Phishing Emails

If you want to block any FAKE MAIL, the REGEX should be:

Code:
"[\w.-]+@([\w-]+\.)+[\w-]{2,4}" <[\w.-]+@([\w-]+\.)+[\w-]{2,4}>

Then this will block any From with two emails in the following pattern: "xxx@xxx" <xxx@xxx>

This will be blocked:

Code:
"secretaria@clientdomain.com" <doaa.shaban@ten.tv>

And this will be allowed:

Code:
"USER NAME" <username@domain>

But there are valid mails with a malformed "USER NAME", where Outlook users use their mail address as the username; this kind of mail will be blocked.

I recommend doing a NOTIFY ONLY to ADMIN and WATCHING all notifications; in this case you can take a preemptive action, or send them to QUARANTINE and answer those users to fix their mail client configuration.

There is another situation. A mail answering with the header
Code:
FROM: "user1" <user1@domain>
or a mail that has a forward or answer using
Code:
FROM: "user@domain" <user@domain>
will be matched too, so before getting something nasty, first I recommend only notifying on those matched rules.

Something sane like this for example:

If after a while you see that it is what you desire, add the action "QUARANTINE" to retain all activity from malformed or fake mails.
 
I am still working to find a way to tell the regex to say true when in FROM the @domain is repeated more than once and differs.

The rule must fit only on From headers with two mails and both may differ.

It should not match:

Code:
From: "user1@domain1" <user1@domain1>
From: "user" <user@domain>
From: user@domain

It should match:

Code:
From: "user1@domain1" <user2@domain2>

REMEMBER: Any regex you test, do not block it or apply any action that may cause a loss of mails. Always apply only a notification action to ensure what the rule is matching and whether it fits your desires.
 
@rojoblandino hi there, quick question, not sure if this filter also captures the following? Currently today I got this email; I'm attaching the raw headers.
It's odd because the email came from ccl2srcv.com but on Outlook it appeared as mydomain.com; it was trying to fake the email and trick the user into replying.

Code:
Return-Path: <www-data@vmi433318.contaboserver.net>
Received: from mail.mydomain.com (LHLO mail.mydomain.com)
 (192.168.3.170) by mail.mydomain.com with LMTP; Wed, 11 Nov 2020
 10:48:51 -0500 (COT)
Received: from mail.mydomain.com (unknown [192.168.3.169])
    by mail.mydomain.com (Postfix) with ESMTPS id 7E8C136931D7
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:51 -0500 (-05)
Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Proxmox) with ESMTP id 6EFF13C1651
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:51 -0500 (-05)
Received-SPF: temperror (vmi433318.contaboserver.net: Time-out on DNS 'TXT' lookup of 'vmi433318.contaboserver.net') receiver=mail.mydomain.com; identity=mailfrom; envelope-from="www-data@vmi433318.contaboserver.net"; helo=vmi433318.contaboserver.net; client-ip=173.249.38.177
Received: from vmi433318.contaboserver.net (vmi433318.contaboserver.net [173.249.38.177])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
    (No client certificate requested)
    by mail.mydomain.com (Proxmox) with ESMTPS id 39D8C3C1617
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:48 -0500 (-05)
Received: by vmi433318.contaboserver.net (Postfix, from userid 33)
    id 3B9E11000BD4; Wed, 11 Nov 2020 16:48:39 +0100 (CET)
To: contabilidad@mydomain.com
Subject: kpmg
MIME-Version: 1.0
Content-type:text/html;charset=UTF-8
From: User Name  Mesa <username@mydomain.com>
Reply-To: User Name<email@ccl2srv.com>
Message-Id: <20201111154840.3B9E11000BD4@vmi433318.contaboserver.net>
Date: Wed, 11 Nov 2020 16:48:39 +0100 (CET)
X-SPAM-LEVEL: Spam detection results:  0
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    HTML_MIME_NO_HTML_TAG   0.377 HTML-only message, but there is no HTML tag
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    T_SPF_TEMPERROR          0.01 SPF: test of record failed (temperror)

<p>Buenos d&iacute;as,</p>

<p>&nbsp;<br />
Te ha contactado el xxxx por la ma&ntilde;ana?</p>

<p>&nbsp;<br />
Saludos,</p>

<p>User Name&nbsp;</p>

<p><br />
Enviado desde mi dispositivo m&oacute;vil</p>
 
Set up a filter rule to filter out the actual domain @cavalieridellarcadellalleanza.it or use a regex for all domains that end with .it.
You can set it to block or quarantine. It works for me; make sure the filter rule is at top priority.

(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.it(\W|$)
Hi, hata_ph,

please let me know how to add / use this regex on Proxmox Mail Gateway, because I have the same problem. I receive a lot of spam emails which look like they are from our internal email users.
 
Who object -> regular expression. Then create a mail filter rule using the object to block/quarantine email.
 
Hi hata_ph,

thanks for your reply, it's done now. :)
Btw, there is some case on my users' mail server where they get spam like this:
they received the email from their own email too, for example:
email from james@yyy.com to james@yyy.com
but I'm sure it is not from them.

How to mark this kind of email as spam and quarantine it on Proxmox Mail Gateway?

Please advise
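The three cases raised in this thread in one check, as an added example that is neither the thread's nor Proxmox Mail Gateway's code: rojoblandino's open question (match a From whose quoted display name is an address different from the bracketed one, but let "user@domain" <user@domain> through), the From / Reply-To / Return-Path domain split in killmasta93's headers, and the self-addressed mail from the last post. It uses Python's re with a backreference inside a negative lookahead, a construct Perl-compatible engines also support; the function names are hypothetical and the sample message is constructed from the headers posted above.

```python
import re
# Added example, not the thread's or Proxmox Mail Gateway's code. In ADDR the hyphen
# sits last in the class so it is literal (the page's [\w-\.] form is a broken range).
ADDR = r"[\w.+-]+@(?:[\w-]+\.)+[\w-]{2,}"
# Quoted display name that is itself an address differing from the bracketed one;
# the backreference in the negative lookahead lets "user@domain" <user@domain> pass.
MISMATCH_RE = re.compile(r'^"?(' + ADDR + r')"?\s*<(?!\1>)(' + ADDR + r')>$', re.I)
BRACKET_RE = re.compile(r"<(" + ADDR + r")>", re.I)
BARE_RE = re.compile(ADDR, re.I)
# Constructed sample, trimmed from the headers posted in the thread.
SAMPLE = """Return-Path: <www-data@vmi433318.contaboserver.net>
To: contabilidad@mydomain.com
From: User Name  Mesa <username@mydomain.com>
Reply-To: User Name<email@ccl2srv.com>
"""

def display_name_mismatch(from_value):
    """Return (address in display name, real address) on a mismatch, else None."""
    m = MISMATCH_RE.match(from_value.strip())
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def address_of(header_value):
    # Prefer the bracketed address (the one actually used) over a bare one.
    m = BRACKET_RE.search(header_value or "") or BARE_RE.search(header_value or "")
    return m.group(1 if m.re is BRACKET_RE else 0).lower() if m else None

def domain_of(addr):
    return addr.rsplit("@", 1)[1] if addr else None

def parse_headers(raw):
    """Unfold continuation lines of the header block into a {name: value} dict."""
    headers, last = {}, None
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            last, _, value = line.partition(":")
            last = last.strip().lower()
            headers[last] = value.strip()
    return headers

def spoof_findings(raw):
    """The three cases raised in the thread, checked on one raw message."""
    h = parse_headers(raw)
    frm, rto, env, to = (address_of(h.get(k)) for k in ("from", "reply-to", "return-path", "to"))
    return {
        "display_name_mismatch": display_name_mismatch(h.get("from", "")) is not None,
        "reply_to_domain_differs": bool(rto) and domain_of(rto) != domain_of(frm),
        "envelope_domain_differs": bool(env) and domain_of(env) != domain_of(frm),
        "self_addressed": bool(frm) and frm == to,
    }
```

On the posted sample only the Reply-To and envelope checks fire, which is why a display-name regex alone would not have caught that message; as the first post says, run any such rule in notify-only mode first.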
 
