Spam getting through

Discussion in 'Mail Gateway: Installation and configuration' started by dthompson, Nov 30, 2018.

  1. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    35
    Likes Received:
    0
    Hi all,

    I'm starting to have an issue where it appears that people sending spam are using the PMG servers to send.

    For instance, one person this morning got an email that was sent from the PMG directly:

    From: Faucher@mx1.digidns.ca,

    the PMG is mx.digidns.ca and mx1.digidns.ca

    Question is, what do I need to do in order to stop that from happening?

    Thanks
     
  2. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    16,279
    Likes Received:
    279
    Someone (a spammer) just fakes the From field - you cannot prevent that. Well, unless you set up an SPF record for your domain ...
     
  3. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    35
    Likes Received:
    0
    Thanks for that, but I do indeed have an SPF record set up for my domain (digidns.ca):
    "v=spf1 mx -all"

    So what else exactly am I missing here with regards to this type of spam getting through the filter? Do I also need to set up a subdomain (mx.digidns.ca and mx1.digidns.ca) to stop that spam from coming through? I wouldn't think I do.
    Thanks for your help!
     
  4. oguz

    oguz Proxmox Staff Member
    Staff Member

    Joined:
    Nov 19, 2018
    Messages:
    27
    Likes Received:
    2
    The thing is, the fact that you have an SPF record doesn't mean that the mails can't be faked from your address. How do the headers look on the spoofed emails regarding SPF?
     
  5. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    331
    Likes Received:
    78
    An SPF record does not prevent spam; it only ensures that the receiving mail server may(!) be able to detect that the mail has not been sent by you. The big issue is that there are many techniques out there which should help in fighting spam but work completely differently. So SPF, DKIM and whitelists (like dnswl) should help to prevent spam, but most of those who really configure or use them (correctly) are spammers, who know that some systems may look for SPF records, (valid) DKIM signatures or whitelist entries to assume "clean" mail, while "valid" users often don't set SPF or have forgotten what they set, don't use DKIM, and don't list their systems on whitelists. That's what I have seen in spam headers so far and found over years of fighting spam with my own systems like ESVA, EFA, other MailScanner derivatives and now PMG. E.g. SPF is not usable for more and more companies using services like Hosted Exchange, Google Suite, Mailchimp, Amazon SES etc., as they have no control over the "IP park" they use and would always need to adjust their SPF records; also some of these won't support DKIM, and neither they nor the users or providers will list their servers at e.g. dnswl. For myself, e.g., I was just able to list my systems at dnswl, but my private systems also often change provider and I always need to update.
     
  6. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    35
    Likes Received:
    0
    The legit domain here is: user@realdomain.ca
    The spam email came in from: despacho@eccochemical.com

    One of the headers looks like this:

    Return-Path: <despacho@eccochemical.com>
    X-Spam-Status: No, hits=0.0 required=8.5
    tests=TOTAL_SCORE: 0.000
    X-Spam-Level:

    Received: from mx.digidns.ca ([192.168.11.4])
    by hc1.digidns.ca (Kerio Connect 9.2.7 patch 3) with ESMTPS
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
    for rick@realdomain.ca;
    Mon, 10 Dec 2018 09:51:45 -0500

    Received: from mx.digidns.ca (localhost.localdomain [127.0.0.1])
    by mx.digidns.ca (Proxmox) with ESMTP id 912EF1616E8
    for <rick@realdomain.ca>; Mon, 10 Dec 2018 09:51:45 -0500 (EST)

    Received-SPF: pass (eccochemical.com: 209.140.25.90 is authorized to use 'despacho@eccochemical.com' in 'mfrom' identity (mechanism 'ip4:209.140.25.90' matched)) receiver=mx.digidns.ca; identity=mailfrom; envelope-from="despacho@eccochemical.com"; helo=server9.1ahost.com; client-ip=209.140.25.90

    Received: from server9.1ahost.com (server9.1ahost.com [209.140.25.90])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx.digidns.ca (Proxmox) with ESMTPS id ABAC7161539
    for <rick@realdomain.ca>; Mon, 10 Dec 2018 09:51:44 -0500 (EST)

    Received: from 185.189-204-140.bestel.com.mx ([189.204.140.185]:62497 helo=10.14.43.24)
    by server9.1ahost.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.87)
    (envelope-from <despacho@eccochemical.com>)
    id 1gWMuA-0006mq-B6
    for rick@realdomain.ca.ca; Mon, 10 Dec 2018 10:51:32 -0400

    Date: Mon, 10 Dec 2018 08:51:30 -0600
    From: David Niemela <david@realdomain.ca> <despacho@eccochemical.com>
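The headers above show why SPF said "pass" on a spoofed mail: SPF was evaluated on the envelope sender (`envelope-from="despacho@eccochemical.com"`, domain eccochemical.com), while the address the reader sees is the first one in the From header. The following Python script is an added example, not code from the thread or from PMG: it parses a sample reduced from those headers, pulls the identity SPF actually checked out of `Received-SPF`, and compares its domain with the domains found in the From header. The relaxed alignment test (same domain or a subdomain, as DMARC defines it), the regexes and the helper names are my own simplifications.

```python
import email
import re

# Constructed sample, reduced from the headers pasted in the post above;
# addresses and IDs are kept as they appear there.
RAW = """Return-Path: <despacho@eccochemical.com>
Received: from mx.digidns.ca (localhost.localdomain [127.0.0.1])
\tby mx.digidns.ca (Proxmox) with ESMTP id 912EF1616E8
\tfor <rick@realdomain.ca>; Mon, 10 Dec 2018 09:51:45 -0500 (EST)
Received-SPF: pass (eccochemical.com: 209.140.25.90 is authorized to use 'despacho@eccochemical.com' in 'mfrom' identity (mechanism 'ip4:209.140.25.90' matched)) receiver=mx.digidns.ca; identity=mailfrom; envelope-from="despacho@eccochemical.com"; helo=server9.1ahost.com; client-ip=209.140.25.90
Date: Mon, 10 Dec 2018 08:51:30 -0600
From: David Niemela <david@realdomain.ca> <despacho@eccochemical.com>
To: rick@realdomain.ca
Subject: constructed sample

(body omitted)
"""

ANGLE_ADDR = re.compile(r"<([^<>]+)>")


def addresses(header_value):
    """Every <angle-addr> in a header value; the bare value if there is none."""
    found = ANGLE_ADDR.findall(header_value)
    stripped = header_value.strip()
    return found or ([stripped] if stripped else [])


def domain_of(addr):
    """Domain part of an addr-spec, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def spf_identity(msg):
    """(result, identity) as recorded in Received-SPF. SPF is evaluated on the
    MAIL FROM (envelope-from) identity, never on the From header a reader sees."""
    value = msg.get("Received-SPF", "")
    result = value.split(None, 1)[0].lower() if value else "none"
    m = re.search(r'envelope-from="?([^";\s]+)"?', value)
    if m:
        return result, m.group(1)
    # Fall back to Return-Path, which carries the same identity after delivery.
    rp = addresses(msg.get("Return-Path", ""))
    return result, rp[0] if rp else ""


def aligned(domain, other):
    """Relaxed alignment: identical domains, or one is a subdomain of the other."""
    return domain == other or domain.endswith("." + other) or other.endswith("." + domain)


def assess(raw):
    """Compare the identity SPF vouched for with the domains shown in From."""
    msg = email.message_from_string(raw)  # compat32 policy: raw header strings
    result, envelope = spf_identity(msg)
    from_addrs = addresses(msg.get("From", ""))
    env_domain = domain_of(envelope)
    from_domains = [domain_of(a) for a in from_addrs]
    return {
        "spf_result": result,
        "spf_identity": envelope,
        "envelope_domain": env_domain,
        "from_domains": from_domains,
        # A "pass" only says something about what the reader sees when the
        # first (displayed) From domain lines up with the SPF-checked domain.
        "first_from_aligned": bool(from_domains) and aligned(from_domains[0], env_domain),
    }


if __name__ == "__main__":
    for key, val in assess(RAW).items():
        print(f"{key:20} {val}")
```

On this sample the script reports `spf_result` pass, `envelope_domain` eccochemical.com, `from_domains` realdomain.ca and eccochemical.com, and `first_from_aligned` False: the spammer's own domain legitimately passed SPF, and nothing in SPF alone ties that result to the realdomain.ca address the recipient was shown. A "pass" combined with a non-aligned first From domain is the condition worth alerting on.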
     
  7. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    35
    Likes Received:
    0
    By listing my servers with this service, this apparently helps control the flow of spam coming into the server? By the looks of it I add in a domain:

    domain: digitaltransitions.ca
    with IPs allowed to send (which I would think are my MX servers' IP addresses: 208.93.232.25, 208.93.232.26)

    Would that be correct or does it need to be added in another way?
     
  8. Stoiko Ivanov

    Stoiko Ivanov Proxmox Staff Member
    Staff Member

    Joined:
    May 2, 2018
    Messages:
    391
    Likes Received:
    32
    We had a similar case in the German forum recently:
    https://forum.proxmox.com/threads/s...rten-absender-im-from-feld.49214/#post-230619

    What seemed to have worked there was a filter rule, which puts mails having 2 e-mail addresses in the From header into quarantine:
    * create a new What Object
    * add a "Match Field" object, with Field "From" and Value:
    Code:
    ^.*<.*>.*<.*>.*$
    
    * create a new filter rule putting all mails matching this What Object into quarantine.

    Keep in mind that this is just a rough heuristic (e-mail header encodings can and will bite you here, as exemplified in the German thread).
    So if you run into an e-mail having the first address encoded with base64 or with quoted-printable, you might need to add another regex to match the From: header; e.g. for mails which contain a first From address that is UTF-8 base64 encoded:
    Code:
    ^.*UTF-8.*<.*>.*$
    
    worked.

    hope this helps
     
  9. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    331
    Likes Received:
    78
    This just helps in that potential recipients may have an additional sign of whether the mail coming in is legitimately from your domain or not. As SPF, DNSWL, DKIM and other techniques are preferentially used by spammers to get through (as that's their job and profit), while legitimate senders often don't make this effort or are not able to make it at all (e.g. when using mail service providers, where they don't have control over their IP pool and don't get informed if anything in that IP pool changes), it's not the good spam/no-spam sign that the inventors of these techniques hoped it would be. E.g. most DKIM-signed messages passing my PMG are spam, while most legitimate mail doesn't use DKIM at all. Same for SPF: if a record exists, some are wrong, but for spam senders (e.g. also or especially Google Mail, Yahoo Mail, Hotmail/Outlook.com, ...) SPF exists and is valid. So you won't be able to prevent spam that way; if you set up these "best practices", you just adopt "best practices" and may hope that a recipient of a faked mail, which seems to be from your system and may result in unsolicited responses or NDRs, may block it because you set SPF or a whitelist entry and the recipient uses this technique to prevent the mail from getting through. However, for the reasons above, you can't expect that the recipient will do that, as although it's best practice, it's unusable because of weak adoption on the legitimate side and great adoption on the spammers' side.
     
  10. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    35
    Likes Received:
    0
    Thank you very much for this.

    So just to be sure I'm on the right track,

    I have created a new "What" object, which contains:
    Name: Double Email in From Header
    With the Match Fields:
    From: ^.*<.*>.*<.*>.*$
    From: ^.*UTF-8.*<.*>.*$

    Then I create a new mail Filter Rule: "Double From Quarantine"
    Action: Quarantine
    What Objects: Double Email in From Header


    Does that seem correct and similar to how you did it?

    Thank you very much for all the help here to everyone!!
     
  11. Stoiko Ivanov

    Stoiko Ivanov Proxmox Staff Member
    Staff Member

    Joined:
    May 2, 2018
    Messages:
    391
    Likes Received:
    32
  12. proxmoxuser0815

    proxmoxuser0815 New Member

    Joined:
    Mar 16, 2018
    Messages:
    16
    Likes Received:
    0
    I got the same problem and was looking for a solution. So I tested the above solution with the regexp, which seems to be OK (you can test it right here: https://www.regextester.com/99823).

    Unfortunately, the rule is triggered by mails with just one From-Address too. What am I doing wrong?
     

    Attached Files:

  13. Stoiko Ivanov

    Stoiko Ivanov Proxmox Staff Member
    Staff Member

    Joined:
    May 2, 2018
    Messages:
    391
    Likes Received:
    32
    * the rule seems deactivated? (but I guess you did that afterwards)
    * please post the (anonymized) header of the mail, which was quarantined, but had only one address in the from header
     
  14. proxmoxuser0815

    proxmoxuser0815 New Member

    Joined:
    Mar 16, 2018
    Messages:
    16
    Likes Received:
    0
    Hi, thanks for your reply. The following header has been modified by our Exchange/McAfee, but the From field has not been touched. Did it work for you, dthompson?

    Received: from mail.meinefirma.de (172.28.0.6) by myexchange.meinefirma.de
    (192.168.0.5) with Microsoft SMTP Server id 14.3.408.0; Thu, 13 Dec 2018
    12:48:09 +0100
    Received: from mail.meinefirma.de (localhost.localdomain [127.0.0.1]) by
    mail.meinefirma.de (Proxmox) with ESMTP id D5D2C8610B5 for <me@meinefirma.de>;
    Thu, 13 Dec 2018 12:48:09 +0100 (CET)
    Received: from mailout01.t-online.de (mailout01.t-online.de [194.25.134.80])
    by mail.meinefirma.de (Proxmox) with ESMTP id 414C3861089 for
    <me@meinefirma.de>; Thu, 13 Dec 2018 12:48:09 +0100 (CET)
    Received: from fwd13.aul.t-online.de (fwd13.aul.t-online.de [172.20.27.62]) by
    mailout01.t-online.de (Postfix) with SMTP id 9FF9142428C9 for
    <me@meinefirma.de>; Thu, 13 Dec 2018 12:48:03 +0100 (CET)
    Received: from spica14.aul.t-online.de
    (SrP4pgZJohQqvzMuPm3YyPkXSxPiPuaZd66o3BDkyEY4XyRJouufKcn4x2EePRIgPS@[172.20.102.139])
    by fwd13.aul.t-online.de with esmtp id 1gXPT6-4ZyIOO0; Thu, 13 Dec 2018
    12:47:52 +0100
    Received: from 192.122.26.66:5059 by cmpweb21.aul.t-online.de with HTTP/1.1
    (Lisa V5-4-8-0.14638 on API V5-16-0-0)
    Received: from 172.20.102.128:37701 by spica14.aul.t-online.de:8080; Thu, 13
    Dec 2018 12:47:52 +0100 (CET)
    Date: Thu, 13 Dec 2018 12:47:52 +0100

    From: "sender@senderdomain.com" <sender@senderdomain.com>
    Sender: "sender@senderdomain.com" <sender@senderdomain.com>
    Reply-To: "sender@senderdomain.com" <sender@senderdomain.com>
    To: "IT, IT" <me@meinefirma.de>
    Message-ID: <1544701671967.53369.74beea24e0b2be89bc40fbd3e55655c647a73049@spica.telekom.de>
    Subject: testmail
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_Part_64277_1934465080.1544701672294"
    Importance: normal
    X-MSMail-Priority: normal
    X-Priority: 3
    X-UMS: email
    X-ID: SrP4pgZJohQqvzMuPm3YyPkXSxPiPuaZd66o3BDkyEY4XyRJouufKcn4x2EePRIgPS@t-dialin.net
    X-TOI-MSGID: c20b2c9f-03f2-4bff-8faf-b1ef7e855dc7
    Return-Path: sender@senderdomain.com
    X-MS-Exchange-Organization-AuthSource: myexchange.meinefirma.de
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;60099453;0;novirus
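The two match-field regexes from Stoiko Ivanov's post and the false-positive question in the last two posts can be checked offline. The Python script below is an added example, not code from the thread or from PMG. The From values are constructed: the first two are copied from the headers in posts 6 and 14, the encoded ones are built inline with `base64.b64encode` using the uppercase charset token `UTF-8`, and the helper names are mine. It applies the raw patterns exactly as a plain regex engine reads them and, beside them, a variant that first decodes RFC 2047 encoded words with Python's `email.header.decode_header` and only then counts angle-addrs.

```python
import base64
import re
from email.header import decode_header

# The two patterns from the thread, as a plain (case-sensitive) regex engine reads them.
PMG_PATTERNS = {
    "two-angle-addrs": re.compile(r"^.*<.*>.*<.*>.*$"),
    "utf8-then-angle-addr": re.compile(r"^.*UTF-8.*<.*>.*$"),
}


def pmg_rule_hits(raw_from):
    """Names of the thread's patterns that match the raw, undecoded From value."""
    return [name for name, rx in PMG_PATTERNS.items() if rx.search(raw_from)]


def decode_words(raw_from):
    """Turn RFC 2047 encoded words (=?charset?B?...?=) back into plain text."""
    parts = []
    for chunk, charset in decode_header(raw_from):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def angle_addrs(text):
    """All <...> angle-addr tokens in a header value, in order."""
    return re.findall(r"<([^<>]+)>", text)


def double_from_after_decoding(raw_from):
    """Heuristic that survives header encoding: decode first, then count addresses."""
    return len(angle_addrs(decode_words(raw_from))) >= 2


def encoded_word(text):
    """Build a UTF-8 base64 encoded word the way a mail client does for a display name."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?" + b64 + "?="


# Constructed sample From values: the spoofed header from post 6, the legitimate
# header from post 14, and two encoded variants built here (one spoof, one legit).
SAMPLES = {
    "spoof-plain": "David Niemela <david@realdomain.ca> <despacho@eccochemical.com>",
    "legit-quoted-name": '"sender@senderdomain.com" <sender@senderdomain.com>',
    "spoof-encoded": encoded_word("David Niemela <david@realdomain.ca>") + " <despacho@eccochemical.com>",
    "legit-umlaut-name": encoded_word("Jürgen Müller") + " <juergen@example.org>",
}


def evaluate(raw_from):
    """Both views of one From value: the raw-pattern hits and the decoded count."""
    return {
        "pmg_hits": pmg_rule_hits(raw_from),
        "decoded": decode_words(raw_from),
        "double_from": double_from_after_decoding(raw_from),
    }


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        r = evaluate(value)
        print(f"{label:18} pmg={r['pmg_hits'] or '-'} double_from={r['double_from']}")
```

Running it shows the trade-off the thread circles around: the plain spoof hits the first pattern and the base64-encoded spoof hits the second, but the legitimate "Jürgen Müller" header hits the second pattern too, because any display name a client encodes as a UTF-8 encoded word contains the literal text `UTF-8` followed by an angle-addr. Counting addresses after decoding flags only the two spoofs. The From line pasted in the previous post matches neither pattern as written, so that line alone does not explain the reported trigger. Note also that the second pattern is case-sensitive in a plain regex engine, so a lowercase `utf-8` charset token would not match it unless PMG applies the match case-insensitively, which the thread does not say.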
     