Stopping spam from the MX filter in reply to field

dthompson

I have an odd issue that I am trying to figure out how to resolve.

In the logs, my customer got this email (spam / phishing):

Dec 2 11:10:20 swarmx1 postfix/smtpd[155817]: connect from winterjoys.com[62.210.130.198]
Dec 2 11:10:21 swarmx1 postfix/smtpd[155817]: Anonymous TLS connection established from winterjoys.com[62.210.130.198]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Dec 2 11:10:21 swarmx1 postfix/smtpd[155817]: 80C2C2A037A: client=winterjoys.com[62.210.130.198]
Dec 2 11:10:21 swarmx1 postfix/cleanup[158447]: 80C2C2A037A: message-id=<af6fdc708453bbb79085336094515b577628adbc@winterjoys.com>
Dec 2 11:10:21 swarmx1 postfix/qmgr[513]: 80C2C2A037A: from=<termination@winterjoys.com>, size=49711, nrcpt=1 (queue active)
Dec 2 11:10:21 swarmx1 pmg-smtp-filter[158468]: 2611A85FC7BC6DDCD60: new mail message-id=<af6fdc708453bbb79085336094515b577628adbc@winterjoys.com>#012
Dec 2 11:10:21 swarmx1 postfix/smtpd[155817]: disconnect from winterjoys.com[62.210.130.198] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec 2 11:10:24 swarmx1 pmg-smtp-filter[158468]: 2611A85FC7BC6DDCD60: SA score=0/5 time=2.110 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),RCVD_IN_PSBL(2.7),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)
Dec 2 11:10:24 swarmx1 postfix/smtpd[158002]: connect from localhost[127.0.0.1]
Dec 2 11:10:24 swarmx1 postfix/smtpd[158002]: 3A31A2A035E: client=localhost[127.0.0.1], orig_client=winterjoys.com[62.210.130.198]
Dec 2 11:10:24 swarmx1 postfix/cleanup[158447]: 3A31A2A035E: message-id=<af6fdc708453bbb79085336094515b577628adbc@winterjoys.com>
Dec 2 11:10:24 swarmx1 postfix/qmgr[513]: 3A31A2A035E: from=<termination@winterjoys.com>, size=50640, nrcpt=1 (queue active)
Dec 2 11:10:24 swarmx1 postfix/smtpd[158002]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Dec 2 11:10:24 swarmx1 pmg-smtp-filter[158468]: 2611A85FC7BC6DDCD60: accept mail to <info@domain.ca> (3A31A2A035E) (rule: default-accept)
Dec 2 11:10:24 swarmx1 pmg-smtp-filter[158468]: 2611A85FC7BC6DDCD60: processing time: 2.338 seconds (2.11, 0.191, 0)
Dec 2 11:10:24 swarmx1 postfix/lmtp[157876]: 80C2C2A037A: to=<info@domain.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.8, delays=0.48/0/0/2.3, dsn=2.5.0, status=sent (250 2.5.0 OK (2611A85FC7BC6DDCD60))
Dec 2 11:10:24 swarmx1 postfix/qmgr[513]: 80C2C2A037A: removed
Dec 2 11:10:24 swarmx1 postfix/smtp[158385]: 3A31A2A035E: to=<info@domain.ca>, relay=192.168.11.221[192.168.11.221]:25, delay=0.07, delays=0.01/0/0.05/0.02, dsn=2.0.0, status=sent (250 Mail queued for delivery)
Dec 2 11:10:24 swarmx1 postfix/qmgr[513]: 3A31A2A035E: removed


The "Reply-To" email is set to: invoice@swarmx1.mailhive.ca

swarmx1 and swarmx2 in this case are my PMG servers. How can I block emails like this from getting through to customers? The fact that the Reply-To is a legit domain for the PMG servers is a little alarming. Can anyone think of a way to stop this sort of email from coming in? Blocking the main spamming domain, winterjoys.com, would be one thing, but it's a temporary solution. Ideally, I'd like to block anything that has a Reply-To that points back to these servers.

Hopefully this makes sense. Thanks!
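The check the question asks for, as an added example that is not part of the post and not a Proxmox Mail Gateway feature: Python that parses a message and rejects it when the Reply-To domain is one of your own gateway hostnames (or hosted domains) while the envelope sender is external. The hostnames, the "own domains" set and the sample message are constructed from the values in the post (swarmx1/swarmx2.mailhive.ca, the winterjoys.com sender, info@domain.ca) and are assumptions to adapt; the Postfix `header_checks` line at the end is a reference equivalent with the same assumed names, not something the poster configured.

```python
"""Added example, not from the post: flag a message from an outside sender
whose Reply-To points at one of your own gateway hostnames. Hostnames and
the sample message are constructed from the values in the post; what counts
as "local" is an assumption to adapt."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: the PMG hostnames plus the domains whose mail they relay. An
# external sender has no legitimate reason to ask for replies to these.
GATEWAY_HOSTS = {"swarmx1.mailhive.ca", "swarmx2.mailhive.ca"}
OWN_DOMAINS = {"domain.ca"}


def address_domain(header_value):
    """'"Invoices" <invoice@swarmx1.mailhive.ca>' -> 'swarmx1.mailhive.ca'"""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def is_local_domain(domain):
    return domain in GATEWAY_HOSTS or domain in OWN_DOMAINS


def check_reply_to(raw_message, envelope_from):
    """Return (verdict, reason). envelope_from is the MAIL FROM address, the
    from=<...> in the postfix log. SPF covers that address and DKIM the
    signing domain; neither says anything about Reply-To, which is why a
    message can score 0/5 with SPF_PASS and DKIM_VALID and still carry a
    Reply-To at a host the sender has no claim to."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reply_to = address_domain(msg.get("Reply-To"))
    sender = address_domain(envelope_from)
    if not reply_to:
        return ("accept", "no Reply-To header")
    if is_local_domain(reply_to) and not is_local_domain(sender):
        return ("reject", "Reply-To at local host %s from external sender %s"
                % (reply_to, sender))
    return ("accept", "Reply-To does not point at a local host")


# A Postfix header_checks (pcre table) line with the same intent, for
# reference. It cannot see the envelope sender, so it also fires on anything
# the gateways themselves generate with such a Reply-To; test before use.
HEADER_CHECKS_LINE = (
    r"/^Reply-To:.*@swarmx[12]\.mailhive\.ca\b/"
    " REJECT Reply-To points at the mail gateway"
)

# Constructed sample shaped like the message in the log above.
SAMPLE = b"""\
From: termination@winterjoys.com
To: info@domain.ca
Reply-To: "Invoices" <invoice@swarmx1.mailhive.ca>
Subject: Account termination notice
Message-ID: <af6fdc708453bbb79085336094515b577628adbc@winterjoys.com>

Your mailbox will be terminated unless you reply to this message.
"""

if __name__ == "__main__":
    print(check_reply_to(SAMPLE, "<termination@winterjoys.com>"))
```

Run it with the envelope sender taken from the `from=<...>` field of the postfix log line, not from the From header, since the header is what the spammer controls and the envelope is what SPF was evaluated against.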
Hello,
I have been working for the past month on improving how Proxmox is filtering mail for our company. The default installation is very conservative and you need to take additional steps to ensure malicious mail is blocked. Before, we had a Barracuda filter that was good but, again, has its own drawbacks. I can say that after fine-tuning Proxmox specifically for our environment we are now on par with Barracuda spam filtering, and that is good news. I'm still working on how to improve malicious attachment detection/removal because the default filters are not very good.

The first thing I started doing was checking if the servers from which I am getting mail are on any DNSBL block list. Using DNSBLs is a very controversial topic (https://en.wikipedia.org/wiki/Domain_Name_System-based_Blackhole_List#Criticism), but I find them to be very good for our mail flow size. False positives are very low. You need to check this as soon as you get your spam, as this is a newly infected server and it might not be on any block list at the start of the spamming. You will soon notice that the servers get added first on the same sites over and over again, so I selected the DNSBL sites below.
Normally I use https://mxtoolbox.com/blacklists.aspx and https://www.abuseipdb.com/ for checking IP addresses.

Depending on the size of your mail flow you may need to use another method of querying DNSBL sites. We don't have much mail flow, so using DNS is fine. Before using anything, do your own research and learn about what you are going to use.

After checking for a while I settled on using:
b.barracudacentral.org (make sure to register your server on https://barracudacentral.org/account/register)
zen.spamhaus.org (https://www.spamhaus.org/zen/ read and understand why you should use it)
dnsbl-1.uceprotect.net (again, read http://www.uceprotect.net/en/index.php?m=6&s=0 and try to understand why you should use it)
bl.mailspike.net (same here: http://www.mailspike.net/usage.html)
bl.spamcop.net (and here: https://www.spamcop.net/bl.shtml)
dnsbl.sorbs.net (this might give you some false positives: http://www.sorbs.net/general/using.shtml); read below about how to add exclusions

This is what works for us, and it does not mean it will work for you. I am also setting the DNSBL Threshold to 1, and that is considered very aggressive, but it works for us.
Also, I am using SPF checking.
(screenshot: dnsbl.png)

To add exclusions, you can add them to the Whitelist:
(screenshot: 1607114777143.png)

After you add a new exclusion, make sure to restart the postfix service or the exclusion won't work. It looks like a bug.
(screenshot: 1607115179638.png)

Normally, when I try to add exclusions, the way I check what kind of IP pools a sending domain uses is to check the SPF record on the domain (if they have one) and add those as exclusions. Using https://app.dmarcanalyzer.com/dns/spf?simple= you get a really nice display of the network blocks that you can add to the whitelist. It's way better to add safe networks than domains, because domains can be spoofed and IP addresses can't be.

For example, to find out Google's (Gmail) IP server blocks, on dmarcanalyzer you get this:
(screenshot: spf_google.png)

Also, looking in the RIPE database https://www.ripe.net/, I managed to collect IP pools for major providers that I added to the whitelist.

Apple (icloud.com and me.com)
144.178.36.0/24
144.178.38.0/24
17.110.0.0/15
17.111.110.0/23
17.120.0.0/16
17.133.0.0/16
17.139.0.0/16
17.142.0.0/15
17.151.1.0/24
17.158.0.0/15
17.162.0.0/15
17.164.0.0/16
17.171.37.0/24
17.172.0.0/16
17.179.168.0/23
17.36.0.0/16
17.41.0.0/16
17.58.0.0/16

outlook.com
111.221.112.0/21
111.221.23.128/25
111.221.66.0/25
111.221.69.128/25
157.55.11.0/25
157.55.157.128/25
157.55.225.0/25
157.55.49.0/25
157.55.61.0/24
157.55.9.128/25
157.56.232.0/21
157.56.24.0/25
157.56.240.0/20
157.56.248.0/21
207.46.198.0/25
207.46.4.128/25
207.46.58.128/25
213.199.177.0/26
65.55.113.64/26
65.55.126.0/25
65.55.174.0/25
65.55.78.128/25
65.55.94.0/25
70.37.151.128/25

hotmail.com
40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
51.4.72.0/24
51.5.72.0/24
51.5.80.0/27
51.4.80.0/27

yahoo.com (very hard to find out, they don't show IP pools via SPF); RIPE helps a bit...
87.248.104.0/21
74.6.128.0/20
77.238.176.0/21
98.137.64.0/20
66.163.184.0/21
188.125.72.0/21

amazon.com
106.50.16.0/28
176.32.105.0/24
176.32.127.0/24
178.236.10.128/26
194.154.193.192/27
194.7.41.152/28
199.127.232.0/22
199.255.192.0/22
203.81.17.0/24
205.251.233.32/32
205.251.233.36/32
207.171.160.0/19
212.123.28.40/32
23.249.208.0/20
23.251.224.0/19
52.95.48.152/29
52.95.49.88/29
54.240.0.0/18
69.169.224.0/20
72.21.192.0/19
72.21.217.142/32
76.223.176.0/20
87.238.80.0/21

facebookmail.com
66.220.144.128/25
66.220.155.0/24
66.220.157.0/25
69.63.178.128/25
69.63.181.0/24
69.63.184.0/25
69.171.232.0/24
69.171.244.0/23

gmail.com
108.177.8.0/21
108.177.96.0/19
130.211.0.0/22
172.217.0.0/19
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
172.217.32.0/20
172.253.112.0/20
172.253.56.0/21
173.194.0.0/16
209.85.128.0/17
216.239.32.0/19
216.58.192.0/19
35.190.247.0/24
35.191.0.0/16
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16

PayPal (the main three servers)
66.211.168.230/31
173.0.84.224/27
173.0.94.244/30

After adding this we had extremely low false positives, and if someone is trying to send something from a domain added to the whitelist and is coming from a different IP, I know it's a spoofed From address and bad mail.

The next part is configuring the Spam Detector filter. Again, the default settings are very conservative. I have also set up honeypot@domain.com as a distribution group and added as many addresses as I have seen on our filter that spam is being delivered to and that do not exist. I want to receive bad email so I can analyze the headers and the content of the email. I also added myself to info@example.com so I can see what kind of spam they receive. The more spam mail you can check, the better modifications you can make.

You don't want to modify something without making sure you know what you are doing. Also, this works for us and it might not work for you. Do your own work/research before adding something...

When you receive bad mail, check what the headers are saying; for example, in Outlook you open the mail and go to File - Properties - Internet headers.
What is important to you is the X-SPAM-LEVEL part of the source (example of bad mail):
X-SPAM-LEVEL: Spam detection results: 0
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
HTML_IMAGE_RATIO_08 0.001 HTML has a low ratio of text to image area
HTML_MESSAGE 0.001 HTML included in message
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
RCVD_IN_DNSWL_LOW -0.7 Sender listed at https://www.dnswl.org/, low trust
RCVD_IN_MSPIKE_H4 0.001 Very Good reputation (+4)
RCVD_IN_MSPIKE_WL 0.001 Mailspike good senders
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
SPF_SOFTFAIL 0.665 SPF: sender does not match SPF record (softfail)
T_LOTTO_AGENT_FM 0.01 Claims Agent

On our filter we have set it so that if the score is 3 then it will add "Unwanted e-mail - SPAM" to the subject, and if it's higher than 4 then it will block the email. Again, it depends on your environment how you set it up, so this works for us but it might not work for you.

The only two scores that I can modify from this list are SPF_SOFTFAIL and T_LOTTO_AGENT_FM, and I did modify them in a way that will block this kind of message in the future. I set SPF_SOFTFAIL to a score of 4 and T_LOTTO_AGENT_FM to a score of 2, so in the future this mail would be blocked.

You need to check beforehand on your filter what kind of mail is getting these detection results and how you will modify the score properly. Do your own research before using these methods.

(screenshot: 1607116967240.png)

You can search by anything in the log, and that is a good way to check before you add anything, or to see how you are doing. Use the tools to your own advantage.
(screenshot: 1607117044975.png)

Here is how I set up our current Custom Scores for our environment. I know that the manual says it's not recommended to make major changes to the scores, but this seems the only way to block spam effectively. It depends highly on the size of your mail flow and how smart you are when adding scores. For now I have had very low false positives and I adjusted the scores accordingly.

Do your own research and actually check messages before you make any changes to your system. What I have set up is tailored for our mail flow specifically. Don't blame me if you use my settings and your mail gets blocked. Do your own research.

I am testing KAM_DMARC_REJECT and SPF_FAIL with a high score, and for now it seems to be working fine.
(screenshot: 1607117228999.png)

(screenshot: 1607117255210.png)

If you want to add exclusions you can add them to the Whitelist, but be careful. Whatever you add here will not be checked by the spam filter, so keep that in mind!
(screenshot: 1607117484801.png)

You can check your whitelisted messages by searching for "rule: Whitelist".
I am at the limit of 10 attachments in the forum, so no image here.


The last thing I am working on is how I will remove attachments that are not allowed. I already made a post, but it's not approved yet on the forum.

Hope this is somehow helpful for you, and as I said, this works for us but it might not work for you. Do your own research before doing anything. I take no responsibility for lost mail if you use the methods described in this post.
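The three mechanisms the reply leans on, as one added example that is not from the reply and not Proxmox Mail Gateway code: the sender-IP network whitelist (exclusions) checked ahead of the DNSBLs, DNSBL lookups with the reply's threshold of 1, and recomputing a SpamAssassin total once custom scores are applied, so the effect of a threshold or an override can be seen on sample data before it is set on the gateway. Zone names are the ones the reply lists and the whitelist is a two-entry subset of its networks; the DNS answers are a constructed table (no network access), the sample header is a copy of the X-SPAM-LEVEL block quoted above, and the exact tag/block comparison is an assumption stated in the code. PMG exposes none of this as a Python API; this is the logic, written out.

```python
"""Added example (not from the reply, not PMG code): whitelist-by-network,
DNSBL lookups with a threshold, and SpamAssassin rescoring, on constructed
data. FAKE_DNS stands in for real DNSBL answers."""
import ipaddress
import re

DNSBL_ZONES = ("zen.spamhaus.org", "b.barracudacentral.org", "bl.spamcop.net")
DNSBL_THRESHOLD = 1  # the reply's setting: one listing is enough to reject

# Subset of the reply's whitelist: a gmail.com block and a hotmail.com block.
WHITELIST = [ipaddress.ip_network(n) for n in ("209.85.128.0/17", "40.92.0.0/15")]

# Constructed stand-in for DNS. A DNSBL lists an address by answering the
# reversed-octet query name with a 127.0.0.x record; the meaning of x is
# zone-specific (see each zone's usage page), so only presence is checked.
FAKE_DNS = {
    "198.130.210.62.zen.spamhaus.org": "127.0.0.4",
    "198.130.210.62.bl.spamcop.net": "127.0.0.2",
}


def dnsbl_query_name(ip, zone):
    """62.210.130.198 + zen.spamhaus.org -> 198.130.210.62.zen.spamhaus.org"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def dnsbl_listings(ip, resolve=FAKE_DNS.get):
    """Zones that list the address. `resolve` maps a query name to an answer
    or None; swap in a real resolver to run it against live zones."""
    return [z for z in DNSBL_ZONES if resolve(dnsbl_query_name(ip, z)) is not None]


def connection_verdict(ip, resolve=FAKE_DNS.get):
    """Whitelist first: an excluded network skips the DNSBL check entirely,
    which is why the reply warns that whitelisted mail is not filtered."""
    if is_whitelisted(ip):
        return "accept (whitelisted network)"
    listed = dnsbl_listings(ip, resolve)
    if len(listed) >= DNSBL_THRESHOLD:
        return "reject (listed on " + ", ".join(listed) + ")"
    return "accept"


# Matches both the header form "RULE score description" and the syslog form
# "hits=RULE(score),RULE(score)" from the pmg-smtp-filter log lines.
HIT_RE = re.compile(r"([A-Z][A-Z0-9_]*)(?:\(|\s+)(-?\d+(?:\.\d+)?)")


def parse_hits(text):
    return {m.group(1): float(m.group(2)) for m in HIT_RE.finditer(text)}


def rescore(hits, custom_scores):
    """Total after replacing the scores of the rules you overrode."""
    return round(sum(custom_scores.get(rule, s) for rule, s in hits.items()), 3)


def classify(score, tag_at=3.0, block_at=4.0):
    # Assumption: the reply's "score is 3" tags and "higher than 4" blocks;
    # check the comparison against the actual rule objects on your gateway.
    if score > block_at:
        return "block"
    if score >= tag_at:
        return "tag"
    return "deliver"


# Constructed copy of the X-SPAM-LEVEL block quoted in the reply.
SAMPLE_HEADER = """\
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
HTML_IMAGE_RATIO_08 0.001 HTML has a low ratio of text to image area
HTML_MESSAGE 0.001 HTML included in message
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
RCVD_IN_DNSWL_LOW -0.7 Sender listed at https://www.dnswl.org/, low trust
RCVD_IN_MSPIKE_H4 0.001 Very Good reputation (+4)
RCVD_IN_MSPIKE_WL 0.001 Mailspike good senders
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
SPF_SOFTFAIL 0.665 SPF: sender does not match SPF record (softfail)
T_LOTTO_AGENT_FM 0.01 Claims Agent
"""
CUSTOM_SCORES = {"SPF_SOFTFAIL": 4.0, "T_LOTTO_AGENT_FM": 2.0}  # the reply's overrides

if __name__ == "__main__":
    print(connection_verdict("62.210.130.198"))  # the sender from the first post
    print(connection_verdict("209.85.220.41"))   # inside a whitelisted gmail block
    hits = parse_hits(SAMPLE_HEADER)
    before, after = rescore(hits, {}), rescore(hits, CUSTOM_SCORES)
    print(before, classify(before), after, classify(after))
```

`parse_hits` also accepts the `hits=...` fragment of a pmg-smtp-filter log line, so the same rescoring can be run over the tracking center log before a custom score is saved; whatever band the recomputed total lands in under your own tag/block thresholds is the thing to verify.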