Spamfilter outsmarted?

itNGO

Hi,

we are using Proxmox Mail Gateway 8.x for one of our customers and have a strange "SPAM" which made it through the gateway without any detection.

The hostname in PMG is "PMG.domain.tld" and the PMG is only responsible for "domain.tld" in transport.

The spammer also used "MULTIPLE-FROM" addresses? Some of them contained the server hostname of PMG itself.

MULTIPLE_FROM (8) [Luxury@PMG.domain.tld,Pillows@PMG.domain.tld,2er-Set@PMG.domain.tld,Abteilung@PMG.domain.tld,<info_bxfjpxjrbwl@tgf.houseviet.org>]

As we use another spam filter "behind" PMG, it was detected there, but PMG did "nothing" about this mail. That is somewhat strange. Maybe someone can shed some light here?

RSPAMD-Results:
Code:
MULTIPLE_FROM (8) [Luxury@PMG.domain.tld,Pillows@PMG.domain.tld,2er-Set@PMG.domain.tld,Abteilung@PMG.domain.tld,<info_bxfjpxjrbwl@tgf.houseviet.org>]
NEURAL_SPAM (4.93863) [0.988]
ARC_REJECT (1) [signature check failed: fail, {[1] = sig:microsoft.com:reject}]
PREVIOUSLY_DELIVERED (0) [s.user@domain.tld]
TO_MATCH_ENVRCPT_ALL (0)
FROM_NEQ_ENVFROM (0) [Luxury@PMG.domain.tld,wln58@tgf.houseviet.org]
MIME_TRACE (0) [0:~]
MISSING_XM_UA (0)
FORGED_SENDER (0) [Luxury@PMG.domain.tld,wln58@tgf.houseviet.org]
RCPT_COUNT_TWO (0) [2]
FUZZY_BLOCKED (0) [rspamd.com]
MIME_HTML_ONLY (0)
FROM_NO_DN (0)
SUBJECT_NEEDS_ENCODING (0)
RCVD_TLS_LAST (0)
TO_DN_NONE (0)
RCVD_COUNT_TWO (0) [2]

Proxmox Tracking Log:
Code:
2024-07-23T20:52:37.817177+00:00 PMG postfix/smtpd[57427]: connect from mail-bn8nam11on2098.outbound.protection.outlook.com[40.107.236.98]
2024-07-23T20:52:38.208848+00:00 PMG postfix/smtpd[57427]: Anonymous TLS connection established from mail-bn8nam11on2098.outbound.protection.outlook.com[40.107.236.98]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2024-07-23T20:52:38.746059+00:00 PMG postfix/smtpd[57427]: NOQUEUE: client=mail-bn8nam11on2098.outbound.protection.outlook.com[40.107.236.98]
2024-07-23T20:52:38.912174+00:00 PMG pmg-smtp-filter[56687]: 8174966A01816DDCF9: new mail message-id=<799ca6c2-f689-4189-95a5-e4390c9d1a96@SJ1PEPF000023CF.namprd02.prod.outlook.com>#012
2024-07-23T20:52:43.087379+00:00 PMG pmg-smtp-filter[56687]: 8174966A01816DDCF9: SA score=0/5 time=4.144 bayes=undefined autolearn=disabled hits=ARC_SIGNED(0.001),ARC_VALID(0.001),FROM_LOCAL_NOVOWEL(0.5),HK_RANDOM_FROM(0.001),HTML_IMAGE_ONLY_28(0.726),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)
2024-07-23T20:52:43.095315+00:00 PMG postfix/smtpd[57437]: connect from localhost[127.0.0.1]
2024-07-23T20:52:43.099438+00:00 PMG postfix/smtpd[57437]: 1841B8174A: client=localhost[127.0.0.1], orig_client=mail-bn8nam11on2098.outbound.protection.outlook.com[40.107.236.98]
2024-07-23T20:52:43.100334+00:00 PMG postfix/cleanup[57438]: 1841B8174A: message-id=<799ca6c2-f689-4189-95a5-e4390c9d1a96@SJ1PEPF000023CF.namprd02.prod.outlook.com>
2024-07-23T20:52:43.143935+00:00 PMG postfix/qmgr[47143]: 1841B8174A: from=<wln58@tgf.houseviet.org>, size=10593, nrcpt=1 (queue active)
2024-07-23T20:52:43.144372+00:00 PMG pmg-smtp-filter[56687]: 8174966A01816DDCF9: accept mail to <s.user@domain.tld> (1841B8174A) (rule: default-accept)
2024-07-23T20:52:43.144512+00:00 PMG postfix/smtpd[57437]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2024-07-23T20:52:43.147261+00:00 PMG pmg-smtp-filter[56687]: 8174966A01816DDCF9: processing time: 4.235 seconds (4.144, 0.018, 0)
2024-07-23T20:52:43.147743+00:00 PMG postfix/smtpd[57427]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (8174966A01816DDCF9); from=<wln58@tgf.houseviet.org> to=<s.user@domain.tld> proto=ESMTP helo=<NAM11-BN8-obe.outbound.protection.outlook.com>
2024-07-23T20:52:43.233646+00:00 PMG postfix/smtp[57439]: Trusted TLS connection established to 10.255.29.1[10.255.29.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2024-07-23T20:52:43.865341+00:00 PMG postfix/smtp[57439]: 1841B8174A: to=<s.user@domain.tld>, relay=10.255.29.1[10.255.29.1]:25, delay=0.77, delays=0.05/0.03/0.1/0.59, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4A07D1393A5)
2024-07-23T20:52:43.865467+00:00 PMG postfix/qmgr[47143]: 1841B8174A: removed
2024-07-23T20:52:44.674816+00:00 PMG postfix/smtpd[57427]: disconnect from mail-bn8nam11on2098.outbound.protection.outlook.com[40.107.236.98] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 rset=1 quit=1 commands=8
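An added example in Python (not part of the post and not PMG's or rspamd's own code) that shows the two checks a gateway operator would want over this mail: parsing the hits= list from the pmg-smtp-filter line above to see what SpamAssassin actually scored, and re-deriving rspamd's MULTIPLE_FROM / FORGED_SENDER style findings from the From header and envelope sender. The From header and envelope sender are constructed from the rspamd output quoted in the post; GATEWAY_HOST is the post's anonymized hostname.

```python
import re
from email.utils import getaddresses

# Assumption taken from the post: the gateway's (anonymized) hostname.
GATEWAY_HOST = "PMG.domain.tld"

# Constructed From header and envelope sender, mirroring rspamd's
# MULTIPLE_FROM / FORGED_SENDER output quoted in the post.
FROM_HEADER = ("Luxury@PMG.domain.tld, Pillows@PMG.domain.tld, 2er-Set@PMG.domain.tld, "
               "Abteilung@PMG.domain.tld, <info_bxfjpxjrbwl@tgf.houseviet.org>")
ENVELOPE_FROM = "wln58@tgf.houseviet.org"

# The pmg-smtp-filter "SA score" line from the tracking log in the post.
SA_LINE = ("8174966A01816DDCF9: SA score=0/5 time=4.144 bayes=undefined autolearn=disabled "
           "hits=ARC_SIGNED(0.001),ARC_VALID(0.001),FROM_LOCAL_NOVOWEL(0.5),HK_RANDOM_FROM(0.001),"
           "HTML_IMAGE_ONLY_28(0.726),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),"
           "RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),"
           "T_REMOTE_IMAGE(0.01)")

def parse_sa_hits(line):
    """Map each SpamAssassin rule name in a pmg-smtp-filter line to its score."""
    m = re.search(r"hits=(\S+)", line)
    if not m:
        return {}
    return {name: float(score)
            for name, score in re.findall(r"([A-Z0-9_]+)\(([-\d.]+)\)", m.group(1))}

def from_addresses(header):
    """All mailbox addresses in a From header, lower-cased (RFC 5322 allows several)."""
    return [addr.lower() for _, addr in getaddresses([header]) if addr]

def check_from(header, envelope_from, gateway_host=GATEWAY_HOST):
    """Findings worth scoring: more than one From mailbox, a From domain equal to
    the gateway's own hostname (the gateway never originates user mail), and a
    From that does not match the envelope sender."""
    addrs = from_addresses(header)
    findings = set()
    if len(addrs) > 1:
        findings.add("MULTIPLE_FROM")
    if any(a.rsplit("@", 1)[-1] == gateway_host.lower() for a in addrs):
        findings.add("FROM_USES_GATEWAY_HOSTNAME")
    if envelope_from.lower() not in addrs:
        findings.add("FROM_NEQ_ENVFROM")
    return findings

if __name__ == "__main__":
    hits = parse_sa_hits(SA_LINE)
    print(f"SpamAssassin hits: {len(hits)}, total {sum(hits.values()):.3f} of the 5.0 threshold")
    print("From-header findings:", sorted(check_from(FROM_HEADER, ENVELOPE_FROM)))
```

The parsed hits show SpamAssassin never looked at the From header's address list, which is exactly where rspamd found the strongest signal.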
 
