SPF softfail settings

ztodorovski

Oct 4, 2019
I have a Proxmox Mail Gateway cluster running; however, I'm having a lot of spam delivered using forged email addresses. To resolve this I would like to quarantine all emails that are delivered from unauthorized IP addresses, even when the SPF record ends with ~all or ?all.

I'm not able to find a setting in the admin panel to achieve this result; I'd appreciate any advice on how to achieve this.
 
Hmm - could you post some (anonymized) mail.log parts of such mails?

SPF is not necessarily (by itself) the best measure - as there are quite a few legitimate mails being sent despite breaking the SPF record (e.g. mails sent from a web-site form ....)
As for being even more strict on '~all' - I'd assume this will cause quite a few false positives.

If you do want to do this you're probably best off adapting your SpamAssassin configuration and raising the score of some SPF-softfail rules (see /usr/share/spamassassin/25_spf.cf for the rules and https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_custom_spamassassin_configuration for adapting your config) and then creating a rule which quarantines mails with a score higher than what you adapted your rules to.

Again, I would not recommend this.
 
I've attached the log available in the tracking center. I am aware that this will cause false positives, but I'd rather have them in quarantine to be approved than passed to mail users directly.

In this case the person forged an address from a local bank which uses a softfail for SPF. The IP address is not blacklisted and the message itself looks very normal, so it's not really detected as spam. This in itself is a very dangerous threat and users can be cheated out of important information, so I would rather err on the side of caution and have SPF fails in quarantine by raising SPF_SOFTFAIL to a score of 4.


Oct 3 16:36:12 gateway12 postfix/smtpd[19913]: connect from setentaytres141.nsprimario.com[188.93.73.141]
Oct 3 16:36:12 gateway12 postfix/smtpd[19913]: E015F211CF: client=setentaytres141.nsprimario.com[188.93.73.141]
Oct 3 16:36:13 gateway12 postfix/cleanup[20198]: E015F211CF: message-id=a1bc16b52f69b4878f62f600c6bc0a92@nlb.mk
Oct 3 16:36:21 gateway12 postfix/qmgr[27026]: E015F211CF: from=SPAMMER@nlb.mk, size=1179146, nrcpt=1 (queue active)
Oct 3 16:36:21 gateway12 postfix/smtpd[19913]: disconnect from setentaytres141.nsprimario.com[188.93.73.141] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct 3 16:36:21 gateway12 pmg-smtp-filter[18930]: 214615D9607654D1DE: new mail message-id=a1bc16b52f69b4878f62f600c6bc0a92@nlb.mk#012
Oct 3 16:36:23 gateway12 pmg-smtp-filter[18930]: 214615D9607654D1DE: SA score=1/5 time=1.314 bayes=undefined autolearn=no autolearn_force=no hits=AWL(-0.000),HTML_IMAGE_ONLY_20(0.7),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.972),URI_HEX(0.1)
Oct 3 16:36:23 gateway12 postfix/smtpd[20204]: connect from localhost.localdomain[127.0.0.1]
Oct 3 16:36:23 gateway12 postfix/smtpd[20204]: 2E8B321491: client=localhost.localdomain[127.0.0.1], orig_client=setentaytres141.nsprimario.com[188.93.73.141]
Oct 3 16:36:23 gateway12 postfix/cleanup[20198]: 2E8B321491: message-id=a1bc16b52f69b4878f62f600c6bc0a92@nlb.mk
Oct 3 16:36:23 gateway12 postfix/qmgr[27026]: 2E8B321491: from=SPAMMER@nlb.mk, size=1179922, nrcpt=1 (queue active)
Oct 3 16:36:23 gateway12 pmg-smtp-filter[18930]: 214615D9607654D1DE: accept mail to ... (2E8B321491) (rule: default-accept)


Given that quarantine is an acceptable solution, can you please explain why this would be bad, or if there is a better way to prevent this?
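As an added example (not from the thread, and not Proxmox code), a small Python what-if check: it parses `pmg-smtp-filter` lines in the `SA score=... hits=...` format shown above, recomputes each message's total with the per-rule weight you intend to set (here SPF_SOFTFAIL = 4, taken from the discussion), and reports which messages would newly cross a quarantine threshold. Run over an existing mail.log before touching the SpamAssassin config, it gives an estimate of the false-positive volume the earlier reply warns about. The extra sample lines and the threshold of 4 are constructed.

```python
import re
import sys

# Constructed sample in the pmg-smtp-filter format seen in the thread. The first
# line is the real one from the post; the other two are made up for illustration.
SAMPLE_LOG = """\
Oct 3 16:36:23 gateway12 pmg-smtp-filter[18930]: 214615D9607654D1DE: SA score=1/5 time=1.314 bayes=undefined autolearn=no autolearn_force=no hits=AWL(-0.000),HTML_IMAGE_ONLY_20(0.7),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.972),URI_HEX(0.1)
Oct 3 16:40:01 gateway12 pmg-smtp-filter[18930]: 0000000000000000A1: SA score=0/5 time=0.901 bayes=undefined autolearn=no autolearn_force=no hits=HTML_MESSAGE(0.001),SPF_PASS(-0.001)
Oct 3 16:41:10 gateway12 pmg-smtp-filter[18930]: 0000000000000000A2: SA score=3/5 time=1.102 bayes=undefined autolearn=no autolearn_force=no hits=HTML_MESSAGE(0.001),SPF_SOFTFAIL(0.972),URIBL_BLOCKED(0.001),MISSING_DATE(1.396),MISSING_MID(0.497)
"""

# Only the "SA score=" line carries the per-rule hits; other filter lines are skipped.
LINE_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): SA score=-?\d+/\d+ .*?hits=(?P<hits>\S*)")
HIT_RE = re.compile(r"([A-Z0-9_]+)\((-?[0-9.]+)\)")


def parse_hits(line):
    """Return (queue_id, {rule: weight}) for an 'SA score=' line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("qid"), {rule: float(val) for rule, val in HIT_RE.findall(m.group("hits"))}


def rescore(hits, overrides):
    """Total after swapping in new weights for selected rules, e.g. {'SPF_SOFTFAIL': 4.0}."""
    return sum(overrides.get(rule, weight) for rule, weight in hits.items())


def simulate(log_text, overrides, threshold):
    """Count messages at or above the quarantine threshold before and after the override.

    The logged 'score=1/5' is an integer summary, so totals are recomputed from the hits.
    """
    result = {"messages": 0, "before": 0, "after": 0, "newly_quarantined": []}
    for line in log_text.splitlines():
        parsed = parse_hits(line)
        if parsed is None:
            continue
        qid, hits = parsed
        result["messages"] += 1
        old, new = sum(hits.values()), rescore(hits, overrides)
        result["before"] += old >= threshold
        result["after"] += new >= threshold
        if new >= threshold > old:
            result["newly_quarantined"].append((qid, round(old, 3), round(new, 3)))
    return result


if __name__ == "__main__":
    # Pass a mail.log path to evaluate your own traffic; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(simulate(text, {"SPF_SOFTFAIL": 4.0}, 4.0))
```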
 
Thanks for the logs!
Hmm - from that it looks like there is indeed nothing else which might fire (a score of 1 is nowhere near a threshold where quarantining would make sense). Just to be sure - you do have RBL checks enabled for the Spam Detector/SpamAssassin? (in the GUI -> Configuration -> Spam Detector -> Options)

Else (but this would only help for saving some resources) - additionally configure some RBLs for the mail proxy.

(In that case the IP is not blacklisted, so it would not have helped :/)

Given that quarantine is an acceptable solution, can you please explain why this would be bad, or if there is a better way to prevent this?
No - the warning was just that tweaking SpamAssassin rules quite often leads to many false positives (and more work for the users and admins).

You can give the quarantine approach a try and see how it works out!
 
I've double checked: RBL is checked. I also manually checked the IP address on as many blacklist websites as I could find; all report it's clean and not marked as a spammer IP :(

Thank you Stoiko for your help and pointing me to the location of the config :)

I'll give it a try with the softfail adjustment and report how it works out for others that may be interested.
 
Thanks for the offer of reporting your experiences - much appreciated! :)
 
So in these couple of days I've had about 4% of emails moved to the quarantine and then manually approved/deleted; some of them were due to the introduction of the new SPF spam score.
The bulk of the quarantined mail was from marketing campaigns (Mailchimp or direct), and they actually fail on many accounts, it's not just the new SPF score. I'm considering implementing other ways to deal with marketing emails, maybe label them as separate entities and move them to other folders or something. The rest of the mails were all real spam mail that should really be blocked.

In conclusion, increasing the weights of SPF checks seems to be useful, at least for me. My service aims to provide a zero-effort email platform, so we will be managing the quarantine, and I think having to review a few more mails in the quarantine is nothing in comparison to the benefits of protecting our clients from spam and phishing attempts.

Note: if you do follow this approach you will have to implement something special for Mailchimp and other marketing platforms, as many of them will fail the SPF check because companies haven't properly configured their SPF rules to add Mailchimp. (In reality their emails are spam as well :D)
 
Thanks for sharing your experiences!
Seems not too bad (and speaks for a wider adoption of SPF than I'd have expected ;)
 
Hello

Where can you set a score of 4 for SPF_SOFTFAIL?
Because in the file /usr/share/spamassassin/25_spf.cf we don't have a score var?

Code:
header   SPF_SOFTFAIL    eval:check_for_spf_softfail()
describe SPF_SOFTFAIL    SPF: sender does not match SPF record (softfail)
tflags   SPF_SOFTFAIL    net
reuse    SPF_SOFTFAIL

I tried to add this, but it's not working:
Code:
score     SPF_SOFTFAIL    3

I am using PMG 5.2.7

Thanks
 
Thanks for your answer, but I use PMG 5.2 and I don't have this function in the interface?
PMG 5.2 has been EOL for 1.5 years now - I'd suggest that you upgrade to 7.0 ASAP (the feature got added in 6.2 IIRC).
 