Email SPoofing Block Help with SPF in Mailscanner

bilal.ahmed at kfueit.edu.pk bilal.ahmed at kfueit.edu.pk
Mon May 6 15:25:31 UTC 2019


Dear Experts,

First of all, thanks for your advice. You people are exactly right that when
I whitelist all of my domain, it lets the spammers forge email addresses with
my domain's email address to get through.

My MTA is Postfix, IMAP server is Cyrus. Postfix Version: 3.1.0,
MailScanner Version: 5.0.7, SpamAssassin Version: 3.4.1

My scenario is that my email server is hosted internally in a private IP
address range. My TXT record in public DNS is for my public-facing IP
address.

The issue is that when I send email to Gmail, Yahoo, Hotmail etc., my SPF is
valid as shown in their received email headers. SPF is valid when checked at
MXTOOLS as well.

But my own MailScanner says SPF fails, maybe because the email server IP is
private and the TXT record is for the mail server's public-facing IP.

I am doing all this SPF checking to get rid of spoofed emails that are using
my domain address, so I have whitelisted my internal network and host:mydomain

How do I get rid of this SPF fail on my own MailScanner so that my own emails
do not get a high score?

Is there any other solution to prevent email spoofing?

Bilal Ahmad

Network Administrator

Cell: +92 333 7451870  |  Tel: +92 68 5882400  |  Ext. 2499

www.kfueit.edu.pk

From: MailScanner
<mailscanner-bounces+bilal.ahmed=kfueit.edu.pk at lists.mailscanner.info> On
Behalf Of David Jones via MailScanner
Sent: Monday, 6 May 2019 10:39 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: David Jones <djones at ena.com>
Subject: Re: Email SPoofing Block Help with SPF in Mailscanner

Martin,

I knew you wouldn't have done that, which is why I removed your name from the
top of the reply.  My response was for the OP and others that might have
done that.  :)

Dave

  _____

From: MailScanner <mailscanner-bounces+djones=ena.com at lists.mailscanner.info>
on behalf of Martin Hepworth <maxsec at gmail.com>
Sent: Sunday, May 5, 2019 10:47 AM
To: MailScanner Discussion
Subject: Re: Email SPoofing Block Help with SPF in Mailscanner

It was a question, not an instruction. The whitelist of your own domain is a
common configuration error and will make sure spoofed emails allegedly from
your own domain get through.

Martin

On Sun, 5 May 2019 at 14:45, David Jones via MailScanner
<mailscanner at lists.mailscanner.info> wrote:

Never, ever, ever whitelist either in MailScanner or SpamAssassin any 
domains that your MTA is configured to accept.  This will definitely let 
spoofed emails through.

> On Sat, 4 May 2019 at 20:38, <bilal.ahmed at kfueit.edu.pk> wrote:
> 
>     Kindly, I need help: someone is spoofing an address of my domain and
>     forwarding email to my own domain.
> 

We need an example email with headers lightly redacted posted to 
someplace like pastebin.com.  It would also help to see the maillog 
entries for that queue ID.

There are multiple ways to block this based on the email headers.

We aren't even sure what domain to check the SPF record for without any 
headers.

You should consider setting these values in MailScanner.conf if not 
already to help with troubleshooting:

Add Envelope From Header = yes
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score = yes

These must be on based on what information you provided but make sure:
Spam Checks = yes
Use SpamAssassin = yes

>     My SPF is already added in Public DNS.
> 

Your own SPF setting in DNS will help prevent spoofing to others but 
will not necessarily help spoofing to your own mail server running 
MailScanner/SpamAssassin depending on your mail flow setup.  For 
example, does outbound mail flow for your domain go through this same 
mail server unauthenticated from an internal mail server?  Does an 
internal mail server smarthost to or run locally on this MailScanner 
instance?

If your outbound mail does not go through this MailScanner instance, 
then you have options like this in your /etc/mail/spamassassin/local.cf 
or /etc/mail/spamassassin/mailscanner.cf:

blacklist_from *@yourdomain.com

It appears that your outbound mail does flow through this MailScanner 
box based on the "score SPF_FAIL 15.0" so the entry above would block 
legit email just like the "score SPF_FAIL 15.0" entry.

You might be able to add this to the /etc/mail/spamassassin/local.cf or 
/etc/mail/spamassassin/mailscanner.cf:

whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]

where the "ip.add.re.ss" is the internal IP address of your mail server. 
  Note this is not ideal since you will no longer be filtering outbound 
email.

NOTE: this would only be temporary until a better solution is determined 
after seeing the email headers of a spoofed email and knowing more about 
the mail flow.

>     Please, any solution to block invalid SPF record address in my
>     MailScanner/SpamAssassin.
> 

Please provide more detail.  Mail filtering is very complex so we can't 
help without details.

- original email lightly redacted posted to pastebin.com
- what is the MTA?
- what RBLs are configured in the MTA?
- version of MailScanner
- version of SpamAssassin

>     Because I have seen the spoofed addresses with no SPF record are passing
>     through MailScanner.
> 

This may be more of a question for the SpamAssassin Users mailing list 
if MailScanner is properly using SpamAssassin.

-- 
David Jones


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

-- 
Martin Hepworth, CISSP
Oxford, UK
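
Added example (not part of the original thread, and not MailScanner or SpamAssassin code): a small Python model of why the same SPF record passes at Gmail but fails on the internal scanner, and why whitelist_from admits a forged sender while the bracketed-IP form of whitelist_from_rcvd does not. The record, the IP addresses, example.edu and all function names are constructed assumptions; only ip4 and all mechanisms are evaluated.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed values (documentation ranges), not the poster's real record or IPs.
SPF_RECORD = "v=spf1 ip4:203.0.113.25 -all"
PUBLIC_IP = "203.0.113.25"    # NAT address that Gmail, Yahoo etc. see
INTERNAL_IP = "10.0.0.25"     # private address the local scanner sees
SPOOFER_IP = "198.51.100.77"  # outside host forging the domain
SENDER = "user@example.edu"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip4_result(record, client_ip):
    """Evaluate only the ip4 and all mechanisms of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "ip4" and arg:
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name.lower() == "all":
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched

def whitelist_from(sender, pattern):
    """Address-only match: the relay is never consulted."""
    return fnmatchcase(sender.lower(), pattern.lower())

def whitelist_from_rcvd(sender, relay_ip, pattern, bracketed_ip):
    """Simplified model of the bracketed-IP form: address and relay must both match."""
    return whitelist_from(sender, pattern) and relay_ip == bracketed_ip

def scenarios():
    pat = "*@example.edu"
    return {
        "spf_at_gmail": spf_ip4_result(SPF_RECORD, PUBLIC_IP),
        "spf_at_own_scanner": spf_ip4_result(SPF_RECORD, INTERNAL_IP),
        "spf_for_spoofer": spf_ip4_result(SPF_RECORD, SPOOFER_IP),
        "spoofer_passes_whitelist_from": whitelist_from(SENDER, pat),
        "spoofer_passes_whitelist_from_rcvd": whitelist_from_rcvd(SENDER, SPOOFER_IP, pat, INTERNAL_IP),
        "own_server_passes_whitelist_from_rcvd": whitelist_from_rcvd(SENDER, INTERNAL_IP, pat, INTERNAL_IP),
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```
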
