Who Objects -> Blacklist-> Domain (Not Working)

Sep 17, 2020
Either I did this wrong, or this is simply not working.
Yesterday I added to the above a domain:
mediaware-news.com

Today I received 2 messages.

Was I supposed to put *@ in front or something else?
 
The domain wide blocklist works, but spammers don't always use real From, you need to look at Received-SPF mfrom for the real from. And block that domain.

Example Spam:
Received-SPF: pass (bitcoin-trading.biz: 95.217.217.211 is authorized to use 'admin@bitcoin-trading.biz' in 'mfrom' identity (mechanism 'ip4:95.217.217.211' matched))
From: Free-VPN-Service@Free-VPN-Service.site

Blocking domain "Free-VPN-Service.site" wouldn't block that email. But blocking "bitcoin-trading.biz" would.
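The mismatch described in the post above, as an added example that is not part of the original thread: it reads the envelope sender out of `Received-SPF` and compares it with the `From` header. The message is constructed from the two header lines quoted above, the function names are hypothetical, and the `Received-SPF` wording is assumed to be the one shown in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the two headers quoted in the post, plus a dummy subject/body.
SAMPLE = (
    "Received-SPF: pass (bitcoin-trading.biz: 95.217.217.211 is authorized to use "
    "'admin@bitcoin-trading.biz' in 'mfrom' identity "
    "(mechanism 'ip4:95.217.217.211' matched))\n"
    "From: Free-VPN-Service@Free-VPN-Service.site\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Assumption: Received-SPF uses the wording shown in the post; other SPF
# implementations format this header differently and would need their own pattern.
MFROM_RE = re.compile(r"authorized to use '([^']*)' in 'mfrom' identity")


def domain_of(address):
    """Return the lower-cased domain part of an address, or None if empty."""
    return address.rpartition("@")[2].lower() if address else None


def sender_domains(raw):
    """Return the envelope (mfrom) domain and the header From domain of a message."""
    msg = message_from_string(raw)
    envelope = None
    # The topmost Received-SPF header is the one added by the last hop.
    for value in msg.get_all("Received-SPF", []):
        match = MFROM_RE.search(" ".join(value.split()))  # undo header folding
        if match:
            envelope = match.group(1)
            break
    header_from = parseaddr(msg.get("From", ""))[1]
    return {"envelope": domain_of(envelope), "header": domain_of(header_from)}


def blocked_by_envelope_list(raw, blocked_domains):
    """True if a domain blocklist keyed on the envelope sender would catch the mail."""
    envelope = sender_domains(raw)["envelope"]
    return envelope is not None and envelope in {d.lower() for d in blocked_domains}


if __name__ == "__main__":
    print(sender_domains(SAMPLE))
    print(blocked_by_envelope_list(SAMPLE, ["Free-VPN-Service.site"]))
    print(blocked_by_envelope_list(SAMPLE, ["bitcoin-trading.biz"]))
```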
 
The domain wide blocklist works, but spammers don't always use real From, you need to look at Received-SPF mfrom for the real from. And block that domain.

Example Spam:
Received-SPF: pass (bitcoin-trading.biz: 95.217.217.211 is authorized to use 'admin@bitcoin-trading.biz' in 'mfrom' identity (mechanism 'ip4:95.217.217.211' matched))
From: Free-VPN-Service@Free-VPN-Service.site

Blocking domain "Free-VPN-Service.site" wouldn't block that email. But blocking "bitcoin-trading.biz" would.
Have here nearly the same issue: But no solution on it, yet ;(
 
I understand, will try to check those.
In the meantime when a user blacklists the message it's the from address which potentially in this case won't match anything ( gives the user the sense that they are blocking them).

Maybe a future option could be to report the spam.

Thanks
 
@Stoiko Ivanov:

On which level operates this one using postfix MTA to block E-mails from "outside" using your own domains configured within PMG:

https://sajonara.de/2014/07/07/e-mail-spam-mit-absender-blacklisten-postfix-eindaemmen/
https://wp.peters-webcorner.de/2018...domains-eintreffen-smtpd_sender_restrictions/
https://www.heise.de/forum/heise-Se...erren/posting-24472659/show/#posting_24472659

Maybe this is an approach for this issue?

The faked e-mail-address / domain is within the FROM part of the e-mail and SPF check is passed due to the SPF design issue itself.
 
On which level operates this one using postfix MTA to block E-mails from "outside" using your own domains configured within PMG:
Not sure I understand your question completely?

but regarding the links to heise etc - you can incorporate the changes into the postfix config using the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine
if you want to restrict the settings to only the external port you need to adapt the master.cf.in template

I hope this helps
 
Not sure I understand your question completely?

but regarding the links to heise etc - you can incorporate the changes into the postfix config using the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine
if you want to restrict the settings to only the external port you need to adapt the master.cf.in template

I hope this helps
I asked which header fields postfix will examine to prevent / block such spoofed mails coming from "own" domain.
if postfix does not look and grab the e-mail address / Domaininfo there - for the "from:" - this approach won't do the job...

So @Stoiko Ivanov do you know it or have experience for it?
 
I asked which header fields postfix will examine to prevent / block such spoofed mails coming from "own" domain.
if postfix does not look and grab the e-mail address / Domaininfo there - for the "from:" - this approach won't do the job...
Postfix in its default configuration (and also the one shipped by PMG) does not check the content (meaning both headers and body) of a mail.

* Some users here have used postfix' header_checks mechanism (search the forum and take a look at the postfix documentation: http://www.postfix.org/header_checks.5.html) to do certain actions (e.g. block mail) on postfix level before they reach the rulesystem/pmg-smtp-filter
* From/To Who Objects in the rule-system operate on the envelope addresses (the address provided in the smtp-dialog's MAIL FROM/RCPT TO commands and not on the From/To headers of a mail) - if you want to match headers in a mail inside the rule-system use a Match Field What Object.

I hope this explains it!
 
Hello again,

I have attached the email headers for an example of the mediaware-news spam.
To confirm, we are looking for the "sender" address and not the from address in order to determine what to block, so in this case the from is
emblue3prd@emark4.embluejet.com

If so, then can I simply block embluejet.com or will that not work because of the sub domain?

One other question, can we see some kind of report showing that our blocked domains is working and reflects how many times we blocked it?

Thanks
 

Attachments

  • headers.txt
    9 KB · Views: 11
Last edited:
Try either blocking 'emark4.embluejet.com' as domain or add a regex to match embluejet.com and all subdomains ('.*emark4.embluejet.com')

on another note:
* you get URIBL_BLOCKED hits - consider fixing your DNS Setup (using a dedicated DNS-Server or setting one up on PMG) - URIBL is one of the best methods to catch spam - and your DNS server seems over quota:
** see the questions and answers section at: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
** https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
* if possible try adding your PMG IPs as trusted relays to your office365 settings (otherwise it will always get a SPF-failure (since your PMG is only relaying the mails))

I hope this helps!
 
sorry I pasted the wrong (second link):
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway
(the general getting started page might also be interesting:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway)

if I setup cached DNS server is that enough for URIBL?
usually having a dedicated (not shared) recursive/caching DNS server is enough to get answers from URIBL - but you can see if it works by checking the logs (pmg-smtp-filter logs which spamassassin rules trigger - check in the log for mentions of URIBL_BLOCKED - if they are still present consider getting a dedicated feed from uribl (see https://pmg.proxmox.com/wiki/index.php/URIBL_Datafeed_over_DNS)

I hope this explains it!
 
Will follow up with that, thanks.
In respect to the domain, if I add a regular expression blacklist of:
^([^.]+)\.brimmats\.com

I believe that will match the domain, however what is the regular expression comparing that to?
Everything possible?
 
^([^.]+)\.brimmats\.com
above you're writing about
emark4.embluejet.com
here you're asking about
brimmats\.com

so I'm a bit confused ....

I believe that will match the domain,
if you configure it as Who object (and add it as From to a rule) it will match the envelope-sender address
if you configure it as What object (Match Field From) it will match the header from header field (which usually contains an e-mail address)

one further point:
no need to anchor the regex (the '^' in the beginning) - this happens inside the rule system - maybe try :
'.*\.brimmats\.com'

I hope this helps

else please try to configure it with a test-email and send such a test-email - that way you get a feeling how it works
 
I was putting both of those domains which were the sender from and the email from domains, under who and not matching so messages were still being delivered.
Based on your response I created a what object matching from and put what I believe to be the from email address.

If a message is rejected because of a what object, is there a specific rejection message I can check in the log files in order to see if it was in fact blocked?

Thanks for your help!
 
OK, back for another attempt.

I have added both the domain names in both who and what, but the messages are still delivered.
I may of course not have done this correctly, and just need to make sure what I need to do to correct it and wrap my head around what I'm doing wrong.

(What Object) In Picture 1, I have added the domain with wildcards for both the sub domain ( which is being seen from several sub domains ) as well as a wildcard for the extension since we have seen some .com and some .nets for this example.

When I do this of course something sent just from the domain with no sub domain will not match, or will it work if I just put domain.com ?
I believe sub domain won't match.
Picture 2 will show additional attempts to reject within the policy.

Picture 3 will reflect the who object -> blacklist.


Thanks!
 

Attachments

  • headers.txt
    9 KB · Views: 12
  • Picture1.png
    Picture1.png
    9.1 KB · Views: 27
  • Picture2.png
    Picture2.png
    41.8 KB · Views: 27
  • Picture3.png
    Picture3.png
    37.9 KB · Views: 26
Last edited:
Try this regex

Code:
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}brimmats\.com(\W|$)
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}embluejet\.com(\W|$)
 
Is there a way to avoid having both a regular expression for
Type Reg-Exp: *\.domain\.com ( handles sub-domains )
and
Type Domain: domain.com ( handles the domain itself )

Just thinking a single rule is more efficient...

Thanks
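An added example, not part of the original thread, that compares the two patterns posted earlier with one pattern that covers both the bare domain and its subdomains. It assumes the rule system matches the pattern against the whole envelope address, anchored at both ends (the thread only states that anchoring happens inside the rule system), and models that with Python's `re.fullmatch`, which is not the engine PMG uses; the addresses are constructed.

```python
import re

# The first two patterns are quoted from the thread; "combined" is this example's own.
PATTERNS = {
    "thread_anchored": r"^([^.]+)\.brimmats\.com",
    "thread_subdomain": r".*\.brimmats\.com",
    "combined": r".*@(.*\.)?brimmats\.com",
}

# Constructed envelope-sender addresses covering the interesting cases.
ADDRESSES = [
    "news@brimmats.com",              # bare domain
    "news@mail.brimmats.com",         # one subdomain level
    "first.last@mail.brimmats.com",   # dot in the local part
    "news@a.mail.brimmats.com",       # two subdomain levels
    "news@notbrimmats.com",           # look-alike domain, must not match
    "news@brimmats.com.example.net",  # domain used as a prefix, must not match
]


def matches(pattern, address):
    """Whole-string, case-insensitive match (assumed rule-system behaviour)."""
    return re.fullmatch(pattern, address, re.IGNORECASE) is not None


def evaluate(patterns=PATTERNS, addresses=ADDRESSES):
    """Map each pattern name to the list of addresses it would match."""
    return {
        name: [addr for addr in addresses if matches(pattern, addr)]
        for name, pattern in patterns.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name}: {hits}")
```

Under that assumption, `[^.]+` stops at the first dot, so the anchored pattern from the thread misses senders with a dot in the local part or more than one subdomain level, and neither posted pattern matches the bare domain.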
 