How come phishing email can pass all

hoanv9

Active Member
Apr 15, 2020
45
6
28
44
Hi,
I tried the phishing test with my email gateway, the phishing email successfully pass all spam check and delivered to user. It can fake the sender even spf required.
Here is the log, can anybody have experience on?

Code:
Mar 23 13:10:50 smgw2 postfix/postscreen[2270866]: CONNECT from [23.21.109.197]:43534 to [192.168.110.202]:25
Mar 23 13:10:50 smgw2 postfix/postscreen[2270866]: CONNECT from [23.21.109.197]:5016 to [192.168.110.202]:25
Mar 23 13:10:56 smgw2 postfix/postscreen[2270866]: PASS NEW [23.21.109.197]:43534
Mar 23 13:10:56 smgw2 postfix/postscreen[2270866]: PASS OLD [23.21.109.197]:5016
Mar 23 13:10:56 smgw2 postfix/smtpd[2329615]: connect from psm.knowbe4.com[23.21.109.197]
Mar 23 13:10:56 smgw2 postfix/smtpd[2329616]: connect from psm.knowbe4.com[23.21.109.197]
Mar 23 13:10:57 smgw2 postfix/smtpd[2329615]: 05378380C12: client=psm.knowbe4.com[23.21.109.197]
Mar 23 13:10:57 smgw2 postfix/smtpd[2329616]: 2FA4D380C5A: client=psm.knowbe4.com[23.21.109.197]
Mar 23 13:10:57 smgw2 postfix/cleanup[2327590]: 2FA4D380C5A: message-id=<4a6ff2ed.4aca7f0c@psm.knowbe4.com>
Mar 23 13:10:57 smgw2 postfix/qmgr[1057]: 2FA4D380C5A: from=<4a6ff2ed.4aca7f0c@psm.knowbe4.com>, size=6730, nrcpt=1 (queue active)
Mar 23 13:10:57 smgw2 pmg-smtp-filter[2329457]: 380CE2623D6B01A9D32: new mail message-id=<4a6ff2ed.4aca7f0c@psm.knowbe4.com>#012
Mar 23 13:10:57 smgw2 pmg-smtp-filter[2329457]: 380CE2623D6B01A9D32: Subject: Change Your Microsoft 365 Password Immediately
Mar 23 13:10:57 smgw2 pmg-smtp-filter[2329457]: 380CE2623D6B01A9D32: From: IT <IT@thecompanypizza.com>
Mar 23 13:10:59 smgw2 postfix/smtpd[2329641]: 03158380CEC: client=localhost.localdomain[127.0.0.1], orig_client=psm.knowbe4.com[23.21.109.197]
Mar 23 13:10:59 smgw2 pmg-smtp-filter[2329457]: 380CE2623D6B01A9D32: SA score=1/5 time=1.435 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.377),KAM_DMARC_STATUS(0.01),KAM_REALLYHUGEIMGSRC(0.5),MIME_HTML_ONLY(0.1),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),TO_NO_BRKTS_HTML_ONLY(1.999),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
Mar 23 13:10:59 smgw2 postfix/smtpd[2329016]: 2ABEF380CD8: client=localhost.localdomain[127.0.0.1], orig_client=psm.knowbe4.com[23.21.109.197]
Mar 23 13:10:59 smgw2 postfix/cleanup[2328613]: 2ABEF380CD8: message-id=<4a6ff2ed.4aca7f0c@psm.knowbe4.com>
Mar 23 13:10:59 smgw2 postfix/qmgr[1057]: 2ABEF380CD8: from=<4a6ff2ed.4aca7f0c@psm.knowbe4.com>, size=7959, nrcpt=1 (queue active)
Mar 23 13:10:59 smgw2 pmg-smtp-filter[2329457]: 380CE2623D6B01A9D32: accept mail to <testuser@thecompanypizza.com> (2ABEF380CD8) (rule: default-accept)
Mar 23 13:10:59 smgw2 pmg-smtp-filter[2329457]: 380CE2623D6B01A9D32: processing time: 1.483 seconds (1.435, 0.029, 0)
Mar 23 13:10:59 smgw2 postfix/lmtp[2326075]: 2FA4D380C5A: to=<testuser@thecompanypizza.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=1/0/0/1.5, dsn=2.5.0, status=sent (250 2.5.0 OK (380CE2623D6B01A9D32))
Mar 23 13:10:59 smgw2 postfix/qmgr[1057]: 2FA4D380C5A: removed
Mar 23 13:10:59 smgw2 postfix/smtp[2329224]: 2ABEF380CD8: to=<testuser@thecompanypizza.com>, relay=192.168.110.27[192.168.110.27]:25, delay=0.04, delays=0/0/0/0.03, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Mar 23 13:10:59 smgw2 postfix/qmgr[1057]: 2ABEF380CD8: removed
Mar 23 13:16:49 smgw2 postfix/smtpd[2329615]: disconnect from psm.knowbe4.com[23.21.109.197] ehlo=1 mail=1 rcpt=1 data=1 rset=5 quit=1 commands=10
Mar 23 13:16:50 smgw2 postfix/smtpd[2329616]: disconnect from psm.knowbe4.com[23.21.109.197] ehlo=1 mail=1 rcpt=1 data=1 rset=5 quit=1 commands=10
 

Attachments

  • spf.JPG
    spf.JPG
    74.7 KB · Views: 40
From the log, the mail only have SA score of 1, did you apply any others custom mail filter rules beside the default setting?
 
From the log, the mail only have SA score of 1, did you apply any others custom mail filter rules beside the default setting?
Yes I had, please find screenshot.
 

Attachments

  • custom.JPG
    custom.JPG
    31.1 KB · Views: 59
The spam mail did not hit any of your custom score.

Code:
SA score=1/5 time=1.435 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.377),KAM_DMARC_STATUS(0.01),KAM_REALLYHUGEIMGSRC(0.5),MIME_HTML_ONLY(0.1),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),TO_NO_BRKTS_HTML_ONLY(1.999),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
 
The spam mail did not hit any of your custom score.

Code:
SA score=1/5 time=1.435 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.377),KAM_DMARC_STATUS(0.01),KAM_REALLYHUGEIMGSRC(0.5),MIME_HTML_ONLY(0.1),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),TO_NO_BRKTS_HTML_ONLY(1.999),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
That's why I posted the question to everyone. As thread subject, the email can pass all spam rule and delivered to mailbox.
 
If the default mail filter rule and SA score do not work for you. You have to create custom mail filter rule based on your situation and requirement.

https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_mailfilter

Another option is custom spamassassin configuration.

https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_custom_spamassassin_configuration
Thanks for your information.
I think that my problem is the fake mail from, so the email can pass all rule. I simulated the issue by command and successfully received inbox
With the bellow command, email can send to test@target.com with fake email ceo@target.com
telnet localhost 25 helo fakedomain.com mail from:attacker@fakedomain.com rcpt to:test@target.com data from: "Sender, Name" <ceo@target.com> to: test@target.com subject: fake sender This is a test .

I went through all the thread related with this topic, but seem not resole issue completely
#1. Block the duplicate email from Header
Using Match Field From=^.*<.*>.*<.*>.*$ and From=^.*UTF-8.*<.*>.*$
=> Not help and many false positive

#2. Increase Custome Scores for HEADER_FROM_DIFFERENT_DOMAINS
Add custom scores with name=HEADER_FROM_DIFFERENT_DOMAINS, score can be higher default
=> Fales positive with email that send from smtp provider such as AWS or any company that used smtp relay

Is there any suggestion on this?
 
Thanks for your information.
I think that my problem is the fake mail from, so the email can pass all rule. I simulated the issue by command and successfully received inbox
With the bellow command, email can send to test@target.com with fake email ceo@target.com
telnet localhost 25 helo fakedomain.com mail from:attacker@fakedomain.com rcpt to:test@target.com data from: "Sender, Name" <ceo@target.com> to: test@target.com subject: fake sender This is a test .

I went through all the thread related with this topic, but seem not resole issue completely
#1. Block the duplicate email from Header
Using Match Field From=^.*<.*>.*<.*>.*$ and From=^.*UTF-8.*<.*>.*$
=> Not help and many false positive

#2. Increase Custome Scores for HEADER_FROM_DIFFERENT_DOMAINS
Add custom scores with name=HEADER_FROM_DIFFERENT_DOMAINS, score can be higher default
=> Fales positive with email that send from smtp provider such as AWS or any company that used smtp relay

Is there any suggestion on this?

When a spammer use a well configured relay server and is compliant with all security checks, it has a good FQDN and good PTR, is not on blacklist, is coming from an existing hacked email account but is being spoofed as another user, for now, the solution is to use de sa-learn and get help with the users members of the email server to teach spamassassin by the content to know they are spam.

It takes time but works when the spammer repeat the same pattern.

If content files come with macros you can block them, for example and add personal filters that match with a pattern if possible else run learning to spamassassin downloading the .eml files and on a folder send it to the PMG server and just sit still.

For now there is not way to stop spoofing mails and stop fake froms, if there is any method it would be good, until now it requires from the users to advertise it and feed the adming about this.

Another trick is to use ldap and check the FROM on MX PMG and TO on RELAYS PMG, in that way it ensure that a fake mail will not come as your own domain or going out from your perimeter.

Another Trick is that if all known domains come from a known IP you can make rules or filter to deny any email comming from a domain from a non known ip, for example.

Get all domains and validate it with the users and feed a database extract the right information and then create your rules.

You will avoid spoofed domains but if the domain change the ip source without notifying you you will need to do a test script to make comparisons with the database if keeps the same ip's else you must apply changes on rules filters.

But it can only reduce the spoofing.

You shoud read also:

https://forum.proxmox.com/threads/s...th-from-name-and-then-matching-domains.80938/
 
Last edited:
BAYES_00(-1.9),...URIBL_BLOCKED(0.001)

these two hits point to 2 potenial improvements in your setup:
* disable bayes - (GUI -> Configuration -> Spam Detector -> Options) - see https://forum.proxmox.com/threads/s...for-bayes_00-and-bayes_05.105398/#post-453796 for a rationale
* you're running into the rate-limit at URIBL (which is one of the best sources for detecting spam/malicious links) - configure a dedicated DNS on your PMG - see:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
(more specifically: https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway)

I hope this helps!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!