Kerio User Forums » Kerio Connect » How to deal - Spam sent by a local user

jonahpa

Messages: 23
Karma: 0
In the message header below, user1@our_domain.com is sending spam to his own address, plus to some of our users.

The IP used for sending is not ours.

How to deal with this kind of problem in KMS?

Thanks in advance.

Quote:

Return-Path: <user1@our_domain.com>
X-Envelope-To: user1@our_domain.com, user2@our_domain.com, user4@our_domain.com
X-Spam-Status: No, hits=5.0 required=7.0
    tests=BAYES_00: -1.665,HELO_DYNAMIC_IPADDR2: 3.792,MIME_BASE64_BLANKS: 0.184,
    MIME_BASE64_TEXT: 2.749,TOTAL_SCORE: 5.060
X-Spam-Level: *****
Received: from 201-250-186-108.speedy.com.ar ([201.250.186.108])
    by our_domain.com;
    Tue, 16 Sep 2008 23:36:52 +0200
X-Originating-IP: 224.73.94.56 by smtp.201.250.186.108; Tue, 16 Sep 2008 19:31:02 -0300
Message-ID: <irvcqsJBVVVuser1@our_domain.com>
From: "user1@our_domain.com" <user1@our_domain.com>
Reply-To: "user1@our_domain.com" <user1@our_domain.com>
To: user1@our_domain.com
Subject: Summer qual1ty w4tches offer
Date: Tue, 16 Sep 2008 17:36:02 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64

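A small header parser, added here as an example (it is not from the thread and not Kerio code), that does by hand what the original poster is asking the server to do: unfold the header, take the connecting IP from the first Received line and the envelope sender from Return-Path, and flag a message whose sender claims the local domain but arrived from an IP that is not one of our own sending hosts. That mismatch is exactly what SPF later formalises. The sample header is reconstructed from the post with the forum's address obfuscation undone; LOCAL_DOMAIN and OUR_SENDING_IPS (an RFC 5737 documentation address) are assumptions.

```python
import re

# Constructed sample: the header quoted in the original post, re-folded the way
# RFC 5322 continuation lines are folded (leading whitespace on continuations).
RAW_HEADERS = """\
Return-Path: <user1@our_domain.com>
X-Envelope-To: user1@our_domain.com, user2@our_domain.com, user4@our_domain.com
X-Spam-Status: No, hits=5.0 required=7.0
    tests=BAYES_00: -1.665,HELO_DYNAMIC_IPADDR2: 3.792,MIME_BASE64_BLANKS: 0.184,
    MIME_BASE64_TEXT: 2.749,TOTAL_SCORE: 5.060
X-Spam-Level: *****
Received: from 201-250-186-108.speedy.com.ar ([201.250.186.108])
    by our_domain.com;
    Tue, 16 Sep 2008 23:36:52 +0200
From: "user1@our_domain.com" <user1@our_domain.com>
To: user1@our_domain.com
Subject: Summer qual1ty w4tches offer
"""

LOCAL_DOMAIN = "our_domain.com"          # assumption: the domain this server hosts
OUR_SENDING_IPS = {"203.0.113.25"}       # assumption: our own outbound hosts (RFC 5737 placeholder)


def unfold(raw):
    """Join folded header lines: a continuation line starts with a space or tab."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def header(raw, name):
    """Return the value of the first header called `name`, or None."""
    m = re.search(r"(?im)^" + re.escape(name) + r":[ \t]*(.*)$", unfold(raw))
    return m.group(1).strip() if m else None


def connecting_ip(raw):
    """IP literal of the host that handed us the message: the topmost Received line."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header(raw, "Received") or "")
    return m.group(1) if m else None


def envelope_sender(raw):
    """Envelope sender (MAIL FROM) as recorded in Return-Path."""
    m = re.search(r"<([^>]+)>", header(raw, "Return-Path") or "")
    return m.group(1).lower() if m else None


def spamassassin_score(raw):
    """(hits, required) from X-Spam-Status, or None if the header is absent."""
    m = re.search(r"hits=([\d.]+) required=([\d.]+)", header(raw, "X-Spam-Status") or "")
    return (float(m.group(1)), float(m.group(2))) if m else None


def analyse(raw):
    """Flag a local-domain sender that came in from a host that is not ours."""
    ip = connecting_ip(raw)
    sender = envelope_sender(raw)
    sender_domain = sender.rsplit("@", 1)[-1] if sender else None
    score = spamassassin_score(raw)
    return {
        "connecting_ip": ip,
        "envelope_sender": sender,
        # The condition SPF with "-all" would turn into a hard reject.
        "spoofed_local_sender": sender_domain == LOCAL_DOMAIN and ip not in OUR_SENDING_IPS,
        # Why the message got through: 5.0 hits against a 7.0 threshold.
        "below_spam_threshold": score is not None and score[0] < score[1],
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

Run against the quoted header, the message is flagged as a spoofed local sender (201.250.186.108 is not one of our hosts) while staying below the SpamAssassin threshold, which is why content scoring alone did not stop it.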

sedell

Messages: 1168
Karma: 1
You could set up SPF. Then, mail coming in from any user@yourdomain.com from outside servers will get rejected for failing the SPF check.

Scott
sgongola

Messages: 109
Karma: 0
It sounds like you are saying that someone outside your network is sending you spam falsely specifying that your email address is the from/reply address. We occasionally have that problem.
Usually the virus and spam catchers catch it.

201-250-186-108.speedy.com.ar looks like an ISP-assigned address and SpamAssassin (HELO_DYNAMIC_IPADDR2: 3.792) seems to agree, instead of a "legitimate" ISP-sponsored mail relay, and you may be able to prevent these by using the appropriate DNSBL to reject mail from these sources.

I am testing with SPF which, I understand, verifies that an email is coming from a mail server authorized to send for that email address. You may want to look into this also.

Kerio_Ken

Messages: 18
Karma: 0
My solution to this problem is to use SPF *AND* Caller ID. Both are necessary. SPF blocks spoofing in the envelope, but Caller ID is still necessary. Caller ID can block based on what is in the actual mail headers.

As an example:

My SPF record:
Tiger# dig TXT emua.net +short
"v=spf1 a mx -all"

(Note, the "-all" is what actually causes emails to be blocked. There might be reasons to not use it, however. Be careful.)

My Caller-ID record:
Tiger# dig TXT _ep.emua.net +short
"<ep xmlns='http://ms.net/1'><out><m> <r>75.149.45.65</r> </m></out></ep>"

Now, here's how it works. I will try to spoof my email address:

---
Tiger# telnet webmail.emua.net 25
Trying 75.149.45.65...
Connected to webmail.emua.net.
Escape character is '^]'.
220 webmail.emua.net ESMTP ready
HELO emua.net
250 webmail.emua.net
MAIL FROM: carlos@emua.net
550 5.7.0 Please see http://www.openspf.com/why.html?sender=carlos%40emua.net&ip=63.206.215.182&receiver=webmail.emua.net
---

Notice, SPF blocked this one. However, it will not block the message where Caller-ID will. Here's how Caller-ID works:

---
MAIL FROM: carlos@kerio.com
RCPT TO: carlos@emua.net
250 2.1.5 Recipient <carlos@emua.net> ok
DATA
354 Enter mail, end with CRLF.CRLF
From: carlos@emua.net
Subject: Buy my stuff!!! V|4gra

Buy V|4gra!!!
.
550 5.7.0 Caller-ID for the message does not match
---

See, I almost got the mail through, but Caller-ID pulled through and blocked it!! So, if you think Caller-ID is obsolete, think again. SPF would have allowed this one through.

- Ken
yukiomishima

Messages: 185
Karma: -2
very cool... and seems to work

though

i have no idea how to actually set it up for myself

a step by step guide on setting this up would be most useful... THANKS

we seem to be getting more and more of this type of spam.. as well as one from that says:

"Message detected as spam: Delivery Status Notification" and appears to be from the users email... to the same user

i guess it is more or less the same issue

any help would be HUGELY appreciated

thanks in advance

yukioMishima
yukiomishima

Messages: 185
Karma: -2
anyone?

any help greatly appreciated

thanks

yukioMishima
Kerio_Ken

Messages: 18
Karma: 0
yukioMishima -

There is really not much to set up. The caller-id and spf records are not configured in Kerio at all. They are simply DNS "TXT" records that exist in your domain. In Kerio, you merely select the checkboxes to look up caller-id and spf records.

So, a very simple SPF record for company.com would be:
"v=spf1 a mx -all"

Including the double quotes. This allows the A and MX records for company.com to send email from company.com.

A simple caller-id record for company.com might be:
"<ep xmlns='http://ms.net/1'><out><m> <r>75.148.44.65</r> </m></out></ep>"

Including the double quotes.

Your DNS provider should be able to configure the SPF and Caller-ID records for you.

You can look up an SPF record by simply looking up the TXT record for the domain name. That is why in my previous example I sent "dig" commands for TXT and the domain name.

dig TXT company.com +short

To look up a Caller-ID record, you would use _ep.domainname so _ep.company.com for example.

dig TXT _ep.company.com +short

You would only do these lookups to see if your DNS provider set up the records the way you want.

Finally, the whole purpose of these records is to tell other mailservers what IP addresses are allowed to send email from your domain.

If you are curious how to do it in BIND, it would be the following 2 lines:

_ep TXT "<ep xmlns='http://ms.net/1'><out><m> <r>75.148.44.65</r> </m></out></ep>"
company.com. IN TXT "v=spf1 a mx -all"

Finally, you can learn about SPF at http://www.openspf.org/
For info about Caller-ID, it is http://www.microsoft.com/downloads/details.aspx?FamilyID=9a9e8a28-3e85-4d07-9d0f-6daeabd3b71b&displaylang=en
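To make the two checks in Ken's posts concrete, here is an added example (not Ken's code and not Kerio's) that evaluates them the way a receiving server would. spf_check() applies an "a mx -all" style record to the MAIL FROM domain and the connecting IP; caller_id_check() looks up _ep.<domain> for the header From domain, parses the <ep><out><m><r> XML and compares the listed IPs with the same connecting IP. DNS is replaced by a constructed in-memory table holding Ken's emua.net records so the code runs offline; kerio.com having no records in that table is an assumption. The SPF subset covers a, mx, ip4 and all with the four qualifiers, a small part of RFC 7208.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-in for DNS: (name, type) -> list of record data.
# Modelled on the emua.net records shown in the thread; kerio.com deliberately absent.
DNS = {
    ("emua.net", "TXT"): ["v=spf1 a mx -all"],
    ("emua.net", "A"): ["75.149.45.65"],
    ("emua.net", "MX"): ["webmail.emua.net"],
    ("webmail.emua.net", "A"): ["75.149.45.65"],
    ("_ep.emua.net", "TXT"): [
        "<ep xmlns='http://ms.net/1'><out><m> <r>75.149.45.65</r> </m></out></ep>"
    ],
}


def lookup(name, rtype):
    """Offline resolver over the table above (a real server queries DNS here)."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def spf_check(ip, envelope_sender):
    """Evaluate the SPF record of the MAIL FROM domain against the connecting IP.

    Supports the a, mx, ip4 and all mechanisms with +, -, ~ and ? qualifiers.
    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' (no SPF record).
    """
    domain = envelope_sender.rsplit("@", 1)[-1]
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    client = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        q = "+"                                   # default qualifier is pass
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":                         # client is an A record of the domain
            matched = str(client) in lookup(arg or domain, "A")
        elif mech == "mx":                        # client is an A record of an MX host
            matched = any(str(client) in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        else:
            continue                              # mechanism outside this subset: skipped
        if matched:
            return qualifiers[q]                  # first matching mechanism decides
    return "neutral"                              # nothing matched and no 'all' term


def caller_id_check(ip, header_from):
    """Compare the connecting IP with the <r> addresses published at _ep.<From domain>.

    Returns 'pass', 'fail', or 'none' when the domain publishes no record.
    """
    domain = header_from.rsplit("@", 1)[-1]
    records = lookup("_ep." + domain, "TXT")
    if not records:
        return "none"
    root = ET.fromstring(records[0])
    ns = {"ep": "http://ms.net/1"}
    allowed = {r.text.strip() for r in root.findall(".//ep:out/ep:m/ep:r", ns)}
    return "pass" if ip in allowed else "fail"


def evaluate(ip, envelope_sender, header_from):
    """SPF judges the envelope (MAIL FROM); Caller-ID judges the header From."""
    return {"spf": spf_check(ip, envelope_sender),
            "caller_id": caller_id_check(ip, header_from)}


if __name__ == "__main__":
    # Ken's first session: spoofed MAIL FROM, caught by SPF.
    print(evaluate("63.206.215.182", "carlos@emua.net", "carlos@emua.net"))
    # Ken's second session: foreign MAIL FROM, spoofed header From, caught by Caller-ID.
    print(evaluate("63.206.215.182", "carlos@kerio.com", "carlos@emua.net"))
    # Mail from the server's own address passes both.
    print(evaluate("75.149.45.65", "carlos@emua.net", "carlos@emua.net"))
```

The second call is the case Ken is making: SPF returns "none" because kerio.com publishes no record in this table and the MAIL FROM domain is not emua.net at all, so only the Caller-ID comparison on the header From domain produces the "fail".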
Kerio_Ken

Messages: 18
Karma: 0
I almost forgot. There is one setting in KMS that is important for this to work. In the Admin Console, go to Configuration->Content Filter->SPF, then check the "Block the message" checkbox. Otherwise, KMS will simply log the SPF failures, but allow the messages through.
yukiomishima

Messages: 185
Karma: -2
kerio ken

thanks for the detailed info

as our ISP handles our DNS (and our mail in/out) i assume i will need to discuss this with them

thanks

yukioMishima
feijin

Messages: 24
Karma: 0
please try it:
HELO youcomputername
Tiger# telnet webmail.emua.net 25
Trying 75.149.45.65...
Connected to webmail.emua.net.
Escape character is '^]'.
220 webmail.emua.net ESMTP ready
HELO youcomputername
250 webmail.emua.net
MAIL FROM: carlos@emua.net

RCPT TO: carlos@emua.net
250 2.1.5 Recipient <carlos@emua.net> ok
DATA
354 Enter mail, end with CRLF.CRLF
From: carlos@emua.net
Subject: Buy my stuff!!! V|4gra


spammer!!!

Kerio_Ken wrote on Fri, 26 September 2008 06:06

---
Tiger# telnet webmail.emua.net 25
Trying 75.149.45.65...
Connected to webmail.emua.net.
Escape character is '^]'.
220 webmail.emua.net ESMTP ready
HELO emua.net
250 webmail.emua.net
MAIL FROM: carlos@emua.net
550 5.7.0 Please see http://www.openspf.com/why.html?sender=carlos%40emua.net&ip=63.206.215.182&receiver=webmail.emua.net
---

Notice, SPF blocked this one. However, it will not block the message where Caller-ID will. Here's how Caller-ID works:

---
MAIL FROM: carlos@kerio.com
RCPT TO: carlos@emua.net
250 2.1.5 Recipient <carlos@emua.net> ok
DATA
354 Enter mail, end with CRLF.CRLF
From: carlos@emua.net
Subject: Buy my stuff!!! V|4gra

- Ken

Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
He? What is this supposed to do?
SPF check could be configured to accept the message and increase the spam score. The message will then be dropped by the spam filter after evaluating other spam tests and not directly in the SMTP session.

All you've shown is that this server does not directly reject the sender in SMTP. But you can't know whether the message is dropped later or not.
feijin

Messages: 24
Karma: 0
Kerio_pdobry wrote on Fri, 02 January 2009 17:40

He? What is this supposed to do?
SPF check could be configured to accept the message and increase the spam score. The message will then be dropped by the spam filter after evaluating other spam tests and not directly in the SMTP session.

All you've shown is that this server does not directly reject the sender in SMTP. But you can't know whether the message is dropped later or not.


can you tell me an email address for a test?
I will send the spam message from yourself.

The SPF and Caller-ID check is invalid.
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
I'm pretty sure the SPF check works perfectly. There are a few mistakes in your test:

1. Your IP address is on the SpamHaus DNS blocklist. In such a case this particular server is configured to drop the connection after the RCPT TO command and not perform the SPF check (because it is unnecessary).
2. The data posted to the telnet session are invalid and do not correspond to standard SMTP. The RCPT TO command is not recognized by the server and in fact, all data sent to the session are dropped due to violation of the SMTP protocol.
feijin

Messages: 24
Karma: 0
please use a clean IP for this test.

"mail from" addr & "rcpt to" addr both in the local domain.

I can send a spam mail to your email addr.
But I do not know your password!

please test it.
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
pdobry:~ pdobry$ telnet webmail.emua.net 25
Trying 75.149.45.65...
Connected to webmail.emua.net.
Escape character is '^]'.
220 webmail.emua.net ESMTP ready
mail from: carlos@emua.net
550 5.7.0 Please see http://www.openspf.com/why.html?sender=carlos%40emua.net&ip=195.99.181.219&receiver=webmail.emua.net
quit
221 2.0.0 SMTP closing connection
Connection closed by foreign host.


As you can see, SPF works properly.
You can verify it on your own server if you want.

[Updated on: Sun, 04 January 2009 17:19]