PMG not blocking obvious phishing email?

bougatoyta

Hi,

I have been receiving a lot of phishing attempts recently and I don't know what to do to properly filter them out.

They look like this:


Here's the header of this specific mail and the log of the tracking center:

Code:
Aug 4 05:29:25 pmg postfix/smtpd[92645]: connect from server.imagoinbio.com[139.59.114.99]
Aug 4 05:29:25 pmg postfix/smtpd[92645]: Anonymous TLS connection established from server.imagoinbio.com[139.59.114.99]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Aug 4 05:29:26 pmg postfix/smtpd[92645]: 74A2A6BA: client=server.imagoinbio.com[139.59.114.99]
Aug 4 05:29:26 pmg postfix/cleanup[92611]: 74A2A6BA: message-id=<20220803202909.861917508A366FD7@fhuhf.bar>
Aug 4 05:29:26 pmg postfix/qmgr[1110]: 74A2A6BA: from=<mail@fhuhf.bar>, size=3247, nrcpt=1 (queue active)
Aug 4 05:29:26 pmg pmg-smtp-filter[92452]: 6BC62EB3D16CCAFD: new mail message-id=<20220803202909.861917508A366FD7@fhuhf.bar>#012
Aug 4 05:29:27 pmg postfix/smtpd[92645]: disconnect from server.imagoinbio.com[139.59.114.99] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 4 05:29:27 pmg pmg-smtp-filter[92452]: 6BC62EB3D16CCAFD: SA score=3/5 time=0.707 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),HTTP_EXCESSIVE_ESCAPES(0.001),MIME_HTML_ONLY(0.1),PDS_OTHER_BAD_TLD(1.997),RCVD_IN_HOSTKARMA_BL(1.5),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),TO_NO_BRKTS_FROM_MSSP(2.497),URIBL_BLOCKED(0.001)
Aug 4 05:29:27 pmg postfix/smtpd[92616]: connect from pmg.mydomain.com[127.0.0.1]
Aug 4 05:29:27 pmg postfix/smtpd[92616]: 8EE706BE: client=pmg.mydomain.com[127.0.0.1], orig_client=server.imagoinbio.com[139.59.114.99]
Aug 4 05:29:27 pmg postfix/cleanup[92611]: 8EE706BE: message-id=<20220803202909.861917508A366FD7@fhuhf.bar>
Aug 4 05:29:27 pmg postfix/qmgr[1110]: 8EE706BE: from=<mail@fhuhf.bar>, size=4734, nrcpt=1 (queue active)
Aug 4 05:29:27 pmg postfix/smtpd[92616]: disconnect from pmg.mydomain.com[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 4 05:29:27 pmg pmg-smtp-filter[92452]: 6BC62EB3D16CCAFD: accept mail to <contact@mydomain.org> (8EE706BE) (rule: default-accept)
Aug 4 05:29:27 pmg pmg-smtp-filter[92452]: 6BC62EB3D16CCAFD: processing time: 0.751 seconds (0.707, 0.03, 0)
Aug 4 05:29:27 pmg postfix/lmtp[92612]: 74A2A6BA: to=<contact@mydomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.62/0/0/0.75, dsn=2.5.0, status=sent (250 2.5.0 OK (6BC62EB3D16CCAFD))
Aug 4 05:29:27 pmg postfix/qmgr[1110]: 74A2A6BA: removed
Aug 4 05:29:27 pmg postfix/smtp[92566]: Trusted TLS connection established to 192.168.58.50[192.168.58.50]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
Aug 4 05:29:27 pmg postfix/smtp[92566]: 8EE706BE: to=<contact@mydomain.org>, relay=192.168.58.50[192.168.58.50]:25, delay=0.08, delays=0/0/0.06/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A097C166FCEE)
Aug 4 05:29:27 pmg postfix/qmgr[1110]: 8EE706BE: removed

Here's the Thunderbird header:

Code:
X-Account-Key: account4
X-Mozilla-Keys:                                                                                 
Return-Path: <mail@fhuhf.bar>
Received: from mailserver.mydomain.com (LHLO mailserver.mydomain.com)
 (192.168.58.50) by mailserver.mydomain.com with LMTP; Thu, 4 Aug 2022
 05:29:28 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by mailserver.mydomain.com (Postfix) with ESMTP id 0C0B2166FCEE;
    Thu,  4 Aug 2022 05:29:28 +0200 (CEST)
Received: from mailserver.mydomain.com ([127.0.0.1])
    by localhost (mailserver.mydomain.com [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id uD9H0TdAzjKx; Thu,  4 Aug 2022 05:29:27 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by mailserver.mydomain.com (Postfix) with ESMTP id E295A166FF4F;
    Thu,  4 Aug 2022 05:29:27 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mailserver.mydomain.com
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not UTF-8)
    (char E9 hex): X-SPAM-LEVEL: ...    -1.9 L'algorithme Bay\x{E9}sien a
    \x{E9}valu\x{E9} l[...]
Received: from mailserver.mydomain.com ([127.0.0.1])
    by localhost (mailserver.mydomain.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id e2ohdWsAGYMb; Thu,  4 Aug 2022 05:29:27 +0200 (CEST)
Received: from pmg.mydomain.com (pmg.mydomain.com [192.168.58.51])
    by mailserver.mydomain.com (Postfix) with ESMTPS id A097C166FCEE
    for <contact@mydomain.org>; Thu,  4 Aug 2022 05:29:27 +0200 (CEST)
Received: from pmg.mydomain.com (pmg.mydomain.com [127.0.0.1])
    by pmg.mydomain.com (Proxmox) with ESMTP id 8EE706BE
    for <contact@mydomain.org>; Thu,  4 Aug 2022 05:29:27 +0200 (CEST)
Received-SPF: pass (fhuhf.bar: 139.59.114.99 is authorized to use 'mail@fhuhf.bar' in 'mfrom' identity (mechanism 'ip4:139.59.114.99' matched)) receiver=pmg.mydomain.com; identity=mailfrom; envelope-from="mail@fhuhf.bar"; helo=server.imagoinbio.com; client-ip=139.59.114.99
Received: from server.imagoinbio.com (server.imagoinbio.com [139.59.114.99])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by pmg.mydomain.com (Proxmox) with ESMTPS id 74A2A6BA
    for <contact@mydomain.org>; Thu,  4 Aug 2022 05:29:26 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=majezie; d=fhuhf.bar;
 h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type:
 Content-Transfer-Encoding; i=mail@fhuhf.bar;
 bh=GaGZcR4jbz5jv4hzBTZ25pX4Vmsxdr4mq+vvfznzJHs=;
 b=HVJm+UW/Jb5KCdpXg4AIBMCfSFzJjyRy/pxQWF0yS7ay6nrmLfNWw6CquyC30PTUTeqONHN6kfR9
   SV0fKm2PnZFL0DB0GGR/R2vIiFvRdK3eRiUBldH21Yps7T0Q4Os6wWHZ9GLP21s+VRUDHmBbOPPc
   mo5HqUuaDy+/z84HKbzgBayA4Jnm65HDYQrlE0anrc14NeLqSPMv9fjnrv20OpobBfv5kf7FXcjI
   TQhansFCvOSz20yeAohpi//Op6TZn/chb+gmNG12DZ3dCDWo4SHECleVi359eQqTK8VWXK1eVOoc
   drB+19p2t4MpIKfqQjYyVusTQQVTMcgu4Oeakg==
From: IT Helpdesk<mail@fhuhf.bar>
To: contact@mydomain.org
Subject: Admin
Date: 3 Aug 2022 20:29:19 -0700
Message-ID: <20220803202909.861917508A366FD7@fhuhf.bar>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable


Does anyone know how I can block these? I don't know why Bayes does a -1.9 on the score; I use multiple big RBLs: b.barracudacentral.org, zen.spamhaus.org*2, bl.spamcop.net, bl.score.senderscore.com

Emails with a score above 8 are blocked; between 4 and 7 they go to quarantine...

We even blocked specific subjects with custom rules...


Regards
 
I don't know why Bayes does a -1.9 on the score,
This is due to Bayes having learned wrongly - I would suggest simply disabling Bayes.

URIBL_BLOCKED(0.001)
This is an indication that you (or rather the DNS server you're using) are over the rate limit at uribl.com - and URIBL is one of the best means to catch spam/phishing mails.

These two topics are addressed quite well in the Getting Started page in the PMG wiki - I'd suggest checking it out and implementing the recommendations there:

https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

I hope this helps!
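To see what the two points above mean for the message in the original post, here is a small Python audit (added for this thread, not part of PMG) that parses the pmg-smtp-filter score line quoted earlier, flags URIBL_BLOCKED, and recomputes the SpamAssassin score with the BAYES_* rules removed, so you can tell whether a mis-trained Bayes alone kept a mail under the threshold. The log line is the one from the post, re-embedded here as sample input; the rule-name prefixes and thresholds are read from the line itself.

```python
import re

# Constructed input: the pmg-smtp-filter score line quoted in the thread above,
# plus one unrelated postfix line that the parser must skip.
SAMPLE_LOG = [
    "Aug 4 05:29:27 pmg pmg-smtp-filter[92452]: 6BC62EB3D16CCAFD: SA score=3/5 "
    "time=0.707 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),"
    "DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),HTTP_EXCESSIVE_ESCAPES(0.001),"
    "MIME_HTML_ONLY(0.1),PDS_OTHER_BAD_TLD(1.997),RCVD_IN_HOSTKARMA_BL(1.5),"
    "SPF_HELO_NONE(0.001),SPF_PASS(-0.001),TO_NO_BRKTS_FROM_MSSP(2.497),"
    "URIBL_BLOCKED(0.001)",
    "Aug 4 05:29:27 pmg postfix/qmgr[1110]: 74A2A6BA: removed",
]

SA_LINE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): SA score=(?P<score>-?\d+)/(?P<req>\d+)"
    r" .*?hits=(?P<hits>\S+)"
)
HIT = re.compile(r"([A-Z0-9_]+)\(([-0-9.]+)\)")


def parse_sa_line(line):
    """Return {qid, score, required, hits: {rule: points}} or None for non-SA lines."""
    m = SA_LINE.search(line)
    if m is None:
        return None
    hits = {name: float(pts) for name, pts in HIT.findall(m.group("hits"))}
    return {"qid": m.group("qid"), "score": int(m.group("score")),
            "required": int(m.group("req")), "hits": hits}


def score_without(hits, prefixes):
    """Sum of rule points, ignoring rules whose name starts with any of `prefixes`."""
    return round(sum(p for r, p in hits.items() if not r.startswith(prefixes)), 3)


def audit(lines):
    """One (queue id, notes) tuple per SA line: URIBL blocked, or Bayes masking a spam verdict."""
    findings = []
    for rec in filter(None, map(parse_sa_line, lines)):
        notes = []
        if "URIBL_BLOCKED" in rec["hits"]:
            notes.append("URIBL_BLOCKED: resolver is over the uribl.com rate limit, URI lists were not consulted")
        no_bayes = score_without(rec["hits"], ("BAYES_",))
        if rec["score"] < rec["required"] <= no_bayes:
            notes.append(f"Bayes kept the score under {rec['required']}: without BAYES_* it would be {no_bayes}")
        findings.append((rec["qid"], notes))
    return findings


if __name__ == "__main__":
    for qid, notes in audit(SAMPLE_LOG):
        print(qid, *notes, sep="\n  ")
```

For the quoted message the rules sum to 3.997 and, with BAYES_00 dropped, to 5.897, i.e. above the SpamAssassin threshold of 5 and inside the 4-7 quarantine band described in the first post.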
 
IP 139.59.114.99 is not listed in your DNSBLs; try using the DNSBL sites below.

dnsbl-1.uceprotect.net
rbl.dns-servicios.com
sip.invalument.com
hostkarma.junkemailfilter.com

Hi,

Thanks for the real fast answer, I simply did not see the uribl block.

Is there a way to cache the results of URIBL in PMG?

I will look into a paid subscription for it, but in the meantime I would like to simply reduce the number of queries.

It surprises me, since there aren't a lot of domains requested per day (maybe 500 different domains?). Does PMG make a new request for every mail even if the domain is the same as in a previous mail?
 
Is there a way to cache the results of URIBL in PMG?
Not really - or not sensibly - you want the data to be fresh...

But how it works and what the limits are is quite well explained on uribl.com.

And as said - the Getting Started page I linked has a few tips on how to set up a recursive DNS server of your own to be used only by your PMG...
 
Well, the PMG uses the AD backend for DNS queries and is the only mail relay in this network, so nothing else is querying uribl.com; I just think we are over the free threshold.
 
