From bilal.ahmed at kfueit.edu.pk Sat May 4 19:27:05 2019 From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk) Date: Sun, 5 May 2019 00:27:05 +0500 Subject: Email SPoofing Block Help with SPF in Mailscanner Message-ID: <013f01d502af$5dfafd80$19f0f880$@kfueit.edu.pk> Kindly I need a help someone is spoofing address of my domain and forwarding email to my own domain. My SPF is already added in Public DNS. Please Any solution to block invalid SPF record address in my Mailscanner/spamassasian. Because I have seen the spoof address with no SPF record are passing through Mainscanner. Bilal Ahmad Network Administrator Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499 www.kfueit.edu.pk -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 5243 bytes Desc: not available URL: From bilal.ahmed at kfueit.edu.pk Sat May 4 19:37:05 2019 From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk) Date: Sun, 5 May 2019 00:37:05 +0500 Subject: Spoof email Blocking Help in Mailscanner Message-ID: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk> Please help someone is spoofing my email address on my domain. My SPF is valid and added in Public DNS How to block in Mailscanner /spamassasian a email with invalid or no SPF record Bilal Ahmad -------------- next part -------------- An HTML attachment was scrubbed... URL: From bilal.ahmed at kfueit.edu.pk Sat May 4 19:37:05 2019 From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk) Date: Sun, 5 May 2019 00:37:05 +0500 Subject: Email SPoofing Block Help with SPF in Mailscanner Message-ID: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> Kindly I need a help someone is spoofing address of my domain and forwarding email to my own domain. My SPF is already added in Public DNS. Please Any solution to block invalid SPF record address in my Mailscanner/spamassasian. 
Because I have seen the spoof address with no SPF record are passing through Mainscanner. Bilal Ahmad Network Administrator Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499 www.kfueit.edu.pk -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 5243 bytes Desc: not available URL: From mark at msapiro.net Sat May 4 20:35:45 2019 From: mark at msapiro.net (Mark Sapiro) Date: Sat, 4 May 2019 13:35:45 -0700 Subject: Spoof email Blocking Help in Mailscanner In-Reply-To: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk> References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk> Message-ID: <02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net> On 5/4/19 12:37 PM, bilal.ahmed at kfueit.edu.pk wrote: > > How to block in Mailscanner /spamassasian? a email with invalid or no > SPF record Ensure you have loadplugin Mail::SpamAssassin::Plugin::SPF in one of your /etc/spamassassin/*.pre files and then set score SPF_FAIL to a big number in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From bilal.ahmed at kfueit.edu.pk Sun May 5 01:54:01 2019 From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk) Date: Sun, 5 May 2019 06:54:01 +0500 Subject: Spoof email Blocking Help in Mailscanner In-Reply-To: <02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net> References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk> <02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net> Message-ID: <005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk> Dear Thanks I have make sure that loadplugin Mail::SpamAssassin::Plugin::SPF is loaded . Last question how to add score in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf file. 
I have simply write score SPF_FAIL 15.0 But its still not rejecting invalid SPF email and passing with clean 0.0 Bilal Ahmad -----Original Message----- From: MailScanner On Behalf Of Mark Sapiro Sent: Sunday, 5 May 2019 1:36 AM To: mailscanner at lists.mailscanner.info Subject: Re: Spoof email Blocking Help in Mailscanner On 5/4/19 12:37 PM, bilal.ahmed at kfueit.edu.pk wrote: > > How to block in Mailscanner /spamassasian a email with invalid or no > SPF record Ensure you have loadplugin Mail::SpamAssassin::Plugin::SPF in one of your /etc/spamassassin/*.pre files and then set score SPF_FAIL to a big number in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner From yuwang at cs.fsu.edu Sun May 5 02:14:54 2019 From: yuwang at cs.fsu.edu (Yu Wang) Date: Sat, 4 May 2019 22:14:54 -0400 Subject: Spoof email Blocking Help in Mailscanner In-Reply-To: <005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk> References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk> <02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net> <005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk> Message-ID: <5dd601d502e8$5483a700$fd8af500$@cs.fsu.edu> Did you restart your mailscanner daemon? -----Original Message----- From: MailScanner On Behalf Of bilal.ahmed at kfueit.edu.pk Sent: Saturday, May 4, 2019 9:54 PM To: 'MailScanner Discussion' Subject: RE: Spoof email Blocking Help in Mailscanner Dear Thanks I have make sure that loadplugin Mail::SpamAssassin::Plugin::SPF is loaded . Last question how to add score in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf file. 
I have simply write score SPF_FAIL 15.0 But its still not rejecting invalid SPF email and passing with clean 0.0 Bilal Ahmad -----Original Message----- From: MailScanner On Behalf Of Mark Sapiro Sent: Sunday, 5 May 2019 1:36 AM To: mailscanner at lists.mailscanner.info Subject: Re: Spoof email Blocking Help in Mailscanner On 5/4/19 12:37 PM, bilal.ahmed at kfueit.edu.pk wrote: > > How to block in Mailscanner /spamassasian a email with invalid or no > SPF record Ensure you have loadplugin Mail::SpamAssassin::Plugin::SPF in one of your /etc/spamassassin/*.pre files and then set score SPF_FAIL to a big number in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner From bilal.ahmed at kfueit.edu.pk Sun May 5 03:15:58 2019 From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk) Date: Sun, 5 May 2019 08:15:58 +0500 Subject: Spoof email Blocking Help in Mailscanner In-Reply-To: <5dd601d502e8$5483a700$fd8af500$@cs.fsu.edu> References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk> <02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net> <005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk> <5dd601d502e8$5483a700$fd8af500$@cs.fsu.edu> Message-ID: <001201d502f0$dc8e5660$95ab0320$@kfueit.edu.pk> Yes but not work Dear Now I have added these lines /etc/spamassassin/local.cf and its working meta SPF_NOT_PASS !(SPF_PASS || NO_RELAYS) score SPF_NOT_PASS 4.506 # flag 10% of non-spam that hits this rule as spam. describe SPF_NOT_PASS Not fully validated by SPF. 
Bilal Ahmad -----Original Message----- From: MailScanner On Behalf Of Yu Wang Sent: Sunday, 5 May 2019 7:15 AM To: 'MailScanner Discussion' Subject: RE: Spoof email Blocking Help in Mailscanner Did you restart your mailscanner daemon? -----Original Message----- From: MailScanner On Behalf Of bilal.ahmed at kfueit.edu.pk Sent: Saturday, May 4, 2019 9:54 PM To: 'MailScanner Discussion' Subject: RE: Spoof email Blocking Help in Mailscanner Dear Thanks I have make sure that loadplugin Mail::SpamAssassin::Plugin::SPF is loaded . Last question how to add score in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf file. I have simply write score SPF_FAIL 15.0 But its still not rejecting invalid SPF email and passing with clean 0.0 Bilal Ahmad -----Original Message----- From: MailScanner On Behalf Of Mark Sapiro Sent: Sunday, 5 May 2019 1:36 AM To: mailscanner at lists.mailscanner.info Subject: Re: Spoof email Blocking Help in Mailscanner On 5/4/19 12:37 PM, bilal.ahmed at kfueit.edu.pk wrote: > > How to block in Mailscanner /spamassasian a email with invalid or no > SPF record Ensure you have loadplugin Mail::SpamAssassin::Plugin::SPF in one of your /etc/spamassassin/*.pre files and then set score SPF_FAIL to a big number in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner From bilal.ahmed at kfueit.edu.pk Sun May 5 04:05:56 2019 From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk) Date: Sun, 5 May 2019 09:05:56 +0500 Subject: Spoof email Blocking Help in Mailscanner In-Reply-To: <001201d502f0$dc8e5660$95ab0320$@kfueit.edu.pk> References: <019c01d502b0$c4548230$4cfd8690$@kfueit.edu.pk> <02e87139-cc84-18f9-10c6-71da2d9cfac9@msapiro.net> <005901d502e5$6a1bf0c0$3e53d240$@kfueit.edu.pk> <5dd601d502e8$5483a700$fd8af500$@cs.fsu.edu> <001201d502f0$dc8e5660$95ab0320$@kfueit.edu.pk> Message-ID: <006b01d502f7$d91fb850$8b5f28f0$@kfueit.edu.pk> But with this setting I fall in another trouble , because my own all valid email are marked as spam due to this rule. Even I whitelisted my own domain but SPF_NOT_PASS add high score.......... While my SPF is valid and I verified from various testing tools as well. Bilal Ahmad Network Administrator -----Original Message----- From: MailScanner On Behalf Of bilal.ahmed at kfueit.edu.pk Sent: Sunday, 5 May 2019 8:16 AM To: 'MailScanner Discussion' Subject: RE: Spoof email Blocking Help in Mailscanner Yes but not work Dear Now I have added these lines /etc/spamassassin/local.cf and its working meta SPF_NOT_PASS !(SPF_PASS || NO_RELAYS) score SPF_NOT_PASS 4.506 # flag 10% of non-spam that hits this rule as spam. describe SPF_NOT_PASS Not fully validated by SPF. Bilal Ahmad -----Original Message----- From: MailScanner On Behalf Of Yu Wang Sent: Sunday, 5 May 2019 7:15 AM To: 'MailScanner Discussion' Subject: RE: Spoof email Blocking Help in Mailscanner Did you restart your mailscanner daemon? 
-----Original Message----- From: MailScanner On Behalf Of bilal.ahmed at kfueit.edu.pk Sent: Saturday, May 4, 2019 9:54 PM To: 'MailScanner Discussion' Subject: RE: Spoof email Blocking Help in Mailscanner Dear Thanks I have make sure that loadplugin Mail::SpamAssassin::Plugin::SPF is loaded . Last question how to add score in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf file. I have simply write score SPF_FAIL 15.0 But its still not rejecting invalid SPF email and passing with clean 0.0 Bilal Ahmad -----Original Message----- From: MailScanner On Behalf Of Mark Sapiro Sent: Sunday, 5 May 2019 1:36 AM To: mailscanner at lists.mailscanner.info Subject: Re: Spoof email Blocking Help in Mailscanner On 5/4/19 12:37 PM, bilal.ahmed at kfueit.edu.pk wrote: > > How to block in Mailscanner /spamassasian a email with invalid or no > SPF record Ensure you have loadplugin Mail::SpamAssassin::Plugin::SPF in one of your /etc/spamassassin/*.pre files and then set score SPF_FAIL to a big number in /etc/MailScanner/spamassassin.conf or /etc/spamassassin/local.cf -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner From maxsec at gmail.com Sun May 5 08:20:10 2019 From: maxsec at gmail.com (Martin Hepworth) Date: Sun, 5 May 2019 09:20:10 +0100 Subject: Email SPoofing Block Help with SPF in Mailscanner In-Reply-To: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> Message-ID: Have you whitelisted your own domain? On Sat, 4 May 2019 at 20:38, wrote: > Kindly I need a help someone is spoofing address of my domain and > forwarding email to my own domain. > > My SPF is already added in Public DNS. > > > > Please Any solution to block invalid SPF record address in my > Mailscanner/spamassasian. > > Because I have seen the spoof address with no SPF record are passing > through Mainscanner. > > > > > > > > > > *Bilal Ahmad* > > Network Administrator > > Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499 > > www.kfueit.edu.pk > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: image001.jpg Type: image/jpeg Size: 5243 bytes Desc: not available URL: From djones at ena.com Sun May 5 13:44:25 2019 From: djones at ena.com (David Jones) Date: Sun, 5 May 2019 13:44:25 +0000 Subject: Email SPoofing Block Help with SPF in Mailscanner In-Reply-To: References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> Message-ID: <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com> Never, ever, ever whitelist either in MailScanner or SpamAssassin any domains that your MTA is configured to accept. This will definitely let spoofed emails through. > On Sat, 4 May 2019 at 20:38, > wrote: > > Kindly I need a help someone is spoofing address of my domain and > forwarding email to my own domain.____ > We need an example email with headers lightly redacted posted to someplace like pastebin.com. It would also help to see the maillog entries for that queue ID. There are multiple ways to block this based on the email headers. We aren't even sure what domain to check the SPF record for without any headers. You should consider setting these values in MailScanner.conf if not already to help with troubleshooting: Add Envelope From Header = yes Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = yes Spam Score = yes These must be on based on what information you provided but make sure: Spam Checks = yes Use SpamAssassin = yes > My SPF is already added in Public DNS.____ > Your own SPF setting in DNS will help prevent spoofing to others but will not necessarily help spoofing to your own mail server running MailScanner/SpamAssassin depending on your mail flow setup. For example, does outbound mail flow for your domain go through this same mail server unauthenticated from an internal mail server? Does an internal mail server smarthost to or run locally on this MailScanner instance? 
If your outbound mail does not go through this MailScanner instance, then you have options like this in your /etc/mail/spamassassin/local.cf or /etc/mail/spamassassin/mailscanner.cf: blacklist_from *@yourdomain.com It appears that your outbound mail does flow through this MailScanner box based on the "score SPF_FAIL 15.0" so the entry above would block legit email just like the "score SPF_FAIL 15.0" entry. You might be able to add this to the etc/mail/spamassassin/local.cf or /etc/mail/spamassassin/mailscanner.cf: whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss] where the "ip.add.re.ss" is the internal IP address of your mail server. Note this is not ideal since you will no longer be filtering outbound email. NOTE: this would only be temporary until a better solution is determined after seeing the email headers of a spoofed email and knowing more about the mail flow. > __ __ > > Please Any solution to block invalid SPF record address in my > Mailscanner/spamassasian.____ > Please provide more detail. Mail filtering is very complex so we can't help without details. - original email lightly redacted posted to pastebin.com - what is the MTA? - what RBLs are configured in the MTA? - version of MailScanner - version of SpamAssassin > Because I have seen the spoof address with no SPF record are passing > through Mainscanner.____ > This may be more of a question for the SpamAssassin Users mailing list if MailScanner is properly using SpamAssassin. 
-- David Jones From maxsec at gmail.com Sun May 5 15:47:54 2019 From: maxsec at gmail.com (Martin Hepworth) Date: Sun, 5 May 2019 16:47:54 +0100 Subject: Email SPoofing Block Help with SPF in Mailscanner In-Reply-To: <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com> References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com> Message-ID: Was a question not an instruction, the whitelist of your own domain is a common configuration error and will make sure spoofed emails allegedly from your own domain will get through. Martin On Sun, 5 May 2019 at 14:45, David Jones via MailScanner < mailscanner at lists.mailscanner.info> wrote: > Never, ever, ever whitelist either in MailScanner or SpamAssassin any > domains that your MTA is configured to accept. This will definitely let > spoofed emails through. > > > On Sat, 4 May 2019 at 20:38, > > wrote: > > > > Kindly I need a help someone is spoofing address of my domain and > > forwarding email to my own domain.____ > > > > We need an example email with headers lightly redacted posted to > someplace like pastebin.com. It would also help to see the maillog > entries for that queue ID. > > There are multiple ways to block this based on the email headers. > > We aren't even sure what domain to check the SPF record for without any > headers. 
> > You should consider setting these values in MailScanner.conf if not > already to help with troubleshooting: > > Add Envelope From Header = yes > Detailed Spam Report = yes > Include Scores In SpamAssassin Report = yes > Always Include SpamAssassin Report = yes > Spam Score = yes > > These must be on based on what information you provided but make sure: > Spam Checks = yes > Use SpamAssassin = yes > > > My SPF is already added in Public DNS.____ > > > > Your own SPF setting in DNS will help prevent spoofing to others but > will not necessarily help spoofing to your own mail server running > MailScanner/SpamAssassin depending on your mail flow setup. For > example, does outbound mail flow for your domain go through this same > mail server unauthenticated from an internal mail server? Does an > internal mail server smarthost to or run locally on this MailScanner > instance? > > If your outbound mail does not go through this MailScanner instance, > then you have options like this in your /etc/mail/spamassassin/local.cf > or /etc/mail/spamassassin/mailscanner.cf: > > blacklist_from *@yourdomain.com > > It appears that your outbound mail does flow through this MailScanner > box based on the "score SPF_FAIL 15.0" so the entry above would block > legit email just like the "score SPF_FAIL 15.0" entry. > > You might be able to add this to the etc/mail/spamassassin/local.cf or > /etc/mail/spamassassin/mailscanner.cf: > > whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss] > > where the "ip.add.re.ss" is the internal IP address of your mail server. > Note this is not ideal since you will no longer be filtering outbound > email. > > NOTE: this would only be temporary until a better solution is determined > after seeing the email headers of a spoofed email and knowing more about > the mail flow. > > > __ __ > > > > Please Any solution to block invalid SPF record address in my > > Mailscanner/spamassasian.____ > > > > Please provide more detail. 
Mail filtering is very complex so we can't > help without details. > > - original email lightly redacted posted to pastebin.com > - what is the MTA? > - what RBLs are configured in the MTA? > - version of MailScanner > - version of SpamAssassin > > > Because I have seen the spoof address with no SPF record are passing > > through Mainscanner.____ > > > > This may be more of a question for the SpamAssassin Users mailing list > if MailScanner is properly using SpamAssassin. > > -- > David Jones > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: From djones at ena.com Mon May 6 05:39:24 2019 From: djones at ena.com (David Jones) Date: Mon, 6 May 2019 05:39:24 +0000 Subject: Email SPoofing Block Help with SPF in Mailscanner In-Reply-To: References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>, Message-ID: Martin, I knew you wouldn't have done that which is why I removed your name from the top of the reply. My response was for the OP and others that might have done that. :) Dave ________________________________ From: MailScanner on behalf of Martin Hepworth Sent: Sunday, May 5, 2019 10:47 AM To: MailScanner Discussion Subject: Re: Email SPoofing Block Help with SPF in Mailscanner Was a question not an instruction, the whitelist of your own domain is a common configuration error and will make sure spoofed emails allegedly from your own domain will get through. Martin On Sun, 5 May 2019 at 14:45, David Jones via MailScanner > wrote: Never, ever, ever whitelist either in MailScanner or SpamAssassin any domains that your MTA is configured to accept. This will definitely let spoofed emails through. 
> On Sat, 4 May 2019 at 20:38, > >> wrote: > > Kindly I need a help someone is spoofing address of my domain and > forwarding email to my own domain.____ > We need an example email with headers lightly redacted posted to someplace like pastebin.com. It would also help to see the maillog entries for that queue ID. There are multiple ways to block this based on the email headers. We aren't even sure what domain to check the SPF record for without any headers. You should consider setting these values in MailScanner.conf if not already to help with troubleshooting: Add Envelope From Header = yes Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = yes Spam Score = yes These must be on based on what information you provided but make sure: Spam Checks = yes Use SpamAssassin = yes > My SPF is already added in Public DNS.____ > Your own SPF setting in DNS will help prevent spoofing to others but will not necessarily help spoofing to your own mail server running MailScanner/SpamAssassin depending on your mail flow setup. For example, does outbound mail flow for your domain go through this same mail server unauthenticated from an internal mail server? Does an internal mail server smarthost to or run locally on this MailScanner instance? If your outbound mail does not go through this MailScanner instance, then you have options like this in your /etc/mail/spamassassin/local.cf or /etc/mail/spamassassin/mailscanner.cf: blacklist_from *@yourdomain.com It appears that your outbound mail does flow through this MailScanner box based on the "score SPF_FAIL 15.0" so the entry above would block legit email just like the "score SPF_FAIL 15.0" entry. You might be able to add this to the etc/mail/spamassassin/local.cf or /etc/mail/spamassassin/mailscanner.cf: whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss] where the "ip.add.re.ss" is the internal IP address of your mail server. 
Note this is not ideal since you will no longer be filtering outbound email. NOTE: this would only be temporary until a better solution is determined after seeing the email headers of a spoofed email and knowing more about the mail flow. > __ __ > > Please Any solution to block invalid SPF record address in my > Mailscanner/spamassasian.____ > Please provide more detail. Mail filtering is very complex so we can't help without details. - original email lightly redacted posted to pastebin.com - what is the MTA? - what RBLs are configured in the MTA? - version of MailScanner - version of SpamAssassin > Because I have seen the spoof address with no SPF record are passing > through Mainscanner.____ > This may be more of a question for the SpamAssassin Users mailing list if MailScanner is properly using SpamAssassin. -- David Jones -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: From bilal.ahmed at kfueit.edu.pk Mon May 6 15:25:31 2019 From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk) Date: Mon, 6 May 2019 20:25:31 +0500 Subject: Email SPoofing Block Help with SPF in Mailscanner In-Reply-To: References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>, Message-ID: <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk> Dear Experts, First of all thanks for your advice , exactly you people are right that I whitelist all my domain it lets the spammers forge email address with my domain email address to get pass through. My MTA Postfix , IMAP Server is Cyrus, Postfix Version: 3.1.0 , MailScanner Version: 5.0.7, SpamAssassin Version: 3.4.1 My scenario is that my Email server is hosted internally at Private ip address range . My TXT Record at public dns is for my public faced IP address. 
Issue is that when I send email at GMAIL,Yahoo,Hotmail etc my SPF is valid as shown at their received email headers. SPF is valid checked at MXTOOLS as well. But my own mailscanner says SPF Fails may be because email server ip is private and TXT record is for mail server public faced IP. I am doing all this SPF check to get rid of spoofed emails that using my domain address so I have whitelisted my internal network and host:mydomain How to get rid of this SPF fail on my own mailscanner so that my own emails not get high score ? Any other solution to prevent Email spoofing ? Bilal Ahmad Network Administrator Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499 www.kfueit.edu.pk From: MailScanner On Behalf Of David Jones via MailScanner Sent: Monday, 6 May 2019 10:39 AM To: MailScanner Discussion Cc: David Jones Subject: Re: Email SPoofing Block Help with SPF in Mailscanner Martin, I knew you wouldn't have done that which is why I removed your name from the top of the reply. My response was for the OP and others that might have done that. :) Dave _____ From: MailScanner > on behalf of Martin Hepworth > Sent: Sunday, May 5, 2019 10:47 AM To: MailScanner Discussion Subject: Re: Email SPoofing Block Help with SPF in Mailscanner Was a question not an instruction, the whitelist of your own domain is a common configuration error and will make sure spoofed emails allegedly from your own domain will get through. Martin On Sun, 5 May 2019 at 14:45, David Jones via MailScanner > wrote: Never, ever, ever whitelist either in MailScanner or SpamAssassin any domains that your MTA is configured to accept. This will definitely let spoofed emails through. > On Sat, 4 May 2019 at 20:38, > >> wrote: > > Kindly I need a help someone is spoofing address of my domain and > forwarding email to my own domain.____ > We need an example email with headers lightly redacted posted to someplace like pastebin.com . It would also help to see the maillog entries for that queue ID. 
There are multiple ways to block this based on the email headers. We aren't even sure what domain to check the SPF record for without any headers. You should consider setting these values in MailScanner.conf if not already to help with troubleshooting: Add Envelope From Header = yes Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = yes Spam Score = yes These must be on based on what information you provided but make sure: Spam Checks = yes Use SpamAssassin = yes > My SPF is already added in Public DNS.____ > Your own SPF setting in DNS will help prevent spoofing to others but will not necessarily help spoofing to your own mail server running MailScanner/SpamAssassin depending on your mail flow setup. For example, does outbound mail flow for your domain go through this same mail server unauthenticated from an internal mail server? Does an internal mail server smarthost to or run locally on this MailScanner instance? If your outbound mail does not go through this MailScanner instance, then you have options like this in your /etc/mail/spamassassin/local.cf or /etc/mail/spamassassin/mailscanner.cf : blacklist_from *@yourdomain.com It appears that your outbound mail does flow through this MailScanner box based on the "score SPF_FAIL 15.0" so the entry above would block legit email just like the "score SPF_FAIL 15.0" entry. You might be able to add this to the etc/mail/spamassassin/local.cf or /etc/mail/spamassassin/mailscanner.cf : whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss] where the "ip.add.re.ss" is the internal IP address of your mail server. Note this is not ideal since you will no longer be filtering outbound email. NOTE: this would only be temporary until a better solution is determined after seeing the email headers of a spoofed email and knowing more about the mail flow. 
> __ __ > > Please Any solution to block invalid SPF record address in my > Mailscanner/spamassasian.____ > Please provide more detail. Mail filtering is very complex so we can't help without details. - original email lightly redacted posted to pastebin.com - what is the MTA? - what RBLs are configured in the MTA? - version of MailScanner - version of SpamAssassin > Because I have seen the spoof address with no SPF record are passing > through Mainscanner.____ > This may be more of a question for the SpamAssassin Users mailing list if MailScanner is properly using SpamAssassin. -- David Jones -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: From thom at vdb.nl Mon May 6 15:54:15 2019 From: thom at vdb.nl (Thom van der Boon) Date: Mon, 6 May 2019 17:54:15 +0200 (CEST) Subject: Email SPoofing Block Help with SPF in Mailscanner Message-ID: <57f841db-3f6f-4635-ac57-58347de1a733@email.android.com> An HTML attachment was scrubbed... URL: From kevin.miller at juneau.org Mon May 6 17:09:32 2019 From: kevin.miller at juneau.org (Kevin Miller) Date: Mon, 6 May 2019 17:09:32 +0000 Subject: Email SPoofing Block Help with SPF in Mailscanner In-Reply-To: <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk> References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com>, <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk> Message-ID: <384eae9015274efa86e5815e8d9740cc@City-Exch-DB1.cbj.local> Assuming that you have access to your postfix server, I'd block SPF there rather than in spamassassin. Maybe consider installing postfix-policyd-spf-python. Any domains that are configured to hard-fail will be dealt with there, saving processing time. A soft fail will be passed through to normal spam filtering. 
If you wish to use spf in conjunction with spamassassin you'll still have that flexibility. Since your domain is set to hard-fail, those spoofed messages will never see the light of day.

...Kevin

--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

From: MailScanner On Behalf Of bilal.ahmed at kfueit.edu.pk
Sent: Monday, May 06, 2019 7:26 AM
To: 'MailScanner Discussion'
Subject: RE: Email SPoofing Block Help with SPF in Mailscanner

Dear Experts,

First of all, thanks for your advice. You are exactly right: because I whitelisted my whole domain, spammers can forge email addresses with my domain and get passed through.

My MTA is Postfix, the IMAP server is Cyrus. Postfix version: 3.1.0, MailScanner version: 5.0.7, SpamAssassin version: 3.4.1.

My scenario is that my email server is hosted internally on a private IP address range. My TXT record in public DNS is for my public-facing IP address.

The issue is that when I send email to Gmail, Yahoo, Hotmail etc. my SPF is valid, as shown in their received email headers. SPF is also checked as valid at MXTOOLS.

But my own MailScanner says SPF fails, maybe because the email server IP is private and the TXT record is for the mail server's public-facing IP.

I am doing all this SPF checking to get rid of spoofed emails that use my domain address, so I have whitelisted my internal network and host:mydomain.

How do I get rid of this SPF fail on my own MailScanner so that my own emails do not get a high score?

Any other solution to prevent email spoofing?

Bilal Ahmad
Network Administrator
Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
www.kfueit.edu.pk

From: MailScanner On Behalf Of David Jones via MailScanner
Sent: Monday, 6 May 2019 10:39 AM
To: MailScanner Discussion
Cc: David Jones
Subject: Re: Email SPoofing Block Help with SPF in Mailscanner

Martin,

I knew you wouldn't have done that which is why I removed your name from the top of the reply. My response was for the OP and others that might have done that. :)

Dave

________________________________
From: MailScanner on behalf of Martin Hepworth
Sent: Sunday, May 5, 2019 10:47 AM
To: MailScanner Discussion
Subject: Re: Email SPoofing Block Help with SPF in Mailscanner

Was a question, not an instruction; the whitelist of your own domain is a common configuration error and will make sure spoofed emails allegedly from your own domain will get through.

Martin

On Sun, 5 May 2019 at 14:45, David Jones via MailScanner wrote:

Never, ever, ever whitelist either in MailScanner or SpamAssassin any domains that your MTA is configured to accept. This will definitely let spoofed emails through.

> On Sat, 4 May 2019 at 20:38, bilal.ahmed at kfueit.edu.pk wrote:
>
> Kindly I need a help someone is spoofing address of my domain and
> forwarding email to my own domain.

We need an example email with headers lightly redacted posted to someplace like pastebin.com. It would also help to see the maillog entries for that queue ID.

There are multiple ways to block this based on the email headers.

We aren't even sure what domain to check the SPF record for without any headers.

You should consider setting these values in MailScanner.conf if not already to help with troubleshooting:

Add Envelope From Header = yes
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score = yes

These must be on based on what information you provided but make sure:
Spam Checks = yes
Use SpamAssassin = yes

> My SPF is already added in Public DNS.

Your own SPF setting in DNS will help prevent spoofing to others but will not necessarily help spoofing to your own mail server running MailScanner/SpamAssassin depending on your mail flow setup. For example, does outbound mail flow for your domain go through this same mail server unauthenticated from an internal mail server? Does an internal mail server smarthost to or run locally on this MailScanner instance?

If your outbound mail does not go through this MailScanner instance, then you have options like this in your /etc/mail/spamassassin/local.cf or /etc/mail/spamassassin/mailscanner.cf:

blacklist_from *@yourdomain.com

It appears that your outbound mail does flow through this MailScanner box based on the "score SPF_FAIL 15.0" so the entry above would block legit email just like the "score SPF_FAIL 15.0" entry.

You might be able to add this to the /etc/mail/spamassassin/local.cf or /etc/mail/spamassassin/mailscanner.cf:

whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]

where the "ip.add.re.ss" is the internal IP address of your mail server. Note this is not ideal since you will no longer be filtering outbound email.

NOTE: this would only be temporary until a better solution is determined after seeing the email headers of a spoofed email and knowing more about the mail flow.

> Please Any solution to block invalid SPF record address in my
> Mailscanner/spamassasian.

Please provide more detail. Mail filtering is very complex so we can't help without details.

- original email lightly redacted posted to pastebin.com
- what is the MTA?
- what RBLs are configured in the MTA?
- version of MailScanner
- version of SpamAssassin

> Because I have seen the spoof address with no SPF record are passing
> through Mainscanner.

This may be more of a question for the SpamAssassin Users mailing list if MailScanner is properly using SpamAssassin.

--
David Jones

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
Martin Hepworth, CISSP
Oxford, UK


From mailscanner at replies.cyways.com Mon May 6 17:34:05 2019
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Mon, 6 May 2019 13:34:05 -0400
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <384eae9015274efa86e5815e8d9740cc@City-Exch-DB1.cbj.local>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com> <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk> <384eae9015274efa86e5815e8d9740cc@City-Exch-DB1.cbj.local>
Message-ID: <0116b4ad-bcdc-9b25-80f4-7d2e7110460e@replies.cyways.com>

If the purpose is simply to stop mail arriving from outside your network using your domain in the From:, I agree with Kevin that adding rules to Postfix would be a better choice. I generally deny all mail from outside sources that has my domain in the From field. I use sendmail, so I just have an entry in /etc/mail/access with

example.com REJECT

In postfix you'd probably want to add rulesets for smtpd_client_restrictions and smtpd_sender_restrictions.

Peter

On 5/6/19 1:09 PM, Kevin Miller wrote:
> Assuming that you have access to your postfix server, I'd block SPF
> there rather than in spamassassin. Maybe consider installing
> postfix-policyd-spf-python. Any domains that are configured to
> hard-fail will be dealt with there, saving processing time. A soft fail
> will be passed through to normal spam filtering.
> If you wish to use spf in conjunction with spamassassin you'll still
> have that flexibility. Since your domain is set to hard-fail, those
> spoofed messages will never see the light of day.
>
> ...Kevin


From yuwang at cs.fsu.edu Mon May 6 21:13:19 2019
From: yuwang at cs.fsu.edu (yuwang)
Date: Mon, 06 May 2019 17:13:19 -0400
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com> <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk>
Message-ID: <9cc80f69202bcf9758691a31e23e5dfa@cs.fsu.edu>

I have a similar set up: mail servers have internal IPs for the local network and public IPs for external. Here is how I resolved SPF checking:

We have internal DNS servers that host internal DNS records (hostnames and IPs, etc). I created TXT records on our internal DNS servers for our mail SPF record and list all our mail servers' internal IPs. I also set up DMARC and DKIM records.

If your DNS servers also serve queries from outside, you will need to use split DNS.

Hope this helps.

James

On 2019-05-06 11:25, bilal.ahmed at kfueit.edu.pk wrote:
> Dear Experts,
>
> First of all, thanks for your advice. You are exactly right: because I
> whitelisted my whole domain, spammers can forge email addresses with my
> domain and get passed through.
From djones at ena.com Mon May 6 22:56:22 2019
From: djones at ena.com (David Jones)
Date: Mon, 6 May 2019 22:56:22 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <57f841db-3f6f-4635-ac57-58347de1a733@email.android.com>
References: <57f841db-3f6f-4635-ac57-58347de1a733@email.android.com>
Message-ID: <602b04a2-3baa-c92b-2a24-bc385161003d@ena.com>

On 5/6/19 10:54 AM, Thom van der Boon wrote:
> Dear Bilal,
>
> First upgrade everything to the latest versions.
>
> MailScanner  = 5.1.3
> spamassassin = 3.4.2
>

The versions he is running are fine and wouldn't change the situation enough to solve the core problem.

> One way to get this working
>
> Set up an extra SMTP server on your internal network. Make sure this
> server can not be reached from the internet.
> Whitelist the extra SMTP server in Mailscanner based on its IP address
>

I don't understand the purpose of this recommendation. This could easily turn out to make things worse.

> On 6 May 2019 17:26 bilal.ahmed at kfueit.edu.pk wrote:
>
> Dear Experts,
>
> First of all, thanks for your advice. You are exactly right: because I
> whitelisted my whole domain, spammers can forge email addresses with my
> domain and get passed through.
--
David Jones


From djones at ena.com Mon May 6 23:54:26 2019
From: djones at ena.com (David Jones)
Date: Mon, 6 May 2019 23:54:26 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <9cc80f69202bcf9758691a31e23e5dfa@cs.fsu.edu>
References: <01a101d502b0$d387f520$7a97df60$@kfueit.edu.pk> <9846d8a9-81a6-209a-1a12-120e253f4f4c@ena.com> <014a01d5041f$f2b9ae50$d82d0af0$@kfueit.edu.pk> <9cc80f69202bcf9758691a31e23e5dfa@cs.fsu.edu>
Message-ID:

On 5/6/19 4:13 PM, yuwang wrote:
> I have a similar set up: mail servers have internal IPs for the local
> network and public IPs for external. Here is how I resolved SPF checking:
>
> We have internal DNS servers that host internal DNS records (hostnames
> and IPs, etc). I created TXT records on our internal DNS servers for our
> mail SPF record and list all our mail servers' internal IPs. I also set
> up DMARC and DKIM records.
>

If you have your MTA and SpamAssassin set up correctly you don't need internal DNS records for MX, SPF, DKIM, etc.
See the internal_networks comments below for details. > If your DNS servers also serve queries from outside, you will need to > use split DNS. > > Hope this helps. > > James > > > On 2019-05-06 11:25, bilal.ahmed at kfueit.edu.pk wrote: >> Dear Experts, >> >> First of all thanks for your advice , exactly you people are right >> that I whitelist all my domain it lets the spammers forge email >> address with my domain email address to get pass through. >> >> My MTA Postfix? , IMAP Server is Cyrus,? Postfix Version: 3.1.0 , >> MailScanner Version: 5.0.7,? SpamAssassin Version: 3.4.1 >> Besides the SPF problem, there are many Postfix tuning options that can be done: main.cf = drop messages that spoof your own domain in the Message-ID header_checks = pcre:/etc/postfix/header_checks /^Message-ID:.*@mydomain\.com>/ DISCARD postscreen <- simple to setup and a MUST do python-policyd-spf opendkim opendmarc sqlgrey postfwd postscreen weighted RBLs =========================== postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_spf_whitelist.cidr, cidr:/etc/postfix/postscreen_access.cidr postscreen_cache_retention_time = 7d postscreen_bare_newline_ttl = 7d postscreen_greet_ttl = 7d postscreen_non_smtp_command_ttl = 7d postscreen_pipelining_ttl = 7d postscreen_dnsbl_ttl = 1m postscreen_dnsbl_threshold = 8 postscreen_dnsbl_action = enforce postscreen_greet_action = enforce postscreen_greet_wait = ${stress?1}${stress:11}s postscreen_bare_newline_action = enforce postscreen_bare_newline_enable = yes postscreen_non_smtp_command_enable = yes postscreen_pipelining_enable = yes postscreen_dnsbl_whitelist_threshold = -1 postscreen_blacklist_action = drop postscreen_dnsbl_sites = dnsbl.sorbs.net=127.0.0.[10;14]*9 dnsbl.sorbs.net=127.0.0.5*7 b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.[10;11;12]*7 hostkarma.junkemailfilter.com=127.0.0.2*4 dnsbl.sorbs.net=127.0.0.7*4 bl.spamcop.net=127.0.0.2*4 ... 
I have a huge list of dnsbl_sites. See the SpamAssassin Users mailing list archives for more details. A GOOD SET OF RBLS IN POSTSCREEN_DNSBL_SITES WILL REJECT THE MAJORITY OF JUNK/SPAM WITHOUT ANY OTHER CHANGES/ADDITIONS. >> My scenario is that my Email server is hosted internally at Private ip >> address range . My TXT Record at public dns is for my public faced IP >> address. >> Internal mail servers behind NAT need to have a dedicated/two-way NAT so outbound traffic shows as the same IP as in the inbound to get FCrDNS correct. This is for outbound mail delivery and SPF checks passing outbound to the Internet. Get on the mail server and run "curl ifconfig.me" at a shell prompt and make sure it matches the inbound IP for the A record. Then run "dig -x [IP} +short". Now run "dig [PTR value]" and make sure it points back to the same IP. # curl ifconfig.me 96.4.1.10 [root at smtp2n.ena spamassassin]# dig -x 96.4.1.10 +short smtp2n.ena.net. [root at smtp2n.ena spamassassin]# dig smtp2n.ena.net +short 96.4.1.10 Web version of this same check above: http://multirbl.valli.org/fcrdns-test/96.4.1.10.html >> Issue is that when I send email at GMAIL,Yahoo,Hotmail etc my SPF is >> valid as shown at their received email headers. SPF is valid checked >> at MXTOOLS as well. >> Sure would be nice to see those headers so we can help. >> But my own mailscanner says SPF Fails may be because email server ip >> is private and TXT record is for mail server public faced IP. >> Make sure you have your Postfix mynetworks and the SpamAssassin internal_networks setup essentially with the same internal network blocks. Then trusted_networks can be extra networks that are outside of your organization. Note that the SA trusted_networks doesn't mean they will never send spam but will never originate spam or forge the Received headers. SPF checks should be done performed against the last external mail server and not on any internal IPs. 
I have been testing out an idea to include Office 365 IPs in the trusted_networks list. If the first mail server puts the original client's IP address in as an X-Originating-IP header then this is very effective to detect as the last-external against RBLs for better accuracy. The internal Microsoft mail servers at Office 365 are listed on various RBLs but that causes a lot of FPs due to the large shared platform. https://wiki.apache.org/spamassassin/TrustedRelays Microsoft has been putting in the X-Originating-IP header for a while. Older Exchange servers and other mail servers don't add the first hop Received: or the X-Originating-IP headers but as I find more platforms that do, I am expanding out my trusted_networks list to find the "true edge" behind large shared platforms. >> I am doing all this SPF check to get rid of spoofed emails that using >> my domain address so? I have whitelisted my internal network and >> host:mydomain >> >> How to get rid of this SPF fail on my own mailscanner so that my own >> emails not get high score ? >> >> Any other solution to prevent Email spoofing ? >> >> BILAL AHMAD >> >> Network Administrator >> >> Cell: +92 333 7451870? |? Tel: +92 68 5882400? |? Ext. 2499 >> >> www.kfueit.edu.pk >> >>>> On Sat, 4 May 2019 at 20:38, >>> > wrote: >>>> >>>> Kindly I need a help someone is spoofing address of my domain >>> and >>>> forwarding email to my own domain.____ >>>> >>> >>> We need an example email with headers lightly redacted posted to >>> someplace like pastebin.com [1].? It would also help to see the >>> maillog >>> entries for that queue ID. >>> Still need an example email sent via pastebin.com to actually give solid recommendations. We are all guessing still. >>> There are multiple ways to block this based on the email headers. >>> >>> We aren't even sure what domain to check the SPF record for without >>> any >>> headers. 
>>>
>>> You should consider setting these values in MailScanner.conf if not
>>> already, to help with troubleshooting:
>>>
>>> Add Envelope From Header = yes
>>> Detailed Spam Report = yes
>>> Include Scores In SpamAssassin Report = yes
>>> Always Include SpamAssassin Report = yes
>>> Spam Score = yes

Did you check these settings?

>>> These must be on based on what information you provided, but make
>>> sure:
>>> Spam Checks = yes
>>> Use SpamAssassin = yes
>>>
>>>> My SPF is already added in Public DNS.
>>>>
>>>
>>> Your own SPF setting in DNS will help prevent spoofing to others but
>>> will not necessarily help with spoofing to your own mail server running
>>> MailScanner/SpamAssassin, depending on your mail flow setup. For
>>> example, does outbound mail flow for your domain go through this
>>> same mail server unauthenticated from an internal mail server? Does an
>>> internal mail server smarthost to or run locally on this MailScanner
>>> instance?
>>>
>>> If your outbound mail does not go through this MailScanner instance,
>>> then you have options like this in your
>>> /etc/mail/spamassassin/local.cf
>>> or /etc/mail/spamassassin/mailscanner.cf:
>>>
>>> blacklist_from *@yourdomain.com
>>>
>>> It appears that your outbound mail does flow through this
>>> MailScanner box based on the "score SPF_FAIL 15.0", so the entry above
>>> would block legit email just like the "score SPF_FAIL 15.0" entry.
>>>
>>> You might be able to add this to the /etc/mail/spamassassin/local.cf
>>> or /etc/mail/spamassassin/mailscanner.cf:
>>>
>>> whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
>>>
>>> where the "ip.add.re.ss" is the internal IP address of your mail
>>> server.
>>> Note this is not ideal since you will no longer be filtering
>>> outbound email.
>>>
>>> NOTE: this would only be temporary until a better solution is
>>> determined after seeing the email headers of a spoofed email and
>>> knowing more about the mail flow.
>>>
>>>> Please, any solution to block invalid SPF record addresses in my
>>>> MailScanner/SpamAssassin.
>>>>
>>>
>>> Please provide more detail. Mail filtering is very complex so we
>>> can't help without details.
>>>
>>> - original email lightly redacted posted to pastebin.com [1]
>>> - what is the MTA?
>>> - what RBLs are configured in the MTA?
>>> - version of MailScanner
>>> - version of SpamAssassin

This information is still needed.

>>>> Because I have seen that spoofed addresses with no SPF record are
>>>> passing through MailScanner.
>>>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>> Links:
>> ------
>> [1] http://pastebin.com
>
> Excellent links to use to help us help you.

--
David Jones

From Nicola.Piazzi at gruppocomet.it Tue May 7 07:15:47 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 7 May 2019 07:15:47 +0000
Subject: Spamassassin before mailscanner phishing tests ?
Message-ID: <9544e8d1bfc74a2c9ef75b28e15ec867@gruppocomet.it>

MailScanner tries to detect phishing frauds using patterns that it downloads from OpenPhish and PhishTank. When I watch messages in MailWatch I have no evidence of this; perhaps MailScanner does this before invoking SpamAssassin. Is it possible in some way to detect this in SpamAssassin, to write a rule and give a score?

From info at schroeffu.ch Tue May 7 23:01:24 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 07 May 2019 23:01:24 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
Message-ID: <44d426d0c69ab58f78f98bca6cd02061@schroeffu.ch>

Hi Bilal,

can I ask you from the beginning what exactly the problem is?
Maybe do you mean this: Let's say you own the domain 123dom.com. You receive emails from (spoofed envelope) sender address bilal at 123dom.com to your own mailbox with the same domain, for example contact at 123dom.com? If yes, let me know. This can be rejected with Postfix rules without touching MailScanner.

Lot regards
Schroeffu

From bilal.ahmed at kfueit.edu.pk Wed May 8 05:12:51 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Wed, 8 May 2019 10:12:51 +0500
Subject: Email SPoofing Block Help with SPF in Mailscanner
In-Reply-To: <44d426d0c69ab58f78f98bca6cd02061@schroeffu.ch>
References: <44d426d0c69ab58f78f98bca6cd02061@schroeffu.ch>
Message-ID: <004901d5055c$afaf5090$0f0df1b0$@kfueit.edu.pk>

Dear Schroeffu,

Exactly, I have the same problem as mentioned by you.

Bilal Ahmad
Network Administrator
Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
www.kfueit.edu.pk

From info at schroeffu.ch Wed May 8 09:04:27 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Wed, 08 May 2019 09:04:27 +0000
Subject: Email SPoofing Block Help with SPF in Mailscanner
Message-ID: <188c75216c076064c6200f8f78e46a69@schroeffu.ch>

Hi Bilal,

ok, so the spam you get seems to be sent directly to your mailserver.
Spambot A) is connecting directly to your mail.dom123.com:25 and says "hey, I am bilal at 123.com and I have a mail for contact at 123.com", and your Postfix should, before MailScanner is even scanning for spam, reject this sender domain address, because it is not sent by your internal IPs.

Make sure you have all the IP ranges from your internal network configured in mynetwork = in /etc/main.cf; in my case it looks like this:

mynetworks = 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, 192.168.0.0/16, 127.0.0.0/8

Now we will configure Postfix to reject all incoming e-mails from sender domain "@123.com" if the sender IP IS NOT an IP listed in "mynetwork". I guess there are multiple solutions possible in Postfix; I got it successfully rejected this way:

1. Create a "do not spoof these domains" file with your domains here: /etc/postfix/spoofingprotected_domains

2. Fill in this file the domains you want to protect from spoofing; for example my file looks like this:

#The following entries are to REJECT sender domain. Be sure, permit_mynetworks rule set before this list in main.cf
123dom.com REJECT
anotherdomainfromme.com REJECT

3. Make the file readable by Postfix by running postmap: "postmap /etc/postfix/spoofingprotected_domains"

4. Now you have to put this "spoofing blacklist" in the right place in /etc/main.cf. Again, there are maybe multiple solutions, but here is mine: extend the option "smtpd_sender_restrictions =" with this file, but make sure "permit_mynetworks" is BEFORE the new file spoofingprotected_domains. So Postfix will still allow "123dom.com" as sender for your mynetworks= IP addresses, but Postfix will reject sender domains in /etc/postfix/spoofingprotected_domains if not from your IP. My line looks like this:

smtpd_sender_restrictions = reject_unknown_sender_domain, permit_mynetworks, hash:/etc/postfix/spoofingprotected_domains

5. Restart Postfix. Done.
You should try the new configuration yourself: log in to a web server outside your IP range and try to send yourself an email from 123dom.com to 123dom.com with telnet. It should deny your mail test already at step 2, like this:

ehlo 123dom.com
MAIL FROM:
MAIL FROM:
554 5.7.1 : Sender address rejected: Access denied

(Hehe, "access denied" is an ugly error message; prettier would be "this domain cannot be a sender address without being an internal IP", but hey, who cares!)

And also test if all other mails are still working properly, so that you don't damage your production : o )

Hope this helps
Schroeffu

From Nicola.Piazzi at gruppocomet.it Wed May 15 08:05:20 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Wed, 15 May 2019 08:05:20 +0000
Subject: RBL & URIBL skip 4 internal
Message-ID: <046a58133a124f578a2dce57ee71ac9c@gruppocomet.it>

I use all RBLs lastexternal, and with trusted_networks I am able to skip them for internal IP submission and save a lot of checks. But this is not done for URIBL; URIBL checks for domains in the email. Is it possible to skip also all URIBL when an email comes from the internal network?

From info at schroeffu.ch Wed May 15 09:32:17 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Wed, 15 May 2019 09:32:17 +0000
Subject: Alert "Problem Messages" is spamming me every hour, delete Processing.db did not help
Message-ID: <47f425eb76255763ce95bba8013e2349@schroeffu.ch>

Hi MailScanner Friends,

I think I'm affected by an old issue.
I am getting spammed by the MailScanner Alert every hour because one email is not processed correctly:

---
Subject: Problem Messages

Archive:

Number of messages: 1
Tries Message Last Tried
===== ======= ==========
6 11A003C0065.AC53F Fri May 10 08:56:07 2019

--
MailScanner
---

Now I already deleted this (definitively spam) mail 11A003C0065.AC53F from /var/spool/MailScanner/quarantine/* where I found it stored, and did:

- stop mailscanner
- delete /var/spool/MailScanner/incoming/Processing.db
- start mailscanner

but it does not help. Looking inside this file "Processing.db" with "strings Processing.db" after delete & restart still shows me this Message ID. From where is MailScanner getting this information that this ID is not processed correctly when I already deleted Processing.db? I cannot find the source of this information. Unfortunately I am still getting spammed every hour by the mailscanner --processing hourly cronjob, for days now, getting crazy :-)

---
root at mailscanner1:/var/spool/MailScanner/incoming# strings Processing.db
SQLite format 3
{tablearchivearchive
CREATE TABLE archive (id TEXT, count INT, nexttime INT)J
gindexid_uniqprocessing
CREATE UNIQUE INDEX id_uniq ON processing(id)[
tableprocessingprocessing
CREATE TABLE processing (id TEXT, count INT, nexttime INT)
% % % % % % % % % % % % % % % % % % % % % % %
9CB363C188E.A0AB4
---

From mark at msapiro.net Wed May 15 18:27:37 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 15 May 2019 11:27:37 -0700
Subject: Alert "Problem Messages" is spamming me every hour, delete Processing.db did not help
In-Reply-To: <47f425eb76255763ce95bba8013e2349@schroeffu.ch>
References: <47f425eb76255763ce95bba8013e2349@schroeffu.ch>
Message-ID: <9f97e698-7562-a728-268e-0e38e475bbe7@msapiro.net>

On 5/15/19 2:32 AM, info at schroeffu.ch wrote:
>
> Now I already deleted this (definitively spam) mail 11A003C0065.AC53F
> from /var/spool/MailScanner/quarantine/* where I found it stored, and
> did:
>
> - stop mailscanner
> - delete /var/spool/MailScanner/incoming/Processing.db
> - start mailscanner
>
> but it does not help. Looking inside this file "Processing.db" with
> "strings Processing.db" after delete & restart still shows me this
> Message ID.

You don't need 'strings'. 'MailScanner --processing' will show it to you too.

Did the message reappear in quarantine after you deleted it? My guess is it's somehow queued in your MTA (Postfix?). What does 'grep 11A003C0065 /var/log/mail.log' (or wherever your mail logs are) show?

> From where is MailScanner getting this information that this ID is not
> processed correctly when I already deleted Processing.db? I cannot find
> the source of this information. Unfortunately I am still getting spammed
> every hour by the mailscanner --processing hourly cronjob, for days now,
> getting crazy :-)

It comes from the Processing.db. The question is why is it reappearing there? I think it must be coming from the MTA or maybe a MailScanner queue. What's in /var/spool/MailScanner/nnnn where nnnn is the PID of the running MailScanner, or if you are using the MailScanner Milter option, what's in your milterin and milterout queues?

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From belle at bazuin.nl Thu May 16 13:47:30 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 16 May 2019 15:47:30 +0200
Subject: Encrypted attachment blocks, but not for 7z.
Message-ID: <unknown>

Hai,

Anyone any tip how to find out why an encrypted 7z file made it through MailScanner?
By default I'm blocking encrypted attachments; it works fine with zips or rar files, only 7z not.

Any suggestions? I can't find anything here why this happened.
I'm running:
Debian GNU/Linux 9.9 (stretch)
mailscanner 5.1.3-2

Greetz,

Louis

From iversons at rushville.k12.in.us Thu May 16 14:22:47 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 16 May 2019 10:22:47 -0400
Subject: Encrypted attachment blocks, but not for 7z.

What version of 7z are you running?

From belle at bazuin.nl Thu May 16 14:31:16 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 16 May 2019 16:31:16 +0200
Subject: Encrypted attachment blocks, but not for 7z.

Hai Shawn,

The Debian-supplied version is used:

ii  p7zip        16.02+dfsg-3+deb9u1   amd64   7zr file archiver with high compression ratio
ii  p7zip-full   16.02+dfsg-3+deb9u1   amd64   7z and 7za file archivers with high compression ratio

I just checked the versions; Debian buster still has the same version, only with a few fixes in the build.

I have:
MailScanner.conf:Un7zip Command = /usr/bin/7z
Usage: 7z [...] [...]

So that's ok.

I have an exception list for these files also: rules/mailwatch.encrypted.rules
But the sender domain/IP is not in my whitelist.

Greetz,

Louis
From bilal.ahmed at kfueit.edu.pk Fri May 17 10:15:02 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Fri, 17 May 2019 15:15:02 +0500
Subject: Quarantine Emails Release
Message-ID: <00ad01d50c99$64819080$2d84b180$@kfueit.edu.pk>

Dear All,

After release of an email in MailWatch, the email is shown as released in MailWatch. But actually, after the email release, an email is received by the end user from postmaster at domain.tld which says that the original message is in the attachment, while the attachment is always empty.

Bilal Ahmad
Network Administrator

From info at schroeffu.ch Tue May 21 12:25:20 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 21 May 2019 12:25:20 +0000
Subject: Alert "Problem Messages" is spamming me every hour, > delete Processing.db did not help

Hi Mark, Hi MailScanner Friends,

I hadn't time to react earlier, sorry; now I just checked it again (it is still spamming me every hour ^_?).

> You don't need 'strings'. 'MailScanner --processing' will show it to you
> too.
Thanks, at the moment "MailScanner --processing" is still displaying the bad message:

--
#MailScanner --processing
Archive:

Number of messages: 1
Tries Message Last Tried
===== ======= ==========
6 11A003C0065.AC53F Fri May 10 08:56:07 2019
--

> It comes from the Processing.db. The question is why is it reappearing
> there? I think it must be coming from the MTA or maybe a MailScanner
> queue. What's in /var/spool/MailScanner/nnnn where nnnn is the PID of
> the running MailScanner, or if you are using the MailScanner Milter
> option, what's in your milterin and milterout queues?

I am still using the ^HOLD queue mode, no milter in use. The folder /var/spool/MailScanner/nnnn does not contain the PID; in my case the PID is in /var/run/MailScanner.pid, but it only contains the pid number:

/var/run# cat MailScanner.pid
211918

> What does 'grep 11A003C0065 /var/log/mail.log' (or wherever your mail
> logs are) show?

The already rotated log says the following lines when searching for the Message ID 11A003C0065:

root at vmlxmail1:/tmp/search-maillog2# grep -R 11A003C0065 *
May 10 08:29:33 vmlxmail1 postfix/smtpd[148698]: 11A003C0065: client=mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245]
May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065: hold: header Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-dm3nam05hn0245.outbound.protection.outlook.com [104.47.49.245])??by mail.ourdomain.de (Postfix) with ESMTPS id 11A003C0065??for from mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245]; from= to= proto=ESMTP helo=
May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065: message-id=<36868ABC6C2FD54E67E1B8F6945AFB1A8E4318BD at WORLDST0I6DPJ59>
May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065: mail-dm3nam05hn0245.outbound.protection.outlook.com [104.47.49.245] not internal
May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065: not authenticated
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F.message ? MIME ? S2BOB3ITMHJ.html came from
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F came from 104.47.49.245
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F.message came from
May 10 08:31:38 vmlxmail1 MailScanner[150510]: Making attempt 2 at processing message 11A003C0065.AC53F
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F came from 104.47.49.245
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F.message came from
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F.message ? MIME ? S2BOB3ITMHJ.html came from
May 10 08:35:59 vmlxmail1 MailScanner[150083]: Making attempt 3 at processing message 11A003C0065.AC53F
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F.message came from
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F came from 104.47.49.245
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F.message ? MIME ? S2BOB3ITMHJ.html came from
May 10 08:41:26 vmlxmail1 MailScanner[151456]: Making attempt 4 at processing message 11A003C0065.AC53F
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F came from 104.47.49.245
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F.message came from
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F.message ? MIME ? S2BOB3ITMHJ.html came from
May 10 08:47:24 vmlxmail1 MailScanner[150241]: Making attempt 5 at processing message 11A003C0065.AC53F
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F.message came from
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F came from 104.47.49.245
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F.message ? MIME ? S2BOB3ITMHJ.html came from
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at processing message 11A003C0065.AC53F
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F came from 104.47.49.245
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message ? MIME ? S2BOB3ITMHJ.html came from
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message 11A003C0065.AC53F as it has been attempted too many times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message 11A003C0065.AC53F as it caused MailScanner to crash several times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to /var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
May 10 08:51:43 vmlxmail1 MailScanner[152425]: MailWatch: Logging message 11A003C0065.AC53F to SQL
May 10 08:51:43 vmlxmail1 MailScanner[150628]: MailWatch: 11A003C0065.AC53F: Logged to MailWatch SQL

And attempt 6 with some more information (virus scanning, restart of the MailScanner process):

May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at processing message 11A003C0065.AC53F
May 10 08:51:38 vmlxmail1 MailScanner[153430]: New Batch: Scanning 1 messages, 7155 bytes
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Virus and Content Scanning: Starting
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Cannot lock /var/spool/MailScanner/incoming/Locks/esetsBusy.lock, No such file or directory
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Esets::INFECTED::JS/Redirector.NEE trojan
May 10 08:51:41 vmlxmail1 MailScanner[153430]: message repeated 2 times: [ Esets::INFECTED::JS/Redirector.NEE trojan]
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: esets found 3 infections
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F came from 104.47.49.245
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message ? MIME ? S2BOB3ITMHJ.html came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: Found 3 viruses
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailScanner Email Processor version 5.1.3 starting...
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file /etc/MailScanner/MailScanner.conf
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file /etc/MailScanner/conf.d/README
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 1500 hostnames from the phishing whitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 16624 hostnames from the phishing blacklists
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init function SQLWhitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Starting up MailWatch SQL Whitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Read 32 whitelist entries
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init function MailWatchLogging
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Started MailWatch SQL Logging child
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Using SpamAssassin results cache
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Connected to SpamAssassin cache database
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Enabling SpamAssassin auto-whitelist functionality...
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message 11A003C0065.AC53F as it has been attempted too many times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message 11A003C0065.AC53F as it caused MailScanner to crash several times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to /var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
May 10 08:51:43 vmlxmail1 MailScanner[152425]: New Batch: Scanning 1 messages, 7155 bytes

So I already deleted the whole folder /var/spool/MailScanner/quarantine/20190510/ with its content. In the MailWatch WebUI I can see the logged message headers, but no folder/files 11A003C0065.AC53F/message files (because deleted), as expected.

I also mysqldump'ed the MailWatch DB and grep'ed inside for what's written about 11A003C0065; I think there are only the logged headers of this queued message inside.

The Postfix queue displayed with the "mailq" command shows only real queued messages; the message ID 11A003C0065 isn't displayed in the Postfix queue.

I am still searching anywhere in /var/spool/ where it could possibly be telling MailScanner at start that this message is in the --processing queue. No luck until now :-(

Many Regards
Schroeffu

From info at schroeffu.ch Tue May 21 12:53:43 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 21 May 2019 12:53:43 +0000
Subject: Alert "Problem Messages" is spamming me every hour, > delete Processing.db did not help
Message-ID: <14f79f1bc8ed25b3feb7be2a44da0b41@schroeffu.ch>

Oh, I found it. The same file existed twice: /var/spool/MailScanner/incoming/Processing.db was also placed in /ramdisk_store/, i.e. /var/spool/MailScanner/ramdisk_store/Processing.db. So I stopped MS, deleted the file in both locations, started MS again, and now MailScanner --processing is empty again. Thanks for all the help.
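One way to make the hunt above reproducible, so the next admin does not have to guess which copy is feeding `MailScanner --processing`: an added Python example (editor's, not MailScanner's code and not posted by anyone in this thread) that opens every candidate Processing.db read-only, reads the `processing` and `archive` tables that the `strings` output earlier in the thread shows, and reports which copy still lists a queue id. The two default paths are the ones named in the thread (incoming and ramdisk_store); the temporary sample databases, the second queue id and the timestamps are constructed for the demo.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# The two copies named in the thread: the live incoming directory and the
# ramdisk_store copy that MailScanner keeps in sync with it.
DEFAULT_CANDIDATES = (
    "/var/spool/MailScanner/incoming/Processing.db",
    "/var/spool/MailScanner/ramdisk_store/Processing.db",
)

# Schema as revealed by `strings Processing.db` earlier in the thread.
SCHEMA = """
CREATE TABLE processing (id TEXT, count INT, nexttime INT);
CREATE UNIQUE INDEX id_uniq ON processing(id);
CREATE TABLE archive (id TEXT, count INT, nexttime INT);
"""


def read_entries(db_path):
    """Return {table: [(id, count, nexttime), ...]} for one Processing.db,
    or None when the file does not exist. The database is opened read-only
    so inspecting a live copy can never modify it."""
    path = Path(db_path)
    if not path.is_file():
        return None
    with closing(sqlite3.connect(f"file:{path}?mode=ro", uri=True)) as conn:
        entries = {}
        for table in ("processing", "archive"):
            try:
                rows = conn.execute(
                    f"SELECT id, count, nexttime FROM {table} ORDER BY id"
                ).fetchall()
            except sqlite3.OperationalError:  # table absent in this copy
                rows = []
            entries[table] = rows
    return entries


def find_message(msg_id, candidates=DEFAULT_CANDIDATES):
    """Return [(path, table, count), ...] for every database copy that still
    lists msg_id. An empty list means no copy on disk references it."""
    hits = []
    for db in candidates:
        entries = read_entries(db)
        if entries is None:
            continue
        for table, rows in entries.items():
            for row_id, count, _nexttime in rows:
                if row_id == msg_id:
                    hits.append((str(db), table, count))
    return hits


def build_sample_db(db_path, processing_rows=(), archive_rows=()):
    """Create a Processing.db with the schema above (constructed test data)."""
    Path(db_path).parent.mkdir(parents=True, exist_ok=True)
    with closing(sqlite3.connect(str(db_path))) as conn:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO processing VALUES (?, ?, ?)", list(processing_rows))
        conn.executemany("INSERT INTO archive VALUES (?, ?, ?)", list(archive_rows))
        conn.commit()


def demo():
    """Reproduce the thread's situation: the incoming copy was deleted and
    recreated clean, but the ramdisk_store copy still carries the archived
    entry with six failed attempts. All data here is constructed."""
    root = Path(tempfile.mkdtemp(prefix="msdb-"))
    incoming = root / "incoming" / "Processing.db"
    ramdisk = root / "ramdisk_store" / "Processing.db"
    # 11A003C0065.AC53F is the queue id from the thread; the other id is made up.
    build_sample_db(incoming, processing_rows=[("0EXAMPLE001.00001", 1, 1557470000)])
    build_sample_db(ramdisk, archive_rows=[("11A003C0065.AC53F", 6, 1557471367)])
    return find_message("11A003C0065.AC53F", (incoming, ramdisk))


if __name__ == "__main__":
    for path, table, count in demo():
        print(f"{path}: still listed in '{table}' after {count} attempts")
```

Run it against the real paths with `find_message("11A003C0065.AC53F")` on a stopped MailScanner; a hit in ramdisk_store while incoming is clean is exactly the state the thread ended up diagnosing by hand.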
From iversons at rushville.k12.in.us Tue May 21 13:05:13 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 21 May 2019 09:05:13 -0400
Subject: Alert "Problem Messages" is spamming me every hour, > delete Processing.db did not help

You may need at this point to halt mail flow at the MTA level, kill MailScanner processes (do not gracefully stop it ... ramdisk sync could save a copy of the processing.db), and clean up the /var/spool/Mailscanner/incoming directory, including deleting the processing.db in there and any child PID directory trees lingering in there.

Also, before starting MailScanner again, disable the ramdisk sync in /etc/Mailscanner/defaults if enabled.

Turn ramdisk sync back on if it was on originally and you are sure it is resolved.
From bilal.ahmed at kfueit.edu.pk Wed May 22 17:13:56 2019
From: bilal.ahmed at kfueit.edu.pk (bilal.ahmed at kfueit.edu.pk)
Date: Wed, 22 May 2019 22:13:56 +0500
Subject: How to Properly Release Quarantine Emails in Mailwatch
Message-ID: <000901d510c1$bd7658c0$38630a40$@kfueit.edu.pk>

Dear Experts,

After release of an email in mailwatch, the email is shown as released in mailwatch.

But in actual fact, after the email release an email is received by the end user from postmaster at domain.tld which says that the original message is in the attachment, while the attachment is always empty.

Bilal Ahmad
Network Administrator

From mark at msapiro.net Wed May 22 20:18:37 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 22 May 2019 13:18:37 -0700
Subject: How to Properly Release Quarantine Emails in Mailwatch
In-Reply-To: <000901d510c1$bd7658c0$38630a40$@kfueit.edu.pk>
References: <000901d510c1$bd7658c0$38630a40$@kfueit.edu.pk>
Message-ID:

On 5/22/19 10:13 AM, bilal.ahmed at kfueit.edu.pk wrote:
>
> After release of an email in mailwatch the email shown as released in
> mailwatch.
>
> But in actual after the email release a email is received to the end
> user from postmaster at domain.tld which
> says that original message is in attachment while the attachment is
> always empty.

This seems to be a MailWatch issue, not a MailScanner issue. The MailWatch list is

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From belle at bazuin.nl Tue May 28 14:43:24 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 28 May 2019 16:43:24 +0200
Subject: wrong detection of file?
Message-ID:

Hai Shawn,

Have you ever seen something like this?

I just e-mailed a file, with a name as shown below.
SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf

The report shows:
Message: Executable DOS/Windows programs are dangerous in email (SSL Server Tes.com)
And it's shown in mailwatch as: application/pdf; charset=binary

Now the thing I don't get here is, how is the name "SSL Server Tes.com" constructed from the name: SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf

I only changed the hostname and domain here, I kept the format exactly the same.

Greetz,

Louis

From iversons at rushville.k12.in.us Tue May 28 14:58:50 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 28 May 2019 10:58:50 -0400
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:

Yeah, it is matching by filename, not filetype, and it may be parsing the name wrong.

Can you verify this rule is present?

deny \.com$

Which should not match, because it is not the end of the filename, but I bet it is.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From belle at bazuin.nl Tue May 28 15:02:00 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 28 May 2019 17:02:00 +0200
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:

Yes, I have 2 of them.

filename.rules.conf:deny            \.com$          Windows/DOS Executable
archives.filename.rules.conf:deny   \.com$          Windows/DOS Executable          Executable DOS/Windows programs are dangerous in email

Greetz,

Louis

From peter.farrow at togethia.net Tue May 28 15:38:03 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Tue, 28 May 2019 16:38:03 +0100
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:

Dear Louis,

A file ending in ".com" is a computer code executable program.

Mailscanner is seeing "example.com" and disallowing it as a potential executable.

This is normal, expected and by-design behaviour,

Pete

From iversons at rushville.k12.in.us Tue May 28 15:50:17 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 28 May 2019 11:50:17 -0400
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:

Although I agree with you, a file with .com in the middle of it, however, should not match. I suspect the filename parser in MailScanner is not parsing the filename properly and is perhaps treating spaced elements of the filename as separate strings.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From Antony.Stone at mailscanner.open.source.it Tue May 28 15:51:22 2019
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Tue, 28 May 2019 17:51:22 +0200
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID: <201905281751.22336.Antony.Stone@mailscanner.open.source.it>

On Tuesday 28 May 2019 at 17:38:03, Peter Farrow wrote:

> Dear Louis,
>
> A file ending in ".com" is a computer code executable program.
>
> Mailscanner is seeing "example.com" and disallowing it as a potential
> executable.

So why is it:

a) reporting "SSL Server Tes.com" as the filename?

b) thinking the filename ends in .com when it actually ends in .pdf (and that is what Windows would pay attention to, no matter what's in the middle of the name)?

> This is normal expected and by design behaviour,

I disagree. Even if it were true, this would be a bug, because MailScanner would be treating filenames differently from the way Windows treats them, and therefore generating false positives.

Antony.

--
In Heaven, the beer is Belgian, the chefs are Italian, the supermarkets are
British, the mechanics are German, the lovers are French, the entertainment is
American, and everything is organised by the Swiss.

In Hell, the beer is American, the chefs are British, the supermarkets are
German, the mechanics are French, the lovers are Swiss, the entertainment is
Belgian, and everything is organised by the Italians.

Please reply to the list; please *don't* CC me.

From alex at vidadigital.com.pa Tue May 28 15:52:30 2019
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue, 28 May 2019 17:52:30 +0200
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:

Or the MIME encoding is splitting it... still, periods in the middle of file names have been seen as an inconvenience for some time. There's even a rule for "double extensions", since they can be used to trick people into opening them by naming them filename.doc.exe.

From belle at bazuin.nl Wed May 29 07:24:13 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 29 May 2019 09:24:13 +0200
Subject: wrong detection of file?
In-Reply-To:
References:
Message-ID:

Hai, and thank you all for the replies.

Quote: I suspect the filename parser in MailScanner is not parsing the filename properly and is perhaps treating spaced elements of the filename as separate strings.

I agree here. I'm running Debian 9, latest mailscanner, mailwatch for some years now; the system is highly tuned for the company. We process a lot of pdf, doc and rtf files and this is the first in a long time that's failed.

So somewhere in this file name: SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf the regexp is going wrong.

I rechecked the mimetype also, just to be sure; that shows the pdf file correctly.

It's simple to test yourself: go to ssllabs.com, test a webserver, save the file.
Then I saved to PDF with the default Windows 10 pdf printer and mailed it.

Ps, I'm 2 weeks offline, so I can test this in the short term.

I consider it low prio, but in my opinion it's a bug. That's why I reported it.

Greetz,

Louis

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
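As an added example (not code from the thread, and not MailScanner's own Perl implementation): a small Python evaluator for rules in the filename.rules.conf layout quoted above, run against the reported attachment name two ways, against the whole name and against each whitespace-separated piece, which is the hypothesis Shawn raised. The double-extension rule is a constructed stand-in for the kind of rule Alex mentions, not MailScanner's shipped rule, and first-match, case-insensitive semantics are assumptions; the example reproduces the hypothesis, not the odd "SSL Server Tes.com" string itself.

```python
import re

# Constructed rules in the four-column, tab-separated layout of
# filename.rules.conf: action, regex, log text, user-report text.
# Line 1 is the rule quoted on the list. Line 2 is a constructed stand-in for
# a "double extension" rule (not MailScanner's shipped rule). The catch-all
# allow at the end is assumed to be the conventional last line.
RULES_TEXT = "\n".join([
    "deny\t\\.com$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email",
    "deny\t\\.(doc|xls|pdf)\\.(exe|com|scr)$\tDouble extension\tAttempt to hide the real filename extension",
    "allow\t.*\t-\t-",
])

# The attachment name reported in the thread.
REPORTED_NAME = "SSL Server Test hostname.example.com (Powered by Qualys SSL Labs).pdf"


def parse_rules(text):
    """Parse rule lines into (action, compiled regex, log text, user text)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if len(fields) < 4 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError("malformed rule: %r" % raw)
        action, pattern, logtext, usertext = fields[:4]
        # Assumption: patterns match case-insensitively (SETUP.COM is still
        # a DOS executable), so the rule file needs no case variants.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE),
                      logtext, usertext))
    return rules


def first_match(rules, name):
    """Assumed first-match semantics: the first rule whose regex matches wins."""
    for action, rx, logtext, usertext in rules:
        if rx.search(name):
            return action, logtext, usertext
    return "allow", "no rule matched", ""


def check_whole_name(rules, filename):
    """Expected behaviour: the rule set is applied to the complete filename."""
    action, logtext, _ = first_match(rules, filename)
    return action, logtext, filename


def check_split_name(rules, filename):
    """Shawn's hypothesis: each whitespace-separated piece is checked on its
    own and any denied piece denies the attachment, so 'hostname.example.com'
    trips the \\.com$ rule even though the whole name ends in .pdf."""
    for piece in filename.split():
        action, logtext, _ = first_match(rules, piece)
        if action == "deny":
            return action, logtext, piece
    return "allow", "no rule matched", filename


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name in (REPORTED_NAME, "report.pdf", "setup.com", "invoice.doc.exe"):
        print("whole:", check_whole_name(rules, name))
        print("split:", check_split_name(rules, name))
```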