Phishing Emails

dthompson

Member
Nov 23, 2011
I am trying to figure out why some emails are not getting stopped by the spam filter and am looking for some help and guidance from the community.

We have a domain, unitecreative.ca, who has been complaining about phishing scams getting through roughly once or twice a day.

The email looks something like this, with a .doc file attachment, but changes over time (language, content):
==========================================================================
From:
David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>
Date: November 15, 2018 at 10:35:02 PM EST
To: user1@unitecreative.ca
Subject: Your David Niemela Statement

Good Afternoon,

I have sent email to you confirming last invoice.

Best Regards,
-
David Niemela
user@unitecreative.ca
==========================================================================

That being said, they are getting emails from “themselves”; at least, that is what is in the From address.

So for instance, David Niemela, who is an employee of unitecreative.ca, is the “From” on the emails, even though the actual sender is "moiz@supremeuniversal.in", for example.

The PMG doesn’t think this is a problem and sends the message through with the attachment to the end user, who is someone else at unitecreative.ca.

mx1 pmg-smtp-filter[23992]: 2D0235BEE3AF1A3F2E: SA score=0/5 time=1.403 bayes=4.9960036108132e-16 autolearn=no autolearn_force=no hits=BAYES_00,DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_NONE,SPF_PASS

My question is how do I configure the server to reject these types of emails since they are frustrating to the person receiving them?

Currently my Block Spam is at a level of 5. Should I turn this down more, to 4 or 3? I don’t want to block legitimate email at the same time, though, so before I modify that section I’m looking for pointers from anyone who has seen this similar type of spam getting through.

Thanks for any help you can provide!
 

tom

Proxmox Staff Member
Aug 29, 2006
Please check the email header (via your email client); you should see the detailed score of each test. This helps with analysis.
 

dthompson

Member
Nov 23, 2011
Thanks for the quick reply.

Here is one of the headers from one of the phishing emails.
What exactly am I looking for here in order to increase blocking of these types of emails?


Return-Path: <moiz@supremeuniversal.in>
X-Spam-Status: No, hits=0.0 required=8.5
tests=TOTAL_SCORE: 0.000
X-Spam-Level:
Received: from mx1.digidns.ca ([192.168.11.5])
by hc1.digidns.ca (Kerio Connect 9.2.7 patch 3) with ESMTPS
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for user1@unitecreative.ca;
Thu, 15 Nov 2018 22:35:15 -0500
Received: from mx1.digidns.ca (localhost.localdomain [127.0.0.1])
by mx1.digidns.ca (Proxmox) with ESMTP id 6916F2D024
for <user1@unitecreative.ca>; Thu, 15 Nov 2018 22:35:15 -0500 (EST)
Received-SPF: pass (supremeuniversal.in: 103.24.200.152 is authorized to use 'moiz@supremeuniversal.in' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mx1.digidns.ca; identity=mailfrom; envelope-from="moiz@supremeuniversal.in";
helo=saturnnew.worldindia.in; client-ip=103.24.200.152
Received: from saturnnew.worldindia.in (saturn.worldindia.com [103.24.200.152])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mx1.digidns.ca (Proxmox) with ESMTPS id 7B4162D021
for <user1@unitecreative.ca>; Thu, 15 Nov 2018 22:35:12 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=supremeuniversal.in; s=default; h=Content-Type:MIME-Version:Subject:
Message-ID:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=DAPgCfudbeMB6GJ5CGZZmelDgBK1m2XztObRzKUCzuE=; b=P3rkvzAQQHqRjxzSYep1C+Poj
O1T66aaoHhtJpG9JdPQ7ayAPVY4JtmgCJkzQ1k6p/kUuJY18BkAt7BEOTtrMqnyrnY6IU3umXljaL
1BCmNnZO6aR5cMzpNHnRUqzu41ZpkS2VL+J2Uzzp9Kugz6Bbb6l4ALQBN0XMfzYXJ+f9AGSfqT+lD
/KYN5zNLoKE5HwBHfKjlsW/5z6WLZ04DCT+XvSsRZUgTMAUeR65W55G+oMlAH8SbK4fDgEg2p1oky
oWofRZCCzhKHO9QbCeBqdB38CL+xeETxGJHN9PAa6/1RZRakzO4Z+nhlMOkaKB9wkYS4aajQedTeQ
BaEXQrQfw==;
Received: from [187.131.233.87] (port=14982 helo=10.14.14.3)
by saturnnew.worldindia.in with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <moiz@supremeuniversal.in>)
id 1gNUuH-00017n-9J
for user1@unitecreative.ca; Fri, 16 Nov 2018 09:04:59 +0530
Date: Thu, 15 Nov 2018 20:35:02 -0700
From: David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>
To: user1@unitecreative.ca
Message-ID: <38916456115078217946.0013B0B3ECBDAD52@unitecreative.ca>
Subject: Your David Niemela Statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_53170_1211169914.23711279722654273795"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - saturnnew.worldindia.in
X-AntiAbuse: Original Domain - unitecreative.ca
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - supremeuniversal.in
X-Get-Message-Sender-Via: saturnnew.worldindia.in: authenticated_id: moiz@supremeuniversal.in
X-Authenticated-Sender: saturnnew.worldindia.in: moiz@supremeuniversal.in
X-SPAM-LEVEL: Spam detection results: 0
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
HEADER_FROM_DIFFERENT_DOMAINS 0.001 From and EnvelopeFrom 2nd level mail domains are different
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at http://www.dnswl.org/, no trust
SPF_PASS -0.001 SPF: sender matches SPF record


Thank you very much!!
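As an added example (my own code, not from this thread and not part of PMG or SpamAssassin), here is the check the posted header block makes possible: the visible From claims an address at the protected domain (with a second address appended), while Return-Path and the SPF-authorized identity belong to an unrelated domain. SPF_PASS in the score line vouches only for that envelope domain, which is why it cannot help here. The header samples are constructed, trimmed copies of the ones above, and the function and finding names are my own.

```python
import re
from email.parser import HeaderParser

# Constructed sample, trimmed from the header block posted above:
# the visible From shows two addresses, the envelope sender is an unrelated domain.
PHISH_HEADERS = """\
Return-Path: <moiz@supremeuniversal.in>
Received-SPF: pass (supremeuniversal.in: 103.24.200.152 is authorized to use
 'moiz@supremeuniversal.in' in 'mfrom' identity) receiver=mx1.digidns.ca
From: David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>
To: user1@unitecreative.ca
Subject: Your David Niemela Statement
"""

# Constructed sample of what a genuinely internal message looks like.
LEGIT_HEADERS = """\
Return-Path: <user@unitecreative.ca>
From: David Niemela <user@unitecreative.ca>
To: user1@unitecreative.ca
Subject: Invoice
"""

ADDR_RE = re.compile(r"<([^<>@\s]+@([^<>@\s]+))>")


def addresses_in(value):
    """Every <local@domain> pair in a header value, domains lower-cased."""
    return [(m.group(1), m.group(2).lower()) for m in ADDR_RE.finditer(value or "")]


def envelope_domain(msg):
    """Domain of the envelope sender (Return-Path), or None if absent."""
    found = addresses_in(msg.get("Return-Path"))
    return found[0][1] if found else None


def spf_result(msg):
    """First token of Received-SPF ('pass', 'fail', ...), lower-cased."""
    value = msg.get("Received-SPF")
    return value.split()[0].lower() if value else None


def check_self_spoof(raw_headers, protected_domains):
    """Findings a filter should raise for a message that claims to come from
    one of protected_domains. An empty list means nothing suspicious."""
    msg = HeaderParser().parsestr(raw_headers)
    from_addrs = addresses_in(msg.get("From"))
    from_domains = {dom for _, dom in from_addrs}
    env_dom = envelope_domain(msg)
    findings = []
    if len(from_addrs) > 1:
        # Two <...> mailboxes behind one display name is the pattern in the
        # posted message; the client shows whichever it prefers.
        findings.append("FROM_MULTIPLE_ADDRESSES")
    if from_domains & protected_domains and env_dom not in protected_domains:
        # The visible sender is "one of us" but the envelope sender is not.
        findings.append("FROM_INTERNAL_ENVELOPE_EXTERNAL")
        if spf_result(msg) == "pass":
            # SPF was evaluated for the envelope domain only, not for the
            # domain shown in From, so a pass must not lower the score.
            findings.append("SPF_PASS_FOR_OTHER_DOMAIN")
    return findings


if __name__ == "__main__":
    print(check_self_spoof(PHISH_HEADERS, {"unitecreative.ca"}))
    print(check_self_spoof(LEGIT_HEADERS, {"unitecreative.ca"}))
```

The condition "From domain is ours, envelope domain is not" is the one a local rule or a sender-domain policy has to encode; HEADER_FROM_DIFFERENT_DOMAINS alone scores it at 0.001, which is why the message sailed through at 0/5.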
 

killmasta93

Member
Aug 13, 2017
Try using these DNSBL sites in your config; it helps a lot.

Code:
zen.spamhaus.org bl.spamcop.net psbl.surriel.com spamrbl.imp.ch noptr.spamrats.com escalations.dnsbl.sorbs.net bl.score.senderscore.com bl.spameatingmonkey.net rbl.realtimeblacklist.com dnsbl.dronebl.org ix.dnsbl.manitu.net b.barracudacentral.org truncate.gbudb.net bl.blocklist.de dnswl.spfbl.net dnswl.org
 

dthompson

Member
Nov 23, 2011
Try using these DNSBL sites in your config; it helps a lot.

Code:
zen.spamhaus.org bl.spamcop.net psbl.surriel.com spamrbl.imp.ch noptr.spamrats.com escalations.dnsbl.sorbs.net bl.score.senderscore.com bl.spameatingmonkey.net rbl.realtimeblacklist.com dnsbl.dronebl.org ix.dnsbl.manitu.net b.barracudacentral.org truncate.gbudb.net bl.blocklist.de dnswl.spfbl.net dnswl.org

Thank you very much. I will give those a shot!
 

heutger

Active Member
Apr 25, 2018
You need to add *x after each entry, where *2 e.g. means to add 2 for a match on this list, *1 means to add 1 for a match on this list, and *-x, e.g. *-1, means to subtract 1 for a match on this list, or *-2 to subtract -2 for a match on this list. So for whitelists you use -x and for blacklists you use x. You then also set the threshold level in the GUI, i.e. at which score to reject a message. If you set it to e.g. 2, it just needs one 2 list or two 1 lists and no subtraction at all. You can look at my advanced thread for more information on how to optimize PMG. I also won’t recommend whitelists, as they are not as good as expected.
 

Robson Rissato

New Member
Aug 15, 2018
You need to add *x after each entry, where *2 e.g. means to add 2 for a match on this list, *1 means to add 1 for a match on this list, and *-x, e.g. *-1, means to subtract 1 for a match on this list, or *-2 to subtract -2 for a match on this list. So for whitelists you use -x and for blacklists you use x. You then also set the threshold level in the GUI, i.e. at which score to reject a message. If you set it to e.g. 2, it just needs one 2 list or two 1 lists and no subtraction at all. You can look at my advanced thread for more information on how to optimize PMG. I also won’t recommend whitelists, as they are not as good as expected.

Example:
zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,db.wpbl.info,truncate.gbudb.net,bl.blocklist.de,xxx,xxx24
 

killmasta93

Member
Aug 13, 2017
Oh snap, I did not know about the *2. I also did not know that the whitelist would also be considered as a blacklist?
 

heutger

Active Member
Apr 25, 2018
Oh snap, I did not know about the *2. I also did not know that the whitelist would also be considered as a blacklist?
Yes, the entry is dns(r)bl, so it‘s about blacklists/blocklists based on DNS checks. So if you also put whitelists in this entry, any hit on those will be treated as a reason to block, as postfix doesn’t know that it’s a whitelist and also won’t check the FQDN of the list. With combined lists you may be able, via f.q.d.n=IP, to choose the IP entries which are for black- or blocklisting, so as to only reject on those. So the „trick“ with whitelists (and I don‘t know any other way to use them) is the weighted ranking with postscreen (there should also be some recent milter addons which also allow weights) and a threshold, so you can use the whitelists with a minus/negative multiplier to subtract scores again and then check the whole score against the threshold.

However, recently there were great statistics at inps.de, and you may still find some in the Wayback Machine, but this site is gone (because of GDPR, as stated by the owner). But you can also check your spam mails coming through: some are on a whitelist, valid mail often isn’t, so the idea of deprecating blacklists because of IPv6 and replacing them with whitelists failed, similar to SPF and DKIM, because of worse adoption on legit infrastructures and meanwhile broader adoption on the spammers’ side, as some admins rely on this information. That’s the reason why I don’t use whitelists to weight my hand-chosen blacklists out.

I weight them based on a multi-week check on false positives, as you can see in my blacklist optimization thread, by adding them with a log entry on each hit and then checking the logs weekly for a reasonable timeframe, if they haven’t already fallen through by having too many false positives after days. Score 2 lists have no false positives for weeks, score 1 lists some rare ones; all others are out, also the ones which don’t show any hits at all. I check once with my private mail test installation as well as with my commercial test installation.
 
