Email SPoofing Block Help with SPF in Mailscanner

yuwang yuwang at cs.fsu.edu
Mon May 6 21:13:19 UTC 2019


I have a similar setup: mail servers have internal IPs for the local 
network and public IPs for external. Here is how I resolved SPF 
checking:

We have internal DNS servers that host internal DNS records (hostnames 
and IPs, etc). I created TXT records on our internal DNS servers for our 
mail SPF record and listed all our mail servers' internal IPs. I also set 
up DMARC and DKIM records.

If your DNS servers also serve queries from outside, you will need to 
use split DNS.

Hope this helps.

James


On 2019-05-06 11:25, bilal.ahmed at kfueit.edu.pk wrote:
> Dear Experts,
> 
> First of all thanks for your advice, exactly you people are right
> that I whitelist all my domain it lets the spammers forge email
> address with my domain email address to get pass through.
> 
> My MTA is Postfix, IMAP Server is Cyrus, Postfix Version: 3.1.0,
> MailScanner Version: 5.0.7, SpamAssassin Version: 3.4.1
> 
> My scenario is that my email server is hosted internally in a private IP
> address range. My TXT record at public DNS is for my public faced IP
> address.
> 
> Issue is that when I send email to Gmail, Yahoo, Hotmail etc. my SPF is
> valid as shown at their received email headers. SPF is valid checked
> at MXTOOLS as well.
> 
> But my own MailScanner says SPF fails, maybe because email server IP
> is private and TXT record is for mail server public faced IP.
> 
> I am doing all this SPF check to get rid of spoofed emails that using
> my domain address so I have whitelisted my internal network and
> host:mydomain
> 
> How to get rid of this SPF fail on my own mailscanner so that my own
> emails not get high score ?
> 
> Any other solution to prevent Email spoofing ?
> 
> BILAL AHMAD
> 
> Network Administrator
> 
> Cell: +92 333 7451870  |  Tel: +92 68 5882400  |  Ext. 2499
> 
> www.kfueit.edu.pk
> 
> FROM: MailScanner
> <mailscanner-bounces+bilal.ahmed=kfueit.edu.pk at lists.mailscanner.info>
> ON BEHALF OF David Jones via MailScanner
> SENT: Monday, 6 May 2019 10:39 AM
> TO: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> CC: David Jones <djones at ena.com>
> SUBJECT: Re: Email SPoofing Block Help with SPF in Mailscanner
> 
> Martin,
> 
> I knew you wouldn't have done that which is why I removed your name
> from the top of the reply.  My response was for the OP and others that
> might have done that.  :)
> 
> Dave
> 
> -------------------------
> 
> FROM: MailScanner
> <mailscanner-bounces+djones=ena.com at lists.mailscanner.info> on behalf
> of Martin Hepworth <maxsec at gmail.com>
> SENT: Sunday, May 5, 2019 10:47 AM
> TO: MailScanner Discussion
> SUBJECT: Re: Email SPoofing Block Help with SPF in Mailscanner
> 
> Was a question not an instruction, the whitelist of your own domain is
> a common configuration error and will make sure spoofed emails
> allegedly from your own domain will get through.
> 
> Martin
> 
> On Sun, 5 May 2019 at 14:45, David Jones via MailScanner
> <mailscanner at lists.mailscanner.info> wrote:
> 
>> Never, ever, ever whitelist either in MailScanner or SpamAssassin any
>> domains that your MTA is configured to accept.  This will definitely let
>> spoofed emails through.
>> 
>>> On Sat, 4 May 2019 at 20:38, <bilal.ahmed at kfueit.edu.pk> wrote:
>>> 
>>> Kindly I need a help someone is spoofing address of my domain and
>>> forwarding email to my own domain.
>>> 
>> 
>> We need an example email with headers lightly redacted posted to
>> someplace like pastebin.com [1].  It would also help to see the maillog
>> entries for that queue ID.
>> 
>> There are multiple ways to block this based on the email headers.
>> 
>> We aren't even sure what domain to check the SPF record for without any
>> headers.
>> 
>> You should consider setting these values in MailScanner.conf if not
>> already to help with troubleshooting:
>> 
>> Add Envelope From Header = yes
>> Detailed Spam Report = yes
>> Include Scores In SpamAssassin Report = yes
>> Always Include SpamAssassin Report = yes
>> Spam Score = yes
>> 
>> These must be on based on what information you provided but make sure:
>> Spam Checks = yes
>> Use SpamAssassin = yes
>> 
>>> My SPF is already added in Public DNS.
>>> 
>> 
>> Your own SPF setting in DNS will help prevent spoofing to others but
>> will not necessarily help spoofing to your own mail server running
>> MailScanner/SpamAssassin depending on your mail flow setup.  For
>> example, does outbound mail flow for your domain go through this same
>> mail server unauthenticated from an internal mail server?  Does an
>> internal mail server smarthost to or run locally on this MailScanner
>> instance?
>> 
>> If your outbound mail does not go through this MailScanner instance,
>> then you have options like this in your
>> /etc/mail/spamassassin/local.cf [2]
>> or /etc/mail/spamassassin/mailscanner.cf [3]:
>> 
>> blacklist_from *@yourdomain.com [4]
>> 
>> It appears that your outbound mail does flow through this MailScanner
>> box based on the "score SPF_FAIL 15.0" so the entry above would block
>> legit email just like the "score SPF_FAIL 15.0" entry.
>> 
>> You might be able to add this to the /etc/mail/spamassassin/local.cf [2] or
>> /etc/mail/spamassassin/mailscanner.cf [3]:
>> 
>> whitelist_from_rcvd *@yourdomain.com [4] [ip.add.re.ss]
>> 
>> where the "ip.add.re.ss" is the internal IP address of your mail server.
>> Note this is not ideal since you will no longer be filtering outbound
>> email.
>> 
>> NOTE: this would only be temporary until a better solution is determined
>> after seeing the email headers of a spoofed email and knowing more about
>> the mail flow.
>> 
>>> Please Any solution to block invalid SPF record address in my
>>> MailScanner/SpamAssassin.
>>> 
>> 
>> Please provide more detail.  Mail filtering is very complex so we can't
>> help without details.
>> 
>> - original email lightly redacted posted to pastebin.com [1]
>> - what is the MTA?
>> - what RBLs are configured in the MTA?
>> - version of MailScanner
>> - version of SpamAssassin
>> 
>>> Because I have seen the spoof address with no SPF record are passing
>>> through MailScanner.
>>> 
>> 
>> This may be more of a question for the SpamAssassin Users mailing list
>> if MailScanner is properly using SpamAssassin.
>> 
>> --
>> David Jones
>> 
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> --
> 
> --
> Martin Hepworth, CISSP
> Oxford, UK
> 
> Links:
> ------
> [1] http://pastebin.com
> [2] http://local.cf
> [3] http://mailscanner.cf
> [4] http://yourdomain.com

