Email SPoofing Block Help with SPF in Mailscanner
David Jones
djones at ena.com
Mon May 6 22:56:22 UTC 2019
On 5/6/19 10:54 AM, Thom van der Boon wrote:
> Dear Bilal,
>
> First upgrade everything to the latest versions.
>
> MailScanner = 5.1.3
> spamassassin = 3.4.2
>
The versions he is running are fine and wouldn't change the situation
enough to solve the core problem.
> One way to get this working
>
> Set up an extra SMTP server on your internal network. Make sure this
> server can not be reached from the internet.
> Whitelist the extra SMTP server in Mailscanner based on its IP address
>
I don't understand the purpose of this recommendation. This could
easily turn out to make things worse.
>
> On 6 May 2019 17:26, bilal.ahmed at kfueit.edu.pk wrote:
>
> Dear Experts,
>
> First of all, thanks for your advice. You people are exactly right
> that I whitelist all my domain; it lets the spammers forge email
> addresses with my domain email address to get passed through.
>
> My MTA is Postfix, the IMAP server is Cyrus. Postfix Version: 3.1.0,
> MailScanner Version: 5.0.7, SpamAssassin Version: 3.4.1
>
> My scenario is that my email server is hosted internally in a private
> IP address range. My TXT record in public DNS is for my public-facing
> IP address.
>
> The issue is that when I send email to Gmail, Yahoo, Hotmail etc. my
> SPF is valid, as shown in their received email headers. SPF is also
> checked as valid at MXTOOLS.
>
> But my own MailScanner says SPF fails, maybe because the email server
> IP is private and the TXT record is for the mail server's public-facing
> IP.
>
> I am doing all this SPF checking to get rid of spoofed emails that are
> using my domain address, so I have whitelisted my internal network
> and host:mydomain
>
> How do I get rid of this SPF fail on my own MailScanner so that my own
> emails do not get a high score?
>
> Any other solution to prevent email spoofing?
>
> *Bilal Ahmad*
>
> Network Administrator
>
> Cell: +92 333 7451870 | Tel: +92 68 5882400 | Ext. 2499
>
> www.kfueit.edu.pk
>
> *From:* MailScanner
> <mailscanner-bounces+bilal.ahmed=kfueit.edu.pk at lists.mailscanner.info>
> *On Behalf Of *David Jones via MailScanner
> *Sent:* Monday, 6 May 2019 10:39 AM
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Cc:* David Jones <djones at ena.com>
> *Subject:* Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Martin,
>
> I knew you wouldn't have done that which is why I removed your name
> from the top of the reply. My response was for the OP and others
> that might have done that. :)
>
> Dave
>
> ------------------------------------------------------------------------
>
> *From:* MailScanner
> <mailscanner-bounces+djones=ena.com at lists.mailscanner.info>
> on behalf of Martin Hepworth <maxsec at gmail.com>
> *Sent:* Sunday, May 5, 2019 10:47 AM
> *To:* MailScanner Discussion
> *Subject:* Re: Email SPoofing Block Help with SPF in Mailscanner
>
> Was a question not an instruction, the whitelist of your own domain
> is a common configuration error and will make sure spoofed emails
> allegedly from your own domain will get through.
>
> Martin
>
> On Sun, 5 May 2019 at 14:45, David Jones via MailScanner
> <mailscanner at lists.mailscanner.info> wrote:
>
> Never, ever, ever whitelist either in MailScanner or SpamAssassin any
> domains that your MTA is configured to accept. This will definitely let
> spoofed emails through.
>
> > On Sat, 4 May 2019 at 20:38, <bilal.ahmed at kfueit.edu.pk> wrote:
> >
> > Kindly, I need help; someone is spoofing an address of my domain and
> > forwarding email to my own domain.
> >
>
> We need an example email with headers lightly redacted posted to
> someplace like pastebin.com. It would also help to see the maillog
> entries for that queue ID.
>
> There are multiple ways to block this based on the email headers.
>
> We aren't even sure what domain to check the SPF record for without any
> headers.
>
> You should consider setting these values in MailScanner.conf if not
> already to help with troubleshooting:
>
> Add Envelope From Header = yes
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
> Always Include SpamAssassin Report = yes
> Spam Score = yes
>
> These must be on based on what information you provided but make
> sure:
> Spam Checks = yes
> Use SpamAssassin = yes
>
> > My SPF is already added in Public DNS.
> >
>
> Your own SPF setting in DNS will help prevent spoofing to others but
> will not necessarily help spoofing to your own mail server running
> MailScanner/SpamAssassin depending on your mail flow setup. For
> example, does outbound mail flow for your domain go through this same
> mail server unauthenticated from an internal mail server? Does an
> internal mail server smarthost to or run locally on this MailScanner
> instance?
>
> If your outbound mail does not go through this MailScanner instance,
> then you have options like this in your /etc/mail/spamassassin/local.cf
> or /etc/mail/spamassassin/mailscanner.cf:
>
> blacklist_from *@yourdomain.com
>
> It appears that your outbound mail does flow through this MailScanner
> box based on the "score SPF_FAIL 15.0" so the entry above would block
> legit email just like the "score SPF_FAIL 15.0" entry.
>
> You might be able to add this to the /etc/mail/spamassassin/local.cf or
> /etc/mail/spamassassin/mailscanner.cf:
>
> whitelist_from_rcvd *@yourdomain.com [ip.add.re.ss]
>
> where the "ip.add.re.ss" is the internal IP address of your mail server.
> Note this is not ideal since you will no longer be filtering outbound
> email.
>
> NOTE: this would only be temporary until a better solution is determined
> after seeing the email headers of a spoofed email and knowing more about
> the mail flow.
>
> > Please, any solution to block invalid SPF record addresses in my
> > MailScanner/SpamAssassin.
> >
>
> Please provide more detail. Mail filtering is very complex so we can't
> help without details.
>
> - original email lightly redacted posted to pastebin.com
> - what is the MTA?
> - what RBLs are configured in the MTA?
> - version of MailScanner
> - version of SpamAssassin
>
> > Because I have seen that spoofed addresses with no SPF record are
> > passing through MailScanner.
> >
>
> This may be more of a question for the SpamAssassin Users mailing list
> if MailScanner is properly using SpamAssassin.
>
> --
> David Jones
>
--
David Jones
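
An added example, not part of the original message and not code from the MailScanner or SpamAssassin projects: a small Python audit that scans SpamAssassin configuration text for `whitelist_from` entries covering a domain the MTA accepts mail for (the misconfiguration warned about in the thread) and separately marks `whitelist_from_rcvd` entries for review, since mail from that relay is no longer filtered. The sample config, the `audit_whitelists` name and the "high"/"review" labels are assumptions made for illustration.

```python
import fnmatch

# Constructed sample local.cf content (not taken from the thread).
SAMPLE_LOCAL_CF = """\
# local overrides
score SPF_FAIL 15.0
whitelist_from *@yourdomain.com
whitelist_from_rcvd *@yourdomain.com [192.0.2.10]
whitelist_from newsletter@partner.example
"""


def audit_whitelists(config_text, local_domains):
    """Return (line_no, severity, directive, pattern) for every whitelist
    entry whose address glob covers a domain this MTA accepts mail for.

    "high"   = whitelist_from: matches on the sender address alone, so a
               forged sender at the local domain is whitelisted.
    "review" = whitelist_from_rcvd: bound to a relay, but mail from that
               relay is no longer filtered.
    """
    local = [d.lower() for d in local_domains]
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        directive = fields[0].lower()
        if directive == "whitelist_from":
            patterns, severity = fields[1:], "high"    # one or more globs
        elif directive == "whitelist_from_rcvd":
            patterns, severity = fields[1:2], "review"  # glob, then relay
        else:
            continue
        for pattern in patterns:
            # Compare only the domain part of the address glob.
            domain_glob = pattern.lower().rsplit("@", 1)[-1]
            if any(fnmatch.fnmatchcase(d, domain_glob) for d in local):
                findings.append((line_no, severity, directive, pattern))
    return findings


if __name__ == "__main__":
    for finding in audit_whitelists(SAMPLE_LOCAL_CF, ["yourdomain.com"]):
        print("line %d [%s] %s %s" % finding)
```
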