[SOLVED] Regex Block reply to?

killmasta93
Hi,
I was wondering if it's possible to block the Reply-To when it does not match the current From? Or maybe block all Reply-To?

I got this email; the Reply-To was the attacker's email, which did not match the From email.

This is what I have so far, but I think I'm missing a variable.

Code:
/Reply\-To: xxxx <xxx@xxxx\.com>/

Thank you

Code:
Return-Path: <www-data@vmi433318.contaboserver.net>
Received: from mail.mydomain.com (LHLO mail.mydomain.com)
(192.168.3.170) by mail.mydomain.com with LMTP; Wed, 11 Nov 2020
10:48:51 -0500 (COT)
Received: from mail.mydomain.com (unknown [192.168.3.169])
    by mail.mydomain.com (Postfix) with ESMTPS id 7E8C136931D7
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:51 -0500 (-05)
Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Proxmox) with ESMTP id 6EFF13C1651
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:51 -0500 (-05)
Received-SPF: temperror (vmi433318.contaboserver.net: Time-out on DNS 'TXT' lookup of 'vmi433318.contaboserver.net') receiver=mail.mydomain.com; identity=mailfrom; envelope-from="www-data@vmi433318.contaboserver.net"; helo=vmi433318.contaboserver.net; client-ip=173.249.38.177
Received: from vmi433318.contaboserver.net (vmi433318.contaboserver.net [173.249.38.177])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
    (No client certificate requested)
    by mail.mydomain.com (Proxmox) with ESMTPS id 39D8C3C1617
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:48 -0500 (-05)
Received: by vmi433318.contaboserver.net (Postfix, from userid 33)
    id 3B9E11000BD4; Wed, 11 Nov 2020 16:48:39 +0100 (CET)
To: contabilidad@mydomain.com
Subject: kpmg
MIME-Version: 1.0
Content-type:text/html;charset=UTF-8
From: User Name  Mesa <username@mydomain.com>
Reply-To: User Name<email@ccl2srv.com>
Message-Id: <20201111154840.3B9E11000BD4@vmi433318.contaboserver.net>
Date: Wed, 11 Nov 2020 16:48:39 +0100 (CET)
X-SPAM-LEVEL: Spam detection results:  0
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    HTML_MIME_NO_HTML_TAG   0.377 HTML-only message, but there is no HTML tag
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    T_SPF_TEMPERROR          0.01 SPF: test of record failed (temperror)

<p>Buenos d&iacute;as,</p>

<p>&nbsp;<br />
Te ha contactado el xxxx por la ma&ntilde;ana?</p>
Configure a SpamAssassin custom score for HEADER_FROM_DIFFERENT_DOMAINS. Then use an incoming spam rule to block/quarantine it.
 
Thanks for the reply. So I would edit the current rules I have so far, but how would I add HEADER_FROM_DIFFERENT_DOMAINS
and then have an incoming spam rule?

Thank you


Code:
ifplugin Mail::SpamAssassin::Plugin::RelayCountry
add_header all Relay-Country _RELAYCOUNTRY_
header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|UA|RO|VN)/
describe RELAYCOUNTRY_BAD Relayed through spammy country at some point
score RELAYCOUNTRY_BAD 2.0
header RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(CO|AT|CH)/
describe RELAYCOUNTRY_GOOD First untrusted GW is CO, AT or CH
score RELAYCOUNTRY_GOOD -0.5
endif # Mail::SpamAssassin::Plugin::RelayCountry

header RCVD_IN_BRBL eval:check_rbl('brbl-lastexternal', 'b.barracudacentral.org.', '127.0.0.2')
describe RCVD_IN_BRBL Received via a relay in Barracuda RBL
tflags RCVD_IN_BRBL net
score RCVD_IN_BRBL 1.4

header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal', 'ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM Listed in NiX Spam DNSBL (heise.de)
tflags RCVD_IN_NIX_SPAM net
score RCVD_IN_NIX_SPAM 1.4

header RCVD_IN_WPBL eval:check_rbl('wpbl-lastexternal', 'db.wpbl.info.', '127.0.0.2')
describe RCVD_IN_WPBL Listed in WPBL
tflags RCVD_IN_WPBL net
score RCVD_IN_WPBL 1.4

ifplugin Mail::SpamAssassin::Plugin::HashBL
header HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
describe HASHBL_EMAIL Message contains email address found on EBL
score HASHBL_EMAIL 1.0
endif
 
Just add HEADER_FROM_DIFFERENT_DOMAINS to Spam Detector -> Custom Scores.
No need for custom SpamAssassin rules.
Thanks for the reply. So I added this, but I did a test and it does not work.


Code:
Return-Path: <sistemas@fakemail.com>
Received: from mail.mydomain.com (LHLO mail.mydomain.com) (192.168.11.250)
 by mail.mydomain.com with LMTP; Tue, 24 Nov 2020 14:18:42 -0500 (COT)
Received: from mail.mydomain.local (unknown [192.168.11.252])
    by mail.mydomain.com (Postfix) with ESMTPS id BC995B20F30
    for <sistemas@mydomain.com>; Tue, 24 Nov 2020 14:18:42 -0500 (-05)
Received: from mail.mydomain.local (localhost.localdomain [127.0.0.1])
    by mail.mydomain.local (Proxmox) with ESMTP id 9D11A581489
    for <sistemas@mydomain.com>; Tue, 24 Nov 2020 14:18:42 -0500 (-05)
Received-SPF: pass (fakemail.com: 190.14xx.xxx is authorized to use 'sistemas@fakemail.com' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mail.fakemail.local; identity=mailfrom; envelope-from="sistemas@fakemail.com"; helo=mail.fakemail.com; client-ip=190.xx.xxx
Received: from mail.fakemail.com (mail.fakemail.com [190.14xx.xxx])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
    (No client certificate requested)
    by mail.mydomain.local (Proxmox) with ESMTPS id 08367581379
    for <sistemas@mydomain.com>; Tue, 24 Nov 2020 14:18:34 -0500 (-05)
Received: from mail.fakemail.com (localhost.localdomain [127.0.0.1])
    by mail.fakemail.com (Proxmox) with ESMTP id 1BD113E10E5
    for <sistemas@mydomain.com>; Tue, 24 Nov 2020 14:18:27 -0500 (-05)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fakemail.com; h=
    cc:content-type:content-type:date:from:from:message-id
    :mime-version:reply-to:reply-to:subject:subject:to:to; s=mail;
     bh=CcTZSBs/pPBB/1jsrPY7avkPAiMFhBwpzPfmTq5OA7w=; b=k648DWBYngRP
    a3uI5sVZqxNGNdvgpSV4e1W5NCjHhEy7hAkIAHO8gl/6FKTCl4yiBq89MzVfA6uL
    VGrFaRPJzrUAE107hv0I7bMh/sGr2435TAnengIAXYScdnCJ7Bu4b3J+rfHqaIDm
    68PFEcdvX1U6wijFuHd/xKfx6AYSZuOsPKPo+rm7Ltdpi4xN8fD3V4/5JFwUgi7X
    NceRNnWEej8vq0F/789EEku4HZuWFVkV6bvNWCR5nzDfN/HKdW4cl0CSbvAZ9Vky
    lRUcOa7ltOgA4JIXD5Azs2bfsKIroWNfKwfysyRuwto3dRuLgplTFrk3GVUhWpJd
    f3yAL4va7Q==
Received: from mail.fakemail.com (unknown [192.168.7.245])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.fakemail.com (Proxmox) with ESMTPS id D1D7B3E10D2
    for <sistemas@mydomain.com>; Tue, 24 Nov 2020 14:18:26 -0500 (-05)
Received: from Teamview3PC (unknown [181.136.123.42])
    by mail.fakemail.com (Postfix) with ESMTPSA id 8D14FBE1E5F
    for <sistemas@mydomain.com>; Tue, 24 Nov 2020 14:18:26 -0500 (-05)
Reply-To: <gerencia@fakemail.comm.co>
From: <sistemas@fakemail.com>
To: <sistemas@mydomain.com>
Subject: test
Date: Tue, 24 Nov 2020 14:18:24 -0500
Message-ID: <000401d6c296$95210360$bf630a20$@fakemail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0005_01D6C26C.AC4D6C60"
X-Mailer: Microsoft Outlook 15.0
Content-Language: es-co
Thread-Index: AdbClpMP4lRiUbPfTUehSLfmNLq9dQ==
X-SPAM-LEVEL: Spam detection results:  1
    AWL                    -0.522 Adjusted score from AWL reputation of From: address
    DCC_CHECK                 1.1 Detected as bulk mail by DCC (dcc-servers.net)
    DIGEST_MULTIPLE         0.001 Message hits more than one network digest check
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HTML_MESSAGE            0.001 HTML included in message
    MIME_HTML_MOSTLY          0.1 Multipart message mostly text/html MIME
    PYZOR_CHECK             1.985 Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RELAYCOUNTRY_GOOD        -0.5 First untrusted GW is CO, AT or CH
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record

This is a multipart message in MIME format.
 
The SpamAssassin rule only triggers if the mail From and envelope-from are different.
Double check the sender's SPF record.

Code:
HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different

Received-SPF: pass (fakemail.com: 190.14xx.xxx is authorized to use 'sistemas@fakemail.com' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mail.fakemail.local; identity=mailfrom; envelope-from="sistemas@fakemail.com"; helo=mail.fakemail.com; client-ip=190.xx.xxx
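As an added illustration (not code from this thread, and not PMG's or SpamAssassin's own code), the following Python script shows why the second test did not trigger the rule: it extracts the 2nd-level domain from From, Return-Path (envelope-from) and Reply-To and reports the two comparisons separately. The header samples are constructed from the two messages quoted above, trimmed to the relevant headers; the 2nd-level-domain logic (last two DNS labels) is a simplification assumed here, not SpamAssassin's registrar-boundary list.

```python
"""Compare the From domain against envelope-from and against Reply-To.

Added illustration for the thread above; not PMG or SpamAssassin code.
"""
import email
from email.utils import parseaddr

# Constructed samples: the relevant headers of the two messages quoted in the
# thread, trimmed to what the comparison needs.
ATTACKER_MSG = """\
Return-Path: <www-data@vmi433318.contaboserver.net>
To: contabilidad@mydomain.com
Subject: kpmg
From: User Name  Mesa <username@mydomain.com>
Reply-To: User Name<email@ccl2srv.com>
Message-Id: <20201111154840.3B9E11000BD4@vmi433318.contaboserver.net>

(body omitted)
"""

TEST_MSG = """\
Return-Path: <sistemas@fakemail.com>
Reply-To: <gerencia@fakemail.comm.co>
From: <sistemas@fakemail.com>
To: <sistemas@mydomain.com>
Subject: test

(body omitted)
"""


def mail_domain(header_value: str) -> str:
    """Lower-cased 2nd-level domain of the first address in a header value.

    Assumption made for this example: '2nd level' means the last two DNS
    labels, so fakemail.comm.co -> comm.co. SpamAssassin consults a registrar
    boundary list instead, so public suffixes such as .com.co are handled
    differently there.
    """
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    host = addr.rsplit("@", 1)[1].lower().strip(".")
    return ".".join(host.split(".")[-2:])


def check_sender_alignment(raw_message: str) -> dict:
    """Report both comparisons so the difference between them is visible."""
    msg = email.message_from_string(raw_message)
    from_dom = mail_domain(msg.get("From", ""))
    envelope_dom = mail_domain(msg.get("Return-Path", ""))
    reply_dom = mail_domain(msg.get("Reply-To", ""))
    return {
        "from": from_dom,
        "envelope_from": envelope_dom,
        "reply_to": reply_dom,
        # What HEADER_FROM_DIFFERENT_DOMAINS looks at: From vs envelope-from.
        "from_vs_envelope_differ": bool(envelope_dom) and envelope_dom != from_dom,
        # What the original question is about: From vs Reply-To.
        "from_vs_replyto_differ": bool(reply_dom) and reply_dom != from_dom,
    }


if __name__ == "__main__":
    for name, raw in (("attacker message", ATTACKER_MSG), ("own test", TEST_MSG)):
        print(f"{name}: {check_sender_alignment(raw)}")
```

Run stand-alone, the first message reports both comparisons as differing (envelope-from contaboserver.net and Reply-To ccl2srv.com both differ from mydomain.com), while the test message reports only the Reply-To comparison as differing, because its envelope-from and From are both fakemail.com. That is exactly the case the custom score for HEADER_FROM_DIFFERENT_DOMAINS does not cover, so a test built that way cannot trigger it.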
Thanks for the reply, you're right. I'm trying to replicate it to see the effect. By the way, I see the option is only for PMG 6.xx, but for 5.xx I don't see that option. I'm guessing I need to edit the rules manually?
Are you referring to Custom Score?
Thanks for the reply. So I tried updating, but it didn't go so well the first time.

This is my current custom.cf; would I add something like this?


Code:
ifplugin Mail::SpamAssassin::Plugin::RelayCountry
add_header all Relay-Country _RELAYCOUNTRY_
header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|UA|RO|VN)/
describe RELAYCOUNTRY_BAD Relayed through spammy country at some point
score RELAYCOUNTRY_BAD 2.0
header RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(CO|AT|CH)/
describe RELAYCOUNTRY_GOOD First untrusted GW is CO, AT or CH
score RELAYCOUNTRY_GOOD -0.5
endif # Mail::SpamAssassin::Plugin::RelayCountry

header RCVD_IN_BRBL eval:check_rbl('brbl-lastexternal', 'b.barracudacentral.org.', '127.0.0.2')
describe RCVD_IN_BRBL Received via a relay in Barracuda RBL
tflags RCVD_IN_BRBL net
score RCVD_IN_BRBL 1.4

header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal', 'ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM Listed in NiX Spam DNSBL (heise.de)
tflags RCVD_IN_NIX_SPAM net
score RCVD_IN_NIX_SPAM 1.4

header RCVD_IN_WPBL eval:check_rbl('wpbl-lastexternal', 'db.wpbl.info.', '127.0.0.2')
describe RCVD_IN_WPBL Listed in WPBL
tflags RCVD_IN_WPBL net
score RCVD_IN_WPBL 1.4

ifplugin Mail::SpamAssassin::Plugin::Phishing
phishing_openphish_feed /etc/mail/spamassassin/openphish-feed.txt
phishing_phishtank_feed /etc/mail/spamassassin/phishtank-feed.csv
body URI_PHISHING eval:check_phishing()
describe URI_PHISHING Url match phishing in feed
score URI_PHISHING 1.4
endif

And would I add this and restart the PMG filter?

Code:
score HEADER_FROM_DIFFERENT_DOMAINS 8.000
 
This should work, yes.
What was the info when upgrading? (Eventually you really need to upgrade, because the installation currently does not receive any security updates anymore.)
Thanks for the reply. Around a few months ago I tried and failed, but I don't remember the error. I'll try it again and post back in a new forum post. Thank you again.