[SOLVED] Outgoing spam seems inefficient

bougatoyta

Member
Jun 8, 2021
Hi,

I have a lot of trouble with outgoing spam with PMG.

Incoming spam is stopped almost perfectly, but outgoing spam is almost never caught.

This is what PMG found for a spam mail from a compromised account:

SA score=1/5 time=0.339 bayes=undefined autolearn=disabled hits=AWL(0.009),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),LOTS_OF_MONEY(0.001),RDNS_NONE(1.274),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)

I've disabled AWL, enabled bayes, but the mail is in german, is a money scam and PMG does not catch it properly, also the RDNS_NONE is wrong because it is correct....

Any idea on how I can improve this?
 
Please post the complete log of the mail - maybe we can find something additionally

also - I'd suggest keeping bayes disabled - most of the time it rather causes more trouble and seldom helps

also the RDNS_NONE is wrong because it is correct....
does the sending IP have a reverse dns pointer?
(else keep in mind that quite a few spamassassin rules also match on headers - in that case I suspect a Received: line...)
 
Here is the full log:

Code:
Sep 16 08:36:12 my-pmg postfix/smtpd[83630]: warning: hostname my-pmg.domain.net does not resolve to address myIp
Sep 16 08:36:12 my-pmg postfix/smtpd[83630]: connect from unknown[myIp]
Sep 16 08:36:12 my-pmg postfix/smtpd[83630]: Anonymous TLS connection established from unknown[myIp]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Sep 16 08:36:12 my-pmg postfix/smtpd[83630]: F1E271DF4: client=unknown[myIp]
Sep 16 08:36:12 my-pmg postfix/cleanup[83898]: F1E271DF4: message-id=<20220915230004.17A2F16D2A06@my-pmg.domain.net>
Sep 16 08:36:12 my-pmg postfix/qmgr[19667]: F1E271DF4: from=<compromised@ccount.fr>, size=3355, nrcpt=1 (queue active)
Sep 16 08:36:12 my-pmg postfix/smtpd[83630]: disconnect from unknown[myIp] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 16 08:36:13 my-pmg pmg-smtp-filter[83831]: 1DF56324195CF3061: new mail message-id=<20220915230004.17A2F16D2A06@my-pmg.domain.net>#012
Sep 16 08:36:13 my-pmg pmg-smtp-filter[83831]: 1DF56324195CF3061: SA score=1/5 time=0.339 bayes=undefined autolearn=disabled hits=AWL(0.006),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),LOTS_OF_MONEY(0.001),RDNS_NONE(1.274),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Sep 16 08:36:13 my-pmg postfix/smtpd[83713]: connect from my-pmg.domain.net[127.0.0.1]
Sep 16 08:36:13 my-pmg postfix/smtpd[83713]: 5B1FA1DF7: client=my-pmg.domain.net[127.0.0.1], orig_client=unknown[myIp]
Sep 16 08:36:13 my-pmg postfix/cleanup[83788]: 5B1FA1DF7: message-id=<20220915230004.17A2F16D2A06@my-pmg.domain.net>
Sep 16 08:36:13 my-pmg postfix/smtpd[83713]: disconnect from my-pmg.domain.net[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 16 08:36:13 my-pmg postfix/qmgr[19667]: 5B1FA1DF7: from=<compromised@ccount.fr>, size=2739, nrcpt=1 (queue active)
Sep 16 08:36:13 my-pmg pmg-smtp-filter[83831]: 1DF56324195CF3061: accept mail to <lloydtbattlejr1971@msn.com> (5B1FA1DF7) (rule: default-accept)
Sep 16 08:36:13 my-pmg pmg-smtp-filter[83831]: 1DF56324195CF3061: processing time: 0.381 seconds (0.339, 0.024, 0)
Sep 16 08:36:13 my-pmg postfix/lmtp[82990]: F1E271DF4: to=<lloydtbattlejr1971@msn.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.39, delays=0/0/0/0.38, dsn=2.5.0, status=sent (250 2.5.0 OK (1DF56324195CF3061))
Sep 16 08:36:13 my-pmg postfix/qmgr[19667]: F1E271DF4: removed
Sep 16 08:36:14 my-pmg postfix/smtp[83402]: Trusted TLS connection established to msn-com.olc.protection.outlook.com[104.47.13.33]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 16 08:36:16 my-pmg postfix/smtp[83402]: 5B1FA1DF7: to=<lloydtbattlejr1971@msn.com>, relay=msn-com.olc.protection.outlook.com[104.47.13.33]:25, delay=3.2, delays=0/0/0.75/2.5, dsn=2.6.0, status=sent (250 2.6.0 <20220915230004.17A2F16D2A06@my-pmg.domain.net> [InternalId=1443109024782, Hostname=BY3PR13MB6013.namprd13.prod.outlook.com] 11739 bytes in 0.322, 35.509 KB/sec Queued mail for delivery -> 250 2.1.5)
Sep 16 08:36:16 my-pmg postfix/qmgr[19667]: 5B1FA1DF7: removed

I've corrected the RDNS, it was something to do in /etc/hosts of the pmg.
 
Hmm - nothing really stands out - and given that this is/seems like a compromised account inside your organization that's hard to track down.
I assume that after a while the message contents would also trigger some SA-rules which have a higher score (e.g. when the links in the spammail are picked up as malicious by uribl) - but by that time your IP will most likely have been blacklisted in a few places :/

the only thing you could consider is raising the score of LOTS_OF_MONEY - but this might also lead to false positives ...
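To see what the posted log actually says about this message, and what raising LOTS_OF_MONEY would change, here is a small added example (not PMG code, not from the thread's participants). It correlates the three IDs visible in the log: the inbound Postfix queue id carries the sender (`qmgr ... from=`), the `lmtp` line maps that queue id to the `pmg-smtp-filter` id (`250 2.5.0 OK (<filter id>)`), and the filter id carries the SA hits and the accepted recipient. Rule scores are read from the `hits=` field, so nothing is looked up in SpamAssassin. The sample input is the thread's own log plus two constructed lines (queue id `0C0FFEE11`, filter id `2ED56324195CF3062`, recipient `someone@example.org`) for a second message from the same sender, so the per-sender count has something to count.

```python
"""Correlate pmg-smtp-filter / Postfix log lines into per-message records,
then re-score the SpamAssassin hits under proposed score changes.

Added example for the forum thread; it is not PMG code. ID chain used:
  postfix/qmgr   <queue-id>: from=<sender>
  postfix/lmtp   <queue-id>: ... (250 2.5.0 OK (<filter-id>))
  pmg-smtp-filter <filter-id>: SA score=... hits=RULE(score),...
  pmg-smtp-filter <filter-id>: accept mail to <rcpt> (<outbound queue-id>)
"""
import re
from collections import defaultdict

# Sample input: the relevant lines of the thread's log, plus two CONSTRUCTED
# messages (queue id 0C0FFEE11 / filter id 2ED56324195CF3062) from the same
# sender to a second recipient.
SAMPLE_LOG = """\
Sep 16 08:36:12 my-pmg postfix/qmgr[19667]: F1E271DF4: from=<compromised@ccount.fr>, size=3355, nrcpt=1 (queue active)
Sep 16 08:36:13 my-pmg pmg-smtp-filter[83831]: 1DF56324195CF3061: SA score=1/5 time=0.339 bayes=undefined autolearn=disabled hits=AWL(0.006),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),LOTS_OF_MONEY(0.001),RDNS_NONE(1.274),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Sep 16 08:36:13 my-pmg pmg-smtp-filter[83831]: 1DF56324195CF3061: accept mail to <lloydtbattlejr1971@msn.com> (5B1FA1DF7) (rule: default-accept)
Sep 16 08:36:13 my-pmg postfix/lmtp[82990]: F1E271DF4: to=<lloydtbattlejr1971@msn.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.39, delays=0/0/0/0.38, dsn=2.5.0, status=sent (250 2.5.0 OK (1DF56324195CF3061))
Sep 16 08:36:20 my-pmg postfix/qmgr[19667]: 0C0FFEE11: from=<compromised@ccount.fr>, size=3360, nrcpt=1 (queue active)
Sep 16 08:36:21 my-pmg pmg-smtp-filter[83831]: 2ED56324195CF3062: SA score=1/5 time=0.301 bayes=undefined autolearn=disabled hits=HTML_MESSAGE(0.001),LOTS_OF_MONEY(0.001),RDNS_NONE(1.274),SPF_PASS(-0.001)
Sep 16 08:36:21 my-pmg pmg-smtp-filter[83831]: 2ED56324195CF3062: accept mail to <someone@example.org> (6C2FB1DF8) (rule: default-accept)
Sep 16 08:36:21 my-pmg postfix/lmtp[82990]: 0C0FFEE11: to=<someone@example.org>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.35, delays=0/0/0/0.34, dsn=2.5.0, status=sent (250 2.5.0 OK (2ED56324195CF3062))
"""

RE_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
RE_LMTP = re.compile(r"postfix/lmtp\[\d+\]: (?P<qid>[0-9A-F]+): .*status=sent \(250 2\.5\.0 OK \((?P<fid>[0-9A-F]+)\)\)")
RE_SA = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<fid>[0-9A-F]+): SA score=(?P<score>[-\d.]+)/(?P<req>[-\d.]+) .*hits=(?P<hits>\S*)")
RE_ACCEPT = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<fid>[0-9A-F]+): accept mail to <(?P<rcpt>[^>]*)>")
RE_HIT = re.compile(r"([A-Z0-9_]+)\(([-\d.]+)\)")


def parse_log(text):
    """Return {filter_id: record}; a record holds sender, rcpts, hits, score, req."""
    sender_by_qid, fid_by_qid = {}, {}
    records = defaultdict(lambda: {"sender": None, "rcpts": [], "hits": {}, "score": None, "req": None})
    for line in text.splitlines():
        if m := RE_FROM.search(line):
            sender_by_qid[m["qid"]] = m["sender"]
        elif m := RE_LMTP.search(line):
            fid_by_qid[m["qid"]] = m["fid"]
        elif m := RE_SA.search(line):
            rec = records[m["fid"]]
            rec["score"], rec["req"] = float(m["score"]), float(m["req"])
            rec["hits"] = {name: float(val) for name, val in RE_HIT.findall(m["hits"])}
        elif m := RE_ACCEPT.search(line):
            records[m["fid"]]["rcpts"].append(m["rcpt"])
    # The lmtp line comes after the filter lines, so join sender -> filter id last.
    for qid, fid in fid_by_qid.items():
        if fid in records:
            records[fid]["sender"] = sender_by_qid.get(qid)
    return dict(records)


def rescore(hits, overrides=None, drop=()):
    """Total the per-rule scores with some rules overridden (e.g. a raised
    LOTS_OF_MONEY) and others dropped (e.g. RDNS_NONE once the PTR is fixed)."""
    overrides = overrides or {}
    total = sum(overrides.get(rule, val) for rule, val in hits.items() if rule not in drop)
    return round(total, 3)


def senders_over_limit(records, max_rcpts):
    """Senders whose distinct accepted recipients exceed max_rcpts in the parsed
    excerpt: a crude 'mail warning' signal for a compromised account (no time
    windowing here, to keep the example short)."""
    per_sender = defaultdict(set)
    for rec in records.values():
        if rec["sender"]:
            per_sender[rec["sender"]].update(rec["rcpts"])
    return {s: len(r) for s, r in per_sender.items() if len(r) > max_rcpts}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    rec = recs["1DF56324195CF3061"]
    print(rec["sender"], "->", rec["rcpts"], "logged score", rec["score"], "/", rec["req"])
    print("as logged:          ", rescore(rec["hits"]))
    print("LOTS_OF_MONEY=3.0:  ", rescore(rec["hits"], {"LOTS_OF_MONEY": 3.0}))
    print("... and PTR fixed:  ", rescore(rec["hits"], {"LOTS_OF_MONEY": 3.0}, drop={"RDNS_NONE"}))
    print("senders over limit: ", senders_over_limit(recs, 1))
```

Run against the thread's message, the hits sum to 1.292 as logged; with LOTS_OF_MONEY raised to 3.0 it reaches 4.291, still under the 5-point threshold, and once RDNS_NONE stops firing after the PTR fix it drops to 3.017. That is the quantitative version of the reply above: a single rule bump does not get this mail over the line, while the per-sender recipient count is a separate signal that does not depend on content rules at all.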
 
Okay, I will try to find a way to block these. I guess there's nothing open source that has some sort of pattern recognition and the other advanced antispam techniques that FAANG uses :(
 
techniques that FAANG uses
have never looked too deep in what other companies (large ones especially) are using - but part of it is most likely a huge user-base clicking on "This message is spam" - to ... prime the filters
 
Yeah, I supposed so. Right now I will try to implement rate-limiting + a mail warning in the mail server directly, as PMG does not manage that. Thanks anyway for your help!
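For the rate-limiting part, here is an added configuration sketch (not from the thread's participants, and not PMG configuration). It assumes the backend mail server that the compromised account submits through is Postfix; the parameters are standard Postfix `main.cf` settings enforced by the anvil(8) service.

```conf
# main.cf fragment (added example, assumes a Postfix submission server)
# Count events per client IP over this window (default 60s).
anvil_rate_time_unit = 60s
# Reject further MAIL FROM / RCPT TO from a client that exceeds these counts
# within one window; values are a starting point, tune to your own traffic.
smtpd_client_message_rate_limit = 30
smtpd_client_recipient_rate_limit = 100
# Clients listed here are exempt; the default is $mynetworks, so narrow it
# or the limits will not apply to an internal client at all.
smtpd_client_event_limit_exceptions = 127.0.0.0/8
```

The caveat a practitioner should keep in mind: anvil keys its counters on the client IP, not on the authenticated SASL user, so one compromised account behind a shared outbound IP (a webmail host, for instance) is limited together with everyone else on that IP. Per-account limits need an external policy service; Postfix itself only offers the per-client counters above. When a limit is hit, Postfix logs a `Message rate limit exceeded` warning from `smtpd`, which is a usable trigger for the "mail warning" mentioned above.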
 