improve header manipulation detection

logol

Member
Jan 26, 2021
Hi,

We are currently running Proxmox Mail Gateway 6.4-4 and an Exchange Server 2019, fully patched. The patch for the Hafnium exploit was installed as soon as possible. The ProxyLogon script for Exchange did not find any vulnerabilities.
We recently received an email from an external sender who hid behind the identity of a legitimate business customer.
Today we received an email that looked like a legitimate internal email.
The attacker or attackers know what our email footer looks like.
They manipulated the email header in a way that hides their original mail address.

envelope-from= was their address,
from= was our email address.

Both times HEADER_FROM_DIFFERENT_DOMAINS had a value of around 0.25, which was not enough to classify the mails as spam.

I know that newsletters sometimes need this aspect.

What could we do to improve detection of mails that have a suspicious header? Could those mails that have any sort of difference between the envelope-from and from fields be quarantined first?

Grateful for any ideas or suggestions.
 
Both times HEADER_FROM_DIFFERENT_DOMAINS had a value of around 0.25, which was not enough to classify the mails as spam.
The score of each SpamAssassin rule is determined by the huge sample corpus that gets classified by the SpamAssassin developers and usually is a good fit for all/most situations.

HEADER_FROM_DIFFERENT_DOMAINS is something that happens quite often in regular mails (think about mailing lists, for example).
I would not recommend increasing the value in general, but if nothing else in the mail triggered detection you can try to increase it in the GUI
(GUI -> Configuration -> Spam Detector -> Custom Scores).

If you want to match particular header contents, the rule system has the "Match Field" What object, which does this.

Otherwise, in general I can recommend reading through and implementing the suggestions in our getting started guide:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

I hope this helps!
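The envelope-from / From: mismatch this thread describes, as an added detection check (example code written for this thread, not code from the original posts or from Proxmox Mail Gateway): it separates the ordinary mismatch that newsletters and mailing lists produce from the case where From: claims the organisation's own domain, and also catches a display name that shows one of our addresses while the real From is elsewhere. The `OWN_DOMAINS` set, the constructed sample message, and reading the envelope sender from Return-Path are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Assumed for this example: the organisation's own domain(s). Mail whose From:
# claims one of these while the envelope sender is elsewhere is the thread's case.
OWN_DOMAINS = {"example.com"}
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+\.)+[a-z]{2,}", re.IGNORECASE)

def _domain(addr):
    """Lower-cased domain part of one address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _protected(dom, protected):
    """True if dom is one of the protected domains or a subdomain of one."""
    return any(dom == p or dom.endswith("." + p) for p in protected)

def classify(raw_message, protected=OWN_DOMAINS):
    """Return (verdict, reason) for one RFC 5322 message. Return-Path is assumed
    to hold the envelope sender as recorded by the receiving MTA (SpamAssassin
    exposes the same value as EnvelopeFrom)."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, env_addr = parseaddr(msg.get("Return-Path", ""))
    env_dom, from_dom = _domain(env_addr), _domain(from_addr)
    if not env_dom or not from_dom:
        return "unparseable", "missing or malformed Return-Path / From"
    # Display name showing one of our addresses while the real From is elsewhere.
    shown = ADDR_IN_NAME.search(name)
    if shown and _protected(_domain(shown.group(0)), protected) \
            and not _protected(from_dom, protected):
        return "spoofed-internal", f"display name shows {shown.group(0)}, From is {from_addr}"
    if env_dom == from_dom:
        return "aligned", f"envelope and From both {from_dom}"
    if _protected(from_dom, protected):
        return "spoofed-internal", f"From claims {from_dom}, envelope sender is {env_dom}"
    # Plain mismatch: newsletters and mailing lists legitimately look like this.
    return "mismatch", f"From {from_dom}, envelope {env_dom}"

# Constructed sample message (not real mail): the pattern reported in the thread.
SPOOFED = """Return-Path: <bounce@attacker-mail.invalid>
From: "A Colleague" <colleague@example.com>
Subject: Updated invoice

Please see the attached invoice.
"""

if __name__ == "__main__":
    print(classify(SPOOFED))
```

Only the "spoofed-internal" verdict is a candidate for quarantine; "mismatch" alone is the newsletter case the reply above warns against scoring heavily.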