Email SPoofing Block Help with SPF in Mailscanner

Peter H. Lemieux mailscanner at replies.cyways.com
Mon May 6 17:34:05 UTC 2019


If the purpose is simply to stop mail arriving from outside your network 
using your domain in the From:, I agree with Kevin that adding rules to 
Postfix would be a better choice.  I generally deny all mail from 
outside sources that has my domain in the From field.  I use sendmail, 
so I just have an entry in /etc/mail/access with

example.com          REJECT

In postfix you'd probably want to add rulesets for 
smtpd_client_restrictions and smtpd_sender_restrictions.

Peter

On 5/6/19 1:09 PM, Kevin Miller wrote:
> Assuming that you have access to your postfix server, I’d block SPF 
> there rather than in spamassassin.  Maybe consider installing 
> postfix-policyd-spf-python.  Any domains that are configured to 
> hard-fail will be dealt with there, saving processing time.  A soft fail 
> will be passed through to normal spam filtering.  If you wish to use spf 
> in conjunction with spamassassin you’ll still have that flexibility.  
> Since your domain is set to hard-fail, those spoofed messages will never 
> see the light of day.
> 
> ...Kevin
> 
> --
> 
> Kevin Miller
> 
> Network/email Administrator, CBJ MIS Dept.
> 
> 155 South Seward Street
> 
> Juneau, Alaska 99801
> 
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
> 
> *From:* MailScanner 
> <mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info> *On 
> Behalf Of *bilal.ahmed at kfueit.edu.pk
> *Sent:* Monday, May 06, 2019 7:26 AM
> *To:* 'MailScanner Discussion' <mailscanner at lists.mailscanner.info>
> *Subject:* RE: Email SPoofing Block Help with SPF in Mailscanner
> 
> Dear Experts,
> 
> First of all, thanks for your advice. You people are exactly right that 
> I whitelist all my domain; it lets the spammers forge email addresses with 
> my domain email address to get passed through.
> 
> My MTA is Postfix, IMAP server is Cyrus. Postfix Version: 3.1.0, 
> MailScanner Version: 5.0.7, SpamAssassin Version: 3.4.1
> 
> My scenario is that my email server is hosted internally in a private IP 
> address range. My TXT record in public DNS is for my public-facing IP 
> address.
> 
> The issue is that when I send email to GMAIL, Yahoo, Hotmail etc., my SPF is 
> valid as shown in their received email headers. SPF is valid when checked at 
> MXTOOLS as well.
> 
> But my own MailScanner says SPF fails, maybe because the email server IP is 
> private and the TXT record is for the mail server's public-facing IP.
> 
> I am doing all this SPF checking to get rid of spoofed emails that use my 
> domain address, so I have whitelisted my internal network and host:mydomain
> 
> How do I get rid of this SPF fail on my own MailScanner so that my own 
> emails do not get a high score?
> 
> Any other solution to prevent email spoofing?
> 
> *Bilal Ahmad*
> 
> Network Administrator
> 
> Cell: +92 333 7451870 |  Tel: +92 68 5882400 |  Ext. 2499
> 
> www.kfueit.edu.pk
> 
> *From:* MailScanner 
> <mailscanner-bounces+bilal.ahmed=kfueit.edu.pk at lists.mailscanner.info> 
> *On Behalf Of *David Jones via MailScanner
> *Sent:* Monday, 6 May 2019 10:39 AM
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Cc:* David Jones <djones at ena.com>
> *Subject:* Re: Email SPoofing Block Help with SPF in Mailscanner
> 
> Martin,
> 
> I knew you wouldn't have done that which is why I removed your name from 
> the top of the reply.  My response was for the OP and others that might 
> have done that.  :)
> 
> Dave
> 
> ------------------------------------------------------------------------
> 
> *From:* MailScanner 
> <mailscanner-bounces+djones=ena.com at lists.mailscanner.info> on 
> behalf of Martin Hepworth <maxsec at gmail.com>
> *Sent:* Sunday, May 5, 2019 10:47 AM
> *To:* MailScanner Discussion
> *Subject:* Re: Email SPoofing Block Help with SPF in Mailscanner
> 
> Was a question not an instruction, the whitelist of your own domain is a 
> common configuration error and will make sure spoofed emails allegedly 
> from your own domain will get through.
> 
> Martin
> 
> On Sun, 5 May 2019 at 14:45, David Jones via MailScanner 
> <mailscanner at lists.mailscanner.info> wrote:
> 
>     Never, ever, ever whitelist either in MailScanner or SpamAssassin any
>     domains that your MTA is configured to accept.  This will definitely
>     let spoofed emails through.
> 
>      > On Sat, 4 May 2019 at 20:38, <bilal.ahmed at kfueit.edu.pk> wrote:
>      >
>      >     Kindly, I need help: someone is spoofing an address of my domain and
>      >     forwarding email to my own domain.
>      >
> 
>     We need an example email with headers lightly redacted posted to
>     someplace like pastebin.com.  It would also help to see the maillog
>     entries for that queue ID.
> 
>     There are multiple ways to block this based on the email headers.
> 
>     We aren't even sure what domain to check the SPF record for without any
>     headers.
> 
>     You should consider setting these values in MailScanner.conf if not
>     already to help with troubleshooting:
> 
>     Add Envelope From Header = yes
>     Detailed Spam Report = yes
>     Include Scores In SpamAssassin Report = yes
>     Always Include SpamAssassin Report = yes
>     Spam Score = yes
> 
>     These must be on based on what information you provided but make sure:
>     Spam Checks = yes
>     Use SpamAssassin = yes
> 
>      >     My SPF is already added in Public DNS.
>      >
> 
>     Your own SPF setting in DNS will help prevent spoofing to others but
>     will not necessarily help spoofing to your own mail server running
>     MailScanner/SpamAssassin depending on your mail flow setup.  For
>     example, does outbound mail flow for your domain go through this same
>     mail server unauthenticated from an internal mail server?  Does an
>     internal mail server smarthost to or run locally on this MailScanner
>     instance?
> 
>     If your outbound mail does not go through this MailScanner instance,
>     then you have options like this in your
>     /etc/mail/spamassassin/local.cf
>     or /etc/mail/spamassassin/mailscanner.cf:
> 
>     blacklist_from *@yourdomain.com
> 
>     It appears that your outbound mail does flow through this MailScanner
>     box based on the "score SPF_FAIL 15.0" so the entry above would block
>     legit email just like the "score SPF_FAIL 15.0" entry.
> 
>     You might be able to add this to the /etc/mail/spamassassin/local.cf
>     or /etc/mail/spamassassin/mailscanner.cf:
> 
>     whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
> 
>     where the "ip.add.re.ss" is the internal IP address of your mail
>     server.  Note this is not ideal since you will no longer be filtering
>     outbound email.
> 
>     NOTE: this would only be temporary until a better solution is
>     determined after seeing the email headers of a spoofed email and
>     knowing more about the mail flow.
> 
>      >     Please, any solution to block invalid SPF record addresses in my
>      >     MailScanner/SpamAssassin?
>      >
> 
>     Please provide more detail.  Mail filtering is very complex so we can't
>     help without details.
> 
>     - original email lightly redacted posted to pastebin.com
>     - what is the MTA?
>     - what RBLs are configured in the MTA?
>     - version of MailScanner
>     - version of SpamAssassin
> 
>      >     Because I have seen that spoofed addresses with no SPF record are
>      >     passing through MailScanner.
>      >
> 
>     This may be more of a question for the SpamAssassin Users mailing list
>     if MailScanner is properly using SpamAssassin.
> 
>     -- 
>     David Jones
> 
> 
> 
> -- 
> 
> -- 
> Martin Hepworth, CISSP
> Oxford, UK
> 
> 
> 
> 
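
An added example, not part of the original thread or any poster's configuration: one way to write the Postfix restriction suggested at the top of this message, so that the internal mail server is trusted by network address (not by a domain whitelist) and every other client claiming the local domain is refused before SPF or SpamAssassin runs. The domain `example.com`, the range `10.1.2.0/24` and the map path `/etc/postfix/sender_access` are placeholders.

```conf
# /etc/postfix/main.cf  (added example; values below are placeholders)

# Hosts trusted to submit mail as the local domain without authentication.
# List the internal mail server's private range here; these clients never
# match the public SPF record, so they must be exempted by address.
mynetworks = 127.0.0.0/8 10.1.2.0/24

# Restrictions are evaluated in order and the first decisive result wins.
# Trusted networks and authenticated users are accepted before the sender
# table is consulted, so the REJECT below only applies to outside clients.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access

# /etc/postfix/sender_access
# Run "postmap /etc/postfix/sender_access" after every edit, then
# "postfix reload".
example.com     REJECT Mail from example.com is not accepted from outside hosts
```

`check_sender_access` matches the envelope sender (MAIL FROM), not the `From:` header, so a message with a foreign envelope sender and a forged `From:` header still reaches the content filter. Mail that legitimately arrives from outside with the local domain as envelope sender, such as forwarders or hosted services sending on the domain's behalf, is rejected by this table as well.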

