problems with spam
ahu

Hi all,

recently our users receive more and more spam. I already activated every Anti-Spam feature that Kerio 8.0 provides:
Blacklist, SpamAssassin, Caller ID, SPF, Greylisting, Spam Repellent
Typically, these mails have a Return-Path which is the spammer's real address, and X-Envelope-To, From and To are all the same, namely the original spam receiver. Here is something from the source (server and receiver changed):

Return-Path: <gapedwev1076<_at_>gmail.com>
X-Envelope-To: somebody<_at_>mycompany.com
X-Spam-Status: No, hits=0.0 required=6.0
	tests=DNSBL_IX.DNSBL.MANITU.NET: 10.00,AWL: -6.711,BAYES_60: 3.515,
	HTML_MESSAGE: 0.001,HTML_TAG_BALANCE_BODY: 1.157,MIME_HTML_ONLY: 0.001,
	MISSING_MID: 0.497,T_URIBL_BLACK_OVERLAP: 0.01,T_URIBL_SEM_FRESH: 0.01,
	T_URIBL_SEM_FRESH_10: 0.01,T_URIBL_SEM_FRESH_15: 0.01,URIBL_BLACK: 1.725,
	URIBL_DBL_SPAM: 1.7,URIBL_RHS_DOB: 1.514,URIBL_WS_SURBL: 1.608,
	CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 15.047,autolearn=no
X-Spam-Level: 
Received: from [190.254.55.76] ([190.254.55.76])
	by mail.mycompany.com
	for somebody<_at_>mycompany.com;
	Thu, 14 Feb 2013 22:30:59 +0100
Date: Thu, 14 Feb 2013 16:44:44 -0500
From: <somebody<_at_>mycompany.com>
To: <somebody<_at_>mycompany.com>


So why the hell is this not recognized as spam? How can I tell Kerio that if From and To are the same, while From is not the real sender and is one of our own users but the mail was not really sent by him, then this is spam?

Thanks for any hints
Andreas
Pavel Dobry (Kerio)

Define a Caller-ID DNS record for your domain. It will stop this kind of email.
freakinvibe

One problem I see from the headers is that you have a FROM rule that whitelists the mail:

CUSTOM_RULE_FROM: ALLOW

Get rid of that rule and this mail will be considered spam, as it has a score of 15.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
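The two points raised so far, that the CUSTOM_RULE_FROM: ALLOW entry zeroes the reported hits even though the individual rule scores add up well past the threshold, and that the spoofed mail has From and To equal to a local user while the Return-Path is foreign, can both be checked mechanically from the headers. The script below is an added example, not code from the thread or from Kerio; it uses a constructed message modelled on the quoted headers (addresses, IPs and scores are placeholders) and the `mycompany.example` domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the thread. Addresses,
# hosts and scores are hypothetical placeholders, not the poster's real data.
SAMPLE = """Return-Path: <spammer-account@example.net>
X-Envelope-To: somebody@mycompany.example
X-Spam-Status: No, hits=0.0 required=6.0
\ttests=DNSBL_IX.DNSBL.MANITU.NET: 10.00,AWL: -6.711,BAYES_60: 3.515,
\tURIBL_BLACK: 1.725,URIBL_DBL_SPAM: 1.7,
\tCUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 10.229,autolearn=no
Received: from [192.0.2.76] ([192.0.2.76])
\tby mail.mycompany.example
\tfor somebody@mycompany.example;
\tThu, 14 Feb 2013 22:30:59 +0100
From: <somebody@mycompany.example>
To: <somebody@mycompany.example>
Subject: (constructed test message)

body
"""


def parse_spam_status(value):
    """Split an X-Spam-Status header into (hits, required, {rule: score})."""
    flat = re.sub(r"\s+", " ", value).strip()          # unfold the header
    m = re.search(r"hits=([-\d.]+) required=([-\d.]+)", flat)
    hits, required = float(m.group(1)), float(m.group(2))
    tests = {}
    tests_part = re.search(r"tests=(.*)$", flat)
    for item in (tests_part.group(1) if tests_part else "").split(","):
        if ":" not in item:                             # skips 'autolearn=no'
            continue
        name, _, score = item.partition(":")
        tests[name.strip()] = score.strip()
    return hits, required, tests


def sum_rule_scores(tests):
    """Add up the numeric per-rule scores; TOTAL_SCORE and verdicts like ALLOW are skipped."""
    total = 0.0
    for name, score in tests.items():
        if name == "TOTAL_SCORE":
            continue
        try:
            total += float(score)
        except ValueError:
            pass
    return round(total, 3)


def allow_rule_overrode_verdict(hits, required, tests):
    """True when a CUSTOM_RULE_* ALLOW whitelisted a mail whose rule scores alone exceed the threshold."""
    whitelisted = any(n.startswith("CUSTOM_RULE_") and v.upper() == "ALLOW"
                      for n, v in tests.items())
    return whitelisted and hits < required <= sum_rule_scores(tests)


def looks_like_self_spoof(msg, local_domains):
    """From == To, the address belongs to one of our domains, but the envelope sender is foreign."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    rp_domain = return_path.rpartition("@")[2]
    return (from_addr == to_addr
            and from_domain in local_domains
            and rp_domain not in local_domains)


def analyze(raw, local_domains):
    """Run both checks over a raw RFC 5322 message and report the findings."""
    msg = message_from_string(raw)
    hits, required, tests = parse_spam_status(msg.get("X-Spam-Status", ""))
    return {
        "hits": hits,
        "required": required,
        "computed_score": sum_rule_scores(tests),
        "whitelisted_by_allow_rule": allow_rule_overrode_verdict(hits, required, tests),
        "self_spoof": looks_like_self_spoof(msg, local_domains),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE, {"mycompany.example"}))
```

Run against the constructed sample, `computed_score` is 10.229 while `hits` is 0.0, which is exactly the signature of a FROM allow rule masking a high-scoring mail; `self_spoof` is true because the local From/To pair does not match the foreign Return-Path domain. A clean message with no CUSTOM_RULE_* ALLOW entry reports `whitelisted_by_allow_rule` as false.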
ahu

Pavel Dobry (Kerio) wrote on Fri, 15 February 2013 10:25
Define a Caller-ID DNS record for your domain. It will stop this kind of email.

I now activated Caller ID and SPF and added proper entries to our DNS:
host -t TXT mycompany.com
mycompany.com descriptive text "v=spf1 mx ip4:123.45.67.89 ip4:45.67.89.12 ip4:34.56.78.90 -all"
mycompany.com descriptive text "<ep xmlns='http://ms.net/1'><out><m> <r>123.45.67.89</r> <r>45.67.89.12</r> <r>34.56.78.90</r>  </m></out></ep>"

But I still just got such an e-mail:
Return-Path: <luridnessdr<_at_>msplaw.com>
X-Envelope-To: me<_at_>mycompany.com
X-Spam-Status: No, hits=3.2 required=6.0
	tests=BAYES_50: 1.567,T_URIBL_SEM: 0.01,T_URIBL_SEM_RED: 0.01,
	URIBL_DBL_SPAM: 1.7,TOTAL_SCORE: 3.287,autolearn=no
X-Spam-Level: ***
Received: from msplaw.com ([181.37.129.124])
	by mail.mycompany.com
	for me<_at_>mycompany.com;
	Thu, 4 Apr 2013 17:09:51 +0200
Received: from apache by mycompany.de with local (Exim 4.67)
	(envelope-from <me<_at_>mycompany.com>,
	<someoneelse<_at_>mycompany.com>)
	id FSWEFI-HEKKND-EM
	for <me<_at_>mycompany.com>,
	<someoneelse<_at_>mycompany.com>; Thu, 4 Apr 2013 09:09:51 -0600
To: <me<_at_>mycompany.com>,
	<someoneelse<_at_>mycompany.com>
Subject: Interesting hack forum so far!

[04/Apr/2013 17:09:52] Recv: Queue-ID: 515d97be-0000c4f5, Service: SMTP, From: <luridnessdr@msplaw.com>, To: <me@mycompany.com>, Size: 843, Sender-Host: 181.37.129.124, Subject: Interesting hack forum so far!, Msg-Id: <FBFQ8L-TGV707-8A<_at_>msplaw.com>


Now I am not sure whether this Caller ID even works; it is a bit strange when I compare my DNS with kerio.com:
host -t TXT kerio.com
kerio.com descriptive text "v=spf1 mx include:samepage.io include:spf.kerio.com " "include:spf.messagelabs.com include:mktomail.com ip4:209.34.68.0/24 " "include:salesforce.com include:srs.bis.na.blackberry.com include:srs.bis.eu.blackberry.com " "ip4:194.168.19.221/32 ip4:194.168.19.142/32 -all"


But when I use this test page: http://www.kerio.com/callerid/ there are many more entries than just those in the DNS TXT record; in particular the TXT record only has SPF, but the page shows Caller ID entries as well.
Compared to my domain:
No Caller ID record was found for mycompany.com

Thanks for your help

[Updated on: Thu, 04 April 2013 17:22]

Pavel Dobry (Kerio)

Caller-ID records (i.e. that <ep... text) must be configured for the domain _ep.mycompany.com, not mycompany.com. SPF seems to be correct.

[Updated on: Thu, 04 April 2013 17:32]
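The difference between the two DNS layouts above (the `<ep>` XML placed under the bare domain, where the Caller ID test page finds nothing, versus under `_ep.<domain>`) can be reproduced offline. The following is an added example, not code from the thread or from Kerio: it stands in for `host -t TXT` with two constructed zone dictionaries (documentation IPs, `mycompany.example` as the domain, and a hypothetical `MX_HOSTS` table for the `mx` mechanism), parses the SPF `ip4:` terms and the Caller ID `<r>` entries, and checks a connecting IP against both.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed zone data standing in for live DNS. IPs are documentation
# addresses and the domain is hypothetical, not the poster's real records.
CALLER_ID_TXT = ("<ep xmlns='http://ms.net/1'><out><m> <r>192.0.2.10</r> "
                 "<r>198.51.100.20</r> </m></out></ep>")
SPF_TXT = "v=spf1 mx ip4:192.0.2.10 ip4:198.51.100.20 -all"

# Layout from the poster's first attempt: both records under the bare domain.
ZONE_WRONG = {"mycompany.example": [SPF_TXT, CALLER_ID_TXT]}

# Layout after the correction: the <ep> record lives under _ep.<domain>.
ZONE_FIXED = {
    "mycompany.example": [SPF_TXT],
    "_ep.mycompany.example": [CALLER_ID_TXT],
}

# Hypothetical expansion of the 'mx' mechanism (what the MX hosts resolve to).
MX_HOSTS = {"mycompany.example": ["192.0.2.10"]}


def spf_networks(zone, domain):
    """Collect the networks authorised by the domain's v=spf1 TXT record (ip4: and mx only)."""
    nets = []
    for txt in zone.get(domain, []):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split():
            if term.startswith("ip4:"):
                nets.append(ipaddress.ip_network(term[4:], strict=False))
            elif term == "mx":
                nets.extend(ipaddress.ip_network(ip) for ip in MX_HOSTS.get(domain, []))
    return nets


def caller_id_addresses(zone, domain):
    """Caller ID is read from the TXT record of _ep.<domain>; an <ep> under <domain> itself is ignored."""
    ns = {"ep": "http://ms.net/1"}
    addrs = []
    for txt in zone.get("_ep." + domain, []):
        if not txt.lstrip().startswith("<ep"):
            continue
        root = ET.fromstring(txt)
        for r in root.findall(".//ep:r", ns):
            addrs.append(ipaddress.ip_address(r.text.strip()))
    return addrs


def check_sender(zone, domain, sender_ip):
    """Report whether a connecting IP is authorised by SPF and by Caller ID for the given domain."""
    ip = ipaddress.ip_address(sender_ip)
    cid = caller_id_addresses(zone, domain)
    return {
        "spf_pass": any(ip in net for net in spf_networks(zone, domain)),
        "caller_id_found": bool(cid),
        "caller_id_pass": ip in cid,
    }


if __name__ == "__main__":
    for name, zone in (("wrong", ZONE_WRONG), ("fixed", ZONE_FIXED)):
        print(name, check_sender(zone, "mycompany.example", "203.0.113.124"))
```

With `ZONE_WRONG` the lookup of `_ep.mycompany.example` returns nothing, which is the "No Caller ID record was found" result the poster saw; with `ZONE_FIXED` the record is found and a foreign sender IP fails both SPF and Caller ID while a listed IP passes both.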

camisy

Do you use your own MX, or are you downloading messages via POP3 from another server? Also, your allow rule looks strange to me.