Email Spoofing Block Help with SPF in Mailscanner

David Jones djones at ena.com
Mon May 6 23:54:26 UTC 2019


On 5/6/19 4:13 PM, yuwang wrote:
> I have a similar set up: mail servers have internal IPs for the local 
> network and public IPs for external. Here is how I resolved SPF checking:
> 
> We have internal DNS servers that host internal DNS records (hostnames 
> and IPs, etc). I created TXT records on our internal DNS servers for our 
> mail SPF record and list all our mail servers' internal IPs. I also set 
> up DMARC and DKIM records.
> 

If you have your MTA and SpamAssassin set up correctly you don't need 
internal DNS records for MX, SPF, DKIM, etc.  See the internal_networks 
comments below for details.

> If your DNS servers also serve queries from outside, you will need to 
> use split DNS.
> 
> Hope this helps.
> 
> James
> 
> 
> On 2019-05-06 11:25, bilal.ahmed at kfueit.edu.pk wrote:
>> Dear Experts,
>>
>> First of all, thanks for your advice. You people are exactly right
>> that whitelisting all my domain lets the spammers forge email
>> addresses with my domain email address to pass through.
>>
>> My MTA is Postfix, IMAP server is Cyrus. Postfix version: 3.1.0,
>> MailScanner version: 5.0.7, SpamAssassin version: 3.4.1
>>

Besides the SPF problem, there are many Postfix tuning options that can 
be done:

main.cf = drop messages that spoof your own domain in the Message-ID
     header_checks = pcre:/etc/postfix/header_checks
     /^Message-ID:.*@mydomain\.com>/      DISCARD

postscreen  <- simple to set up and a MUST do
python-policyd-spf
opendkim
opendmarc
sqlgrey
postfwd

postscreen weighted RBLs
===========================
postscreen_access_list =
   permit_mynetworks,
   cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
   cidr:/etc/postfix/postscreen_access.cidr

postscreen_cache_retention_time      = 7d
postscreen_bare_newline_ttl          = 7d
postscreen_greet_ttl                 = 7d
postscreen_non_smtp_command_ttl      = 7d
postscreen_pipelining_ttl            = 7d
postscreen_dnsbl_ttl                 = 1m
postscreen_dnsbl_threshold           = 8
postscreen_dnsbl_action              = enforce
postscreen_greet_action              = enforce
postscreen_greet_wait                = ${stress?1}${stress:11}s
postscreen_bare_newline_action       = enforce
postscreen_bare_newline_enable       = yes
postscreen_non_smtp_command_enable   = yes
postscreen_pipelining_enable         = yes
postscreen_dnsbl_whitelist_threshold = -1
postscreen_blacklist_action          = drop

postscreen_dnsbl_sites =
   dnsbl.sorbs.net=127.0.0.[10;14]*9
   dnsbl.sorbs.net=127.0.0.5*7
   b.barracudacentral.org=127.0.0.2*7
   dnsbl.inps.de=127.0.0.2*7
   bl.mailspike.net=127.0.0.[10;11;12]*7
   hostkarma.junkemailfilter.com=127.0.0.2*4
   dnsbl.sorbs.net=127.0.0.7*4
   bl.spamcop.net=127.0.0.2*4

...

I have a huge list of dnsbl_sites.  See the SpamAssassin Users mailing 
list archives for more details.

A GOOD SET OF RBLS IN POSTSCREEN_DNSBL_SITES WILL REJECT THE MAJORITY OF 
JUNK/SPAM WITHOUT ANY OTHER CHANGES/ADDITIONS.

>> My scenario is that my email server is hosted internally in a private
>> IP address range. My TXT record in public DNS is for my public-facing
>> IP address.
>>

Internal mail servers behind NAT need to have a dedicated/two-way NAT so 
outbound traffic shows as the same IP as in the inbound to get FCrDNS 
correct.  This is for outbound mail delivery and SPF checks passing 
outbound to the Internet.

Get on the mail server and run "curl ifconfig.me" at a shell prompt and 
make sure it matches the inbound IP for the A record.  Then run "dig -x 
[IP] +short".  Now run "dig [PTR value] +short" and make sure it points 
back to the same IP.

# curl ifconfig.me
96.4.1.10
[root@smtp2n.ena spamassassin]# dig -x 96.4.1.10 +short
smtp2n.ena.net.
[root@smtp2n.ena spamassassin]# dig smtp2n.ena.net +short
96.4.1.10

Web version of this same check above:

http://multirbl.valli.org/fcrdns-test/96.4.1.10.html

>> Issue is that when I send email to Gmail, Yahoo, Hotmail etc. my SPF is
>> valid, as shown in their received email headers. SPF is checked valid
>> at MXTOOLS as well.
>>

Sure would be nice to see those headers so we can help.

>> But my own MailScanner says SPF fails, maybe because the email server IP
>> is private and the TXT record is for the mail server's public-facing IP.
>>

Make sure you have your Postfix mynetworks and the SpamAssassin 
internal_networks set up with essentially the same internal network 
blocks.  Then trusted_networks can be extra networks that are outside of 
your organization.  Note that the SA trusted_networks doesn't mean they 
will never send spam, but that they will never originate spam or forge 
the Received headers.

SPF checks should be performed against the last external mail server 
and not on any internal IPs.

I have been testing out an idea to include Office 365 IPs in the 
trusted_networks list.  If the first mail server puts the original 
client's IP address in as an X-Originating-IP header then this is very 
effective to detect as the last-external against RBLs for better 
accuracy.  The internal Microsoft mail servers at Office 365 are listed 
on various RBLs but that causes a lot of FPs due to the large shared 
platform.

https://wiki.apache.org/spamassassin/TrustedRelays

Microsoft has been putting in the X-Originating-IP header for a while. 
Older Exchange servers and other mail servers don't add the first hop 
Received: or the X-Originating-IP headers but as I find more platforms 
that do, I am expanding out my trusted_networks list to find the "true 
edge" behind large shared platforms.


>> I am doing all this SPF checking to get rid of spoofed emails that are
>> using my domain address, so I have whitelisted my internal network and
>> host:mydomain
>>
>> How do I get rid of this SPF fail on my own MailScanner so that my own
>> emails do not get a high score?
>>
>> Any other solution to prevent Email spoofing ?
>>
>> BILAL AHMAD
>>
>> Network Administrator
>>
>> Cell: +92 333 7451870  |  Tel: +92 68 5882400  |  Ext. 2499
>>
>> www.kfueit.edu.pk
>>
>>>> On Sat, 4 May 2019 at 20:38, <bilal.ahmed at kfueit.edu.pk
>>>> <mailto:bilal.ahmed at kfueit.edu.pk>> wrote:
>>>>
>>>> Kindly, I need help: someone is spoofing the address of my domain and
>>>> forwarding email to my own domain.
>>>>
>>>
>>> We need an example email with headers lightly redacted posted to
>>> someplace like pastebin.com [1].  It would also help to see the
>>> maillog entries for that queue ID.
>>>

Still need an example email sent via pastebin.com to actually give solid 
recommendations.  We are all guessing still.

>>> There are multiple ways to block this based on the email headers.
>>>
>>> We aren't even sure what domain to check the SPF record for without
>>> any headers.
>>>
>>> You should consider setting these values in MailScanner.conf if not
>>> already to help with troubleshooting:
>>>
>>> Add Envelope From Header = yes
>>> Detailed Spam Report = yes
>>> Include Scores In SpamAssassin Report = yes
>>> Always Include SpamAssassin Report = yes
>>> Spam Score = yes
>>>

Did you check these settings?

>>> These must be on based on what information you provided but make
>>> sure:
>>> Spam Checks = yes
>>> Use SpamAssassin = yes
>>>
>>>> My SPF is already added in Public DNS.
>>>>
>>>
>>> Your own SPF setting in DNS will help prevent spoofing to others but
>>> will not necessarily help spoofing to your own mail server running
>>> MailScanner/SpamAssassin depending on your mail flow setup.  For
>>> example, does outbound mail flow for your domain go through this
>>> same mail server unauthenticated from an internal mail server?  Does an
>>> internal mail server smarthost to or run locally on this MailScanner
>>> instance?
>>>
>>> If your outbound mail does not go through this MailScanner instance,
>>> then you have options like this in your
>>> /etc/mail/spamassassin/local.cf [2]
>>> or /etc/mail/spamassassin/mailscanner.cf [3]:
>>>
>>> blacklist_from *@yourdomain.com [4]
>>>
>>> It appears that your outbound mail does flow through this
>>> MailScanner box based on the "score SPF_FAIL 15.0" so the entry above
>>> would block legit email just like the "score SPF_FAIL 15.0" entry.
>>>
>>> You might be able to add this to the /etc/mail/spamassassin/local.cf
>>> [2] or /etc/mail/spamassassin/mailscanner.cf [3]:
>>>
>>> whitelist_from_rcvd *@yourdomain.com [4] [ip.add.re.ss]
>>>
>>> where the "ip.add.re.ss" is the internal IP address of your mail
>>> server.  Note this is not ideal since you will no longer be filtering
>>> outbound email.
>>>
>>> NOTE: this would only be temporary until a better solution is
>>> determined after seeing the email headers of a spoofed email and
>>> knowing more about the mail flow.
>>>
>>>
>>>>
>>>> Please, any solution to block invalid SPF record addresses in my
>>>> MailScanner/SpamAssassin?
>>>>
>>>
>>> Please provide more detail.  Mail filtering is very complex so we
>>> can't help without details.
>>>
>>> - original email lightly redacted posted to pastebin.com [1]
>>> - what is the MTA?
>>> - what RBLs are configured in the MTA?
>>> - version of MailScanner
>>> - version of SpamAssassin
>>>

This information is still needed.

>>>> Because I have seen that spoofed addresses with no SPF record are
>>>> passing through MailScanner.
>>>>
>> -- 
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>> Links:
>> ------
>> [1] http://pastebin.com
>> [2] http://local.cf
>> [3] http://mailscanner.cf
>> [4] http://yourdomain.com
> 
> 
Excellent links to use to help us help you.



-- 
David Jones
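Worked example (added to this archive page; it is not code from the thread or from MailScanner/SpamAssassin): a small Python script showing why the trusted/internal network setup David describes decides which IP the SPF check runs against. The Received headers, host names and the SPF record are constructed; the last-external walk and the ip4-only SPF evaluation are simplified stand-ins for what SpamAssassin and a real SPF checker do.

```python
import ipaddress
import re

# Constructed sample (not from the thread), newest header first: the MailScanner
# gateway got the message from an internal relay (10.1.2.3); the real external
# sender was 203.0.113.7 (a documentation-range address).
SAMPLE_RECEIVED = [
    "from internalmx.example.internal (internalmx.example.internal [10.1.2.3])"
    " by gateway.example.com (Postfix) with ESMTP id CONSTRUCTED1",
    "from mail.sender.example (mail.sender.example [203.0.113.7])"
    " by internalmx.example.internal (Postfix) with ESMTPS id CONSTRUCTED2",
    "from [192.168.1.50] (unknown [192.168.1.50])"
    " by mail.sender.example with ESMTPSA id CONSTRUCTED3",
]
SENDER_SPF = "v=spf1 ip4:203.0.113.0/24 -all"   # constructed record for sender.example

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def relay_ip(received_header):
    """IP the header says the message arrived *from*: the first [a.b.c.d] in it."""
    m = IP_RE.search(received_header)
    return ipaddress.ip_address(m.group(1)) if m else None

def last_external_ip(received_headers, trusted_networks):
    """Walk Received headers newest-first; the first relay not inside trusted_networks
    is the 'last external' hop (the idea behind SA's trusted/internal_networks)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is not None and not any(ip in net for net in nets):
            return str(ip)
    return None  # every hop trusted: message originated inside

def spf_ip4_result(record, ip):
    """Minimal SPF evaluation: only ip4: mechanisms and 'all' are handled (enough
    to illustrate the point; real checkers also resolve a, mx, include, redirect)."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all" or (mech.startswith("ip4:")
                             and addr in ipaddress.ip_network(mech[4:], strict=False)):
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term

if __name__ == "__main__":
    for trusted in (["10.0.0.0/8"], []):  # correct setup vs. nothing trusted
        ip = last_external_ip(SAMPLE_RECEIVED, trusted)
        print(f"trusted_networks={trusted}: SPF checked for {ip} -> {spf_ip4_result(SENDER_SPF, ip)}")
```

With the internal block trusted, the check lands on 203.0.113.7 and passes; with nothing trusted, the gateway treats the internal relay 10.1.2.3 as the sender and the same record fails, which is the SPF_FAIL the original poster sees on legitimate mail.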
