Trying to block senders who should be blocked by SPF

Sep 17, 2020
Hello All,

I have a situation where the from address is @ClientsEmailDomain.com and I have tested it using https://vamsoft.com/support/tools/spf-policy-tester (that's one of my favorite, well-written tools) to confirm with an SPF testing tool that it would block or accept email from multiple addresses, and in each scenario it confirms the SPF policy is correct and shows that it should block.

The header which is below has REAL spammer info, but obfuscated MGW & Sender Domain info.

I would like to understand how to better protect against those people sending messages to appear like @ClientsEmailDomain.com.
I do understand there is a header From vs. an envelope sender, but I'm not really seeing how I can stop these types of things.
Any assistance appreciated!


Code:
Delivered-To: william@ClientsEmailDomain.com
Return-Path: helpdesk@ClientsEmailDomain.com
Received: from mail.apotekhub.com (mail.bernofarm.com [103.139.166.18])
    by mgw.PMGgateway.net (Proxmox) with ESMTPS id 87BC780DE8
    for <william@ClientsEmailDomain.com>; Wed, 31 Aug 2022 12:44:41 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by mail.apotekhub.com (Postfix) with ESMTP id 1FEB31395F68
    for <william@ClientsEmailDomain.com>; Wed, 31 Aug 2022 23:44:39 +0700 (WIB)
Received: from mail.apotekhub.com ([127.0.0.1])
    by localhost (mail.apotekhub.com [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id qG6emJwAqYXo for <william@ClientsEmailDomain.com>;
    Wed, 31 Aug 2022 23:44:36 +0700 (WIB)
Received: from localhost (localhost [127.0.0.1])
    by mail.apotekhub.com (Postfix) with ESMTP id 9C1C2139606A
    for <william@ClientsEmailDomain.com>; Wed, 31 Aug 2022 23:44:36 +0700 (WIB)
X-Virus-Scanned: amavisd-new at apotekhub.com
Received: from mail.apotekhub.com ([127.0.0.1])
    by localhost (mail.apotekhub.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id DgMVRFOQ3IVM for <william@ClientsEmailDomain.com>;
    Wed, 31 Aug 2022 23:44:36 +0700 (WIB)
Received: from kunauimplement.com (unknown [52.141.62.122])
    by mail.apotekhub.com (Postfix) with ESMTPSA id 32FC6139608E
    for <william@ClientsEmailDomain.com>; Wed, 31 Aug 2022 23:44:36 +0700 (WIB)
From: IT Help Desk <helpdesk@ClientsEmailDomain.com>
To: william@ClientsEmailDomain.com
subject: SPAM: Fix Your Password: william@ClientsEmailDomain.com
Date: 31 Aug 2022 16:44:35 +0000
Message-ID: <20220831164435.657D2178AECFB0E6@ClientsEmailDomain.com>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_0012_5ECDC7F2.145C4B55"
X-SPAM-LEVEL: Spam detection results:  4
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    HTML_IMAGE_ONLY_08      1.651 HTML: images with 400-800 bytes of words
    HTML_MESSAGE            0.001 HTML included in message
    HTML_SHORT_LINK_IMG_1   0.001 HTML is very short with a linked image
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KHOP_HELO_FCRDNS        0.399 Relay HELO differs from its IP's reverse DNS
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SCC_BODY_URI_ONLY       1.737 -
    SPF_FAIL                0.001 SPF: sender does not match SPF record (fail)
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    TO_EQ_FM_DOM_SPF_FAIL   0.001 To domain == From domain and external SPF failed
    TVD_SPACE_RATIO         0.001 -
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [bmetrack.com]
    URIBL_DBL_SPAM            2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [bmetrack.com]
 
I have my ClientsEmailDomain.com server IP whitelisted, but of course not the sender of the spam.
I also do NOT have the ClientsEmailDomain.com whitelisted.
 
Not sure that makes sense.
If we have SPF checks enabled, and we have an SPF check saying that server 1.2.3.4 can send mail as ClientsEmailDomain.com, then when we receive email claiming that it's from ClientsEmailDomain.com but from IP 4.5.6.7, then it should reject (assuming a HARD FAIL for SPF config).
Am I missing something??
 
Please post the logs for this mail (and with a bit of context so no relevant lines are missed); then maybe we could see what happens here.

Else, this mail already got 4 points in spamassassin, so maybe adjust your rule system to quarantine such mail.

Apart from that:
URIBL_BLOCKED
both indicate that you should:
* disable bayes
* configure a local dns-resolver on your PMG or get a subscription feed from uribl (both explained and linked in the getting started page on the pmg-wiki:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway)

I think the above 2 points will improve your spam detection quite a bit more than relying on SPF.
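As an added example (not code from the thread or from Proxmox), the check below reads a cut-down copy of the header posted above the way the gateway sees it: it pulls the connecting IP from the topmost Received line (the only IP SPF is evaluated against, not the inner 52.141.62.122 hop), compares the envelope and header From domains against the local domain, and sums the SpamAssassin rule hits with and without the Bayes score to show why the mail stayed under a quarantine threshold. LOCAL_DOMAIN, the placeholder TRUSTED_SENDER_IPS and the 3.0 threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, cut down from the header in the post to the fields these checks read.
SAMPLE = """Return-Path: helpdesk@ClientsEmailDomain.com
Received: from mail.apotekhub.com (mail.bernofarm.com [103.139.166.18])
    by mgw.PMGgateway.net (Proxmox) with ESMTPS id 87BC780DE8; Wed, 31 Aug 2022 12:44:41 -0400
Received: from kunauimplement.com (unknown [52.141.62.122])
    by mail.apotekhub.com (Postfix) with ESMTPSA id 32FC6139608E; Wed, 31 Aug 2022 23:44:36 +0700
From: IT Help Desk <helpdesk@ClientsEmailDomain.com>
X-SPAM-LEVEL: Spam detection results:  4
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    SCC_BODY_URI_ONLY       1.737 -
    SPF_FAIL                0.001 SPF: sender does not match SPF record (fail)
    TO_EQ_FM_DOM_SPF_FAIL   0.001 To domain == From domain and external SPF failed
    URIBL_DBL_SPAM            2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [bmetrack.com]

"""

LOCAL_DOMAIN = "clientsemaildomain.com"
TRUSTED_SENDER_IPS = {"192.0.2.10"}  # assumption: the client's real outbound server (placeholder IP)

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def connecting_ip(msg):
    # The topmost Received line was written by our own gateway; the bracketed IP there is the
    # host that connected to us, and that is the only IP SPF is ever evaluated against.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get_all("Received")[0])
    return m.group(1) if m else None

def rule_hits(msg):
    # Continuation lines of X-SPAM-LEVEL look like "<RULE> <score> <description>".
    return {m.group(1): float(m.group(2)) for m in
            re.finditer(r"^\s+([A-Z0-9_]+)\s+(-?\d+(?:\.\d+)?)", msg["X-SPAM-LEVEL"] or "", re.M)}

def assess(raw, quarantine_at=3.0):
    msg = message_from_string(raw)
    hits = rule_hits(msg)
    ip, env, hdr = connecting_ip(msg), domain_of(msg["Return-Path"]), domain_of(msg["From"])
    findings = []
    if env == LOCAL_DOMAIN and ip not in TRUSTED_SENDER_IPS:
        findings.append("envelope sender claims our domain from untrusted IP " + str(ip))
    if hdr == LOCAL_DOMAIN and "SPF_FAIL" in hits:
        findings.append("header From claims our domain and SPF failed, but SPF_FAIL adds only "
                        + str(hits["SPF_FAIL"]) + " points")
    score = round(sum(hits.values()), 3)
    no_bayes = round(sum(v for k, v in hits.items() if not k.startswith("BAYES_")), 3)
    return {"ip": ip, "envelope": env, "header_from": hdr, "score": score,
            "score_without_bayes": no_bayes, "quarantine": score >= quarantine_at,
            "findings": findings}
```

On this sample the total stays below the threshold only because BAYES_00 subtracts 1.9 points; the same hits without the Bayes rule exceed it.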
 
