Email SPoofing Block Help with SPF in Mailscanner
Peter H. Lemieux
mailscanner at replies.cyways.com
Mon May 6 17:34:05 UTC 2019
If the purpose is simply to stop mail arriving from outside your network
using your domain in the From:, I agree with Kevin that adding rules to
Postfix would be a better choice. I generally deny all mail from
outside sources that has my domain in the From field. I use sendmail,
so I just have an entry in /etc/mail/access with

    example.com REJECT

In postfix you'd probably want to add rulesets for
smtpd_client_restrictions and smtpd_sender_restrictions.

Peter

On 5/6/19 1:09 PM, Kevin Miller wrote:
> Assuming that you have access to your postfix server, I’d block SPF
> there rather than in spamassassin. Maybe consider installing
> postfix-policyd-spf-python. Any domains that are configured to
> hard-fail will be dealt with there, saving processing time. A soft fail
> will be passed through to normal spam filtering. If you wish to use spf
> in conjunction with spamassassin you’ll still have that flexibility.
> Since your domain is set to hard-fail, those spoofed messages will never
> see the light of day.
>
> ...Kevin
>
> --
>
> Kevin Miller
>
> Network/email Administrator, CBJ MIS Dept.
>
> 155 South Seward Street
>
> Juneau, Alaska 99801
>
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
> *From:* MailScanner
> <mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info> *On
> Behalf Of *bilal.ahmed at kfueit.edu.pk
> *Sent:* Monday, May 06, 2019 7:26 AM
> *To:* 'MailScanner Discussion' <mailscanner at lists.mailscanner.info>
> *Subject:* RE: Email SPoofing Block Help with SPF in Mailscanner
>
> Dear Experts,
>
> First of all, thanks for your advice. You people are exactly right that
> whitelisting all of my domain lets the spammers forge email addresses
> at my domain to get through.
>
> My MTA is Postfix, IMAP server is Cyrus. Postfix version: 3.1.0,
> MailScanner version: 5.0.7, SpamAssassin version: 3.4.1
>
> My scenario is that my email server is hosted internally in a private IP
> address range. My TXT record in public DNS is for my public-facing IP
> address.
>
> The issue is that when I send email to GMAIL, Yahoo, Hotmail etc. my SPF is
> valid, as shown in their received email headers. SPF is checked as valid at
> MXTOOLS as well.
>
> But my own MailScanner says SPF fails, maybe because the email server IP is
> private and the TXT record is for the mail server's public-facing IP.
>
> I am doing all this SPF checking to get rid of spoofed emails that use my
> domain address, so I have whitelisted my internal network and host:mydomain
>
> How do I get rid of this SPF fail on my own MailScanner so that my own
> emails do not get a high score?
>
> Any other solution to prevent email spoofing?
>
> *Bilal Ahmad*
>
> Network Administrator
>
> Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
>
> www.kfueit.edu.pk <http://www.kfueit.edu.pk>
>
> *From:* MailScanner
> <mailscanner-bounces+bilal.ahmed=kfueit.edu.pk at lists.mailscanner.info>
> *On Behalf Of *David Jones via MailScanner
> *Sent:* Monday, 6 May 2019 10:39 AM
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Cc:* David Jones <djones at ena.com>
> *Subject:* Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Martin,
>
> I knew you wouldn't have done that which is why I removed your name from
> the top of the reply. My response was for the OP and others that might
> have done that. :)
>
> Dave
>
> ------------------------------------------------------------------------
>
> *From:* MailScanner
> <mailscanner-bounces+djones=ena.com at lists.mailscanner.info> on
> behalf of Martin Hepworth <maxsec at gmail.com>
> *Sent:* Sunday, May 5, 2019 10:47 AM
> *To:* MailScanner Discussion
> *Subject:* Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Was a question not an instruction, the whitelist of your own domain is a
> common configuration error and will make sure spoofed emails allegedly
> from your own domain will get through.
>
> Martin
>
> On Sun, 5 May 2019 at 14:45, David Jones via MailScanner
> <mailscanner at lists.mailscanner.info> wrote:
>
> Never, ever, ever whitelist either in MailScanner or SpamAssassin any
> domains that your MTA is configured to accept. This will definitely let
> spoofed emails through.
>
> > On Sat, 4 May 2019 at 20:38, <bilal.ahmed at kfueit.edu.pk> wrote:
> >
> > Kindly I need a help someone is spoofing address of my domain and
> > forwarding email to my own domain.
> >
>
> We need an example email with headers lightly redacted posted to
> someplace like pastebin.com. It would also help to see the maillog
> entries for that queue ID.
>
> There are multiple ways to block this based on the email headers.
>
> We aren't even sure what domain to check the SPF record for without any
> headers.
>
> You should consider setting these values in MailScanner.conf if not
> already to help with troubleshooting:
>
> Add Envelope From Header = yes
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
> Always Include SpamAssassin Report = yes
> Spam Score = yes
>
> These must be on based on what information you provided but make sure:
> Spam Checks = yes
> Use SpamAssassin = yes
>
> > My SPF is already added in Public DNS.
> >
>
> Your own SPF setting in DNS will help prevent spoofing to others but
> will not necessarily help spoofing to your own mail server running
> MailScanner/SpamAssassin depending on your mail flow setup. For
> example, does outbound mail flow for your domain go through this same
> mail server unauthenticated from an internal mail server? Does an
> internal mail server smarthost to or run locally on this MailScanner
> instance?
>
> If your outbound mail does not go through this MailScanner instance,
> then you have options like this in your /etc/mail/spamassassin/local.cf
> or /etc/mail/spamassassin/mailscanner.cf:
>
> blacklist_from *@yourdomain.com
>
> It appears that your outbound mail does flow through this MailScanner
> box based on the "score SPF_FAIL 15.0" so the entry above would block
> legit email just like the "score SPF_FAIL 15.0" entry.
>
> You might be able to add this to the /etc/mail/spamassassin/local.cf or
> /etc/mail/spamassassin/mailscanner.cf:
>
> whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
>
> where the "ip.add.re.ss" is the internal IP address of your mail server.
> Note this is not ideal since you will no longer be filtering outbound
> email.
>
> NOTE: this would only be temporary until a better solution is determined
> after seeing the email headers of a spoofed email and knowing more about
> the mail flow.
>
> > Please, any solution to block invalid SPF record address in my
> > MailScanner/SpamAssassin.
> >
>
> Please provide more detail. Mail filtering is very complex so we can't
> help without details.
>
> - original email lightly redacted posted to pastebin.com
> - what is the MTA?
> - what RBLs are configured in the MTA?
> - version of MailScanner
> - version of SpamAssassin
>
> > Because I have seen the spoof addresses with no SPF record are passing
> > through MailScanner.
> >
>
> This may be more of a question for the SpamAssassin Users mailing list
> if MailScanner is properly using SpamAssassin.
>
> --
> David Jones
>
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
>
>
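
The misconfiguration this thread keeps returning to, a plain whitelist_from that covers a domain the MTA itself accepts mail for, can be checked for mechanically. The following audit sketch is an added example, not part of any poster's message and not MailScanner or SpamAssassin code; the function names, the sample local.cf contents and the 192.0.2.10 relay address are constructed for illustration.

```python
import re

# Constructed sample of a SpamAssassin local.cf; the domains and the
# 192.0.2.10 relay address are placeholders, not values from the thread.
SAMPLE_LOCAL_CF = """\
# local overrides
whitelist_from *@yourdomain.com
whitelist_from_rcvd *@yourdomain.com [192.0.2.10]
whitelist_from newsletter@partner.example Billing@YourDomain.com
blacklist_from *@spam.example
score SPF_FAIL 15.0
"""

def _glob(pattern):
    """Compile a SpamAssassin-style address glob (* and ? only) to a regex."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern)
    return re.compile("".join(parts), re.IGNORECASE)

def covers_domain(pattern, domain):
    """True if the glob could match some sender address at `domain`."""
    _, at, dom_glob = pattern.rpartition("@")
    if at:  # only the domain half decides whether our domain is covered
        return _glob(dom_glob).fullmatch(domain) is not None
    return _glob(pattern).fullmatch("user@" + domain) is not None

def audit_whitelist(conf_text, local_domains):
    """Return (line_no, pattern) for every plain whitelist_from entry that
    covers a domain this server accepts mail for. whitelist_from_rcvd is
    not flagged because it is tied to a specific relay."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].lower() != "whitelist_from":
            continue
        for pattern in fields[1:]:  # several addresses per line are allowed
            if any(covers_domain(pattern, d) for d in local_domains):
                findings.append((line_no, pattern))
    return findings

if __name__ == "__main__":
    for line_no, pattern in audit_whitelist(SAMPLE_LOCAL_CF, ["yourdomain.com"]):
        print(f"line {line_no}: whitelist_from {pattern} covers a local domain")
```

Run it against the real local.cf and mailscanner.cf with the list of domains the MTA accepts; any finding is an entry that lets a forged sender at that domain skip scoring.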