Email Spoofing Block Help with SPF in Mailscanner

Martin Hepworth maxsec at gmail.com
Sun May 5 15:47:54 UTC 2019


That was a question, not an instruction. Whitelisting your own domain is a
common configuration error and will make sure spoofed emails allegedly from
your own domain get through.

Martin

On Sun, 5 May 2019 at 14:45, David Jones via MailScanner <
mailscanner at lists.mailscanner.info> wrote:

> Never, ever, ever whitelist either in MailScanner or SpamAssassin any
> domains that your MTA is configured to accept.  This will definitely let
> spoofed emails through.
>
> > On Sat, 4 May 2019 at 20:38, <bilal.ahmed at kfueit.edu.pk
> > <mailto:bilal.ahmed at kfueit.edu.pk>> wrote:
> >
> >     Kindly, I need help: someone is spoofing the address of my domain and
> >     forwarding email to my own domain.
> >
>
> We need an example email with headers lightly redacted posted to
> someplace like pastebin.com.  It would also help to see the maillog
> entries for that queue ID.
>
> There are multiple ways to block this based on the email headers.
>
> We aren't even sure what domain to check the SPF record for without any
> headers.
>
> You should consider setting these values in MailScanner.conf if not
> already to help with troubleshooting:
>
> Add Envelope From Header = yes
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
> Always Include SpamAssassin Report = yes
> Spam Score = yes
>
> These must be on based on what information you provided but make sure:
> Spam Checks = yes
> Use SpamAssassin = yes
>
> >     My SPF is already added in Public DNS.
> >
>
> Your own SPF setting in DNS will help prevent spoofing to others but
> will not necessarily help spoofing to your own mail server running
> MailScanner/SpamAssassin depending on your mail flow setup.  For
> example, does outbound mail flow for your domain go through this same
> mail server unauthenticated from an internal mail server?  Does an
> internal mail server smarthost to or run locally on this MailScanner
> instance?
>
> If your outbound mail does not go through this MailScanner instance,
> then you have options like this in your /etc/mail/spamassassin/local.cf
> or /etc/mail/spamassassin/mailscanner.cf:
>
> blacklist_from *@yourdomain.com
>
> It appears that your outbound mail does flow through this MailScanner
> box based on the "score SPF_FAIL 15.0" so the entry above would block
> legit email just like the "score SPF_FAIL 15.0" entry.
>
> You might be able to add this to the /etc/mail/spamassassin/local.cf or
> /etc/mail/spamassassin/mailscanner.cf:
>
> whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
>
> where the "ip.add.re.ss" is the internal IP address of your mail server.
> Note this is not ideal since you will no longer be filtering outbound
> email.
>
> NOTE: this would only be temporary until a better solution is determined
> after seeing the email headers of a spoofed email and knowing more about
> the mail flow.
>
> >
> >     Please, any solution to block invalid SPF record addresses in my
> >     MailScanner/SpamAssassin.
> >
>
> Please provide more detail.  Mail filtering is very complex so we can't
> help without details.
>
> - original email lightly redacted posted to pastebin.com
> - what is the MTA?
> - what RBLs are configured in the MTA?
> - version of MailScanner
> - version of SpamAssassin
>
> >     Because I have seen that spoofed addresses with no SPF record are passing
> >     through MailScanner.
> >
>
> This may be more of a question for the SpamAssassin Users mailing list
> if MailScanner is properly using SpamAssassin.
>
> --
> David Jones
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
-- 
Martin Hepworth, CISSP
Oxford, UK
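The thread's two practical points are that a `whitelist_from` for a domain the MTA accepts for lets spoofed mail straight through, while `whitelist_from_rcvd` tied to the internal relay (or a `blacklist_from` / `score SPF_FAIL` override) is only safe depending on the outbound mail flow. The following script is an added example, not code from the thread or from the MailScanner or SpamAssassin projects: it audits a SpamAssassin `local.cf`-style text for exactly those entries. The sample config, the local domain set and the `192.0.2.10` relay address are constructed values for the demonstration.

```python
# Constructed sample of a SpamAssassin local.cf (not any real site's config)
# containing the kinds of entries discussed in the thread.
SAMPLE_LOCAL_CF = """\
# constructed sample, not a real site's config
whitelist_from *@yourdomain.com            # the common mistake
whitelist_from_rcvd *@yourdomain.com [192.0.2.10]
blacklist_from *@yourdomain.com
score SPF_FAIL 15.0
whitelist_from friend@example.net
"""

# Domains this MTA accepts mail for (assumed value for the example).
LOCAL_DOMAINS = {"yourdomain.com"}


def domain_of(addr_pattern):
    """Domain part of an address or glob such as *@yourdomain.com."""
    return addr_pattern.rsplit("@", 1)[-1].lower().strip()


def audit_sa_config(text, local_domains):
    """Scan SpamAssassin config text for entries that affect locally accepted
    domains; return a list of (line_number, severity, message) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        directive, *args = line.split()
        if directive == "whitelist_from" and args:
            if domain_of(args[0]) in local_domains:
                findings.append((lineno, "high",
                    f"{args[0]} is whitelisted but {domain_of(args[0])} is a local "
                    "domain: spoofed mail claiming to be from it bypasses scoring"))
        elif directive == "whitelist_from_rcvd" and len(args) >= 2:
            if domain_of(args[0]) in local_domains:
                findings.append((lineno, "info",
                    f"{args[0]} trusted only when relayed via {args[1]}; "
                    "outbound mail from that host is no longer filtered"))
        elif directive == "blacklist_from" and args:
            if domain_of(args[0]) in local_domains:
                findings.append((lineno, "review",
                    f"{args[0]} is blacklisted: safe only if outbound mail for "
                    f"{domain_of(args[0])} never passes through this scanner"))
        elif directive == "score" and len(args) >= 2 and args[0] == "SPF_FAIL":
            findings.append((lineno, "review",
                f"SPF_FAIL scored {args[1]}: also hits legitimate internal senders "
                "if outbound mail relays through this box unauthenticated"))
    return findings


def allows_local_spoofing(findings):
    """True when any finding is severe enough to let spoofed local mail through."""
    return any(sev == "high" for _, sev, _ in findings)


if __name__ == "__main__":
    results = audit_sa_config(SAMPLE_LOCAL_CF, LOCAL_DOMAINS)
    for lineno, sev, msg in results:
        print(f"line {lineno} [{sev}] {msg}")
    print("spoofing of local domains possible:", allows_local_spoofing(results))
```

Run it against your own `local.cf` or `mailscanner.cf` with the set of domains your MTA accepts; any "high" finding is the mistake Martin and David describe, while the "review" entries are the ones whose safety depends on whether outbound mail passes through the same scanner.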