Spoofing

João Dias
Oct 23, 2018
I received this type of spoofing. How can I create rules so that it does not pass? I have DKIM and SPF active...
The header...

Return-Path: <d.huebenthal@itex.de>
Received: from mail-01.my-domain.com (LHLO mail-01.my-domain.com)
(172.16.0.6) by mail-01.my-domain.com with LMTP; Sun, 6 Aug 2023 04:46:48
+0100 (WEST)
Received: from localhost (localhost [127.0.0.1])
by mail-01.my-domain.com (Postfix) with ESMTP id 537A3200E72E3
for <user.u.name@my-domain.com>; Sun, 6 Aug 2023 04:46:48 +0100 (WEST)
X-Virus-Scanned: amavisd-new at my-domain.com
X-Spam-Flag: NO
X-Spam-Score: 3.991
X-Spam-Level: ***
X-Spam-Status: No, score=3.991 required=6.6 tests=[BAYES_50=0.8,
BITCOIN_SPAM_07=0.001, BOGUS_MIME_VERSION=1, FROM_EXCESS_BASE64=0.001,
HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001,
PDS_BTC_ID=0.467, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L4=0.001,
RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001,
SPF_SOFTFAIL=0.665, T_TVD_MIME_NO_HEADERS=0.01]
autolearn=no autolearn_force=no
Received: from mail-01.my-domain.com ([127.0.0.1])
by localhost (mail-01.my-domain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 3RlJNAYwMTOv for <user.u.name@my-domain.com>;
Sun, 6 Aug 2023 04:46:47 +0100 (WEST)
Received: from mail.my-domain.com (unknown [10.10.192.5])
by mail-01.my-domain.com (Postfix) with ESMTPS id DA04F200DCB67
for <user.u.name@my-domain.com>; Sun, 6 Aug 2023 04:46:47 +0100 (WEST)
Received: from mail.my-domain.com (localhost [127.0.0.1])
by mail.my-domain.com (Proxmox) with ESMTP id 679BF100131
for <user.u.name@my-domain.com>; Sun, 6 Aug 2023 04:46:47 +0100 (WEST)
Received-SPF: pass (itex.de: 92.205.55.226 is authorized to use 'd.huebenthal@itex.de' in 'mfrom' identity (mechanism 'a' matched)) receiver=mail.my-domain.com; identity=mailfrom; envelope-from="d.huebenthal@itex.de"; helo=sh20212.ispgateway.de; client-ip=92.205.55.226
Received: from sh20212.ispgateway.de (sh20212.ispgateway.de [92.205.55.226])
by mail.my-domain.com (Proxmox) with ESMTPS id 67EAA1000F0
for <user.u.name@my-domain.com>; Sun, 6 Aug 2023 04:46:45 +0100 (WEST)
Received: from sh20212.ispgateway.de (php73.df_default [IPv6:fd00:dead:beef::a])
by sh20212.ispgateway.de (Postfix) with ESMTPS id 1AE79D06D2D0
for <user.u.name@my-domain.com>; Sun, 6 Aug 2023 04:56:39 +0200 (CEST)
Received: (from 503535@localhost)
by sh20212.ispgateway.de (8.15.2/8.15.2/Submit) id 3762udod1540140;
Sun, 6 Aug 2023 04:56:39 +0200
Date: Sun, 6 Aug 2023 04:56:39 +0200
Message-Id: <202308060256.3762udod1540140@sh20212.ispgateway.de>
X-Authentication-Warning: sh20212.ispgateway.de: 503535 set sender to d.huebenthal@itex.de using -f
To: user.u.name@my-domain.com
Subject: =?UTF-8?B?TsOjbyBwZW5zZSBxdWUgdm9jw6ogw6kgaW50ZWxpZ2VudGU=?=
X-PHP-Originating-Script: 503535:mails.php
From: =?UTF-8?B??= <user.u.name@my-domain.com>
MIME-Version: 1.0;
Content-type: multipart/mixed; boundary="--XXTEEmuIaR"
 
a) The mail has a score of 3.9; you could consider putting mails with a score of 3 into quarantine.
b) The sending IP is listed in a few DNSBLs; check if one of them might work for your use case.
c) Read up on DMARC, as it's the piece that requires mails from your domain (also in the header-to, as here the envelope address is d.huebenthal@itex.de) to have a DKIM signature.

I hope this helps!
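To make point c) concrete, here is an added example (written for this page; it is not code from the thread, from the poster, or from Proxmox Mail Gateway) that runs a simplified DMARC identifier-alignment check over the headers quoted above. The SPF result is taken from the receiver's Received-SPF header instead of a fresh DNS lookup; DKIM-Signature headers are only inspected for an aligned d= tag, not cryptographically verified; the organizational-domain rule is simplified to the last two labels (real software uses the Public Suffix List); and the DMARC record for my-domain.com, the abbreviated "spoofed" header sample and the "legitimate" counter-example are all constructed for the demonstration. The point it shows: SPF passes for the envelope sender itex.de, but the header From claims my-domain.com, so neither identifier aligns and a p=quarantine policy on the recipient's own domain would quarantine the message, while the same envelope sender with an honest From passes.

```python
"""Simplified DMARC identifier-alignment check over a captured message header."""
import email
import re

# Constructed sample: the authentication-relevant headers of the spoofed
# message quoted in the post.  SPF passes for the envelope sender (itex.de)
# but the header From is forged to the recipient's own domain.
SPOOFED = """\
Return-Path: <d.huebenthal@itex.de>
Received-SPF: pass (itex.de: 92.205.55.226 is authorized to use 'd.huebenthal@itex.de' in 'mfrom' identity (mechanism 'a' matched)) receiver=mail.my-domain.com; identity=mailfrom; envelope-from="d.huebenthal@itex.de"; helo=sh20212.ispgateway.de; client-ip=92.205.55.226
X-Authentication-Warning: sh20212.ispgateway.de: 503535 set sender to d.huebenthal@itex.de using -f
To: user.u.name@my-domain.com
From: =?UTF-8?B??= <user.u.name@my-domain.com>
MIME-Version: 1.0;

"""

# Constructed counter-example: same envelope sender, honest header From.
LEGIT = """\
Return-Path: <d.huebenthal@itex.de>
Received-SPF: pass (itex.de: 92.205.55.226 is authorized to use 'd.huebenthal@itex.de' in 'mfrom' identity (mechanism 'a' matched)) receiver=mail.my-domain.com; identity=mailfrom; envelope-from="d.huebenthal@itex.de"; helo=sh20212.ispgateway.de; client-ip=92.205.55.226
To: user.u.name@my-domain.com
From: D. Huebenthal <d.huebenthal@itex.de>

"""

# Assumption: the TXT record the recipient would publish at _dmarc.my-domain.com.
# Only the From domain's record matters for DMARC; itex.de's is deliberately left out.
ASSUMED_DMARC = {"my-domain.com": "v=DMARC1; p=quarantine; aspf=r; adkim=r"}


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=quarantine; ...' into {'v': 'DMARC1', 'p': 'quarantine', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain for relaxed alignment.
    Simplification: last two labels; real implementations use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(candidate, from_domain, mode):
    """RFC 7489 alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def address_domain(value):
    """Domain part of the first angle-addr (or bare address) in a header value."""
    match = re.search(r"<([^>]+)>", value or "")
    addr = match.group(1) if match else (value or "").strip()
    return addr.rpartition("@")[2].lower()


def spf_identity(msg):
    """(result, mailfrom domain) taken from the receiver's Received-SPF header."""
    hdr = msg.get("Received-SPF")
    if not hdr:
        return None, ""
    result = hdr.split(None, 1)[0].lower()
    match = re.search(r'envelope-from="?([^";\s]+)"?', hdr)
    return result, (match.group(1).rpartition("@")[2].lower() if match else "")


def evaluate_dmarc(raw, records=ASSUMED_DMARC):
    """Return the DMARC verdict for one message.  DKIM-Signature headers are only
    checked for an aligned d= tag here, not cryptographically verified."""
    msg = email.message_from_string(raw)
    from_domain = address_domain(msg.get("From"))
    record = parse_dmarc_record(records[from_domain]) if from_domain in records else {}
    spf_result, spf_domain = spf_identity(msg)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        match = re.search(r"\bd=([^;\s]+)", str(sig))
        if match:
            dkim_domains.append(match.group(1))
    dkim_aligned = any(aligned(d, from_domain, record.get("adkim", "r")) for d in dkim_domains)
    dmarc_pass = spf_aligned or dkim_aligned
    if not record:
        disposition = "none (no DMARC record for From domain)"
    elif dmarc_pass:
        disposition = "none (DMARC pass)"
    else:
        disposition = record.get("p", "none")
    return {"from_domain": from_domain, "spf_result": spf_result, "spf_domain": spf_domain,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": dmarc_pass, "disposition": disposition}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, evaluate_dmarc(raw))
```

Running it prints the verdict for both samples: the spoofed one ends with disposition "quarantine" because SPF passed for itex.de, not for my-domain.com, and there is no DKIM signature at all; the honest one passes on aligned SPF alone. A real gateway evaluates the policy of the domain in the header From, so this only bites once my-domain.com publishes a DMARC record with p=quarantine or p=reject and the receiving side (here the Proxmox Mail Gateway in front of the mailbox) enforces it.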