<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Martin,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I knew you wouldn't have done that which is why I removed your name from the top of the reply. My response was for the OP and others that might have done that. :)</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Dave<br>
</div>
<div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> MailScanner <mailscanner-bounces+djones=ena.com@lists.mailscanner.info> on behalf of Martin Hepworth <maxsec@gmail.com><br>
<b>Sent:</b> Sunday, May 5, 2019 10:47 AM<br>
<b>To:</b> MailScanner Discussion<br>
<b>Subject:</b> Re: Email SPoofing Block Help with SPF in Mailscanner</font>
<div> </div>
</div>
<div>
<div>
<div dir="auto">Was a question not an instruction, the whitelist of your own domain is a common configuration error and will make sure spoofed emails allegedly from your own domain will get through.</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">Martin</div>
<div><br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Sun, 5 May 2019 at 14:45, David Jones via MailScanner <<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
Never, ever, ever whitelist either in MailScanner or SpamAssassin any <br>
domains that your MTA is configured to accept. This will definitely let <br>
spoofed emails through.<br>
<br>
> On Sat, 4 May 2019 at 20:38, <<a href="mailto:bilal.ahmed@kfueit.edu.pk" target="_blank">bilal.ahmed@kfueit.edu.pk</a>
<br>
> <mailto:<a href="mailto:bilal.ahmed@kfueit.edu.pk" target="_blank">bilal.ahmed@kfueit.edu.pk</a>>> wrote:<br>
> <br>
> Kindly I need a help someone is spoofing address of my domain and<br>
> forwarding email to my own domain.____<br>
> <br>
<br>
We need an example email with headers lightly redacted posted to <br>
someplace like <a href="http://pastebin.com" rel="noreferrer" target="_blank">pastebin.com</a>. It would also help to see the maillog
<br>
entries for that queue ID.<br>
<br>
There are multiple ways to block this based on the email headers.<br>
<br>
We aren't even sure what domain to check the SPF record for without any <br>
headers.<br>
<br>
You should consider setting these values in MailScanner.conf if not <br>
already to help with troubleshooting:<br>
<br>
Add Envelope From Header = yes<br>
Detailed Spam Report = yes<br>
Include Scores In SpamAssassin Report = yes<br>
Always Include SpamAssassin Report = yes<br>
Spam Score = yes<br>
<br>
These must be on based on what information you provided but make sure:<br>
Spam Checks = yes<br>
Use SpamAssassin = yes<br>
<br>
> My SPF is already added in Public DNS.____<br>
> <br>
<br>
Your own SPF setting in DNS will help prevent spoofing to others but <br>
will not necessarily help spoofing to your own mail server running <br>
MailScanner/SpamAssassin depending on your mail flow setup. For <br>
example, does outbound mail flow for your domain go through this same <br>
mail server unauthenticated from an internal mail server? Does an <br>
internal mail server smarthost to or run locally on this MailScanner <br>
instance?<br>
<br>
If your outbound mail does not go through this MailScanner instance, <br>
then you have options like this in your /etc/mail/spamassassin/<a href="http://local.cf" rel="noreferrer" target="_blank">local.cf</a>
<br>
or /etc/mail/spamassassin/<a href="http://mailscanner.cf" rel="noreferrer" target="_blank">mailscanner.cf</a>:<br>
<br>
blacklist_from *@<a href="http://yourdomain.com" rel="noreferrer" target="_blank">yourdomain.com</a><br>
<br>
It appears that your outbound mail does flow through this MailScanner <br>
box based on the "score SPF_FAIL 15.0" so the entry above would block <br>
legit email just like the "score SPF_FAIL 15.0" entry.<br>
<br>
You might be able to add this to the etc/mail/spamassassin/<a href="http://local.cf" rel="noreferrer" target="_blank">local.cf</a> or
<br>
/etc/mail/spamassassin/<a href="http://mailscanner.cf" rel="noreferrer" target="_blank">mailscanner.cf</a>:<br>
<br>
whitelist_from_rcvd *@<a href="http://yourdomain.com" rel="noreferrer" target="_blank">yourdomain.com</a> [ip.add.re.ss]<br>
<br>
where the "ip.add.re.ss" is the internal IP address of your mail server. <br>
Note this is not ideal since you will no longer be filtering outbound <br>
email.<br>
<br>
NOTE: this would only be temporary until a better solution is determined <br>
after seeing the email headers of a spoofed email and knowing more about <br>
the mail flow.<br>
<br>
> __ __<br>
> <br>
> Please Any solution to block invalid SPF record address in my<br>
> Mailscanner/spamassasian.____<br>
> <br>
<br>
Please provide more detail. Mail filtering is very complex so we can't <br>
help without details.<br>
<br>
- original email lightly redacted posted to <a href="http://pastebin.com" rel="noreferrer" target="_blank">
pastebin.com</a><br>
- what is the MTA?<br>
- what RBLs are configured in the MTA?<br>
- version of MailScanner<br>
- version of SpamAssassin<br>
<br>
> Because I have seen the spoof address with no SPF record are passing<br>
> through Mainscanner.____<br>
> <br>
<br>
This may be more of a question for the SpamAssassin Users mailing list <br>
if MailScanner is properly using SpamAssassin.<br>
<br>
-- <br>
David Jones<br>
<br>
<br>
-- <br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" rel="noreferrer" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr" class="x_gmail_signature">-- <br>
Martin Hepworth, CISSP<br>
Oxford, UK</div>
</div>
</div>
</body>
</html>