Random incoming spam emails from hotmail accounts

Nisamudeen

Active Member
Apr 28, 2017
Hi,

We are receiving spam emails from different hotmail accounts with some porn spam PDF attachments. These emails are never filtered in the antispam gateway. They come directly to the inbox. I have analyzed these emails and I can see these emails were originally generated from different hotmail accounts, and a whois of the incoming IP shows it is owned by Microsoft.

I am adding some of the subjects of the emails received. Each had some PDF attachments, like in the screenshot attached.

cev ww v wewnl
mow xb s nigsb
bup hs w kagss
kix mb r meszd


How can we block these kinds of emails with Proxmox antispam gateway? We normally block the incoming mail address, but the next time it comes from a different address.
 
Post the result of the spam check (spamassassin scores) of these emails, e.g. the full email header.
 
Hi,

I am posting the full log of one particular email of the same kind. I replaced the TO mail id with XXXXX as it is our official mail id.


Jun 29 15:34:37 antispam1 postfix/smtpd[37576]: connect from mail-oln040092254054.outbound.protection.outlook.com[40.92.254.54]
Jun 29 15:34:38 antispam1 postfix/smtpd[37576]: Anonymous TLS connection established from mail-oln040092254054.outbound.protection.outlook.com[40.92.254.54]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 29 15:34:38 antispam1 postfix/smtpd[37576]: 9F850417C3: client=mail-oln040092254054.outbound.protection.outlook.com[40.92.254.54]
Jun 29 15:34:39 antispam1 postfix/cleanup[37380]: 9F850417C3: message-id=<OSAPR01MB3715B5E9E295F38B195D0966A2029@OSAPR01MB3715.jpnprd01.prod.outlook.com>
Jun 29 15:34:42 antispam1 postfix/qmgr[998]: 9F850417C3: from=<jonnapisxpk@hotmail.com>, size=164232, nrcpt=1 (queue active)
Jun 29 15:34:42 antispam1 pmg-smtp-filter[35894]: 42AAA60DB2172D01A2: new mail message-id=<OSAPR01MB3715B5E9E295F38B195D0966A2029@OSAPR01MB3715.jpnprd01.prod.outlook.com>#012
Jun 29 15:34:43 antispam1 postfix/smtpd[37576]: disconnect from mail-oln040092254054.outbound.protection.outlook.com[40.92.254.54] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Jun 29 15:34:43 antispam1 pmg-smtp-filter[35894]: 42AAA60DB2172D01A2: SA score=1/5 time=0.461 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FORGED_HOTMAIL_RCVD2(1.187),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),KAM_MANYTO(0.2),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_FREEMAIL_DOC_PDF(0.01)
Jun 29 15:34:43 antispam1 postfix/smtpd[37387]: connect from localhost.localdomain[127.0.0.1]
Jun 29 15:34:43 antispam1 postfix/smtpd[37387]: 6763542AB1: client=localhost.localdomain[127.0.0.1], orig_client=mail-oln040092254054.outbound.protection.outlook.com[40.92.254.54]
Jun 29 15:34:43 antispam1 postfix/cleanup[37380]: 6763542AB1: message-id=<OSAPR01MB3715B5E9E295F38B195D0966A2029@OSAPR01MB3715.jpnprd01.prod.outlook.com>
Jun 29 15:34:43 antispam1 postfix/qmgr[998]: 6763542AB1: from=<jonnapisxpk@hotmail.com>, size=165497, nrcpt=1 (queue active)
Jun 29 15:34:43 antispam1 postfix/smtpd[37387]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 29 15:34:43 antispam1 pmg-smtp-filter[35894]: 42AAA60DB2172D01A2: accept mail to <xxxxxxx> (6763542AB1) (rule: default-accept)
Jun 29 15:34:43 antispam1 pmg-smtp-filter[35894]: 42AAA60DB2172D01A2: processing time: 0.594 seconds (0.461, 0.073, 0)
Jun 29 15:34:43 antispam1 postfix/lmtp[37381]: 9F850417C3: to=<xxxxxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=4.2/0/0/0.6, dsn=2.5.0, status=sent (250 2.5.0 OK (42AAA60DB2172D01A2))
Jun 29 15:34:43 antispam1 postfix/qmgr[998]: 9F850417C3: removed
Jun 29 15:34:43 antispam1 postfix/smtp[37388]: 6763542AB1: to=<XXXXXXXXX>, relay=exch.ad.kaikaito.com[212.224.100.62]:25, delay=0.26, delays=0.03/0/0.07/0.17, dsn=2.6.0, status=sent (250 2.6.0 <OSAPR01MB3715B5E9E295F38B195D0966A2029@OSAPR01MB3715.jpnprd01.prod.outlook.com> [InternalId=216612380606536, Hostname=exch.ad.kaikaito.com] Queued mail for delivery)
Jun 29 15:34:43 antispam1 postfix/qmgr[998]: 6763542AB1: removed
 
All 4 mails show no spam score. Did you enable the default Modify Header rule?
The Modify Header rule will analyze all incoming mail and insert the calculated spam score.
 
Your incoming mail should have an X-SPAM-LEVEL tag, but I cannot see it in your 4 attachments.
I ask because I want to check how SpamAssassin rated the spam mail.

Code:
Delivered-To: user1@mydomain.com
Return-Path: user@mydomain.com
Received-SPF: none (mydomain.com: No applicable sender policy available) receiver=pmg.user1.local; identity=mailfrom; envelope-from="user@mydomain.com"; helo=hwsrv-890048.hostwindsdns.com; client-ip=104.168.165.204
Received: from hwsrv-890048.hostwindsdns.com (ns1.mubeena.pw [104.168.165.204])
    by pmg.mydomain.com (Proxmox) with ESMTP
    for <user1@mydomain.com>; Thu,  1 Jul 2021 20:51:51 +0800 (+08)
Received: from ip-11-24.dataclub.eu (unknown [185.29.11.24])
    by hwsrv-890048.hostwindsdns.com (Postfix) with ESMTPSA id A9F5814C587
    for <user1@mydomain.com>; Thu,  1 Jul 2021 12:51:00 +0000 (UTC)
From: Tony {mydomain.com support!) <user@mydomain.com>
To: user1@mydomain.com
Subject: Block spam emails
Date: 1 Jul 2021 14:51:00 +0200
Message-ID: <20210701145100.EE92FEE210739320@mydomain.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  10
    BAYES_50                  0.8 Bayes spam probability is 40 to 60%
    HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to background
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
    KAM_STORAGE_GOOGLE       2.25 Google Storage API being abused by spammers
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    RCVD_IN_VALIDITY_RPBL    1.31 Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_NONE                0.001 SPF: sender does not publish an SPF Record
    TO_EQ_FM_DOM_HTML_ONLY      1 To domain == From domain and HTML only
    URI_FIREBASEAPP         2.996 Link to hosted firebase web application, possible phishing
 
Hi,

Does it mean Proxmox antispam gateway is not updating the email headers even if we have set the same in the panel?
 
Maybe you mixed up internal and external SMTP port and your incoming emails are sent to the external port? (and therefore rules do not apply).
 
Hi,

I didn't understand clearly. Can you please help me understand this? All our external emails are forwarded to port 25 on the public IP of our Exchange server. This is clearly mentioned in the logs I have posted:

relay=exch.ad.kaikaito.com[212.224.100.62]:25
 
Hi,

Yes, PMG sits in front of Exchange. All incoming emails hit PMG first and are forwarded to Exchange. We use the PMG server as our default MX and all the relaying happens via PMG.

We have configured Relay domains and the corresponding Transport rules in PMG.
 
Can you confirm all incoming mail gets tagged with X-SPAM-LEVEL? If X-SPAM-LEVEL is not available you can filter via SpamAssassin.
Another option is to filter by sender email address.
 
Hi,

I have checked again with the mail account that has the issue, and I can see it has X-SPAM-LEVEL headers added; see the image attached. The spam detection result for that particular message is 0.

x-spam-level-check.jpeg
 
For this case, I suggest increasing the score for KAM_MANYTO under Spam Detector -> Custom scores.
 
I have gone through the explanation for the same. Does it mean it will affect genuine emails that have more than one recipient? In our case the mentioned hotmail account is sending to more than 25 accounts.

KAM_MANYTO = Email has more than one To Header

For example, I have to block email that has more than 25 email accounts in the TO header. So what is the proposed "Score" for this custom rule in the Spam Detector section? I am trying to understand how this rule is supposed to work. We have lots of high-priority clients on this antispam server who receive newsletters and subscriptions.

What happens if I set score 2 for KAM_MANYTO?
 
If you set score 2 to KAM_MANYTO, it will apply score 2 instead of default 0.2 to the total spamassassin score.

You can always try to filter on the email subject and sender address, but I suspect both options may be too random to filter on.
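An added example (not from the thread or from Proxmox) that shows what a custom score actually does to the total: it parses the hits= list from the pmg-smtp-filter log line posted earlier, substitutes a custom score for KAM_MANYTO as the reply above describes, and reports whether the recomputed total would reach the logged threshold. It assumes a custom score simply replaces the rule's default score and that the threshold is the "/5" part of "SA score=1/5".

```python
import re

# Constructed sample: the pmg-smtp-filter "SA score" line quoted in this thread.
SAMPLE_LOG = (
    "Jun 29 15:34:43 antispam1 pmg-smtp-filter[35894]: 42AAA60DB2172D01A2: "
    "SA score=1/5 time=0.461 bayes=undefined autolearn=no autolearn_force=no "
    "hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),"
    "FORGED_HOTMAIL_RCVD2(1.187),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),"
    "KAM_MANYTO(0.2),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),"
    "SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_FREEMAIL_DOC_PDF(0.01)"
)

HIT_RE = re.compile(r"([A-Z0-9_]+)\((-?[0-9.]+)\)")
THRESHOLD_RE = re.compile(r"SA score=-?\d+/(\d+)")


def parse_hits(line):
    """Return {rule_name: score} from the hits= field of a pmg-smtp-filter line."""
    pos = line.find("hits=")
    if pos < 0:
        return {}
    return {name: float(score) for name, score in HIT_RE.findall(line[pos + 5:])}


def parse_threshold(line):
    """Return the spam threshold, i.e. the '/5' part of 'SA score=1/5'."""
    m = THRESHOLD_RE.search(line)
    return int(m.group(1)) if m else None


def rescore(hits, custom_scores):
    """Total score after substituting custom scores for the rules that matched.

    Assumption (as stated in the reply above): a custom score replaces the
    rule's default score; rules without an override keep their logged score.
    """
    return round(sum(custom_scores.get(rule, score) for rule, score in hits.items()), 4)


def verdict(line, custom_scores):
    """(recomputed total, threshold, would the mail now be flagged as spam?)"""
    total = rescore(parse_hits(line), custom_scores)
    threshold = parse_threshold(line)
    return total, threshold, threshold is not None and total >= threshold


if __name__ == "__main__":
    for manyto in (0.2, 2, 4, 5):
        total, thr, spam = verdict(SAMPLE_LOG, {"KAM_MANYTO": manyto})
        print(f"KAM_MANYTO={manyto}: total={total} threshold={thr} spam={spam}")
```

For this particular message the logged hits sum to about 1.2, so KAM_MANYTO=2 only raises the total to about 3.0, still under the threshold of 5; the same tool can be run over other logged lines to see how many legitimate mails a given override would push over the line.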
 
Hi,

Thanks for the last update. But before proceeding with this setting, I need a clear update; only then can I proceed, as this Proxmox server has critical mail clients. So I wanted to understand what will really happen with this change.

So what is the exact setting if I have to block emails that have more than 25 To addresses in the header?
 