From bilal.ahmed at kfueit.edu.pk Sat May 4 19:27:05 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Sun, 5 May 2019 00:27:05 +0500
Subject: Email SPoofing Block Help with SPF in Mailscanner
Message-ID: <013f01d502af$5dfafd80$19f0f880$@kfueit.edu.pk>
Kindly, I need help: someone is spoofing addresses of my domain and forwarding
email to my own domain.
My SPF is already added in public DNS.
Please, is there any solution to block invalid SPF record addresses in my
MailScanner/SpamAssassin?
Because I have seen that spoofed addresses with no SPF record are passing through
MailScanner.
Bilal Ahmad
Network Administrator
Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
www.kfueit.edu.pk
From bilal.ahmed at kfueit.edu.pk Sat May 4 19:37:05 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Sun, 5 May 2019 00:37:05 +0500
Subject: Spoof email Blocking Help in Mailscanner
Message-ID: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk>
Please help, someone is spoofing my email address on my domain.
My SPF is valid and added in public DNS.
How do I block, in MailScanner/SpamAssassin, an email with an invalid or no SPF
record?
Bilal Ahmad
From bilal.ahmed at kfueit.edu.pk Sat May 4 19:37:05 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Sun, 5 May 2019 00:37:05 +0500
Subject: Email SPoofing Block Help with SPF in Mailscanner
Message-ID: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
Kindly, I need help: someone is spoofing addresses of my domain and forwarding
email to my own domain.
My SPF is already added in public DNS.
Please, is there any solution to block invalid SPF record addresses in my
MailScanner/SpamAssassin?
Because I have seen that spoofed addresses with no SPF record are passing through
MailScanner.
Bilal Ahmad
Network Administrator
Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
www.kfueit.edu.pk
From mark at msapiro.net Sat May 4 20:35:45 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 4 May 2019 13:35:45 -0700
Subject: Spoof email Blocking Help in Mailscanner
In-Reply-To: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk>
References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk>
Message-ID: <02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net>
On 5/4/19 12:37 PM, bilal.ahmed at kfueit.edu.pk wrote:
> How to block in Mailscanner /spamassasian a email with invalid or no
> SPF record
Ensure you have
loadplugin Mail::SpamAssassin::Plugin::SPF
in one of your /etc/spamassassin/*.pre files and then set
score SPF_FAIL
to a big number in /etc/MailScanner/spamassassin.conf or
/etc/spamassassin/local.cf
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From bilal.ahmed at kfueit.edu.pk Sun May 5 01:54:01 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Sun, 5 May 2019 06:54:01 +0500
Subject: Spoof email Blocking Help in Mailscanner
In-Reply-To: <02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net>
References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk>
<02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net>
Message-ID: <005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk>
Dear, thanks.
I have made sure that loadplugin Mail::SpamAssassin::Plugin::SPF is loaded.
Last question: how do I add the score in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf?
I have simply written: score SPF_FAIL 15.0
But it is still not rejecting invalid SPF email; it is passing as clean with a score of 0.0.
Bilal Ahmad
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
From yuwang at cs.fsu.edu Sun May 5 02:14:54 2019
From: yuwang at cs.fsu.edu (Yu Wang)
Date: Sat, 4 May 2019 22:14:54 -0400
Subject: Spoof email Blocking Help in Mailscanner
In-Reply-To: <005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk>
References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk>
<02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net>
<005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk>
Message-ID: <5dd601d502e8$5483a700$fd8af500$@cs.fsu.edu>
Did you restart your mailscanner daemon?
From bilal.ahmed at kfueit.edu.pk Sun May 5 03:15:58 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Sun, 5 May 2019 08:15:58 +0500
Subject: Spoof email Blocking Help in Mailscanner
In-Reply-To: <5dd601d502e8$5483a700$fd8af500$@cs.fsu.edu>
References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk>
<02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net>
<005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk>
<5dd601d502e8$5483a700$fd8af500$@cs.fsu.edu>
Message-ID: <001201d502f0$dc8e5660$95ab0320$@kfueit.edu.pk>
Yes, but it did not work.
Dear,
Now I have added these lines to /etc/spamassassin/local.cf and it is
working:
meta SPF_NOT_PASS !(SPF_PASS || NO_RELAYS)
score SPF_NOT_PASS 4.506 # flag 10% of non-spam that hits this rule as spam.
describe SPF_NOT_PASS Not fully validated by SPF.
Bilal Ahmad
From bilal.ahmed at kfueit.edu.pk Sun May 5 04:05:56 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Sun, 5 May 2019 09:05:56 +0500
Subject: Spoof email Blocking Help in Mailscanner
In-Reply-To: <001201d502f0$dc8e5660$95ab0320$@kfueit.edu.pk>
References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk>
<02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net>
<005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk>
<5dd601d502e8$5483a700$fd8af500$@cs.fsu.edu>
<001201d502f0$dc8e5660$95ab0320$@kfueit.edu.pk>
Message-ID: <006b01d502f7$d91fb850$8b5f28f0$@kfueit.edu.pk>
But with this setting I fall into another problem, because all my own valid
emails are marked as spam due to this rule.
Even though I whitelisted my own domain, SPF_NOT_PASS adds a high score,
while my SPF is valid, and I verified it with various testing tools as well.
Bilal Ahmad
Network Administrator
From maxsec at gmail.com Sun May 5 08:20:10 2019
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun, 5 May 2019 09:20:10 +0100
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
Message-ID:
Have you whitelisted your own domain?
--
Martin Hepworth, CISSP
Oxford, UK
From djones at ena.com Sun May 5 13:44:25 2019
From: djones at ena.com (David Jones)
Date: Sun, 5 May 2019 13:44:25 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To:
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
Message-ID: <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>
Never, ever, ever whitelist either in MailScanner or SpamAssassin any
domains that your MTA is configured to accept. This will definitely let
spoofed emails through.
> On Sat, 4 May 2019 at 20:38, wrote:
> Kindly I need a help someone is spoofing address of my domain and
> forwarding email to my own domain.
We need an example email with headers lightly redacted posted to
someplace like pastebin.com. It would also help to see the maillog
entries for that queue ID.
There are multiple ways to block this based on the email headers.
We aren't even sure what domain to check the SPF record for without any
headers.
You should consider setting these values in MailScanner.conf if not
already to help with troubleshooting:
Add Envelope From Header = yes
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score = yes
These must be on based on what information you provided but make sure:
Spam Checks = yes
Use SpamAssassin = yes
> My SPF is already added in Public DNS.
Your own SPF setting in DNS will help prevent spoofing to others but
will not necessarily help spoofing to your own mail server running
MailScanner/SpamAssassin depending on your mail flow setup. For
example, does outbound mail flow for your domain go through this same
mail server unauthenticated from an internal mail server? Does an
internal mail server smarthost to or run locally on this MailScanner
instance?
If your outbound mail does not go through this MailScanner instance,
then you have options like this in your /etc/mail/spamassassin/local.cf
or /etc/mail/spamassassin/mailscanner.cf:
blacklist_from *@yourdomain.com
It appears that your outbound mail does flow through this MailScanner
box based on the "score SPF_FAIL 15.0" so the entry above would block
legit email just like the "score SPF_FAIL 15.0" entry.
You might be able to add this to /etc/mail/spamassassin/local.cf or
/etc/mail/spamassassin/mailscanner.cf:
whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
where the "ip.add.re.ss" is the internal IP address of your mail server.
Note this is not ideal since you will no longer be filtering outbound
email.
NOTE: this would only be temporary until a better solution is determined
after seeing the email headers of a spoofed email and knowing more about
the mail flow.
> Please Any solution to block invalid SPF record address in my
> Mailscanner/spamassasian.
Please provide more detail. Mail filtering is very complex so we can't
help without details.
- original email lightly redacted posted to pastebin.com
- what is the MTA?
- what RBLs are configured in the MTA?
- version of MailScanner
- version of SpamAssassin
> Because I have seen the spoof address with no SPF record are passing
> through Mainscanner.
This may be more of a question for the SpamAssassin Users mailing list
if MailScanner is properly using SpamAssassin.
--
David Jones
From maxsec at gmail.com Sun May 5 15:47:54 2019
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun, 5 May 2019 16:47:54 +0100
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
<9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>
Message-ID:
It was a question, not an instruction; whitelisting your own domain is a
common configuration error and will make sure spoofed emails allegedly from
your own domain get through.
Martin
--
Martin Hepworth, CISSP
Oxford, UK
From djones at ena.com Mon May 6 05:39:24 2019
From: djones at ena.com (David Jones)
Date: Mon, 6 May 2019 05:39:24 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To:
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
<9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>,
Message-ID:
Martin,
I knew you wouldn't have done that which is why I removed your name from the top of the reply. My response was for the OP and others that might have done that. :)
Dave
From bilal.ahmed at kfueit.edu.pk Mon May 6 15:25:31 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Mon, 6 May 2019 20:25:31 +0500
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To:
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
<9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>,
Message-ID: <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
Dear Experts,
First of all, thanks for your advice. You are exactly right: because I
whitelisted my whole domain, it let spammers forge email addresses with my
domain and get through.
My MTA is Postfix, the IMAP server is Cyrus; Postfix version: 3.1.0,
MailScanner version: 5.0.7, SpamAssassin version: 3.4.1.
My scenario is that my email server is hosted internally in a private IP
address range. My TXT record in public DNS is for my public-facing IP
address.
The issue is that when I send email to Gmail, Yahoo, Hotmail etc., my SPF is valid,
as shown in their received email headers. SPF is valid when checked at MXTOOLS as
well.
But my own MailScanner says SPF fails, maybe because the email server IP is
private and the TXT record is for the mail server's public-facing IP.
I am doing all this SPF checking to get rid of spoofed emails that use my
domain address, so I have whitelisted my internal network and host:mydomain.
How do I get rid of this SPF fail on my own MailScanner so that my own emails
do not get a high score?
Any other solution to prevent email spoofing?
Bilal Ahmad
Network Administrator
Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
www.kfueit.edu.pk
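The SPF failure on internal mail described in the message above, modelled as an added example that is not MailScanner's, SpamAssassin's or the poster's code: it evaluates a constructed "v=spf1 ip4:... -all" record against the relay that handed the message into the filtering host, so a message arriving from the private-range internal server fails just like an external spoofer does, and marking that network as internal turns the internal case into "none" rather than "pass", which the thread's SPF_NOT_PASS meta rule (it fires whenever SPF_PASS is absent) still scores. The domain, IP addresses, networks and the two rule scores are constructed placeholders; only ip4/ip6 mechanisms are handled and NO_RELAYS is left out of the model.

```python
import ipaddress

# Constructed sample data: the domain's public SPF record lists only the
# public-facing relay address, as in the thread.
SPF_RECORDS = {
    "example.edu": "v=spf1 ip4:203.0.113.25 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse a v=spf1 record into ([(qualifier, network)], qualifier of 'all').

    Simplification: only ip4:/ip6: mechanisms and 'all' are understood; any
    other mechanism (a, mx, include, ...) raises so it is never silently
    treated as a match or a miss.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], "?"   # RFC 7208: no 'all' term means neutral
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        lowered = term.lower()
        if lowered == "all":
            all_qualifier = qualifier
        elif lowered.startswith(("ip4:", "ip6:")):
            mechanisms.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
        else:
            raise ValueError(f"unsupported SPF mechanism: {term}")
    return mechanisms, all_qualifier


def spf_check(domain, client_ip):
    """Check client_ip against domain's record: pass/fail/softfail/neutral/none."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"                       # domain publishes no SPF record
    mechanisms, all_qualifier = parse_spf(record)
    addr = ipaddress.ip_address(client_ip)
    for qualifier, network in mechanisms:
        if addr in network:                 # first matching mechanism wins
            return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[all_qualifier]


def first_external_hop(relay_ips, internal_networks):
    """relay_ips is the Received chain read from the filtering host outward
    (index 0 = the host that connected to it). Return the first relay outside
    internal_networks, or None when the whole path is internal."""
    networks = [ipaddress.ip_network(n) for n in internal_networks]
    for ip in relay_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in network for network in networks):
            return ip
    return None


def evaluate(envelope_from_domain, relay_ips, internal_networks=()):
    """SPF result for the relay that handed the message into the internal network."""
    hop = first_external_hop(relay_ips, internal_networks)
    if hop is None:
        return "none"   # nothing outside the trust boundary to check against the record
    return spf_check(envelope_from_domain, hop)


def score(result, spf_fail_score=15.0, not_pass_score=4.506):
    """Apply the two rules from the thread, 'score SPF_FAIL 15.0' and the
    SPF_NOT_PASS meta rule (fires on anything that is not a pass, 'none'
    included), and return (hit rule names, total score)."""
    hits = []
    if result == "fail":
        hits.append("SPF_FAIL")
    if result != "pass":
        hits.append("SPF_NOT_PASS")
    weights = {"SPF_FAIL": spf_fail_score, "SPF_NOT_PASS": not_pass_score}
    return hits, sum(weights[h] for h in hits)


if __name__ == "__main__":
    cases = [
        ("legit mail via the public relay", ["203.0.113.25"], ()),
        ("spoofer connecting directly", ["198.51.100.7"], ()),
        ("internal server, no internal network set", ["10.0.0.5"], ()),
        ("internal server, 10/8 marked internal", ["10.0.0.5"], ("10.0.0.0/8",)),
        ("spoofer relayed via internal host", ["10.0.0.5", "198.51.100.7"], ("10.0.0.0/8",)),
    ]
    for label, chain, internal in cases:
        result = evaluate("example.edu", chain, internal)
        print(f"{label:42s} -> {result:8s} {score(result)}")
```

The third case is the poster's situation: the internal server's private address is not in the public record, so it fails exactly like the spoofer; the fourth shows that exempting the network removes the failure but does not produce a pass, so a "not pass" rule still needs an exemption for the internal path.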
From thom at vdb.nl Mon May 6 15:54:15 2019
From: thom at vdb.nl (Thom van der Boon)
Date: Mon, 6 May 2019 17:54:15 +0200 (CEST)
Subject: Email SPoofing Block Help with SPF in Mailscanner
Message-ID: <57f841db-3f6f-4635-ac57-58347de1a733@email.android.com>
From kevin.miller at juneau.org Mon May 6 17:09:32 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Mon, 6 May 2019 17:09:32 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
<9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>,
<014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
Message-ID: <384eae9015274efa86e5815e8d9740cc@City-Exch-DB1.cbj.local>
Assuming that you have access to your Postfix server, I'd block SPF there rather than in SpamAssassin. Maybe consider installing postfix-policyd-spf-python. Any domains that are configured to hard-fail will be dealt with there, saving processing time. A soft fail will be passed through to normal spam filtering. If you wish to use SPF in conjunction with SpamAssassin you'll still have that flexibility. Since your domain is set to hard-fail, those spoofed messages will never see the light of day.
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
From: MailScanner On Behalf Of bilal.ahmed at kfueit.edu.pk
Sent: Monday, May 06, 2019 7:26 AM
To: 'MailScanner Discussion'
Subject: RE: Email SPoofing Block Help with SPF in Mailscanner
Dear Experts,
First of all, thanks for your advice. You are exactly right: because I whitelisted my whole domain, it let spammers forge email addresses at my domain and get through.
My MTA is Postfix and my IMAP server is Cyrus. Postfix version: 3.1.0, MailScanner version: 5.0.7, SpamAssassin version: 3.4.1.
My scenario is that my email server is hosted internally on a private IP address range. My TXT record in public DNS is for my public-facing IP address.
The issue is that when I send email to Gmail, Yahoo, Hotmail etc., my SPF is valid, as shown in the headers of the received email. SPF is also valid when checked at MXTOOLS.
But my own MailScanner says SPF fails, maybe because the email server IP is private and the TXT record is for the mail server's public-facing IP.
I am doing all this SPF checking to get rid of spoofed emails that use my domain address, so I have whitelisted my internal network and host:mydomain.
How do I get rid of this SPF fail on my own MailScanner so that my own emails do not get a high score?
Any other solution to prevent email spoofing?
Bilal Ahmad
Network Administrator
Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
www.kfueit.edu.pk
From: MailScanner On Behalf Of David Jones via MailScanner
Sent: Monday, 6 May 2019 10:39 AM
To: MailScanner Discussion
Cc: David Jones
Subject: Re: Email SPoofing Block Help with SPF in Mailscanner
Martin,
I knew you wouldn't have done that which is why I removed your name from the top of the reply. My response was for the OP and others that might have done that. :)
Dave
________________________________
From: MailScanner on behalf of Martin Hepworth
Sent: Sunday, May 5, 2019 10:47 AM
To: MailScanner Discussion
Subject: Re: Email SPoofing Block Help with SPF in Mailscanner
Was a question not an instruction, the whitelist of your own domain is a common configuration error and will make sure spoofed emails allegedly from your own domain will get through.
Martin
On Sun, 5 May 2019 at 14:45, David Jones via MailScanner wrote:
Never, ever, ever whitelist either in MailScanner or SpamAssassin any
domains that your MTA is configured to accept. This will definitely let
spoofed emails through.
> On Sat, 4 May 2019 at 20:38, bilal.ahmed at kfueit.edu.pk wrote:
>
> Kindly I need a help someone is spoofing address of my domain and
> forwarding email to my own domain.
>
We need an example email with headers lightly redacted posted to
someplace like pastebin.com. It would also help to see the maillog
entries for that queue ID.
There are multiple ways to block this based on the email headers.
We aren't even sure what domain to check the SPF record for without any
headers.
You should consider setting these values in MailScanner.conf if not
already to help with troubleshooting:
Add Envelope From Header = yes
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score = yes
These must be on based on what information you provided but make sure:
Spam Checks = yes
Use SpamAssassin = yes
> My SPF is already added in Public DNS.
>
Your own SPF setting in DNS will help prevent spoofing to others but
will not necessarily help spoofing to your own mail server running
MailScanner/SpamAssassin depending on your mail flow setup. For
example, does outbound mail flow for your domain go through this same
mail server unauthenticated from an internal mail server? Does an
internal mail server smarthost to or run locally on this MailScanner
instance?
If your outbound mail does not go through this MailScanner instance,
then you have options like this in your /etc/mail/spamassassin/local.cf
or /etc/mail/spamassassin/mailscanner.cf:
blacklist_from *@yourdomain.com
It appears that your outbound mail does flow through this MailScanner
box based on the "score SPF_FAIL 15.0" so the entry above would block
legit email just like the "score SPF_FAIL 15.0" entry.
You might be able to add this to the /etc/mail/spamassassin/local.cf or
/etc/mail/spamassassin/mailscanner.cf:
whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
where the "ip.add.re.ss" is the internal IP address of your mail server.
Note this is not ideal since you will no longer be filtering outbound
email.
NOTE: this would only be temporary until a better solution is determined
after seeing the email headers of a spoofed email and knowing more about
the mail flow.
> Please, any solution to block invalid SPF record addresses in my
> MailScanner/SpamAssassin.
>
Please provide more detail. Mail filtering is very complex so we can't
help without details.
- original email lightly redacted posted to pastebin.com
- what is the MTA?
- what RBLs are configured in the MTA?
- version of MailScanner
- version of SpamAssassin
> Because I have seen the spoof address with no SPF record are passing
> through MailScanner.
>
This may be more of a question for the SpamAssassin Users mailing list
if MailScanner is properly using SpamAssassin.
--
David Jones
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
--
--
Martin Hepworth, CISSP
Oxford, UK
From mailscanner at replies.cyways.com Mon May 6 17:34:05 2019
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Mon, 6 May 2019 13:34:05 -0400
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <384eae9015274efa86e5815e8d9740cc@City-Exch-DB1.cbj.local>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
<9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>
<014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
<384eae9015274efa86e5815e8d9740cc@City-Exch-DB1.cbj.local>
Message-ID: <0116b4ad-bcdc-9b25-80f4-7d2e7110460e@replies.cyways.com>
If the purpose is simply to stop mail arriving from outside your network
using your domain in the From:, I agree with Kevin that adding rules to
Postfix would be a better choice. I generally deny all mail from
outside sources that has my domain in the From field. I use sendmail,
so I just have an entry in /etc/mail/access with
example.com REJECT
In postfix you'd probably want to add rulesets for
smtpd_client_restrictions and smtpd_sender_restrictions.
Peter
On 5/6/19 1:09 PM, Kevin Miller wrote:
> Assuming that you have access to your postfix server, I'd block SPF
> there rather than in spamassassin. Maybe consider installing
> postfix-policyd-spf-python. Any domains that are configured to
> hard-fail will be dealt with there, saving processing time. A soft fail
> will be passed through to normal spam filtering. If you wish to use spf
> in conjunction with spamassassin you'll still have that flexibility.
> Since your domain is set to hard-fail, those spoofed messages will never
> see the light of day.
>
> ...Kevin
>
> --
>
> Kevin Miller
>
> Network/email Administrator, CBJ MIS Dept.
>
> 155 South Seward Street
>
> Juneau, Alaska 99801
>
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
> From: MailScanner On Behalf Of bilal.ahmed at kfueit.edu.pk
> Sent: Monday, May 06, 2019 7:26 AM
> To: 'MailScanner Discussion'
> Subject: RE: Email SPoofing Block Help with SPF in Mailscanner
>
> Dear Experts,
>
> First of all, thanks for your advice. You are exactly right: because I
> whitelisted my whole domain, it let spammers forge email addresses at my
> domain and get through.
>
> My MTA is Postfix and my IMAP server is Cyrus. Postfix version: 3.1.0,
> MailScanner version: 5.0.7, SpamAssassin version: 3.4.1.
>
> My scenario is that my email server is hosted internally on a private IP
> address range. My TXT record in public DNS is for my public-facing IP
> address.
>
> The issue is that when I send email to Gmail, Yahoo, Hotmail etc., my SPF
> is valid, as shown in the headers of the received email. SPF is also
> valid when checked at MXTOOLS.
>
> But my own MailScanner says SPF fails, maybe because the email server IP
> is private and the TXT record is for the mail server's public-facing IP.
>
> I am doing all this SPF checking to get rid of spoofed emails that use my
> domain address, so I have whitelisted my internal network and
> host:mydomain.
>
> How do I get rid of this SPF fail on my own MailScanner so that my own
> emails do not get a high score?
>
> Any other solution to prevent email spoofing?
>
> Bilal Ahmad
>
> Network Administrator
>
> Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
>
> www.kfueit.edu.pk
>
> From: MailScanner On Behalf Of David Jones via MailScanner
> Sent: Monday, 6 May 2019 10:39 AM
> To: MailScanner Discussion
> Cc: David Jones
> Subject: Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Martin,
>
> I knew you wouldn't have done that which is why I removed your name from
> the top of the reply. My response was for the OP and others that might
> have done that. :)
>
> Dave
>
> ------------------------------------------------------------------------
>
> From: MailScanner on behalf of Martin Hepworth
> Sent: Sunday, May 5, 2019 10:47 AM
> To: MailScanner Discussion
> Subject: Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Was a question not an instruction, the whitelist of your own domain is a
> common configuration error and will make sure spoofed emails allegedly
> from your own domain will get through.
>
> Martin
>
> On Sun, 5 May 2019 at 14:45, David Jones via MailScanner wrote:
>
> Never, ever, ever whitelist either in MailScanner or SpamAssassin any
> domains that your MTA is configured to accept. This will definitely let
> spoofed emails through.
>
> > On Sat, 4 May 2019 at 20:38, bilal.ahmed at kfueit.edu.pk wrote:
> >
> > Kindly I need a help someone is spoofing address of my domain and
> > forwarding email to my own domain.
> >
>
> We need an example email with headers lightly redacted posted to
> someplace like pastebin.com. It would also help to see the maillog
> entries for that queue ID.
>
> There are multiple ways to block this based on the email headers.
>
> We aren't even sure what domain to check the SPF record for without any
> headers.
>
> You should consider setting these values in MailScanner.conf if not
> already to help with troubleshooting:
>
> Add Envelope From Header = yes
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
> Always Include SpamAssassin Report = yes
> Spam Score = yes
>
> These must be on based on what information you provided but make sure:
> Spam Checks = yes
> Use SpamAssassin = yes
>
> > My SPF is already added in Public DNS.
> >
>
> Your own SPF setting in DNS will help prevent spoofing to others but
> will not necessarily help spoofing to your own mail server running
> MailScanner/SpamAssassin depending on your mail flow setup. For
> example, does outbound mail flow for your domain go through this same
> mail server unauthenticated from an internal mail server? Does an
> internal mail server smarthost to or run locally on this MailScanner
> instance?
>
> If your outbound mail does not go through this MailScanner instance,
> then you have options like this in your /etc/mail/spamassassin/local.cf
> or /etc/mail/spamassassin/mailscanner.cf:
>
> blacklist_from *@yourdomain.com
>
> It appears that your outbound mail does flow through this MailScanner
> box based on the "score SPF_FAIL 15.0" so the entry above would block
> legit email just like the "score SPF_FAIL 15.0" entry.
>
> You might be able to add this to the /etc/mail/spamassassin/local.cf or
> /etc/mail/spamassassin/mailscanner.cf:
>
> whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
>
>
> where the "ip.add.re.ss" is the internal IP address of your mail server.
> Note this is not ideal since you will no longer be filtering outbound
> email.
>
> NOTE: this would only be temporary until a better solution is determined
> after seeing the email headers of a spoofed email and knowing more about
> the mail flow.
>
> > Please, any solution to block invalid SPF record addresses in my
> > MailScanner/SpamAssassin.
> >
>
> Please provide more detail. Mail filtering is very complex so we can't
> help without details.
>
> - original email lightly redacted posted to pastebin.com
>
> - what is the MTA?
> - what RBLs are configured in the MTA?
> - version of MailScanner
> - version of SpamAssassin
>
> > Because I have seen the spoof address with no SPF record are passing
> > through MailScanner.
> >
>
> This may be more of a question for the SpamAssassin Users mailing list
> if MailScanner is properly using SpamAssassin.
>
> --
> David Jones
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> --
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
From yuwang at cs.fsu.edu Mon May 6 21:13:19 2019
From: yuwang at cs.fsu.edu (yuwang)
Date: Mon, 06 May 2019 17:13:19 -0400
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
<9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>,
<014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
Message-ID: <9cc80f69202bcf9758691a31e23e5dfa@cs.fsu.edu>
I have a similar set up: mail servers have internal IPs for the local
network and public IPs for external. Here is how I resolved SPF
checking:
We have internal DNS servers that host internal DNS records (hostnames
and IPs, etc). I created TXT records on our internal DNS servers for our
mail SPF record and list all our mail servers' internal IPs. I also set
up DMARC and DKIM records.
If your DNS servers also serve queries from outside, you will need to
use split DNS.
Hope this helps.
James
On 2019-05-06 11:25, bilal.ahmed at kfueit.edu.pk wrote:
> Dear Experts,
>
> First of all, thanks for your advice. You are exactly right: because I
> whitelisted my whole domain, it let spammers forge email addresses at my
> domain and get through.
>
> My MTA is Postfix and my IMAP server is Cyrus. Postfix version: 3.1.0,
> MailScanner version: 5.0.7, SpamAssassin version: 3.4.1.
>
> My scenario is that my email server is hosted internally on a private IP
> address range. My TXT record in public DNS is for my public-facing IP
> address.
>
> The issue is that when I send email to Gmail, Yahoo, Hotmail etc., my SPF
> is valid, as shown in the headers of the received email. SPF is also
> valid when checked at MXTOOLS.
>
> But my own MailScanner says SPF fails, maybe because the email server IP
> is private and the TXT record is for the mail server's public-facing IP.
>
> I am doing all this SPF checking to get rid of spoofed emails that use my
> domain address, so I have whitelisted my internal network and
> host:mydomain.
>
> How do I get rid of this SPF fail on my own MailScanner so that my own
> emails do not get a high score?
>
> Any other solution to prevent email spoofing?
>
> Bilal Ahmad
>
> Network Administrator
>
> Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
>
> www.kfueit.edu.pk
>
> FROM: MailScanner
>
> ON BEHALF OF David Jones via MailScanner
> SENT: Monday, 6 May 2019 10:39 AM
> TO: MailScanner Discussion
> CC: David Jones
> SUBJECT: Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Martin,
>
> I knew you wouldn't have done that which is why I removed your name
> from the top of the reply. My response was for the OP and others that
> might have done that. :)
>
> Dave
>
> -------------------------
>
> FROM: MailScanner
> on behalf
> of Martin Hepworth
> SENT: Sunday, May 5, 2019 10:47 AM
> TO: MailScanner Discussion
> SUBJECT: Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Was a question not an instruction, the whitelist of your own domain is
> a common configuration error and will make sure spoofed emails
> allegedly from your own domain will get through.
>
> Martin
>
> On Sun, 5 May 2019 at 14:45, David Jones via MailScanner
> wrote:
>
>> Never, ever, ever whitelist either in MailScanner or SpamAssassin
>> any
>> domains that your MTA is configured to accept. This will definitely
>> let
>> spoofed emails through.
>>
>>> On Sat, 4 May 2019 at 20:38, bilal.ahmed at kfueit.edu.pk wrote:
>>>
>>> Kindly I need a help someone is spoofing address of my domain and
>>> forwarding email to my own domain.
>>>
>>
>> We need an example email with headers lightly redacted posted to
>> someplace like pastebin.com. It would also help to see the maillog
>> entries for that queue ID.
>>
>> There are multiple ways to block this based on the email headers.
>>
>> We aren't even sure what domain to check the SPF record for without
>> any
>> headers.
>>
>> You should consider setting these values in MailScanner.conf if not
>> already to help with troubleshooting:
>>
>> Add Envelope From Header = yes
>> Detailed Spam Report = yes
>> Include Scores In SpamAssassin Report = yes
>> Always Include SpamAssassin Report = yes
>> Spam Score = yes
>>
>> These must be on based on what information you provided but make
>> sure:
>> Spam Checks = yes
>> Use SpamAssassin = yes
>>
>>> My SPF is already added in Public DNS.
>>>
>>
>> Your own SPF setting in DNS will help prevent spoofing to others but
>>
>> will not necessarily help spoofing to your own mail server running
>> MailScanner/SpamAssassin depending on your mail flow setup. For
>> example, does outbound mail flow for your domain go through this
>> same
>> mail server unauthenticated from an internal mail server? Does an
>> internal mail server smarthost to or run locally on this MailScanner
>>
>> instance?
>>
>> If your outbound mail does not go through this MailScanner instance,
>>
>> then you have options like this in your /etc/mail/spamassassin/local.cf
>> or /etc/mail/spamassassin/mailscanner.cf:
>>
>> blacklist_from *@yourdomain.com
>>
>> It appears that your outbound mail does flow through this
>> MailScanner
>> box based on the "score SPF_FAIL 15.0" so the entry above would
>> block
>> legit email just like the "score SPF_FAIL 15.0" entry.
>>
>> You might be able to add this to the /etc/mail/spamassassin/local.cf or
>> /etc/mail/spamassassin/mailscanner.cf:
>>
>> whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
>>
>> where the "ip.add.re.ss" is the internal IP address of your mail
>> server.
>> Note this is not ideal since you will no longer be filtering
>> outbound
>> email.
>>
>> NOTE: this would only be temporary until a better solution is
>> determined
>> after seeing the email headers of a spoofed email and knowing more
>> about
>> the mail flow.
>>
>>> Please, any solution to block invalid SPF record addresses in my
>>> MailScanner/SpamAssassin.
>>>
>>
>> Please provide more detail. Mail filtering is very complex so we
>> can't
>> help without details.
>>
>> - original email lightly redacted posted to pastebin.com
>> - what is the MTA?
>> - what RBLs are configured in the MTA?
>> - version of MailScanner
>> - version of SpamAssassin
>>
>>> Because I have seen the spoof address with no SPF record are passing
>>> through MailScanner.
>>>
>>
>> This may be more of a question for the SpamAssassin Users mailing
>> list
>> if MailScanner is properly using SpamAssassin.
>>
>> --
>> David Jones
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> --
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
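Added example, not code from the thread, MailScanner, Postfix or policyd-spf: a small SPF evaluator plus an MTA-side policy decision that puts together Kevin's advice (reject SPF hard fails at the MTA, pass soft fails on to filtering), Peter's rule (reject outside mail that uses your own domain as sender) and James's split-DNS view of the SPF record. The domain example.edu, the gateway address 203.0.113.10, the internal host 10.0.0.25 and the records in PUBLIC_DNS and INTERNAL_DNS are constructed stand-ins embedded in place of real DNS lookups, and only the ip4, ip6, include and all mechanisms are evaluated. It also reproduces the symptom from Bilal's message: the internal host fails against the public record but passes against the internal view of it.

```python
"""SPF evaluation and MTA policy, modelled on the advice in this thread.
Added example; all domains, addresses and records are constructed."""
import ipaddress

OUR_DOMAIN = "example.edu"   # constructed stand-in for the OP's domain

# Constructed stand-in for DNS. The public zone lists only the public (NAT)
# address of the gateway, so an internal host fails when checked against it.
PUBLIC_DNS = {
    "example.edu": "v=spf1 ip4:203.0.113.10 -all",
    "partner.example": "v=spf1 ip4:192.0.2.0/24 ~all",      # soft-fail policy
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",       # hard-fail policy
    "alias.example": "v=spf1 include:partner.example -all",
}
# James's split-DNS view: the same record as seen from inside, with the
# RFC 1918 range of the internal mail hosts added.
INTERNAL_DNS = {**PUBLIC_DNS,
                "example.edu": "v=spf1 ip4:203.0.113.10 ip4:10.0.0.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender_domain, dns, depth=0):
    """Return pass/fail/softfail/neutral/none for client_ip against the sender
    domain's SPF record. Only ip4, ip6, include and all are implemented (the
    mechanisms that need no further DNS lookups); a, mx, ptr and exists are
    treated as non-matching. RFC 7208 caps include recursion, mirrored by depth."""
    record = dns.get(sender_domain.lower())
    if record is None or not record.lower().startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # a v4 address is never "in" a v6 network, so mixed versions just miss
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_spf(client_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                         # record ran out without a match


MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]


def mta_policy(client_ip, mail_from, authenticated=False, dns=PUBLIC_DNS):
    """Decide on MAIL FROM the way the thread suggests doing it in the MTA:
    (1) own networks and authenticated clients are permitted and never
    SPF-checked, (2) an outside client using our own domain is rejected
    (Peter's access-map REJECT), (3) an SPF hard fail is rejected (Kevin's
    policyd-spf), (4) everything else, soft fails included, goes on to
    MailScanner/SpamAssassin ("DUNNO" in Postfix policy terms)."""
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.strip("<>").rpartition("@")[2].lower()  # "" for bounces
    if authenticated or any(ip in net for net in MYNETWORKS):
        return ("PERMIT", "own network or authenticated client; SPF not checked")
    if domain == OUR_DOMAIN:
        return ("REJECT", "outside client used our own domain as sender")
    result = check_spf(client_ip, domain, dns)
    if result == "fail":
        return ("REJECT", "SPF hard fail for %s" % domain)
    return ("DUNNO", "SPF %s; continue to content filtering" % result)


if __name__ == "__main__":
    # Bilal's symptom: the internal host fails the public record but passes
    # the internal view of the same record.
    print(check_spf("10.0.0.25", OUR_DOMAIN, PUBLIC_DNS))    # fail
    print(check_spf("10.0.0.25", OUR_DOMAIN, INTERNAL_DNS))  # pass
    for client, sender in [("198.51.100.7", "dean@example.edu"),
                           ("10.0.0.25", "dean@example.edu"),
                           ("198.51.100.7", "user@partner.example"),
                           ("198.51.100.7", "user@strict.example")]:
        print(client, sender, mta_policy(client, sender))
```

The order of the checks in mta_policy is the point: the permit for your own networks and authenticated clients has to come before the own-domain REJECT and the SPF check, just as permit_mynetworks has to precede check_sender_access in a Postfix restriction list; otherwise your own internal hosts are rejected for exactly the SPF fail Bilal sees in MailScanner.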
From djones at ena.com Mon May 6 22:56:22 2019
From: djones at ena.com (David Jones)
Date: Mon, 6 May 2019 22:56:22 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <57f841db-3f6f-4635-ac57-58347de1a733@email.android.com>
References: <57f841db-3f6f-4635-ac57-58347de1a733@email.android.com>
Message-ID: <602b04a2-3baa-c92b-2a24-bc385161003d@ena.com>
On 5/6/19 10:54 AM, Thom van der Boon wrote:
> Dear Bilal,
>
> First upgrade everything to the latest versions.
>
> MailScanner = 5.1.3
> spamassassin = 3.4.2
>
The versions he is running are fine and wouldn't change the situation
enough to solve the core problem.
> One way to get this working
>
> Set up an extra SMTP server on your internal network. Make sure this
> server can not be reached from the internet.
> Whitelist the extra SMTP server in Mailscanner based on its IP address
>
I don't understand the purpose of this recommendation. This could
easily turn out to make things worse.
>
> Op 6 mei 2019 17:26 schreef bilal.ahmed at kfueit.edu.pk:
>
> Dear Experts,
>
> First of all, thanks for your advice. You are exactly right: because I
> whitelisted my whole domain, it let spammers forge email addresses at my
> domain and get through.
>
> My MTA is Postfix and my IMAP server is Cyrus. Postfix version: 3.1.0,
> MailScanner version: 5.0.7, SpamAssassin version: 3.4.1.
>
> My scenario is that my email server is hosted internally on a private IP
> address range. My TXT record in public DNS is for my public-facing IP
> address.
>
> The issue is that when I send email to Gmail, Yahoo, Hotmail etc., my SPF
> is valid, as shown in the headers of the received email. SPF is also
> valid when checked at MXTOOLS.
>
> But my own MailScanner says SPF fails, maybe because the email server IP
> is private and the TXT record is for the mail server's public-facing IP.
>
> I am doing all this SPF checking to get rid of spoofed emails that use my
> domain address, so I have whitelisted my internal network and
> host:mydomain.
>
> How do I get rid of this SPF fail on my own MailScanner so that my own
> emails do not get a high score?
>
> Any other solution to prevent email spoofing?
>
> Bilal Ahmad
>
> Network Administrator
>
> Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
>
> www.kfueit.edu.pk
>
> From: MailScanner On Behalf Of David Jones via MailScanner
> Sent: Monday, 6 May 2019 10:39 AM
> To: MailScanner Discussion
> Cc: David Jones
> Subject: Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Martin,
>
> I knew you wouldn't have done that which is why I removed your name
> from the top of the reply. My response was for the OP and others
> that might have done that. :)
>
> Dave
>
> ------------------------------------------------------------------------
>
> From: MailScanner on behalf of Martin Hepworth
> Sent: Sunday, May 5, 2019 10:47 AM
> To: MailScanner Discussion
> Subject: Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Was a question not an instruction, the whitelist of your own domain
> is a common configuration error and will make sure spoofed emails
> allegedly from your own domain will get through.
>
> Martin
>
> On Sun, 5 May 2019 at 14:45, David Jones via MailScanner wrote:
>
> Never, ever, ever whitelist either in MailScanner or SpamAssassin any
> domains that your MTA is configured to accept. This will definitely let
> spoofed emails through.
>
> > On Sat, 4 May 2019 at 20:38, bilal.ahmed at kfueit.edu.pk wrote:
> >
> > Kindly I need a help someone is spoofing address of my domain and
> > forwarding email to my own domain.
> >
>
> We need an example email with headers lightly redacted posted to
> someplace like pastebin.com. It would also help to see the maillog
> entries for that queue ID.
>
> There are multiple ways to block this based on the email headers.
>
> We aren't even sure what domain to check the SPF record for
> without any
> headers.
>
> You should consider setting these values in MailScanner.conf if not
> already to help with troubleshooting:
>
> Add Envelope From Header = yes
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
> Always Include SpamAssassin Report = yes
> Spam Score = yes
>
> These must be on based on what information you provided but make
> sure:
> Spam Checks = yes
> Use SpamAssassin = yes
>
> > My SPF is already added in Public DNS.
> >
>
> Your own SPF setting in DNS will help prevent spoofing to others
> but
> will not necessarily help spoofing to your own mail server running
> MailScanner/SpamAssassin depending on your mail flow setup. For
> example, does outbound mail flow for your domain go through this
> same
> mail server unauthenticated from an internal mail server? Does an
> internal mail server smarthost to or run locally on this
> MailScanner
> instance?
>
> If your outbound mail does not go through this MailScanner
> instance,
> then you have options like this in your /etc/mail/spamassassin/local.cf
> or /etc/mail/spamassassin/mailscanner.cf:
>
> blacklist_from *@yourdomain.com
>
> It appears that your outbound mail does flow through this
> MailScanner
> box based on the "score SPF_FAIL 15.0" so the entry above would
> block
> legit email just like the "score SPF_FAIL 15.0" entry.
>
> You might be able to add this to the /etc/mail/spamassassin/local.cf or
> /etc/mail/spamassassin/mailscanner.cf:
>
> whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
>
> where the "ip.add.re.ss" is the internal IP address of your mail server.
> Note this is not ideal since you will no longer be filtering outbound
> email.
>
> NOTE: this would only be temporary until a better solution is determined
> after seeing the email headers of a spoofed email and knowing more about
> the mail flow.
>
> > Please, any solution to block invalid SPF record addresses in my
> > MailScanner/SpamAssassin.
> >
>
> Please provide more detail. Mail filtering is very complex so we can't
> help without details.
>
> - original email lightly redacted posted to pastebin.com
>
> - what is the MTA?
> - what RBLs are configured in the MTA?
> - version of MailScanner
> - version of SpamAssassin
>
> > Because I have seen the spoof address with no SPF record are passing
> > through MailScanner.
> >
>
> This may be more of a question for the SpamAssassin Users
> mailing list
> if MailScanner is properly using SpamAssassin.
>
> --
> David Jones
>
--
David Jones
From djones at ena.com Mon May 6 23:54:26 2019
From: djones at ena.com (David Jones)
Date: Mon, 6 May 2019 23:54:26 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <9cc80f69202bcf9758691a31e23e5dfa@cs.fsu.edu>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk>
<9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>
<014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
<9cc80f69202bcf9758691a31e23e5dfa@cs.fsu.edu>
Message-ID:
On 5/6/19 4:13 PM, yuwang wrote:
> I have a similar set up: mail servers have internal IPs for the local
> network and public IPs for external. Here is how I resolved SPF checking:
>
> We have internal DNS servers that host internal DNS records (hostnames
> and IPs, etc). I created TXT records on our internal DNS servers for our
> mail SPF record and list all our mail servers' internal IPs. I also set
> up DMARC and DKIM records.
>
If you have your MTA and SpamAssassin setup correctly you don't need
internal DNS records for MX, SPF, DKIM, etc. See the internal_networks
comments below for details.
> If your DNS servers also serve queries from outside, you will need to
> use split DNS.
>
> Hope this helps.
>
> James
>
>
> On 2019-05-06 11:25, bilal.ahmed at kfueit.edu.pk wrote:
>> Dear Experts,
>>
>> First of all, thanks for your advice. You are exactly right: because I
>> whitelisted my whole domain, it let spammers forge email addresses at
>> my domain and get through.
>>
>> My MTA is Postfix and my IMAP server is Cyrus. Postfix version: 3.1.0,
>> MailScanner version: 5.0.7, SpamAssassin version: 3.4.1.
>>
Besides the SPF problem, there are many Postfix tuning options that can
be done:
main.cf = drop messages that spoof your own domain in the Message-ID
header_checks = pcre:/etc/postfix/header_checks
/^Message-ID:.*@mydomain\.com>/ DISCARD
postscreen <- simple to setup and a MUST do
python-policyd-spf
opendkim
opendmarc
sqlgrey
postfwd
postscreen weighted RBLs
===========================
postscreen_access_list =
permit_mynetworks,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_cache_retention_time = 7d
postscreen_bare_newline_ttl = 7d
postscreen_greet_ttl = 7d
postscreen_non_smtp_command_ttl = 7d
postscreen_pipelining_ttl = 7d
postscreen_dnsbl_ttl = 1m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?1}${stress:11}s
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_dnsbl_whitelist_threshold = -1
postscreen_blacklist_action = drop
postscreen_dnsbl_sites =
dnsbl.sorbs.net=127.0.0.[10;14]*9
dnsbl.sorbs.net=127.0.0.5*7
b.barracudacentral.org=127.0.0.2*7
dnsbl.inps.de=127.0.0.2*7
bl.mailspike.net=127.0.0.[10;11;12]*7
hostkarma.junkemailfilter.com=127.0.0.2*4
dnsbl.sorbs.net=127.0.0.7*4
bl.spamcop.net=127.0.0.2*4
...
I have a huge list of dnsbl_sites. See the SpamAssassin Users mailing
list archives for more details.
A GOOD SET OF RBLS IN POSTSCREEN_DNSBL_SITES WILL REJECT THE MAJORITY OF
JUNK/SPAM WITHOUT ANY OTHER CHANGES/ADDITIONS.
>> My scenario is that my email server is hosted internally on a private
>> IP address range. My TXT record in public DNS is for my public-facing
>> IP address.
>>
Internal mail servers behind NAT need to have a dedicated/two-way NAT so
outbound traffic shows as the same IP as in the inbound to get FCrDNS
correct. This is for outbound mail delivery and SPF checks passing
outbound to the Internet.
Get on the mail server and run "curl ifconfig.me" at a shell prompt and
make sure it matches the inbound IP for the A record. Then run "dig -x
[IP] +short". Now run "dig [PTR value]" and make sure it points back to
the same IP.
# curl ifconfig.me
96.4.1.10
[root at smtp2n.ena spamassassin]# dig -x 96.4.1.10 +short
smtp2n.ena.net.
[root at smtp2n.ena spamassassin]# dig smtp2n.ena.net +short
96.4.1.10
Web version of this same check above:
http://multirbl.valli.org/fcrdns-test/96.4.1.10.html
>> The issue is that when I send email to Gmail, Yahoo, Hotmail etc., my
>> SPF is valid, as shown in the headers of the received email. SPF is
>> also valid when checked at MXTOOLS.
>>
Sure would be nice to see those headers so we can help.
>> But my own MailScanner says SPF fails, maybe because the email server
>> IP is private and the TXT record is for the mail server's public-facing IP.
>>
Make sure you have your Postfix mynetworks and the SpamAssassin
internal_networks setup essentially with the same internal network
blocks. Then trusted_networks can be extra networks that are outside of
your organization. Note that the SA trusted_networks doesn't mean they
will never send spam but will never originate spam or forge the Received
headers.
SPF checks should be performed against the last external mail server and
not on any internal IPs.
I have been testing out an idea to include Office 365 IPs in the
trusted_networks list. If the first mail server puts the original
client's IP address in as an X-Originating-IP header then this is very
effective to detect as the last-external against RBLs for better
accuracy. The internal Microsoft mail servers at Office 365 are listed
on various RBLs but that causes a lot of FPs due to the large shared
platform.
https://wiki.apache.org/spamassassin/TrustedRelays
Microsoft has been putting in the X-Originating-IP header for a while.
Older Exchange servers and other mail servers don't add the first hop
Received: or the X-Originating-IP headers but as I find more platforms
that do, I am expanding out my trusted_networks list to find the "true
edge" behind large shared platforms.
>> I am doing all this SPF checking to get rid of spoofed emails that use
>> my domain address. I have whitelisted my internal network and
>> host:mydomain
>>
>> How do I get rid of this SPF fail on my own MailScanner so that my own
>> emails do not get a high score?
>>
>> Any other solution to prevent email spoofing?
>>
>> BILAL AHMAD
>>
>> Network Administrator
>>
>> Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
>>
>> www.kfueit.edu.pk
>>
>>>> On Sat, 4 May 2019 at 20:38, >>> > wrote:
>>>>
>>>> Kindly, I need help: someone is spoofing the address of my domain and
>>>> forwarding email to my own domain.
>>>>
>>>
>>> We need an example email with headers lightly redacted posted to
>>> someplace like pastebin.com [1]. It would also help to see the
>>> maillog entries for that queue ID.
>>>
Still need an example email sent via pastebin.com to actually give solid
recommendations. We are all guessing still.
>>> There are multiple ways to block this based on the email headers.
>>>
>>> We aren't even sure what domain to check the SPF record for without
>>> any
>>> headers.
>>>
>>> You should consider setting these values in MailScanner.conf if not
>>> already to help with troubleshooting:
>>>
>>> Add Envelope From Header = yes
>>> Detailed Spam Report = yes
>>> Include Scores In SpamAssassin Report = yes
>>> Always Include SpamAssassin Report = yes
>>> Spam Score = yes
>>>
Did you check these settings?
>>> These must be on based on what information you provided but make
>>> sure:
>>> Spam Checks = yes
>>> Use SpamAssassin = yes
>>>
>>>> My SPF is already added in Public DNS.
>>>>
>>>
>>> Your own SPF setting in DNS will help prevent spoofing to others but
>>> will not necessarily help spoofing to your own mail server running
>>> MailScanner/SpamAssassin depending on your mail flow setup. For
>>> example, does outbound mail flow for your domain go through this
>>> same mail server unauthenticated from an internal mail server? Does an
>>> internal mail server smarthost to or run locally on this MailScanner
>>> instance?
>>>
>>> If your outbound mail does not go through this MailScanner instance,
>>> then you have options like this in your
>>> /etc/mail/spamassassin/local.cf [2]
>>> or /etc/mail/spamassassin/mailscanner.cf [3]:
>>>
>>> blacklist_from *@yourdomain.com [4]
>>>
>>> It appears that your outbound mail does flow through this
>>> MailScanner
>>> box based on the "score SPF_FAIL 15.0" so the entry above would
>>> block
>>> legit email just like the "score SPF_FAIL 15.0" entry.
>>>
>>> You might be able to add this to the etc/mail/spamassassin/local.cf
>>> [2] or
>>> /etc/mail/spamassassin/mailscanner.cf [3]:
>>>
>>> whitelist_from_rcvd *@yourdomain.com [4] [ip.add.re.ss]
>>>
>>> where the "ip.add.re.ss" is the internal IP address of your mail
>>> server.
>>> Note this is not ideal since you will no longer be filtering
>>> outbound
>>> email.
>>>
>>> NOTE: this would only be temporary until a better solution is
>>> determined
>>> after seeing the email headers of a spoofed email and knowing more
>>> about
>>> the mail flow.
>>>
>>>>
>>>> Please, any solution to block invalid SPF record addresses in my
>>>> MailScanner/SpamAssassin.
>>>>
>>>
>>> Please provide more detail. Mail filtering is very complex so we
>>> can't help without details.
>>>
>>> - original email lightly redacted posted to pastebin.com [1]
>>> - what is the MTA?
>>> - what RBLs are configured in the MTA?
>>> - version of MailScanner
>>> - version of SpamAssassin
>>>
This information is still needed.
>>>> Because I have seen the spoof addresses with no SPF record are
>>>> passing through MailScanner.
>>>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>> Links:
>> ------
>> [1] http://pastebin.com
>> [2] http://local.cf
>> [3] http://mailscanner.cf
>> [4] http://yourdomain.com
>
>
Excellent links to use to help us help you.
--
David Jones
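As an added illustration of the trusted_networks / last-external point made above (this is example code written for this archive, not SpamAssassin's own relay-parsing code), the following Python walks a message's Received: headers newest-first, skips every hop whose connecting IP lies inside the trusted networks, and reports the first untrusted IP. That address is the one SPF and a lastexternal RBL lookup should be evaluated against. The header lines, hostnames, the 10.0.0.0/8 internal block and the 104.47.0.0/16 placeholder standing in for Office 365 are all constructed for the example; the thread gives no authoritative Microsoft range, so that value is an assumption to be replaced with the vendor-published list.

```python
import ipaddress
import re

# Matches the connecting IP recorded in a Received: header, e.g.
#   "from host (host [198.51.100.4]) by ..."  ->  "198.51.100.4"
RECEIVED_IP_RE = re.compile(r"\bfrom\b[^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_networks(spec):
    """Parse a space-separated, trusted_networks style list into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def is_trusted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def last_external_ip(received_headers, trusted):
    """Walk Received: headers newest-first (the order they appear in the message).

    Every hop whose connecting IP is trusted is skipped; the first untrusted
    connecting IP is the last external relay, i.e. the IP that SPF and
    lastexternal RBL checks should be evaluated against.  Returns None when
    every hop is trusted (the message originated inside the trust boundary).
    """
    for header in received_headers:
        m = RECEIVED_IP_RE.search(header)
        if m is None:
            continue  # local or non-SMTP hop without an IP: nothing to judge
        ip = m.group(1)
        if not is_trusted(ip, trusted):
            return ip
    return None


# Constructed sample, newest hop first: the MailScanner box received the
# message from an internal relay, which received it from Office 365, which
# received it from the real client.  Hostnames and IPs are illustrative.
SAMPLE_RECEIVED = [
    "from relay.corp.internal (relay.corp.internal [10.0.0.5]) "
    "by mailscanner.corp.internal with ESMTP",
    "from NAM05-DM3-obe.outbound.protection.outlook.com "
    "(mail-dm3nam05hn0245.outbound.protection.outlook.com [104.47.49.245]) "
    "by relay.corp.internal with ESMTPS",
    "from laptop.example.org (laptop.example.org [203.0.113.7]) "
    "by NAM05-DM3-obe.outbound.protection.outlook.com with ESMTPS",
]

INTERNAL_ONLY = "10.0.0.0/8"
# Assumption for illustration only: a placeholder range standing in for the
# Office 365 outbound ranges you would add after checking Microsoft's list.
WITH_O365 = "10.0.0.0/8 104.47.0.0/16"

if __name__ == "__main__":
    # Without trusting Office 365 the shared platform is the "edge":
    print(last_external_ip(SAMPLE_RECEIVED, parse_networks(INTERNAL_ONLY)))  # 104.47.49.245
    # Trusting it moves the edge back to the real client:
    print(last_external_ip(SAMPLE_RECEIVED, parse_networks(WITH_O365)))      # 203.0.113.7
```

The two runs show the trade-off described above: with only the internal block trusted, RBL and SPF checks land on the shared Office 365 IP, while extending trusted_networks to the platform pushes the check out to the true originating client.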
From Nicola.Piazzi at gruppocomet.it Tue May 7 07:15:47 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 7 May 2019 07:15:47 +0000
Subject: Spamassassin before mailscanner phishing tests ?
Message-ID: <9544e8d1bfc74a2c9ef75b28e15ec867@gruppocomet.it>
MailScanner tries to detect phishing frauds using patterns that it downloads from openphish and phishtank.
When I watch messages in MailWatch I have no evidence of this; perhaps MailScanner does this before invoking SpamAssassin.
Is it possible in some way to detect this in SpamAssassin, to write a rule and give a score?
From info at schroeffu.ch Tue May 7 23:01:24 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 07 May 2019 23:01:24 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
Message-ID: <44d426d0c69ab58f78f98bca6cd02061@schroeffu.ch>
Hi Bilal,
Can I ask you from the beginning what exactly the problem is? Maybe you mean this:
Let's say you own the domain 123dom.com. You receive emails from the (spoofed envelope) sender address bilal at 123dom.com to your own mailbox with the same domain, for example contact at 123dom.com?
If yes, let me know; this can be rejected with Postfix rules without touching MailScanner.
Lot regards
Schroeffu
From bilal.ahmed at kfueit.edu.pk Wed May 8 05:12:51 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Wed, 8 May 2019 10:12:51 +0500
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <44d426d0c69ab58f78f98bca6cd02061@schroeffu.ch>
References: <44d426d0c69ab58f78f98bca6cd02061@schroeffu.ch>
Message-ID: <004901d5055c$afaf5090$0f0df1b0$@kfueit.edu.pk>
Dear Schroeffu,
Exactly, I have the same problem as mentioned by you.
Bilal Ahmad
Network Administrator
Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
www.kfueit.edu.pk
From info at schroeffu.ch Wed May 8 09:04:27 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Wed, 08 May 2019 09:04:27 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
Message-ID: <188c75216c076064c6200f8f78e46a69@schroeffu.ch>
Hi Bilal,
OK, so the spam you get seems to be sent directly to your mail server. Spambot A) is connecting directly to your mail.dom123.com:25 and says "hey, I am bilal at 123.com and I have a mail for contact at 123.com", and your Postfix should, even before MailScanner scans for spam, reject this sender domain address, because it's not sent by your internal IPs.
Make sure you have all the IP ranges from your internal network configured in mynetworks = in /etc/main.cf; in my case it looks like this:
mynetworks = 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, 192.168.0.0/16, 127.0.0.0/8
Now we will configure Postfix to reject all incoming e-mails from the sender domain "@123.com" if the sender IP IS NOT an IP listed in "mynetworks". I guess there are multiple solutions possible in Postfix; I got it successfully rejected this way:
1. Create a "do not spoof these domains" file with your domains here: /etc/postfix/spoofingprotected_domains
2. Fill this file with the domains you want to protect from spoofing; for example, my file looks like this:
# The following entries REJECT the sender domain. Be sure the permit_mynetworks rule is set before this list in main.cf
123dom.com REJECT
anotherdomainfromme.com REJECT
3. Make the file readable by Postfix by running postmap: "postmap /etc/postfix/spoofingprotected_domains"
4. Now you have to put this "spoofing blacklist" in the right place in /etc/main.cf. Again, there are maybe multiple solutions, but here is mine:
Extend the option "smtpd_sender_restrictions =" with this file, but make sure "permit_mynetworks" is BEFORE the new file spoofingprotected_domains. So Postfix will still allow "123dom.com" as sender for your mynetworks= IP addresses, but Postfix will reject sender domains in /etc/postfix/spoofingprotected_domains if not from your IP. My line looks like this:
smtpd_sender_restrictions = reject_unknown_sender_domain, permit_mynetworks, hash:/etc/postfix/spoofingprotected_domains
5. Restart Postfix. Done.
You should try the new configuration yourself: log in to a web server outside your IP range and try to send yourself an email from 123dom.com to 123dom.com with telnet. It should already deny your mail test at step 2 like this:
ehlo 123dom.com
MAIL FROM:
MAIL FROM:
554 5.7.1 : Sender address rejected: Access denied
(Hehe, "access denied" is an ugly error message; prettier would be "this domain cannot be a sender address without being an internal IP", but hey, who cares!)
And also test that all other mail is still working properly, so that you don't damage your production : o )
Hope this helps
Schroeffu
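To make the ordering point in the recipe above concrete, here is an added Python model of how smtpd walks smtpd_sender_restrictions (example code written for this archive, not part of Postfix and not the poster's own setup). It reproduces the permit_mynetworks and hash: access-map steps using the sample mynetworks value and the two REJECT entries from the message, and shows that listing the access map before permit_mynetworks would reject the organisation's own internal senders. reject_unknown_sender_domain is modelled as a pass-through because it needs DNS; the 203.0.113.9 and 172.16.5.20 client addresses and the example sender addresses are constructed.

```python
import ipaddress

# Constructed example values mirroring the recipe (not a real deployment).
MYNETWORKS = "172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, 192.168.0.0/16, 127.0.0.0/8"

# What "postmap /etc/postfix/spoofingprotected_domains" builds from a file containing:
#   123dom.com               REJECT
#   anotherdomainfromme.com  REJECT
PROTECTED_DOMAINS = {"123dom.com": "REJECT", "anotherdomainfromme.com": "REJECT"}

GOOD_ORDER = ("reject_unknown_sender_domain, permit_mynetworks, "
              "hash:/etc/postfix/spoofingprotected_domains")
# The mistake the recipe warns about: access map consulted before permit_mynetworks.
BAD_ORDER = ("reject_unknown_sender_domain, "
             "hash:/etc/postfix/spoofingprotected_domains, permit_mynetworks")


def parse_mynetworks(spec):
    """Turn a comma/space separated mynetworks value into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.replace(",", " ").split()]


def access_lookup(sender, table):
    """Sender lookup order of access(5): the full address, then the domain and
    its parent domains (parent_domain_matches_subdomains includes
    smtpd_access_maps by default), then 'localpart@'.  Returns the action or None."""
    sender = sender.lower()
    if sender in table:
        return table[sender]
    localpart, _, domain = sender.partition("@")
    labels = domain.split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action is not None:
            return action
    return table.get(localpart + "@")


def evaluate(restrictions, client_ip, sender, mynetworks, table):
    """Walk smtpd_sender_restrictions left to right as smtpd does: the first
    restriction with a definite answer wins, anything else falls through.
    Returns 'PERMIT', 'REJECT' or 'DUNNO' (no decision at this stage)."""
    addr = ipaddress.ip_address(client_ip)
    for item in (r.strip() for r in restrictions.split(",")):
        if item == "permit_mynetworks":
            if any(addr in net for net in mynetworks):
                return "PERMIT"
        elif item == "reject_unknown_sender_domain":
            pass  # needs DNS; the sender domain is assumed to resolve here
        elif item.startswith("hash:"):
            action = access_lookup(sender, table)
            if action == "REJECT":
                return "REJECT"
            if action == "OK":
                return "PERMIT"
            # no entry or DUNNO: fall through to the next restriction
        else:
            raise ValueError("restriction not modelled: " + item)
    return "DUNNO"


if __name__ == "__main__":
    nets = parse_mynetworks(MYNETWORKS)
    cases = [
        ("203.0.113.9", "bilal@123dom.com"),      # spoofed, from outside
        ("172.16.5.20", "bilal@123dom.com"),      # legitimate internal sender
        ("203.0.113.9", "someone@example.net"),   # ordinary external mail
    ]
    for order_name, order in (("GOOD_ORDER", GOOD_ORDER), ("BAD_ORDER", BAD_ORDER)):
        for ip, sender in cases:
            print(order_name, ip, sender, "->", evaluate(order, ip, sender, nets, PROTECTED_DOMAINS))
```

With GOOD_ORDER the outside spoof is rejected, the internal sender is permitted and unrelated mail falls through to later restriction stages; with BAD_ORDER the internal sender of a protected domain is rejected as well, which is exactly the outage the "permit_mynetworks BEFORE the map" warning is about.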
From Nicola.Piazzi at gruppocomet.it Wed May 15 08:05:20 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Wed, 15 May 2019 08:05:20 +0000
Subject: RBL & URIBL skip 4 internal
Message-ID: <046a58133a124f578a2dce57ee71ac9c@gruppocomet.it>
I use all RBLs as lastexternal, and with trusted_networks I am able to skip them for internal IP submissions and save a lot of checks.
But this is not done for URIBL.
URIBL checks for domains in the email.
Is it possible to also skip all URIBL checks when an email comes from the internal network?
From info at schroeffu.ch Wed May 15 09:32:17 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Wed, 15 May 2019 09:32:17 +0000
Subject: Alert "Problem Messages" is spamming me every hour, delete
Processing.db did not help
Message-ID: <47f425eb76255763ce95bba8013e2349@schroeffu.ch>
Hi Mailscanner Friends,
I think I'm affected by an old issue. I am getting spammed by a MailScanner alert every hour because one email is not processed correctly:
---
Subject: Problem Messages
Archive:
Number of messages: 1
Tries Message Last Tried
===== ======= ==========
6 11A003C0065.AC53F Fri May 10 08:56:07 2019
--
MailScanner
----
Now I already deleted this (definitely spam) mail 11A003C0065.AC53F from /var/spool/MailScanner/quarantine/* where I found it stored, and did:
- stop mailscanner
- delete /var/spool/MailScanner/incoming/Processing.db
- start mailscanner
but it does not help. Looking inside this file "Processing.db" with "strings Processing.db" after delete & restart still shows me this message ID.
From where is MailScanner getting the information that this ID is not processed correctly, when I already deleted Processing.db? I cannot find the source of this information. Unfortunately I am still getting spammed every hour by the mailscanner --processing hourly cronjob, for days now; getting crazy :-)
---
/var/spool/MailScanner/incoming#
root at mailscanner1:/var/spool/MailScanner/incoming# strings Processing.db
SQLite format 3
{tablearchivearchive
CREATE TABLE archive (id TEXT, count INT, nexttime INT)J
gindexid_uniqprocessing
CREATE UNIQUE INDEX id_uniq ON processing(id)[
tableprocessingprocessing
CREATE TABLE processing (id TEXT, count INT, nexttime INT)
% % % % % % % % % % % % % % % % % % % % % % %
9CB363C188E.A0AB4
From mark at msapiro.net Wed May 15 18:27:37 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 15 May 2019 11:27:37 -0700
Subject: Alert "Problem Messages" is spamming me every hour, delete
Processing.db did not help
In-Reply-To: <47f425eb76255763ce95bba8013e2349@schroeffu.ch>
References: <47f425eb76255763ce95bba8013e2349@schroeffu.ch>
Message-ID: <9f97e698-7562-a728-268e-0e38e475bbe7@msapiro.net>
On 5/15/19 2:32 AM, info at schroeffu.ch wrote:
>
> Now I already deleted this (definitely spam) mail 11A003C0065.AC53F
> from /var/spool/MailScanner/quarantine/* where I found it stored, and did:
>
> - stop mailscanner
> - delete /var/spool/MailScanner/incoming/Processing.db
> - start mailscanner
>
> but it does not help. Watching inside of this file "Processing.db" with
> "strings Processing.db" after delete & restart shows me still this
> Message ID.
You don't need 'strings'. 'MailScanner --processing' will show it to you
too.
Did the message reappear in quarantine after you deleted it?
My guess is it's somehow queued in your MTA (postfix?).
What does 'grep 11A003C0065 /var/log/mail.log' (or wherever your mail
logs are) show?
> From where is MailScanner getting this information that this ID is not
> processed correctly when I already deleted Processing.db? I cannot find
> the source of this information. Unfortunately i am still getting spammed
> every hour by mailscanner --processing hourly cronjob for days now,
> getting crazy :-)
It comes from the Processing.db. The question is why is it reappearing
there? I think it must be coming from the MTA or maybe a MailScanner
queue. What's in /var/spool/MailScanner/nnnn where nnnn is the PID of
the running MailScanner, or if you are using the MailScanner Milter
option, what's in your milterin and milterout queues?
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From belle at bazuin.nl Thu May 16 13:47:30 2019
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Thu, 16 May 2019 15:47:30 +0200
Subject: Encrypted attachment blocks, but not for 7z.
In-Reply-To:
References:
Message-ID:
Hai,
Anyone have any tip on how to find out why an encrypted 7z file made it through MailScanner?
By default I'm blocking encrypted attachments; it works fine with zip or rar files, only not with 7z.
Any suggestions? I can't find anything here about why this happened.
I'm running:
Debian GNU/Linux 9.9 (stretch)
mailscanner 5.1.3-2
Greetz,
Louis
From iversons at rushville.k12.in.us Thu May 16 14:22:47 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 16 May 2019 10:22:47 -0400
Subject: Encrypted attachment blocks, but not for 7z.
In-Reply-To:
References:
Message-ID:
What version of 7z are you running?
From belle at bazuin.nl Thu May 16 14:31:16 2019
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Thu, 16 May 2019 16:31:16 +0200
Subject: Encrypted attachment blocks, but not for 7z.
In-Reply-To:
References:
Message-ID:
Hai Shawn,
The Debian supplied version is used:
ii  p7zip       16.02+dfsg-3+deb9u1  amd64  7zr file archiver with high compression ratio
ii  p7zip-full  16.02+dfsg-3+deb9u1  amd64  7z and 7za file archivers with high compression ratio
I just checked the versions; Debian buster still has the same version, only with a few fixes in the build.
I have:
MailScanner.conf:Un7zip Command = /usr/bin/7z
Usage: 7z [...] [...]
So that's OK.
I have an exception list for these files also: rules/mailwatch.encrypted.rules
But the sender domain/IP is not in my whitelist.
Greetz,
Louis
From bilal.ahmed at kfueit.edu.pk Fri May 17 10:15:02 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Fri, 17 May 2019 15:15:02 +0500
Subject: Quarantine Emails Release
Message-ID: <00ad01d50c99$64819080$2d84b180$@kfueit.edu.pk>
Dear All,
After releasing an email in MailWatch, the email is shown as released in
MailWatch.
But actually, after the email release, an email is received by the end user
from postmaster at domain.tld which says that the
original message is in the attachment, while the attachment is always empty.
Bilal Ahmad
Network Administrator
From info at schroeffu.ch Tue May 21 12:25:20 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 21 May 2019 12:25:20 +0000
Subject: Alert "Problem Messages" is spamming me every hour, > delete
Processing.db did not help
In-Reply-To:
References:
Message-ID:
Hi Mark, Hi MailScanner Friends,
I hadn't time to react earlier, sorry; now I just checked it again (it is still spamming me every
hour ^_?).
> You don't need 'strings'. 'MailScanner --processing' will show it to you
> too.
Thanks, at the moment "MailScanner --processing" is still displaying the bad message:
--
#MailScanner --processing
Archive:
Number of messages: 1
Tries Message Last Tried
===== ======= ==========
6 11A003C0065.AC53F Fri May 10 08:56:07 2019
--
> It comes from the Processing.db. The question is why is it reappearing
> there? I think it must be comming from the MTA or maybe a MailScanner
> queue. What's in /var/spool/MailScanner/nnnn where nnnn is the PID of
> the running MailScanner, or if you are useing the MailScanner Milter
> option whats in your milterin and milterout queues?
I am still using the ^HOLD queue mode, no milter in use. The folder /var/spool/MailScanner/nnnn does not contain the PID, in my case the PID is in /var/run/MailScanner.pid but it only contains the pid number:
/var/run# cat MailScanner.pid
211918
> What does 'grep 11A003C0065 /var/log/mail.log' (or wherever your mail
> logs are) show?
The already rotated log shows the following lines when searching for the message ID
11A003C0065:
root at vmlxmail1:/tmp/search-maillog2# grep -R 11A003C0065 *
May 10 08:29:33 vmlxmail1 postfix/smtpd[148698]: 11A003C0065:
client=mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245]
May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065: hold: header Received: from
NAM05-DM3-obe.outbound.protection.outlook.com (mail-dm3nam05hn0245.outbound.protection.outlook.com
[104.47.49.245]) by mail.ourdomain.de (Postfix) with ESMTPS id 11A003C0065 for from
mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245];
from= to= proto=ESMTP
helo=
May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065:
message-id=<36868ABC6C2FD54E67E1B8F6945AFB1A8E4318BD at WORLDST0I6DPJ59>
May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065:
mail-dm3nam05hn0245.outbound.protection.outlook.com [104.47.49.245] not internal
May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065: not authenticated
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F.message ? MIME ?
S2BOB3ITMHJ.html came from
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F.message came from
May 10 08:31:38 vmlxmail1 MailScanner[150510]: Making attempt 2 at processing message
11A003C0065.AC53F
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F.message came from
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F.message ? MIME ?
S2BOB3ITMHJ.html came from
May 10 08:35:59 vmlxmail1 MailScanner[150083]: Making attempt 3 at processing message
11A003C0065.AC53F
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F.message came from
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F.message ? MIME ?
S2BOB3ITMHJ.html came from
May 10 08:41:26 vmlxmail1 MailScanner[151456]: Making attempt 4 at processing message
11A003C0065.AC53F
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F.message came from
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F.message ? MIME ?
S2BOB3ITMHJ.html came from
May 10 08:47:24 vmlxmail1 MailScanner[150241]: Making attempt 5 at processing message
11A003C0065.AC53F
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F.message came from
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F.message ? MIME ?
S2BOB3ITMHJ.html came from
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at processing message
11A003C0065.AC53F
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message ? MIME ?
S2BOB3ITMHJ.html came from
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message 11A003C0065.AC53F as it
has been attempted too many times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message 11A003C0065.AC53F as it caused
MailScanner to crash several times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to
/var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
May 10 08:51:43 vmlxmail1 MailScanner[152425]: MailWatch: Logging message 11A003C0065.AC53F to SQL
May 10 08:51:43 vmlxmail1 MailScanner[150628]: MailWatch: 11A003C0065.AC53F: Logged to MailWatch
SQL
And attempt 6 with some more information (virus scanning, restart of the MailScanner process):
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at processing message
11A003C0065.AC53F
May 10 08:51:38 vmlxmail1 MailScanner[153430]: New Batch: Scanning 1 messages, 7155 bytes
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Virus and Content Scanning: Starting
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Cannot lock
/var/spool/MailScanner/incoming/Locks/esetsBusy.lock, No such file or directory
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Esets::INFECTED::JS/Redirector.NEE trojan
May 10 08:51:41 vmlxmail1 MailScanner[153430]: message repeated 2 times: [
Esets::INFECTED::JS/Redirector.NEE trojan]
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: esets found 3 infections
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message ? MIME ?
S2BOB3ITMHJ.html came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: Found 3 viruses
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailScanner Email Processor version 5.1.3
starting...
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file
/etc/MailScanner/MailScanner.conf
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file
/etc/MailScanner/conf.d/README
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 1500 hostnames from the phishing whitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 16624 hostnames from the phishing blacklists
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init function SQLWhitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Starting up MailWatch SQL Whitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Read 32 whitelist entries
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init function
MailWatchLogging
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Started MailWatch SQL Logging child
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Using SpamAssassin results cache
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Connected to SpamAssassin cache database
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Enabling SpamAssassin auto-whitelist
functionality...
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message 11A003C0065.AC53F as it
has been attempted too many times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message 11A003C0065.AC53F as it caused
MailScanner to crash several times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to
/var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
May 10 08:51:43 vmlxmail1 MailScanner[152425]: New Batch: Scanning 1 messages, 7155 bytes
So I already deleted the whole folder /var/spool/MailScanner/quarantine/20190510/ with its content.
In MailWatch WebUI I can see the logged message headers, but no folder/files 11A003C0065.AC53F/message
files (because deleted) as expected.
I also mysqldump'ed the MailWatch DB and grep'ed inside what's written about 11A003C0065; I think
there are only the logged headers of this queued message inside.
The Postfix queue, displayed with the "mailq" command, shows only real queued messages; the message ID 11A003C0065 isn't displayed in the Postfix queue.
I am still searching anywhere in /var/spool/ for where it could be telling
MailScanner at start that this message is in the --processing queue. No luck until now :-(
Many Regards
Schroeffu
From info at schroeffu.ch Tue May 21 12:53:43 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 21 May 2019 12:53:43 +0000
Subject: Alert "Problem Messages" is spamming me every hour, > delete
Processing.db did not help
In-Reply-To:
References:
Message-ID: <14f79f1bc8ed25b3feb7be2a44da0b41@schroeffu.ch>
Oh, I found it. The same file existed twice:
/var/spool/MailScanner/incoming/Processing.db
was also placed in /ramdisk_store/
/var/spool/MailScanner/ramdisk_store/Processing.db
so I stopped MS, deleted the file in both locations, started MS again, and now MailScanner --processing is empty again. Thanks for all the help.
From iversons at rushville.k12.in.us Tue May 21 13:05:13 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 21 May 2019 09:05:13 -0400
Subject: Alert "Problem Messages" is spamming me every hour, > delete
Processing.db did not help
In-Reply-To:
References:
Message-ID:
You may need at this point to halt mail flow at the MTA level, kill
Mailscanner processes (do not gracefully stop it ... ramdisk sync could
save a copy of the processing.db), and clean up the
/var/spool/Mailscanner/incoming directory including deleting the
processing.db in there and any child PID directory trees lingering in there.
Also, before starting Mailscanner again, disable the ramdisk sync in
/etc/Mailscanner/defaults if enabled
Turn ramdisk sync back on if it was on originally and you are sure it is
resolved.
On Tue, May 21, 2019, 8:25 AM wrote:
> Hi Mark, Hi MailScanner Friends,
>
> hadn't time to react earlier sorry, now I just checked it again (it is
> still spamming me every
> hour ^_?).
>
> > You don't need 'strings'. 'MailScanner --processing' will show it to you
> > too.
>
> Thanks, at the moment "MailScanner --processing" is still displaying the
> bad message:
>
> --
> #MailScanner --processing
> Archive:
>
> Number of messages: 1
> Tries Message Last Tried
> ===== ======= ==========
> 6 11A003C0065.AC53F Fri May 10 08:56:07 2019
> --
>
> > It comes from the Processing.db. The question is why is it reappearing
> > there? I think it must be comming from the MTA or maybe a MailScanner
> > queue. What's in /var/spool/MailScanner/nnnn where nnnn is the PID of
> > the running MailScanner, or if you are useing the MailScanner Milter
> > option whats in your milterin and milterout queues?
>
> I am still using the ^HOLD queue mode, no milter in use. The folder
> /var/spool/MailScanner/nnnn does not contain the PID, in my case the PID is
> in /var/run/MailScanner.pid but it only contains the pid number:
>
> /var/run# cat MailScanner.pid
> 211918
>
> > What does 'grep 11A003C0065 /var/log/mail.log' (or wherever your mail
> > logs are) show?
>
> The already rotated log is saying the following lines when searching for
> the message ID
> 11A003C0065:
>
> root at vmlxmail1:/tmp/search-maillog2# grep -R 11A003C0065 *
> May 10 08:29:33 vmlxmail1 postfix/smtpd[148698]: 11A003C0065:
> client=mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245]
> May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065: hold:
> header Received: from
> NAM05-DM3-obe.outbound.protection.outlook.com (
> mail-dm3nam05hn0245.outbound.protection.outlook.com
> [104.47.49.245]) by mail.ourdomain.de (Postfix) with ESMTPS id
> 11A003C0065 for from
> mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245];
> from= to=
> proto=ESMTP
> helo=
> May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065:
> message-id=<36868ABC6C2FD54E67E1B8F6945AFB1A8E4318BD at WORLDST0I6DPJ59>
> May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065:
> mail-dm3nam05hn0245.outbound.protection.outlook.com [104.47.49.245] not
> internal
> May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065: not authenticated
> May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message
> 11A003C0065.AC53F.message ? MIME ?
> S2BOB3ITMHJ.html came from
> May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:31:38 vmlxmail1 MailScanner[150510]: Making attempt 2 at
> processing message
> 11A003C0065.AC53F
> May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message
> 11A003C0065.AC53F.message ? MIME ?
> S2BOB3ITMHJ.html came from
> May 10 08:35:59 vmlxmail1 MailScanner[150083]: Making attempt 3 at
> processing message
> 11A003C0065.AC53F
> May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message
> 11A003C0065.AC53F.message ? MIME ?
> S2BOB3ITMHJ.html came from
> May 10 08:41:26 vmlxmail1 MailScanner[151456]: Making attempt 4 at
> processing message
> 11A003C0065.AC53F
> May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message
> 11A003C0065.AC53F.message ? MIME ?
> S2BOB3ITMHJ.html came from
> May 10 08:47:24 vmlxmail1 MailScanner[150241]: Making attempt 5 at
> processing message
> 11A003C0065.AC53F
> May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message
> 11A003C0065.AC53F.message ? MIME ?
> S2BOB3ITMHJ.html came from
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at
> processing message
> 11A003C0065.AC53F
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F.message ? MIME ?
> S2BOB3ITMHJ.html came from
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message
> 11A003C0065.AC53F as it
> has been attempted too many times
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message
> 11A003C0065.AC53F as it caused
> MailScanner to crash several times
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to
> /var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: MailWatch: Logging message
> 11A003C0065.AC53F to SQL
> May 10 08:51:43 vmlxmail1 MailScanner[150628]: MailWatch:
> 11A003C0065.AC53F: Logged to MailWatch
> SQL
>
> And attempt 6 with some more information (virus scanning, restart of the
> MailScanner process)
>
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at
> processing message
> 11A003C0065.AC53F
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: New Batch: Scanning 1
> messages, 7155 bytes
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: Virus and Content Scanning:
> Starting
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: Cannot lock
> /var/spool/MailScanner/incoming/Locks/esetsBusy.lock, No such file or
> directory
> May 10 08:51:41 vmlxmail1 MailScanner[153430]:
> Esets::INFECTED::JS/Redirector.NEE trojan
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: message repeated 2 times: [
> Esets::INFECTED::JS/Redirector.NEE trojan]
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: esets found
> 3 infections
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F.message ? MIME ?
> S2BOB3ITMHJ.html came from
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: Found 3
> viruses
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailScanner Email Processor
> version 5.1.3
> starting...
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file
> /etc/MailScanner/MailScanner.conf
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file
> /etc/MailScanner/conf.d/README
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 1500 hostnames from
> the phishing whitelist
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 16624 hostnames from
> the phishing blacklists
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init
> function SQLWhitelist
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Starting up
> MailWatch SQL Whitelist
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Read 32
> whitelist entries
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init
> function
> MailWatchLogging
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Started
> MailWatch SQL Logging child
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Using SpamAssassin results
> cache
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Connected to SpamAssassin
> cache database
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Enabling SpamAssassin
> auto-whitelist
> functionality...
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message
> 11A003C0065.AC53F as it
> has been attempted too many times
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message
> 11A003C0065.AC53F as it caused
> MailScanner to crash several times
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to
> /var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: New Batch: Scanning 1
> messages, 7155 bytes
>
> So I already deleted the whole folder
> /var/spool/MailScanner/quarantine/20190510/ with its content.
> In MailWatch WebUI I can see the logged message headers, but no
> folder/files 11A003C0065.AC53F/message
> files (because deleted), as expected.
>
> I also mysqldump'ed the MailWatch DB and grep'ed inside what's written
> about 11A003C0065; I think
> there are only the logged headers of this queued message inside.
>
> The Postfix queue, displayed with the "mailq" command, shows me only real
> queued messages; the message ID 11A003C0065 isn't in the displayed Postfix queue.
>
> I am still searching anywhere in /var/spool/ for where it could be
> telling MailScanner at start that this message is in the processing queue.
> No luck until now :-(
>
> Many Regards
> Schroeffu
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
From bilal.ahmed at kfueit.edu.pk Wed May 22 17:13:56 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Wed, 22 May 2019 22:13:56 +0500
Subject: How to Properly Release Quarantine Emails in Mailwatch
Message-ID: <000901d510c1$bd7658c0$38630a40$@kfueit.edu.pk>
Dear Experts,
After releasing an email in MailWatch, the email is shown as released in
MailWatch.
But in actual fact, after the release an email is received by the end user
from postmaster at domain.tld which says that
the original message is in the attachment, while the attachment is always empty.
Bilal Ahmad
Network Administrator
From mark at msapiro.net Wed May 22 20:18:37 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 22 May 2019 13:18:37 -0700
Subject: How to Properly Release Quarantine Emails in Mailwatch
In-Reply-To: <000901d510c1$bd7658c0$38630a40$@kfueit.edu.pk>
References: <000901d510c1$bd7658c0$38630a40$@kfueit.edu.pk>
Message-ID:
On 5/22/19 10:13 AM, bilal.ahmed at kfueit.edu.pk wrote:
>
> After release of an email in mailwatch the email shown as released in
> mailwatch.
>
> But in actual after the email release a email is received to the end
> user from postmaster at domain.tld which
> says that original message is in attachment while the attachment is
> always empty.
This seems to be a MailWatch issue, not a MailScanner issue. The
MailWatch list is
--
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
From belle at bazuin.nl Tue May 28 14:43:24 2019
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Tue, 28 May 2019 16:43:24 +0200
Subject: wrong detection of file?
Message-ID:
Hai Shawn,
Have you ever seen something like this?
I just e-mailed a file with the name shown below.
SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
The report shows:
Message: Executable DOS/Windows programs are dangerous in email (SSL Server Tes.com)
And it's shown in MailWatch as: application/pdf; charset=binary
Now the thing I don't get here is: how is the name "SSL Server Tes.com" constructed from
the name SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf?
I only changed the hostname and domain here; I kept the format exactly the same.
Greetz,
Louis
From iversons at rushville.k12.in.us Tue May 28 14:58:50 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 28 May 2019 10:58:50 -0400
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:
Yeah, it is matching by filename, not filetype, and it may be parsing the
name wrong.
Can you verify this rule is present?
deny \.com$
Which should not match, because it is not the end of the filename, but I bet
it is.
On Tue, May 28, 2019 at 10:43 AM L.P.H. van Belle via MailScanner <
mailscanner at lists.mailscanner.info> wrote:
> Hai Shawn,
>
>
> Have you ever seen something like this.
>
> I just e-mailed a file, with a name as shown below.
> SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
>
> The resport shows :
> Message: Executable DOS/Windows programs are dangerous in email (SSL
> Server Tes.com)
> And its shown in mailwatch as : application/pdf; charset=binary
>
> Now the thing i dont get here is, how is the name "SSL Server Tes.com"
> constructed from
> The name : SSL Server Test hostname.example.com (Powered by Qualys SSL
> Labs).pdf
>
> I only change the hostname and domain here, i kept the format exact the
> same.
>
> Greetz,
>
> Louis
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
From belle at bazuin.nl Tue May 28 15:02:00 2019
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Tue, 28 May 2019 17:02:00 +0200
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:
Yes, I have 2 of them.

filename.rules.conf:deny    \.com$    Windows/DOS Executable
archives.filename.rules.conf:deny    \.com$    Windows/DOS Executable    Executable DOS/Windows programs are dangerous in email

Greetz,

Louis

From: Shawn Iverson [mailto:iversons at rushville.k12.in.us]
Sent: Tuesday 28 May 2019 16:59
To: MailScanner Discussion
CC: L.P.H. van Belle
Subject: Re: wrong detection of file?
Yeah, it is matching by filename, not filetype, and it may be parsing the name wrong.
Can you verify this rule is present?
deny    \.com$
Which should not match because it is not the end of the filename but I bet it is.
On Tue, May 28, 2019 at 10:43 AM L.P.H. van Belle via MailScanner wrote:
Hai Shawn,
Have you ever seen something like this.
I just e-mailed a file, with a name as shown below.
SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
The resport shows :
Message: Executable DOS/Windows programs are dangerous in email (SSL Server Tes.com)
And its shown in mailwatch as : application/pdf; charset=binary
Now the thing i dont get here is, how is the name "SSL Server Tes.com" constructed from
The name : SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
I only change the hostname and domain here, i kept the format exact the same.
Greetz,
Louis
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
--
Shawn Iverson, CETL Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
From peter.farrow at togethia.net Tue May 28 15:38:03 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Tue, 28 May 2019 16:38:03 +0100
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:
Dear Louis,
A file ending in ".com" is a computer code executable program.
Mailscanner is seeing "example.com" and disallowing it as a potential
executable.
This is normal, expected and by-design behaviour.
Pete
On 28/05/2019 15:43, L.P.H. van Belle via MailScanner wrote:
> Hai Shawn,
>
>
> Have you ever seen something like this.
>
> I just e-mailed a file, with a name as shown below.
> SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
>
> The resport shows :
> Message: Executable DOS/Windows programs are dangerous in email (SSL Server Tes.com)
> And its shown in mailwatch as : application/pdf; charset=binary
>
> Now the thing i dont get here is, how is the name "SSL Server Tes.com" constructed from
> The name : SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
>
> I only change the hostname and domain here, i kept the format exact the same.
>
> Greetz,
>
> Louis
>
>
>
From iversons at rushville.k12.in.us Tue May 28 15:50:17 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 28 May 2019 11:50:17 -0400
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:
Although I agree with you, a file with .com in the middle of it should not
match. I suspect the filename parser in MailScanner is not parsing the
filename properly and is perhaps treating the space-separated elements of
the filename as separate strings.
On Tue, May 28, 2019 at 11:38 AM Peter Farrow
wrote:
> Dear Louis,
>
> A file ending in ".com" is a computer code executable program.
>
> Mailscanner is seeing "example.com" and disallowing it as a potential
> executable.
>
> This is normal expected and by design behaviour,
>
> Pete
>
> On 28/05/2019 15:43, L.P.H. van Belle via MailScanner wrote:
>
> Hai Shawn,
>
>
> Have you ever seen something like this.
>
> I just e-mailed a file, with a name as shown below.
> SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
>
> The resport shows :
> Message: Executable DOS/Windows programs are dangerous in email (SSL Server Tes.com)
> And its shown in mailwatch as : application/pdf; charset=binary
>
> Now the thing i dont get here is, how is the name "SSL Server Tes.com" constructed from
> The name : SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
>
> I only change the hostname and domain here, i kept the format exact the same.
>
> Greetz,
>
> Louis
>
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
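As an added illustration of the "deny \.com$" discussion above (this is not MailScanner's own code, nor code from anyone in this thread), the small matcher below reads rules in the tab-separated filename.rules.conf layout Louis pasted and applies them to the three readings of the name in question: the full filename, the truncated name MailScanner reported, and the name split on whitespace as Shawn suspects. The sample rule file is constructed, and first-match-wins order and case-insensitive matching are assumptions here.

```python
import re

# Constructed sample in the tab-separated layout of MailScanner's
# filename.rules.conf (action, regex, log text, user report; "-" = none),
# modelled on the "deny \.com$" rule quoted in the thread. Not the project's file.
SAMPLE_RULES = (
    "# action\tpattern\tlog text\tuser report\n"
    "deny\t\\.com$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email\n"
    "deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email\n"
    "allow\t.*\t-\t-\n"
)

FULL_NAME = "SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf"
REPORTED_NAME = "SSL Server Tes.com"  # the name MailScanner reported in the thread


def parse_rules(text):
    """Parse rule lines into (action, compiled regex, log text, user report).
    Blank lines and '#' comments are skipped. Patterns are compiled
    case-insensitively, which is assumed here to mirror MailScanner."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line, maxsplit=3)
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny", "deny+delete"):
            raise ValueError("malformed rule line: %r" % line)
        action, pattern = fields[0].lower(), fields[1]
        logtext = fields[2] if len(fields) > 2 else "-"
        report = fields[3] if len(fields) > 3 else "-"
        rules.append((action, re.compile(pattern, re.IGNORECASE), logtext, report))
    return rules


def check_filename(name, rules):
    """Apply rules in file order; the first pattern that matches decides.
    Returns (action, pattern, user report); no match at all means allow."""
    for action, rx, _logtext, report in rules:
        if rx.search(name):
            return action, rx.pattern, report
    return "allow", None, "-"


def denied_tokens(name, rules):
    """Shawn's hypothesis: if the scanner split the name on whitespace and
    checked each piece separately, which pieces would a deny rule catch?"""
    return [tok for tok in name.split() if check_filename(tok, rules)[0] != "allow"]


RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for label, name in (("full name", FULL_NAME), ("reported name", REPORTED_NAME)):
        action, pattern, report = check_filename(name, RULES)
        print("%-13s %-6s pattern=%s  %s" % (label, action, pattern, report))
    print("tokens denied if split on spaces:", denied_tokens(FULL_NAME, RULES))
```

Run as written, the full name is allowed by the catch-all, the reported name is denied by \.com$, and only the "hostname.example.com" token is denied when the name is split on spaces, so whichever mangling happened, it took place before the rule was applied.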
From Antony.Stone at mailscanner.open.source.it Tue May 28 15:51:22 2019
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Tue, 28 May 2019 17:51:22 +0200
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID: <201905281751.22336.Antony.Stone@mailscanner.open.source.it>
On Tuesday 28 May 2019 at 17:38:03, Peter Farrow wrote:
> Dear Louis,
>
> A file ending in ".com" is a computer code executable program.
>
> Mailscanner is seeing "example.com" and disallowing it as a potential
> executable.
So why is it:
a) reporting "SSL Server Tes.com" as the filename?
b) thinking the filename ends in .com when it actually ends in .pdf (and is
what Windows would pay attention to, no matter what's in the middle of the
name)?
> This is normal expected and by design behaviour,
I disagree.
Even if it were true, this would be a bug, because MailScanner would be
treating filenames differently from the way Windows treats them, and therefore
generating false positives.
Antony.
> On 28/05/2019 15:43, L.P.H. van Belle via MailScanner wrote:
> > Hai Shawn,
> >
> >
> > Have you ever seen something like this.
> >
> > I just e-mailed a file, with a name as shown below.
> > SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf
> >
> > The resport shows :
> > Message: Executable DOS/Windows programs are dangerous in email (SSL
> > Server Tes.com) And its shown in mailwatch as : application/pdf;
> > charset=binary
> >
> > Now the thing i dont get here is, how is the name "SSL Server Tes.com"
> > constructed from The name : SSL Server Test hostname.example.com
> > (Powered by Qualys SSL Labs).pdf
> >
> > I only change the hostname and domain here, i kept the format exact the
> > same.
> >
> > Greetz,
> >
> > Louis
--
In Heaven, the beer is Belgian, the chefs are Italian, the supermarkets are
British, the mechanics are German, the lovers are French, the entertainment is
American, and everything is organised by the Swiss.
In Hell, the beer is American, the chefs are British, the supermarkets are
German, the mechanics are French, the lovers are Swiss, the entertainment is
Belgian, and everything is organised by the Italians.
Please reply to the list;
please *don't* CC me.
From alex at vidadigital.com.pa Tue May 28 15:52:30 2019
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue, 28 May 2019 17:52:30 +0200
Subject: wrong detection of file?
In-Reply-To:
References: