Kerio User Forums » Kerio Connect » Spam - From Self
hardwerk

Messages: 7
Karma: 0
99% of the spam that gets to the users is sent with the 'from' address the same as the 'to' address. How can we prevent this? We obviously can't mark it as 'spam'.
marcobat

Messages: 28
Karma: 0
99% seems to me a very high percentage; I would check to see if anything weird is going on.
In any case you should set up an SPF record for your domain and start blocking messages that don't pass the SPF check.
heze54

Messages: 220
Karma: 0
Hi,

I'm using an SPF record but sometimes I have the same situation.
tek_san

Messages: 110
Karma: 0
The spam filter from KMS is OK, but it does not replace a "real" antispam solution.
We use the very effective Nospamproxy and could reduce spam to a minimum.
We had that case as well, that foreigners sent mails with our addresses - from our domains.
This could be solved with a small rule that blocks foreign users of our domains.
Of course this means extra costs, but we were able to reduce spam to a minimum.
I guess about 5% or less are mails that pass through. Good for our mail archive solution as well!
Costs? Depends on your user base: we paid about 3400 Euro for a 3-year support and software contract for 200 users.
Requirements? A virtual machine running Win 2003 Server, 3 GB of RAM assigned and two vCPUs.
regards

Oliver

KC 7.3.1, Win2003 in vsphere 4.1, store drive attached via iSCSI, OS drive attached via NFS.
220+ IMAP Accounts: 210 OSX Mail /Entourage Clients, 10 Outlook 2003 KOC Clients - iPhones, Nokia E66, HTC 4350
Archive:EMA Appliance, SpamFilter: Nospamproxy
hardwerk

Messages: 7
Karma: 0
99% of the spam that makes it through our spam filter (KMS built-in) is from the recipient's address.

It looks like the email is not getting scanned though? Does that make sense?
GlennK

Messages: 252
Karma: 3
heze54 wrote on Tue, 13 October 2009 09:53
Hi,

I'm using an SPF record but sometimes I have the same situation.


If the sending server is not checking SPF records then your use of SPF is not going to help. Also, did you create an SPF record for your domain?
heze54

Messages: 220
Karma: 0
Hi,


Yes,

And my server is checking SPF.
freakinvibe

Messages: 1552
Karma: 62
Hi hardwerk and heze54

Can you post the e-mail headers of mail that has the same sender and recipient domain (your domain)? This will help to analyze and find a solution.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
hardwerk

Messages: 7
Karma: 0
Here is one. It's mainly an image and it doesn't appear to be scanned. This is the bulk of the spam that gets through.


Return-Path: <mkendall@imperiumsolutions.net>
Date: Mon, 19 Oct 2009 10:36:43 -0500
Received: from 223-10.pppoe.vitebsk.by ([86.57.223.10])
by mail1.imperiumsolutions.net
for mkendall@imperiumsolutions.net;
Mon, 19 Oct 2009 10:36:42 -0500
From: © VIAGRA ® Official <mkendall@imperiumsolutions.net>
To: mkendall@imperiumsolutions.net
Subject: Dear mkendall@imperiumsolutions.net 79% 0FF on Pfizer !
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit


Here is another one:

Return-Path: <mkendall@imperiumsolutions.net>
Date: Fri, 9 Oct 2009 08:47:47 -0500
Received: from host-78-13-244-243.cust-adsl.tiscali.it ([78.13.244.243])
by mail1.imperiumsolutions.net
for mkendall@imperiumsolutions.net;
Fri, 9 Oct 2009 08:47:45 -0500
From: "Ruthann Wallerich" <mkendall@imperiumsolutions.net>
To: mkendall@imperiumsolutions.net
MIME-Version: 1.0
Subject: Transit press release
Message-ID: <I213E99I9FLH502.NLOGJRVSCA.DD1EE7377FC@nome-cd2d26eadb >
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


marcobat

Messages: 28
Karma: 0
Now the problem is clear: your domain, imperiumsolutions.net, does not have an SPF record, so anything is accepted.
You should create an SPF record for your domain.
heze54

Messages: 220
Karma: 0
I deleted the email but I see cedis.net and serlogis.net as default domains with SPF enabled.

Is the SPF record badly configured?
marcobat

Messages: 28
Karma: 0
The SPF record for serlogis.net is:
v=spf1 ip4:83.175.212.228 ip4:83.175.212.226 mx mx:mail.cedis.net mx:mail2.cedis.net a a:serlogis.net a:hezesoft.org a:raposos.org a:serced.net a:serlogis.es a:cedis.es ~all
which is valid.
But the final ~all basically says that if messages are sent from IPs other than those specified it is also OK, just not quite as much; it is up to the SPF filter to decide what to do with it, but it should not be blocked.
In the case of Kerio I believe that with an SPF record like this all mail coming from an @serlogis.net address will be accepted independently of the IP it originated from (someone correct me if I'm wrong).
If your SPF record ended with -all, only the IPs specified in the record would be valid; anything else could be safely discarded (no more spam from @yourdomain).
But before just changing it you should know that -all can also cause problems, or at least a little bit of extra work on your side: if the message is not sent from an authorized IP it will not be delivered, so everybody will have to send messages using your SMTP server or you will have to authorize additional SMTP servers. You will likely discover that many people have been happily sending messages with an @yourdomain email address from many additional SMTP servers; a number of internet providers force you to do it.
People traveling, checking their messages through remote POP on a different system (but setting their return address to @yourdomain), using their smartphone, a hotspot, etc. also sometimes use different SMTP servers. Anyway, depending on your organization's setup and use of email, don't just change it to -all: check with everyone, help them adjust to the new way, and then change it.
I hope this will help.
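As an added illustration (not code from the thread or from Kerio), the Python below evaluates a connecting IP against the serlogis.net record quoted above and returns the result the trailing qualifier produces (softfail for ~all, fail for -all). The a/mx mechanisms are resolved from a constructed lookup table instead of live DNS, and the last helper flags the self-addressed pattern from the first post: From and To in the local domain but no SPF pass for the sending IP.

```python
"""Minimal SPF evaluator: ip4 mechanisms, a/mx via a constructed table, and the
qualifier on the final 'all' term. Added example, not a project or RFC library."""
import ipaddress

# Record as quoted in the thread for serlogis.net.
SERLOGIS_RECORD = ("v=spf1 ip4:83.175.212.228 ip4:83.175.212.226 mx mx:mail.cedis.net "
                   "mx:mail2.cedis.net a a:serlogis.net a:hezesoft.org a:raposos.org "
                   "a:serced.net a:serlogis.es a:cedis.es ~all")

# Constructed stand-in for DNS answers (hostname -> IPs). A real check would
# resolve A records, and MX hosts then their A records, over DNS.
FAKE_DNS = {"serlogis.net": ["83.175.212.228"], "mail.cedis.net": ["83.175.212.226"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Return pass/fail/softfail/neutral for sender_ip under the record."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":               # the catch-all decides everything else
            return QUALIFIERS[qual]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech in ("a", "mx"):         # no argument means the checked domain
            if sender_ip in dns.get(arg or domain, []):
                return QUALIFIERS[qual]
    return "neutral"                    # no 'all' term and nothing matched


def self_addressed_from_outside(from_addr, to_addr, sender_ip, record):
    """True when From and To share a domain but the sending IP gets no SPF pass."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain != to_addr.rsplit("@", 1)[-1].lower():
        return False
    return check_spf(record, sender_ip, domain) != "pass"
```

With the record as published, the 93.38.84.49 host from heze54's header only softfails; the same record ending in -all makes it a hard fail, which is the trade-off marcobat describes.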
heze54

Messages: 220
Karma: 0
Hi,

Yes.... sometimes I'm out of the office and need to use my notebook and Thunderbird to send emails.

See this email:

It's spam!!!

Return-Path: <andres@cedis.net>
X-Envelope-To: equintana@cedis.net, equintana@serlogis.net
Date: Wed, 21 Oct 2009 02:38:38 +0200
X-Spam-Status: No, hits=0.0 required=2.7
tests=DNSBL_DNSBL-3.UCEPROTECT.NET: 0.20,AWL: -4.781,BAYES_50: 1.567,
FH_HELO_EQ_D_D_D_D: 0.001,HELO_DYNAMIC_IPADDR2: 4.395,HTML_MESSAGE: 0.001,
MIME_HTML_ONLY: 0.001,MISSING_DATE: 0.001,MISSING_MID: 0.001,
RDNS_NONE: 0,TVD_RCVD_IP: 1.931,CUSTOM_RULE_FROM: ALLOW,
TOTAL_SCORE: 3.317,autolearn=no
X-Spam-Level:
Received: from 93-38-84-49.ip69.fastwebnet.it ([93.38.84.49])
by mail2.cedis.net
for equintana@cedis.net;
Wed, 21 Oct 2009 02:38:37 +0200
To: <equintana@cedis.net>
Subject: Ocupacion parcial
From: Felix Williamson <equintana@cedis.net>
MIME-Version: 1.0
Importance: High
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


freakinvibe

Messages: 1552
Karma: 62
In your last mail, I see in the headers:

Quote:
CUSTOM_RULE_FROM: ALLOW


This means that you have a custom rule that allows any mail that comes from cedis.net. Try to remove that rule.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch