We could not detect SPAM mails (where do we go wrong)

NZBilisim

Many users received emails today. The sending IP address is seriously listed on SPAM lists, but the proxy missed it.
The mail came from cigdem.ozturk@pttem.com. Proxmox said accepted/delivered.
--------------------- Report ------------------------------------
Jun 17 14:42:52 smtpgateway postfix/smtpd[1081895]: warning: hostname pause-nation.relationsky.net does not resolve to address 185.239.243.156: Name or service not known
Jun 17 14:42:52 smtpgateway postfix/smtpd[1081895]: connect from unknown[185.239.243.156]
Jun 17 14:42:52 smtpgateway postfix/smtpd[1081895]: NOQUEUE: client=unknown[185.239.243.156]
Jun 17 14:42:53 smtpgateway pmg-smtp-filter[1081725]: 6E17EA62AC68BD0524F: new mail message-id=<20220617044250.EFD5B7A315CE5C8F@pttem.com>#012
Jun 17 14:42:53 smtpgateway pmg-smtp-filter[1081725]: 6E17EA62AC68BD0524F: SA score=0/5 time=0.577 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(0.811),BAYES_00(-1.9),HTML_IMAGE_ONLY_04(1.172),HTML_IMAGE_RATIO_02(0.001),HTML_MESSAGE(0.001),KAM_DMARC_QUARANTINE(1.5),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),RDNS_NONE(0.793),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.665),T_SCC_BODY_TEXT_LINE(-0.01)
Jun 17 14:42:53 smtpgateway postfix/smtpd[1081929]: connect from localhost.localdomain[127.0.0.1]
Jun 17 14:42:53 smtpgateway postfix/smtpd[1081929]: B33816E17EE: client=localhost.localdomain[127.0.0.1], orig_client=unknown[185.239.243.156]
Jun 17 14:42:53 smtpgateway postfix/cleanup[1081930]: B33816E17EE: message-id=<20220617044250.EFD5B7A315CE5C8F@pttem.com>
Jun 17 14:42:53 smtpgateway postfix/qmgr[1078195]: B33816E17EE: from=<cigdem.ozturk@pttem.com>, size=816289, nrcpt=1 (queue active)
Jun 17 14:42:53 smtpgateway postfix/smtpd[1081929]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 17 14:42:53 smtpgateway pmg-smtp-filter[1081725]: 6E17EA62AC68BD0524F: accept mail to <info@adisadanismanlik.com.tr> (B33816E17EE) (rule: default-accept)
Jun 17 14:42:53 smtpgateway pmg-smtp-filter[1081725]: 6E17EA62AC68BD0524F: processing time: 0.771 seconds (0.577, 0.089, 0)
Jun 17 14:42:53 smtpgateway postfix/smtpd[1081895]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (6E17EA62AC68BD0524F); from=<cigdem.ozturk@pttem.com> to=<info@adisadanismanlik.com.tr> proto=ESMTP helo=<mtk0.kjtgroup.com>
Jun 17 14:42:53 smtpgateway postfix/smtpd[1081895]: disconnect from unknown[185.239.243.156] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jun 17 14:42:53 smtpgateway postfix/smtp[1081931]: B33816E17EE: to=<info@adisadanismanlik.com.tr>, relay=mail.nzbilisim.net[178.20.225.216]:25, delay=0.23, delays=0.07/0/0.07/0.09, dsn=2.0.0, status=sent (250 Requested mail action okay, completed)
Jun 17 14:42:53 smtpgateway postfix/qmgr[1078195]: B33816E17EE: removed
--------------------------------------------------------------------------
 
The problem is... When the server that should send the mail and the server that sends the mail are different IPs, the system needs to catch it.
 
Not sure if I understand this 100% right - but ... sending mails with "forged" domains is something that is quite common - and not only used by spammers - one technique that tries to address this issue is SPF:
https://en.wikipedia.org/wiki/Sender_Policy_Framework

However - I really recommend reading the wiki-page I linked and implementing the suggestions there - this usually gives you quite a good setup to catch most spam
 
Hello
I read the document you sent.
Thank you very much.
Is there a setup in Proxmox that I could call a controlled SPF record check, which marks the mail as spam if the record is not satisfied?
If yes, which menu?
Could you share the details?
 
Please post in English - else it's hard to help you

Based on an automated translation of your post:
* for your domains you need to create and maintain SPF records in DNS - this is nothing PMG can help you with
* if you really want to reject mails if they don't come from an IP covered in the SPF record of a domain use GUI->Configuration->Mail Proxy->Options-> use SPF (mails will of course be accepted from domains which don't have a SPF record, or one with a softfail at the end)

I hope this helps!
 
Sorry for the language.
Mindfulness :)
We use proxy for incoming mails.
SPF definitions have been made in our DNS server.
DMARC and DKIM definitions have been made.
But in the example I gave, the mail server information of the pttem.com domain address is as follows.

pttem-com.mail.protection.outlook.com - appears to be 104.47.12.36.

If you examine the report, the mails came from the IP address 185.239.243.156.

Shouldn't Proxmox detect this IP difference and quarantine it?
 
SPF_SOFTFAIL(0.665),T_SCC_BODY_TEXT_LINE(-0.01)
Spamassassin detected a softfail (currently the policy of pttem.com would indicate a hardfail) - and assigned some minimal points to it (which makes sense given how much legit mail comes from domains with broken spf-setups)

as said above - did you enable use SPF in GUI->Configuration->Mail Proxy->Options?

and again - I'd suggest disabling bayes and awl - as explained in the wiki-page I linked
 
I am attaching the screenshot of the place you mentioned.
SPF - YES

How do I disable bayes and awl in the Proxmox app?
 
Attachments: spf.JPG
then the mails coming from an IP, which is not covered by the spf-record of the domain (and which has a `-all` as final entry) will get rejected

If this is not happening - I would suggest to check the DNS-setup -and verify that PMG indeed gets the correct spf record
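The distinction the replies above turn on (a domain ending its SPF record in `-all` gets rejected by the "use SPF" option, while `~all` only earns the SPF_SOFTFAIL score in SpamAssassin) can be worked through with a small SPF evaluator. This is an added example, not PMG's or SpamAssassin's code; the records and domains are constructed stand-ins for DNS lookups, and `gateway_action` is a hypothetical summary of the option's behaviour as described in this thread.

```python
"""Minimal SPF evaluator (ip4/ip6/include/all only; a/mx/ptr/exists are skipped).

Shows why a connecting IP outside a domain's SPF record is rejected by the
"use SPF" option only when the record ends in -all, and merely scored with ~all.
"""
import ipaddress

# Constructed records standing in for DNS TXT lookups; not any real domain's data.
SPF_RECORDS = {
    "hardfail.example": "v=spf1 ip4:104.47.12.0/24 include:spf.relay.example -all",
    "softfail.example": "v=spf1 ip4:104.47.12.0/24 ~all",
    "spf.relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for a connecting IP and a MAIL FROM domain."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"            # no SPF record: nothing to enforce
    if not record.startswith("v=spf1") or depth > 10:
        return "permerror"       # malformed record or include: loop
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # first colon only, so ip6 args survive
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # other mechanisms are not implemented here and are treated as non-matching
    return "neutral"  # record without an "all" term: default result (RFC 7208)


def gateway_action(result):
    """Hypothetical summary of PMG's "use SPF" option as described in this thread:
    only a hard fail is rejected at SMTP time; softfail, neutral and none are
    accepted and left to SpamAssassin scoring (e.g. SPF_SOFTFAIL 0.665)."""
    return "reject" if result == "fail" else "accept (score only)"
```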
 