How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Discussion forum for Enterprise Edition.
kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am

How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by kiamori »

For example:

Received-SPF: pass ({mailserver}: domain of dcacinc.com designates 185.173.176.61 as permitted sender)
client-ip=185.173.176.61

Received: from dcacinc.com ([185.173.176.61]) by {mailserver} with
MailEnable ESMTP; Thu, 1 Sep 2022 14:58:18 -0500

Received: from 10.253.237.14
by atlas104.aol.mail.gq1.yahoo.com with HTTPS; Tue, 9 Aug 2023 13:46:16 +0000
X-Originating-Ip: [209.85.219.181]
Received-SPF: pass (domain of gmail.com designates 209.85.219.181 as permitted sender)
Authentication-Results: atlas104.aol.mail.gq1.yahoo.com;
dkim=pass header.i=@gmail.com header.s=20210112;
spf=pass smtp.mailfrom=gmail.com;
dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
X-Apparently-To: {localuseremailaddress}; Tue, 9 Aug 2023 13:46:17 +0000
X-YMailAVSC: Gzb.euc3bBuezfdd2CQvkIW0BElvhP7IJt8xkwSuW4gwFVP
JK5BS6weBCt3YjWVB9KjPhelC_LW0l3QSL1z_YRTX9DLZlKJ2JsE8jrUddlP
Yu6a8416WrJ0NOahWb8bWAu8NWbPg4rW0Fs5pjRbiOnlOsQR.oZwHuKvQPDU
e.KG605m_dt.Y25QOgrw5Ya.x9JjCHa.8bacnF8v_slN_3miV2N5UF9bM35Y
fkwrGRNYZW7zBJufJsIPCoLLGdGRr6Oe5qmidBUOBrXwxqGrkn_P6Iae9WH9
llTkYRBqP2CjRVAZTvBCzKHwmr31IHYmQ3t4S4T3j9K64_q9wpCFPqgjFWAC
BbTPM4RXS5veEL7SLY6SuQZoki2be5Xn0YRuu8aLE3QFygvzmZXOAdKYajr0
NLTpaIHfy5H6S2J11nQ5P6jFYlar1ALar5UfmfluwdjEpDLoYdX1LAMVeNVH
N2OLATDpaSmt8G_RLtQwh5RDfefZVsb9rSd2aX1wr897wcRGp_mfq.QPczaV
f316laQogRA5CGp2tXFnG96Biqm7yuN5I7nGZIZPjtQPU2GE.NkendrQ66_s
H.aFUp9ONFUJbYbyqpXzS6YLc517nng0LMT9sp3nn7LTVRrUmntUytV91Nn.
FOuKGgQQXlSM_d2xmfpaWRqddliNSnM3MBKDRj1nD7mK9i_4w5Q474K0GZow
EXzUVZacCtHQrQOyLNtdM8NkHiKcZgAkc5G3__sBPOkFSeQ5BNPZPn2ifcQj
er3Y6IvymW5nc.NDS4BNmB3omVLNLkCnKEsAnLYmVKw2QtZEvQg6Wu_vv3XT
ZGo2qSJsQ11I07w.T3bIEzA4roD8bACe3nmbv69hK9zKvzLOvN1t_5L8h6kr
103iSDgYyE4mH4P_md5zQRkXoBMGjTS6WWWCd4VicP.iZLARXUf.byp8lesH
pNOMWF4ws9sWhQz3QCOwtNJFQLXRnwy_MRsRNDvcSorWZ0gGrfyBcJ_.isbi
CytF0LVIiinrYJhjTLaXWHuV81K6OBG7lgi8ELkrBkAAiFD0rw7WtG89IqNM
.uRM5ZdvY7bOTV62lSZMAPnav
X-YMailISG: LHB5.igWLDuS00Hp2npJeRsOoqxNNCYawr2aYPnsiArfk80b
c3q.D7nfHgS6IuypQ68XZR.lHFjADir8goXHH2sfkzGsBAHR0MyNyJ7ourFk
MemuGht7Tcfk1f3lm.PP.2M_urh0Hc_sEyqbPyoipzxmjB5g4tnR6oACbfYM
9wSO6XaVVhFcz_Z.j40jQFldiQzH1D_HcbRcCXCZRxN9j7wgs4ize6_wA8G5
oa563ZmJeAGCZJAVDMjI_q2YkZAh.QO6ykCA_L0WlYeCs3P_yoSVnTF800ZY
4Xcc0dp38pNTKBh7MJcUDAPwkJYTjPc9rNBpyJOPDyOSCdOIofmLkfVyJaPy
huJV8ogivxNBhEDnHSLG.5kiaeveSNu7XTPjnKn5hy4hlQooyNdvTdgV8tr3
J6yJARFpDebqf1DtZKN.mLRs9L6K9nMlNeANOoRJ1fCaMnSP0HeswsxUP5FR
7XRvBt8SBCmJ4l0F8kp5Pymqa_JGGLgxwNJfRhoQU3MAc07XnMks_cYxJETB
odUaPwkiX9mpIPO32LWAelqNKN5CFoY9QDubu6pSjJC9Hrt5VNQUIE_0GYPc
_0umxRBrfMT0r7P833iWp8K9qOIqOImSbCEy8QBhcsBnT7sQH5vGb669Bxus
PPaUFTmj_VRGH6Q6UcdXNEesyF_NVw7ltBdrbbvN30ZhoGhI2OyoUk79bIKU
CDF.MAqV8vZPdIPsJgVDtMAkoNHA1mqB1Cl7jXalJoIMC9C39.F6jDDlekpR
ywLVjQXmphWA3oxDphKrzZXZdX64xl4By8TwOL2paUhgHRwwiTVlbYEIc1PJ
_rzzVaqeANobgGy7mXK.sHDrwtS6NtR359erCztDz1L9BbUVLV2dal99WjIJ
.6jtAgyz2TeBe4G0HJ.XS_1vjis2WRSVjrxt9UooG3jeYlaw87EaQV8DWPJo
gkMWYkExqkFbvwXBWCowI5xB1iUH.xWKsctMpWBF7rRB83EeRuk9TO72wK7e
Q8crciqYJyOXiuQM8GhWonmkyahy0UNiSarqF5kHbp.XXrPUd1nJ2hQqZqtU
QUfc4eKjBZIGN.7x_sZ57DGXZmeZqzhidlzSOXEGvtqUH0M98k4xLm_wsqHk
OLdxc5JuMQC9HMDOJthSFx7Qp5DMU8bKgim1EHlVFE_zl4kK42zb2adHQEIP
Received: from 209.85.219.181 (EHLO mail-yb1-f181.google.com)
by 10.253.237.14 with SMTPs
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
Tue, 09 Aug 2023 13:46:16 +0000
Received: by mail-yb1-f181.google.com with SMTP id y127so18363414yby.8
for <{localuseremailaddress}>; Tue, 09 Aug 2023 06:46:16 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:from:to:cc;
bh=p89GgxWz+o9NfdfMykGlW/v8yKSzQpsl0uvhcysizNk=;
b=DBu9bJjlX41CeAMX1Qs418qOc2q/539YirKoxzlDfCj9sQJTliprOEGETamxCpMBg7
UUYmc10W6FNZr2eiVR+9wvV2JohIaAoxM2ibfvmPwYKdjtt+DyE+fNUQ7hUHHWyLvnrL
xbj0RHMAzjs426gY2p6zA+MhuoLWC7gpSFRKtMOrhmmapxOPbjIkBSlKcaCSxEf69w7F
5gDMEfEqOf4fZUvOkB6NpMMIPqBUbWE0jFtb0O85iBuzM4Jq7278MdUOtagMKmlfeotu
MA4zo6AYxKEqxVJKXo+Hh5WHmeoFzR6LoifVgIMERQgQ90S6EKOQHIbI9WyNdWoBdQIR
PW6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:x-gm-message-state:from:to:cc;
bh=p89GgxWz+o9NfdfMykGlW/v8yKSzQpsl0uvhcysizNk=;
b=jggfPFnmHjOaNAFa7ZwANe3vfMqTM2ZhmT7UHM7BAF2wriXXcrIjkTjI2V3AQ+xqZk
Uqdb6uYfpBbT8Uu+TFFVkc7NwugKFM5V1vbd8v2wAgaf+2CEzApvIFf7eYI04DyCndBj
B0b9OvsdFafB2l+SMtTefNI19v+hjqS5ej200WYpP3Y1onGAdCa+SxKwNZOUknps9/RV
KqQ/rIRGLnC4CoohZRb4/2hWZLtLtY3GqMuam3RL+5Z0hwPqKuEKzEc46s/F+FArQreT
JEKl5S2eZHlXsvINsUyDLv0NlCm7mYwSUupogXZYr+ni0cbXZ9DoJ43AXoG5sGNljutY
aNDA==
X-Gm-Message-State: ACgBeo0WU2V52dNbMgaQBkgYrXEe4kkcqqynoeOvuEAR/8/FdX3Wk0UX
wAzvlGgR9dstfZMHQ2jZ6/R35xPkzJVdoDEUoAfPYDOTTAh6IQ==
X-Google-Smtp-Source: AA6agR4CyAvsiddBsPg2CKokYxuvwoYbsx9VoHEy2BJIXhckQHXBTX5xGfxFJWfLYPgOrcp6DWA0OH2IeAX0MjywJh4=
X-Received: by 2002:a25:b48:0:b0:67c:299c:1047 with SMTP id
69-20020a250b48000000b0067c299c1047mr2042124ybl.531.1660052776093; Tue, 09
Aug 2023 06:46:16 -0700 (PDT)
MIME-Version: 1.0
From: T-Mobile<{localuseremailaddress}>
Date: Tue, 9 Aug 2023 06:46:04 -0700
Message-ID: <Sw7UTEUoAGTjdaqJd_oxTMQE28dwM-RMZCfuQleIvZjyV24XUdFt5@mail.gmail.com>
Subject: finish the t-mobil survey and win
To: {user} <{localuseremailaddress}>
Content-Type: text/html;
X-ME-CountryOrigin: RU
X-Envelope-Sender: <>
X-RBL-Result: Generic, Fail
X-ME-Content: Deliver-To=Junk
Precedence: bulk
X-ME-Bayesian: 0.000000
X-0Spam-Country: Non-NA


I have no problem getting them to filter into junk Email but I would like to reject them entirely before they are accepted. How can this be done with ME?

Philb
Posts: 50
Joined: Fri Jul 25, 2003 11:02 pm
Location: Sydney, NSW, Australia

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by Philb »

Try using zen.spamhaus.org to check the connecting IP.
https://www.mailenable.com/kb/content/article.asp?ID=ME020084

Have a look at this: https://check.spamhaus.org/listed/?searchterm=185.173.176.61

IMHO, the whole 185.0.0.0/8 is a steaming pile of $#!+

BTW, did you notice the dates in the headers?
Yours log says "MailEnable ESMTP; Thu, 1 Sep 2022 14:58:18 -0500"
The other dates are 09 Aug 2023. There's something definitely odd about that. :D
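
The connecting-IP check Philb suggests, as an added example that is not part of the thread and not MailEnable's own code. It builds the reversed-octet query name for zen.spamhaus.org, resolves it, and decodes the Spamhaus return code into the sub-list that produced the hit. The resolver is injectable so the block runs offline; the fake table below is constructed, and the answer it returns for the posted IP is illustrative, not that address's real listing status.

```python
"""DNSBL lookup against zen.spamhaus.org: build the reversed-IP query name,
resolve it and decode the Spamhaus return code into a sub-list name."""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"


def dnsbl_name(ip, zone=ZEN_ZONE):
    """Reverse the octets of an IPv4 address and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_zen(answer):
    """Map a Zen A-record answer to the list that produced it.

    Returns None for the 127.255.255.x error codes Spamhaus uses to signal a
    problem with the query (open resolver, query limit); those are not
    listings and must not cause a rejection.
    """
    if answer.startswith("127.255.255."):
        return None
    last = int(answer.rsplit(".", 1)[1])
    if last == 2:
        return "SBL"
    if last == 3:
        return "SBL CSS"
    if 4 <= last <= 7:
        return "XBL"
    if last == 9:
        return "SBL DROP"
    if last in (10, 11):
        return "PBL"
    return f"unknown code {answer}"


def lookup(ip, zone=ZEN_ZONE, resolve=socket.gethostbyname):
    """Return (listed, detail). NXDOMAIN means the address is not listed."""
    name = dnsbl_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return (False, "not listed")
    listing = decode_zen(answer)
    if listing is None:
        return (False, f"lookup error {answer}, treat as not listed")
    return (True, listing)


def make_fake_resolver(table):
    """Offline stand-in for gethostbyname: answers from a dict, else NXDOMAIN."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(f"NXDOMAIN {name}")
    return resolve


if __name__ == "__main__":
    # Constructed answers; a real deployment passes the default resolver.
    fake = make_fake_resolver({"61.176.173.185.zen.spamhaus.org": "127.0.0.3"})
    print(lookup("185.173.176.61", resolve=fake))
    print(lookup("192.0.2.1", resolve=fake))
```

Whatever the answer, the decision belongs at connection or MAIL FROM time, where an MTA can return a 5xx and never accept the message; that is the stage at which a DNSBL hit can be turned into a rejection rather than a Junk-folder delivery.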

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by kiamori »

Philb wrote:
Thu Sep 01, 2022 11:37 pm
Try using zen.spamhaus.org to check the connecting IP.
https://www.mailenable.com/kb/content/article.asp?ID=ME020084

Have a look at this: https://check.spamhaus.org/listed/?searchterm=185.173.176.61

IMHO, the whole 185.0.0.0/8 is a steaming pile of $#!+

BTW, did you notice the dates in the headers?
Yours log says "MailEnable ESMTP; Thu, 1 Sep 2022 14:58:18 -0500"
The other dates are 09 Aug 2023. There's something definitely odd about that. :D

spamhaus has too many false positives.

Notice the X-RBL-Result: Generic, Fail
we already use 0spam.org which is great for catching spam like this and filtering it into junk but I am looking for a way to filter based on sender data alone and reject it before it's even accepted.

Philb
Posts: 50
Joined: Fri Jul 25, 2003 11:02 pm
Location: Sydney, NSW, Australia

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by Philb »

kiamori wrote:

spamhaus has too many false positives.

Notice the X-RBL-Result: Generic, Fail
we already use 0spam.org which is great for catching spam like this and filtering it into junk but I am looking for a way to filter based on sender data alone and reject it before it's even accepted.

That's not my experience with zen but everyone has their preference.

Assuming you don't get too much good stuff in Junk already, I guess you could just put 0spam.org in the rDNSBL

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by kiamori »

Philb wrote:
Fri Sep 02, 2022 1:11 am

That's not my experience with zen but everyone has their preference.

Assuming you don't get too much good stuff in Junk already, I guess you could just put 0spam.org in the rDNSBL

It's already in the DNSBL, which is set to flag as spam, which sends them to junk. I would never set it to reject all based on a DNSBL; no DNSBL is accurate enough for this to work well enough, not even 0spam, which I've found to be the most accurate out of over 200 DNSBLs that I've tested.

I think you're missing the point here, I'm looking for a way to filter based on just the sender matching the local user when it is not the local user. "Spoofed emails" and rejecting them before it's processed.

Philb
Posts: 50
Joined: Fri Jul 25, 2003 11:02 pm
Location: Sydney, NSW, Australia

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by Philb »

Fair enough. I'm only running a personal mail server and can pretty easily deal with any false positives.

I'm not aware of anything that would help you. Hopefully someone else will have some suggestions.

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by kiamori »

Philb wrote:
Fri Sep 02, 2022 5:35 am
Fair enough. I'm only running a personal mail server and can pretty easily deal with any false positives.

I'm not aware of anything that would help you. Hopefully someone else will have some suggestions.

Yeah, perhaps Ian can chime in with a solution.

This is a fairly large number of clients, so anything we can do to improve performance and deliverability is a bonus. We have 67 antispam rules already set up and have about a 0.03% false positive rate right now.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by MailEnable-Ian »

Hi,

One option for verifying that the envelope sender matches the From address in the message is within the Spam Protection script, as a weighting value which scores a message with a low, medium or high spam score (the "Envelope sender does not match header sender" criterion in the spam script). You need to increase the positive weighting for this criterion so that the message is classified as spam (you will need to play around and test what works for you). The spam protection script is actioned by the mailbox's spam rules that are set within webmail. Or you could create a postoffice-level filter that triggers on the following headers and then adds a subject prefix indicating that it's spam, or marks the message as spam to be delivered to the mailbox's Junk E-mail folder:

X-ME-Spam: Low

X-ME-Spam: Medium

X-ME-Spam: High

More information about the spam protection script can be found here:

https://www.mailenable.com/kb/content/article.asp?ID=ME020391
https://www.mailenable.com/kb/content/article.asp?ID=me020493
https://www.mailenable.com/kb/content/article.asp?ID=me020586
Regards,

Ian Margarone
MailEnable Support

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by kiamori »

MailEnable-Ian wrote:
Sun Sep 04, 2022 11:59 pm
Hi,

One option for verifying that the envelope sender matches the From address in the message is within the Spam Protection script, as a weighting value which scores a message with a low, medium or high spam score (the "Envelope sender does not match header sender" criterion in the spam script). You need to increase the positive weighting for this criterion so that the message is classified as spam (you will need to play around and test what works for you). The spam protection script is actioned by the mailbox's spam rules that are set within webmail. Or you could create a postoffice-level filter that triggers on the following headers and then adds a subject prefix indicating that it's spam, or marks the message as spam to be delivered to the mailbox's Junk E-mail folder:

X-ME-Spam: Low

X-ME-Spam: Medium

X-ME-Spam: High

More information about the spam protection script can be found here:

https://www.mailenable.com/kb/content/article.asp?ID=ME020391
https://www.mailenable.com/kb/content/article.asp?ID=me020493
https://www.mailenable.com/kb/content/article.asp?ID=me020586

I'm aware of this and we can already filter them; what I am looking to do is block them from being accepted so it generates an NDR to the sender. Is that possible with ME?

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by MailEnable-Ian »

Hi,

The message needs to be accepted in order for the FROM and envelope sender addresses to be compared. Therefore the only way to block this is by deleting the message using the delete message action in the filter and then adding the action to notify sender.
Regards,

Ian Margarone
MailEnable Support

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by kiamori »

MailEnable-Ian wrote:
Mon Sep 05, 2022 6:20 am
Hi,

The message needs to be accepted in order for the FROM and envelope sender addresses to be compared. Therefore the only way to block this is by deleting the message using the delete message action in the filter and then adding the action to notify sender.

But all that would really need to be done is to compare the From and To addresses; if they are the same and the message was not sent locally or from a bypass IP address, then reject it.

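The check kiamori describes, written out as an added example (not from the thread and not MailEnable's code). It runs at the point an MTA has the full message but has not yet sent the final 250 to DATA: the header From is parsed, and if it carries one of our own addresses while the session is neither authenticated nor from a trusted relay, the message is refused with a 550. Refusing at that point means the sending MTA keeps responsibility for any bounce, so no NDR is generated on our side. The domain, mailbox and relay network are hypothetical, and the sample message is constructed from the headers posted above with the placeholders filled in; `mode="self-only"` is the narrow From-equals-To test from the post, `mode="local-domain"` the superset a deployment usually wants.

```python
"""End-of-DATA spoof check: refuse mail whose From: header carries one of our
own addresses unless it arrived authenticated or from a trusted relay."""
import ipaddress
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical site configuration (assumptions, not from the thread).
LOCAL_DOMAINS = {"example.com"}
BYPASS_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # e.g. an upstream relay

# Constructed message modelled on the headers posted in the thread, with the
# placeholders replaced by a hypothetical mailbox. Note the empty envelope
# sender and the SPF pass for the *connecting* host's domain: neither says
# anything about the From: header, which is why SPF alone does not stop this.
SAMPLE_SPOOF = """\
Received-SPF: pass (mx.example.com: domain of dcacinc.com designates 185.173.176.61 as permitted sender)
Received: from dcacinc.com ([185.173.176.61]) by mx.example.com with ESMTP; Thu, 1 Sep 2022 14:58:18 -0500
From: T-Mobile<alice@example.com>
To: alice <alice@example.com>
Subject: finish the t-mobil survey and win
X-Envelope-Sender: <>
Content-Type: text/html;

<p>click here</p>
"""


def header_from(msg):
    """Address from the RFC 5322 From: header, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def recipients(msg):
    """All To:/Cc: addresses, lower-cased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def is_trusted_client(client_ip, authenticated):
    """Authenticated submission or a connection from a bypass network."""
    if authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in BYPASS_NETS)


def spoof_verdict(raw_message, client_ip, authenticated=False, mode="local-domain"):
    """Return (smtp_code, text) to send in reply to the end of DATA.

    250 accepts the message; 550 refuses it before we take responsibility,
    so the remote MTA, not us, owns any bounce.
    """
    msg = message_from_string(raw_message)
    sender = header_from(msg)
    if mode == "self-only":
        claims_local = sender != "" and sender in recipients(msg)
    else:
        claims_local = sender.rpartition("@")[2] in LOCAL_DOMAINS
    if not claims_local:
        return 250, "2.0.0 OK"
    if is_trusted_client(client_ip, authenticated):
        return 250, "2.0.0 OK (local From: via trusted path)"
    return 550, (f"5.7.1 <{sender}> is a local address but this session is "
                 "neither authenticated nor from a trusted relay")


if __name__ == "__main__":
    print(spoof_verdict(SAMPLE_SPOOF, "185.173.176.61"))
    print(spoof_verdict(SAMPLE_SPOOF, "192.0.2.10"))
    print(spoof_verdict(SAMPLE_SPOOF, "185.173.176.61", authenticated=True))
```

The standards-based form of the same check is publishing DMARC with p=reject for your own domains and enforcing DMARC on inbound mail: a From: in your domain then has to be backed by an aligned SPF or DKIM pass, which the spoofed message above cannot produce. The bypass list matters either way, since forwarders and hosted applications that legitimately send as your users would otherwise be refused too.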
MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: How can we reject emails that claim to be from the recipient but are not? Spoofed emails.

Post by MailEnable-Ian »

Hi,

Maybe there will be improvements in the SMTP security checks to support this in future revisions but at the moment it does not do this and you will need to rely on the filtering mechanism.
Regards,

Ian Margarone
MailEnable Support

