Fake mailer (Kerio Connect forum thread)
  •  
giocal (Messages: 9, Karma: 0)
Hi,
We use the latest version of Kerio Connect.

I've noticed that when sending email to our domain via a fake mailer (like emkei.cz), the email arrives at our address, bypassing all spam protection.

This is the log on Kerio:
[24/Feb/2017 15:59:21] Recv: Queue-ID: 58b04a43-0000257f, Service: SMTP, From: <aa@gmail.com>, To: <gxxxxx@zzzzz.yy>, Size: 649, Sender-Host: 46.167.245.72, SSL: yes, Subject: 123, Msg-Id: <20170224145850.2FEE0D59D1@emkei.cz>

Where <aa@gmail.com> is a fake Gmail address and <gxxxxx@zzzzz.yy> is my real email address.

I've followed all the guides to set up the spam filter on Kerio:
- Spam enabled and working
- Blacklists enabled and working
- Caller ID and SPF checks are enabled and working.

Is that normal? How can I avoid fake emails?

Best regards

  •  
Vicky (Messages: 656, Karma: 81)
Hi Gio,

A lot of this will depend on how you have your settings configured. You can always open a support ticket and we can go through your spam settings if you like, and check the header information in the problem email.

You can open a support ticket with the link below:

https://support.kerio.com/kerio_api/incident_wizard/submit_new_incident.php?language=en

Best Regards,
  •  
giocal (Messages: 9, Karma: 0)
Hi,

I don't want to waste a support ticket on a thing like this.
We want to use support tickets only for major issues.
I followed all the guides to configure spam filtering etc., and it is configured correctly.

What is the purpose of this forum if we need to use a support ticket?

Best regards
  •  
freakinvibe (Messages: 1508, Karma: 58)
There are several reasons why a mail could bypass the spam checking:

  • The sending IP is on your whitelist
  • You have an "Allow" rule configured that matches the mail
  • The size of the mail is bigger than the threshold set for SpamAssassin

The easiest would be if you pasted the headers of such a mail here.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
giocal (Messages: 9, Karma: 0)
Thanks freakinvibe,

- The sending IP is not in my whitelist
- No allow rule for anything
- The size of the mail is not big, because it is just text.

Header of the message
----------------------------------------
Return-Path: <fakemail@gmail.com>
X-Spam-Status: No, hits=0.0 required=4.5
  tests=BAYES_20: -0.73, TOTAL_SCORE: -0.730,autolearn=ham
X-Spam-Level:
Received: from emkei.cz ([46.167.245.72])
  by mail.myrealdomain.it with ESMTPS
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
  for gioxxx.xxx@yyyyyy.it;
  Wed, 8 Mar 2017 14:36:01 +0100
Received: by emkei.cz (Postfix, from userid 33)
  id 24EF4D5D1F; Wed, 8 Mar 2017 14:35:21 +0100 (CET)
To: gioxxx.xxx@yyyyyy.it
Subject: Fake subjet
X-PHP-Originating-Script: 33:index.php
From: "Fake User" <fakemail@gmail.com>
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: fakemail@gmail.com
Reply-To: fakemail@gmail.com
Content-Type: text/plain; charset=utf-8
Message-Id: <20170308133522.24EF4D5D1F@emkei.cz>
Date: Wed, 8 Mar 2017 14:35:21 +0100 (CET)
--------------------------------------


Any idea?

  •  
freakinvibe (Messages: 1508, Karma: 58)
It seems to hit the Bayes rule, so spam processing is working.

If it is always coming from the same IP range, you could put that on your manual IP blacklist.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
giocal (Messages: 9, Karma: 0)
Hi,

Yes, the IP is always the same, but I thought that email spoofing was already blocked.
It is simple to block an IP address (or block it by words, etc.), but I can't block every fake mailer on the internet.
I chose the first fake mailer on Google just for testing purposes.


  •  
Pavel Dobry (Kerio) (Messages: 5245, Karma: 251)
A correctly configured SPF check should block this. Just make sure that this IP address is not in the list of exceptions. Enabling SMTP server debug logging can help you troubleshoot SPF checking.
  •  
giocal (Messages: 9, Karma: 0)
Here is the log:

[08/Mar/2017 17:40:05][26858] {smtps} Delaying SMTP greeting to 46.167.245.72:49033 for 15 seconds
[08/Mar/2017 17:40:20][26858] {smtps} Sent SMTP greeting to 46.167.245.72:49033
[08/Mar/2017 17:40:20][26858] {smtps} Command EHLO emkei.cz
[08/Mar/2017 17:40:20][26858] {smtps} Sent reply to EHLO: 250 mail.telefonicalombarda.it ...
[08/Mar/2017 17:40:20][26858] {smtps} Command STARTTLS
[08/Mar/2017 17:40:20][26858] {smtps} Successfully switched to TLS mode
[08/Mar/2017 17:40:20][26858] {smtps} Command EHLO emkei.cz
[08/Mar/2017 17:40:20][26858] {smtps} Sent reply to EHLO: 250 mail.telefonicalombarda.it ...
[08/Mar/2017 17:40:20][26858] {smtps} Command MAIL FROM:<test@gmail.com> SIZE=504
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records for domain gmail.com
[08/Mar/2017 17:40:20][26858] {spf} DNS TXT record for domain gmail.com: v=spf1 redirect=_spf.google.com.
[08/Mar/2017 17:40:20][26858] {spf} DNS SPF record is found, remaining TXT records are discarded.
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records in domain gmail.com succeeded: 1 records
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records for domain _spf.google.com
[08/Mar/2017 17:40:20][26858] {spf} DNS TXT record for domain _spf.google.com: v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all.
[08/Mar/2017 17:40:20][26858] {spf} DNS SPF record is found, remaining TXT records are discarded.
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records in domain _spf.google.com succeeded: 1 records
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records for domain _netblocks.google.com
[08/Mar/2017 17:40:20][26858] {spf} DNS TXT record for domain _netblocks.google.com: v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all.
[08/Mar/2017 17:40:20][26858] {spf} DNS SPF record is found, remaining TXT records are discarded.
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records in domain _netblocks.google.com succeeded: 1 records
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records for domain _netblocks2.google.com
[08/Mar/2017 17:40:20][26858] {spf} DNS TXT record for domain _netblocks2.google.com: v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all.
[08/Mar/2017 17:40:20][26858] {spf} DNS SPF record is found, remaining TXT records are discarded.
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records in domain _netblocks2.google.com succeeded: 1 records
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records for domain _netblocks3.google.com
[08/Mar/2017 17:40:20][26858] {spf} DNS TXT record for domain _netblocks3.google.com: v=spf1 ip4:172.217.0.0/19 ip4:108.177.96.0/19 ~all.
[08/Mar/2017 17:40:20][26858] {spf} DNS SPF record is found, remaining TXT records are discarded.
[08/Mar/2017 17:40:20][26858] {spf} SPF DNS query for TXT (16) records in domain _netblocks3.google.com succeeded: 1 records
[08/Mar/2017 17:40:20][26858] {spf} Checking address: test@gmail.com
[08/Mar/2017 17:40:20][26858] {spf} SPF result: SoftFail
[08/Mar/2017 17:40:20][26858] {spf} Please see http://www.openspf.net/why.html?sender=test%40gmail.com&ip=46.167.245.72&receiver=mail.xxxxxxxx.yy
[08/Mar/2017 17:40:20][26858] {spf} Received-SPF: softfail (mail.xxxxxxxx.yy: transitioning domain of gmail.com does not designate 46.167.245.72 as permitted sender) client-ip=46.167.245.72; envelope-from=test@gmail.com;
[08/Mar/2017 17:40:20][26858] {smtps} Sent reply to MAIL: 250 2.1.0 Sender <test@gmail.com> ok
[08/Mar/2017 17:40:20][26858] {smtps} Command RCPT TO:<gioxxxxxx@xxxxxxxx.yy> ORCPT=rfc822;gioxxxxxx@xxxxxxxx.yy
[08/Mar/2017 17:40:20][26858] {smtps} Sent reply to RCPT: 250 2.1.5 Recipient <gioxxxxxx@xxxxxxxx.yy> ok (local)
[08/Mar/2017 17:40:20][26858] {smtps} Command DATA
[08/Mar/2017 17:40:21][26858] {smtps} Retrieving Caller-ID record for domain gmail.com
[08/Mar/2017 17:40:21][26858] {smtps} Retrieval finished, success=no
[08/Mar/2017 17:40:21][26858] {smtps} 507 bytes received in command DATA
[08/Mar/2017 17:40:21][26858] {smtps} Message accepted for delivery
[08/Mar/2017 17:40:21][26858] {smtps} Command QUIT
[08/Mar/2017 17:40:21][26858] {smtps} SMTP server session end
[08/Mar/2017 17:40:21][26858] {smtps} Task 46686 handler END

I noticed the SPF SoftFail.
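The SPF walk shown in the debug log above, as an added example that is neither Kerio's code nor the poster's: a minimal RFC 7208 evaluator fed the TXT records exactly as the log prints them (a constructed in-memory table, so no DNS is needed), reproducing how 46.167.245.72 for envelope-from gmail.com ends at SoftFail while a real Google address passes. It handles only what the log exercises (ip4, ip6, include, all and the redirect modifier). The smtp_action policy function and its default of rejecting hard Fail only are my assumptions, not Kerio settings; the log itself shows SoftFail followed by "250 2.1.0 Sender ... ok".

```python
"""Minimal SPF (RFC 7208) evaluator run over the records from the posted log.
Added example, not Kerio code. TXT is a constructed offline copy of the
records in the log, with the trailing '.' the log prints after each dropped."""
import ipaddress

TXT = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": (
        "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 "
        "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 "
        "ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 "
        "ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"),
    "_netblocks2.google.com": (
        "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 "
        "ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
        "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"),
    "_netblocks3.google.com":
        "v=spf1 ip4:172.217.0.0/19 ip4:108.177.96.0/19 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4: include/redirect budget


def lookup_spf(domain, txt=TXT):
    """Return the v=spf1 record published for domain, or None."""
    rec = txt.get(domain.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def check_host(ip, domain, txt=TXT, _lookups=None):
    """RFC 7208 check_host() for the mechanisms the log exercises.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if _lookups is None:
        _lookups = [0]                      # shared counter across recursion
    addr = ipaddress.ip_address(ip)
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only used if nothing matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            # include: matches only when the included domain yields 'pass';
            # its own ~all/-all result does NOT propagate to the caller
            matched = check_host(ip, arg, txt, _lookups) == "pass"
        else:
            return "permerror"               # a/mx/ptr/exists not needed here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        _lookups[0] += 1
        if _lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, txt, _lookups)
        return "permerror" if result == "none" else result
    return "neutral"                         # record ended without 'all'


def smtp_action(spf_result, reject_on=("fail",)):
    """Assumed receiver policy at MAIL FROM: reject only the results listed.
    The default (hard Fail only) reproduces the 250 seen in the log; pass
    reject_on=('fail', 'softfail') to see the stricter alternative."""
    if spf_result in reject_on:
        return "550 5.7.1 SPF %s for sender domain" % spf_result
    return "250 2.1.0 Sender ok"


if __name__ == "__main__":
    for ip in ("46.167.245.72", "209.85.128.1", "2a00:1450:4000::1"):
        r = check_host(ip, "gmail.com")
        print(ip, r, "|", smtp_action(r), "|", smtp_action(r, ("fail", "softfail")))
```

Two things follow from tracing the code with the log's records. First, every Google netblock record ends in ~all, so a forged gmail.com envelope sender can only ever produce SoftFail, never a hard Fail, regardless of which mailer sends it; an SPF check that rejects only on Fail will always say "250 Sender ok" here, exactly as the log does. Second, the result is a function of the envelope MAIL FROM domain and the connecting IP only: the emkei.cz EHLO name, the TLS session and the header From: play no part, which is why a spoofed From: in the headers is untouched by this check.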