Email Spoofing Block Help with SPF in MailScanner
David Jones
djones at ena.com
Sun May 5 13:44:25 UTC 2019
Never, ever, ever whitelist either in MailScanner or SpamAssassin any
domains that your MTA is configured to accept. This will definitely let
spoofed emails through.
> On Sat, 4 May 2019 at 20:38, <bilal.ahmed at kfueit.edu.pk> wrote:
>
> Kindly, I need help; someone is spoofing an address of my domain and
> forwarding email to my own domain.
>
We need an example email with headers lightly redacted posted to
someplace like pastebin.com. It would also help to see the maillog
entries for that queue ID.
There are multiple ways to block this based on the email headers.
We aren't even sure what domain to check the SPF record for without any
headers.
You should consider setting these values in MailScanner.conf if not
already to help with troubleshooting:
    Add Envelope From Header = yes
    Detailed Spam Report = yes
    Include Scores In SpamAssassin Report = yes
    Always Include SpamAssassin Report = yes
    Spam Score = yes
These must be on based on what information you provided but make sure:
    Spam Checks = yes
    Use SpamAssassin = yes
> My SPF is already added in Public DNS.
>
Your own SPF setting in DNS will help prevent spoofing to others but
will not necessarily help spoofing to your own mail server running
MailScanner/SpamAssassin depending on your mail flow setup. For
example, does outbound mail flow for your domain go through this same
mail server unauthenticated from an internal mail server? Does an
internal mail server smarthost to or run locally on this MailScanner
instance?
If your outbound mail does not go through this MailScanner instance,
then you have options like this in your /etc/mail/spamassassin/local.cf
or /etc/mail/spamassassin/mailscanner.cf:
    blacklist_from *@yourdomain.com
It appears that your outbound mail does flow through this MailScanner
box based on the "score SPF_FAIL 15.0" so the entry above would block
legit email just like the "score SPF_FAIL 15.0" entry.
You might be able to add this to the /etc/mail/spamassassin/local.cf or
/etc/mail/spamassassin/mailscanner.cf:
    whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
where the "ip.add.re.ss" is the internal IP address of your mail server.
Note this is not ideal since you will no longer be filtering outbound
email.
NOTE: this would only be temporary until a better solution is determined
after seeing the email headers of a spoofed email and knowing more about
the mail flow.
> Please, any solution to block invalid SPF record address in my
> MailScanner/SpamAssassin.
>
Please provide more detail. Mail filtering is very complex so we can't
help without details.
- original email lightly redacted posted to pastebin.com
- what is the MTA?
- what RBLs are configured in the MTA?
- version of MailScanner
- version of SpamAssassin
> Because I have seen the spoof address with no SPF record are passing
> through MailScanner.
>
This may be more of a question for the SpamAssassin Users mailing list
if MailScanner is properly using SpamAssassin.
--
David Jones
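
The triage the reply asks for (headers of a spoofed message, checked against the known mail flow) can be sketched as below. This is an added example, not part of the original post and not MailScanner or SpamAssassin code. It assumes the topmost Received header was written by your own MTA and that Return-Path carries the envelope sender; the domain, IP addresses and sample messages are constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Bracketed client IP as written by the receiving MTA, e.g. "(unknown [192.0.2.7])"
_RCVD_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def domain_of(header_value):
    """Lower-cased domain of an address header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def handoff_ip(msg):
    """Client IP from the topmost Received only; older ones are sender-controlled."""
    rcvd = msg.get_all("Received", [])
    m = _RCVD_IP.search(rcvd[0]) if rcvd else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def classify(raw, local_domain, trusted_nets):
    """Return 'not-local-sender', 'trusted-relay' or 'spoof-suspect'."""
    msg = message_from_string(raw)
    senders = {domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))}
    if local_domain.lower() not in senders:
        return "not-local-sender"
    ip = handoff_ip(msg)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    if ip is not None and any(ip in n for n in nets):
        return "trusted-relay"      # same idea as whitelist_from_rcvd
    return "spoof-suspect"          # own domain, but not from our own server

def _sample(sender, client_ip):
    """Build a constructed test message (not a real capture)."""
    return (f"Return-Path: <{sender}>\n"
            f"Received: from relay.invalid (unknown [{client_ip}])\n"
            "\tby mx.example.org with ESMTP id CONSTRUCTED1;"
            " Sun, 5 May 2019 13:00:00 +0000\n"
            f"From: {sender}\nTo: staff@example.org\nSubject: test\n\nbody\n")

SPOOFED = _sample("ceo@example.org", "203.0.113.9")
LEGIT = _sample("ceo@example.org", "10.0.0.5")
OUTSIDE = _sample("someone@example.net", "203.0.113.9")

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("OUTSIDE", OUTSIDE)):
        print(name, classify(raw, "example.org", ["10.0.0.5/32"]))
```
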