj
         zNLA==
x-originating-ip: [209.85.214.180]
received-spf: pass (domain of gmail.com designates 209.85.214.180 as permitted
 sender)
authentication-results: atlas111.aol.mail.bf1.yahoo.com; dkim=pass
 header.i=@gmail.com header.s=20210112; spf=pass smtp.mailfrom=gmail.com;
 dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
x-spam-level: Spam detection results:  15    AWL                     1.739
 Adjusted score from AWL reputation of From: address    BAYES_50
                  0.8 Bayes spam probability is 40 to 60%    DKIM_INVALID
              0.1 DKIM or DK signature exists, but is not valid    DKIM_SIGNED
               0.1 Message has a DKIM or DK signature, not necessarily valid
    HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
 background    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment    KAM_STORAGE_GOOGLE       2.25 Google Storage API being abused by
 spammers    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    PDM_URI_GOOGLEAPIS          3 Rule to look for spammy Google API usage
    RBL_SENDERSCORE             5 Entries listed in bl.score.senderscore.com RBL
    RCVD_IN_VALIDITY_RPBL    1.31 Relay in Validity RPBL,
 https://senderscore.org/blocklistlookup/    RDNS_NONE               0.793
 Delivered to internal network by a host with no rDNS    SCC_CANSPAM_2
            0.63 Interesting compliance language    SPF_HELO_NONE           0.001
 SPF: HELO does not publish an SPF Record    UNPARSEABLE_RELAY       0.001
 Informational: message has unparseable relay lines    URIBL_BLOCKED
           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [storage.googleapis.com]    URIBL_SBL_A               0.1 Contains
 URL's A record listed in the Spamhaus SBL blocklist [storage.googleapis.com]
x-received: by 2002:a17:902:6b8b:b0:188:a40b:47c9 with SMTP id
 p11-20020a1709026b8b00b00188a40b47c9mr38663617plk.75.1669751227135; Tue, 29
 Nov 2023 11:47:07 -0800 (PST)
Content-Type: multipart/related;
    boundary="_005_GSaZUcgk41V0ZO7owyKqkWq05NEjzbgWHE8Z8HxWorXoLJBSjzmailg_";
    type="multipart/alternative"
MIME-Version: 1.0
 
Hi.
SPF records check the Return-Path, not the From field. We don't see the original message, so I think in the Return-Path we will see an address that is not Client@Client.com.
If I understand your situation correctly, you want to block self-sent messages, from Client@Client.com to Client@Client.com. In my case, I created a Who object with a list of my domains, and created a rule to block messages with this list object.
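The reply above makes the key point: SPF (and the `received-spf` / `authentication-results` lines in the posted headers) speak about the envelope sender, and in this case those lines were stamped by a Yahoo host and describe `gmail.com`, not the `Client.com` shown in `From:`. The following is an added example, not code from the thread or from Proxmox, that walks the posted header block from the gateway outward and reports what the gateway can actually vouch for: the first hop it took from the outside, how many `Received:` lines below that were written by hosts nobody here controls, and whether any `Authentication-Results` header was produced by our own infrastructure. The `TRUSTED` set is an assumption built from the thread's obfuscated host names, and `SAMPLE` is a constructed, shortened copy of the posted headers.

```python
import re
from email import message_from_string
from email.policy import default

# Hosts we operate (assumption, taken from the thread's obfuscated names):
# only a Received: line stamped *by* one of these can be trusted.
TRUSTED = {"client.mail.server", "10.111.1.10",
           "mgw.proxmox-server.com", "93.93.93.50"}

# Constructed sample, condensed from the headers posted in the thread.
SAMPLE = """Received: from mgw.proxmox-server.com (93.93.93.50) by
 client.mail.server (10.111.1.10) with Microsoft SMTP Server
 (TLS) id 15.0.1497.42 via Frontend Transport; Tue, 29 Nov 2022 15:25:39 -0500
Received: from mgw (localhost.localdomain [127.0.0.1])
    by mgw.proxmox-server.com (Proxmox) with ESMTP id 8F11780BB9
    for <Client@Client.com>; Tue, 29 Nov 2022 15:25:39 -0500 (EST)
Received: from qwwj.em.jennycraig.com (unknown [103.198.26.252])
    by mgw.proxmox-server.com (Proxmox) with ESMTP id 44F7280976
    for <Client@Client.com>; Tue, 29 Nov 2022 15:25:34 -0500 (EST)
Received: from 10.196.243.97
 by atlas111.aol.mail.bf1.yahoo.com pod-id NONE with HTTPS; Tue, 29 Nov 2023 19:47:07 +0000
Received: from 209.85.214.180 (EHLO mail-pl1-f180.google.com)
 by 10.196.243.97 with SMTPs
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Tue, 29 Nov 2023 19:47:07 +0000
From: Client Name <Client@Client.com>
To: Client Name <Client@Client.com>
Subject: How did you feel after trying 'Dollar General'?
authentication-results: atlas111.aol.mail.bf1.yahoo.com; dkim=pass
 header.i=@gmail.com header.s=20210112; spf=pass smtp.mailfrom=gmail.com;
 dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_received(value):
    """Split one Received: header into helo, ip, by, comment (None if odd)."""
    text = " ".join(value.split())            # collapse folded whitespace
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip_m = IP_RE.search(comment) or IP_RE.search(m.group("helo"))
    return {"helo": m.group("helo").lower(),
            "ip": ip_m.group(0) if ip_m else None,
            "by": m.group("by").lower(),
            "comment": comment.lower()}


def sender_is_ours(hop, trusted):
    """True when the 'from' side of a hop is one of our hosts or loopback."""
    if hop["ip"] and (hop["ip"].startswith("127.") or hop["ip"] in trusted):
        return True
    return hop["helo"] in trusted or any(h in hop["comment"] for h in trusted)


def boundary_hop(hops, trusted):
    """Index of the newest hop our infrastructure took from the outside.

    hops[0] is the top (newest) Received: line.  Everything after the
    boundary was written by hosts we do not control and may be invented.
    """
    for i, hop in enumerate(hops):
        if hop["by"] in trusted and not sender_is_ours(hop, trusted):
            return i
    return None


def analyze(raw_headers, trusted=TRUSTED):
    """Summarise what the gateway can actually vouch for in a header block."""
    msg = message_from_string(raw_headers, policy=default)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    idx = boundary_hop(hops, trusted)
    boundary = hops[idx] if idx is not None else None

    trusted_auth, foreign_auth, auth_from = [], [], None
    for value in msg.get_all("Authentication-Results", []):
        authserv = value.split(";", 1)[0].strip().lower()   # authserv-id
        (trusted_auth if authserv in trusted else foreign_auth).append(authserv)
        m = re.search(r"header\.from=([^\s;]+)", value)
        if m:
            auth_from = m.group(1).lower()

    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else None
    return {
        "boundary_helo": boundary["helo"] if boundary else None,
        "boundary_ip": boundary["ip"] if boundary else None,
        "unverifiable_hops": len(hops) - idx - 1 if idx is not None else len(hops),
        "auth_results_trusted": trusted_auth,   # produced by our own hosts
        "foreign_auth_results": foreign_auth,   # merely carried in the mail
        "from_domain": from_domain,
        "auth_header_from": auth_from,
        "from_mismatch": bool(from_domain and auth_from and from_domain != auth_from),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key}: {val}")
```

On the posted headers this reports the boundary hop as `qwwj.em.jennycraig.com [103.198.26.252]`, two unverifiable hops below it (the Yahoo and Google lines, which the spammer could have written freely), no trusted `Authentication-Results` at all, and a `From:` domain (`client.com`) that does not even match the `header.from=gmail.com` the foreign result claims to have evaluated. Only a check performed by `mgw.proxmox-server.com` itself, on the envelope sender it actually saw, says anything about this message.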
 
Agreed that the From is only visual, per se, and the return will have
I'm not sure that would work, because client.com does send through our MGW for outbound, and of course receives through the gateway; I believe doing what you're saying would block legitimate email.
Looking for something to try to tighten this up.
 
Thanks @Stoiko Ivanov, but I'm not sure why it's not blocking or quarantining...
My first question is: would I block that at the Postfix level, or, to simply quarantine it somewhere, do I need to change/create a rule/policy?
 
Can you post the log from Proxmox Mail Gateway? It's unclear here why it's not blocking; we need logs from PMG to understand that. I am guessing that it is because you have too many rules and some of the rules whitelist something on this email. At least in my opinion you should try to simplify your configuration instead of just adding 999x rules; it will make it much easier to debug when something is not working, but whatever floats your boat.
 
I will try to dig up the logs from mail.log.

In respect to the rules, we added the rule to match the object so we can tell which rules are providing us better results and are more effective.
We aren't whitelisting the source.
 
Without trying to obfuscate everything, the message
(8F11780BB9) (rule: default-accept)

And then

Nov 29 15:25:39 mgw pmg-smtp-filter[796704]: A4F6463866ABECC2E9: sender in user (client@client.com) whitelist
Nov 29 15:25:39 mgw pmg-smtp-filter[796704]: A4F6463866ABECC2E9: accept mail to <client@client.com> (8F11780BB9) (rule: default-accept)

There is NO rule to whitelist client@client.com under mail proxy, who or what.

Of course it is under relay domains.
 
Can you post your rule system with 'pmgdb dump'?
Anonymized if necessary, but please in a unique manner, such that mail "aaa" is always replaced by the same anonymized email, different from the others. The same for domains, etc., please.
 
Nov 29 15:25:39 mgw pmg-smtp-filter[796704]: A4F6463866ABECC2E9: sender in user (client@client.com) whitelist
Nov 29 15:25:39 mgw pmg-smtp-filter[796704]: A4F6463866ABECC2E9: accept mail to <client@client.com> (8F11780BB9) (rule: default-accept)

There is NO rule to whitelist client@client.com under mail proxy, who or what.
Yes - there is no rule - but the address is listed in client@client.com's user whitelist...
see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_whitelist_overview
 
Yes, the rules/objects had no reference, but you were right: it was in a user's whitelist.
Is there something in the log that tells me it was a user's whitelist, or is "whitelist" simply what is reflected for all users and Proxy->Whitelist when it says "whitelist"?

Lastly, I know I can see individual users' whitelists from the Whitelists option and then pick a user, but is there a way to see all of the emails in everyone's whitelist, from the command line or otherwise?

Thanks!!!
 
Yes, from the log:
Nov 29 15:25:39 mgw pmg-smtp-filter[796704]: A4F6463866ABECC2E9: sender in user (client@client.com) whitelist

I have no user whitelist, so I usually see in the log only the rule that I use for whitelisting:
Nov 28 10:51:16 pmg-smtp-filter[46231]: 12141763848493C9C8D: accept mail to <receiver@example.com> (CF3E7121411) (rule: AcceptList)

For Configuration - Mail Proxy - Whitelist, as far as I know you cannot see in the logs that some sender is whitelisted.

Administration - User Whitelist will only show you one user at a time; I can't see how to show all. Maybe someone else knows.
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_quarantine_2
 
Lastly, I know I can see individual users' whitelists from the Whitelists option and then pick a user, but is there a way to see all of the emails in everyone's whitelist, from the command line or otherwise?
You can use the API or `pmgsh` for that - get all users with entries in the lists via:
https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/quarantine/quarusers
and then the entries for that user:
https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/quarantine/blacklist
https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/quarantine/whitelist

I hope this helps!
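Putting the two API calls above together, as an added example that is not part of the thread or of Proxmox: the script below runs `pmgsh` on the gateway node, lists every user who has a quarantine whitelist, dumps each list, and flags entries that would whitelist the organisation's own domain, which is exactly the kind of entry that let the self-addressed spam in this thread skip the rule system. Assumptions (check them against the API viewer before relying on the output): `pmgsh get` prints JSON, `/quarantine/quarusers` takes `--list WL` and returns objects with a `mail` key, `/quarantine/whitelist` takes `--pmail` and returns objects with an `address` key, user-list entries are either full addresses or `@domain` / `domain` forms, and `OWN_DOMAINS` holds the relay domains the gateway accepts mail for.

```python
import json
import subprocess

# Assumption: the domains this gateway relays for (the thread's "client.com").
OWN_DOMAINS = {"client.com"}


def pmgsh_get(path, **params):
    """Run `pmgsh get PATH --key value ...` on the node and decode its JSON.

    Assumption: pmgsh prints the API result as JSON; a non-zero exit raises.
    """
    cmd = ["pmgsh", "get", path]
    for key, value in params.items():
        cmd += [f"--{key}", str(value)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def entry_covers_own_domain(entry, own_domains):
    """True if a user whitelist entry matches senders claiming to be us.

    Entries are assumed to be 'user@domain', '@domain' or 'domain'.  Any of
    these resolving to one of our own domains means a spoofed envelope
    sender with that domain is accepted before the rule system runs.
    """
    e = entry.strip().lower().lstrip("@")
    domain = e.rsplit("@", 1)[-1]
    return domain in own_domains


def collect_whitelists(users, fetch_entries):
    """Build {user: [entries]}; fetch_entries is injected so it can be faked."""
    return {u: [x["address"] for x in fetch_entries(u)] for u in users}


def risky_entries(whitelists, own_domains):
    """Return (user, entry) pairs whose entry whitelists our own domain."""
    return [(u, e) for u, entries in whitelists.items()
            for e in entries if entry_covers_own_domain(e, own_domains)]


def main():
    users = [u["mail"] for u in pmgsh_get("/quarantine/quarusers", list="WL")]
    whitelists = collect_whitelists(
        users, lambda u: pmgsh_get("/quarantine/whitelist", pmail=u))
    for user, entries in whitelists.items():
        print(f"{user}: {', '.join(entries) or '(empty)'}")
    for user, entry in risky_entries(whitelists, OWN_DOMAINS):
        print(f"WARNING: {user} whitelists own-domain sender {entry}")


if __name__ == "__main__":
    main()
```

Run it as root on the PMG node; the `WARNING` lines are the entries to remove or, if a user genuinely needs them, to replace with a narrower Who object that matches the real sending hosts rather than the spoofable envelope address.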
 