Posted to users@spamassassin.apache.org by Carlos Mennens <ca...@gmail.com> on 2010/04/12 18:38:15 UTC

Mail Marked Spam For VPN Users

On my Postfix server, when my co-workers VPN from their laptops from
home, they then send mail via Outlook and their ISP IP address. When
the message gets to its recipient, it's marked ***SPAM*** by SA.
Users are complaining that email from internal users is being marked
as 'spam' and they don't know why. When I check the message source, I
can see that the user is connected to their personal ISP
(tampabay.res.rr.com in this case) to tunnel / VPN in and send mail
from their work account. My question is what can I fix to eliminate
this confusion for my co-workers w/o compromising actual spam to get
through? If this is good normal behavior from SA / Postfix, then I
will leave it alone based on your expert recommendations; however, if
you think I can tune Postfix / SA to handle mail better, I would
greatly appreciate any suggestions. I see below in the headers that
the message is being tagged as spam due to parameters that are typical
of big ISPs. The message source is below:

Return-Path: <el...@mydomain.tld>
X-Original-To: slachance@mydomain.tld
Delivered-To: slachance@mydomain.tld
Received: from localhost (localhost.localdomain [127.0.0.1])
                by mail.mydomain.tld (Postfix) with ESMTP id CD2D7778382;
                Mon, 12 Apr 2010 09:08:57 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mydomain.tld
X-Spam-Flag: YES
X-Spam-Score: 5.266
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.266 tagged_above=-999 required=5
                tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845,
                FSL_HELO_NON_FQDN_1=0.001, HELO_NO_DOMAIN=0.001,
                RCVD_IN_PBL=3.335,
                RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982,
                O_EQ_FM_DIRECT_MX=0.001]
                autolearn=no
Received: from mail.mydomain.tld ([127.0.0.1])
                by localhost (mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
                with LMTP id qDSvk1vgoHls; Mon, 12 Apr 2010 09:08:57 -0400 (EDT)
Received: from elugo2 (165-252.200-68.tampabay.res.rr.com [68.200.252.165])
                by mail.mydomain.tld (Postfix) with ESMTP id ABF3477838C;
                Mon, 12 Apr 2010 09:08:56 -0400 (EDT)
From: "Esteban Lugo" <el...@mydomain.tld>
To: "'Esteban Lugo'" <el...@mydomain.tld>,
                "'Richard'" <ri...@somedomain.tld>,
                "'Scott'" <s...@mydomain.tld>,
                "'David'" <d...@mydomain.tld>,
                "'Hassan'" <h...@mydomain.tld>,
                "'Travis'" <t...@mydomain.tld>
References: <00...@org>
<75...@HVXMSP1.us.somedomain.tld>
In-Reply-To:
Subject: ***SPAM*** RE: WHL Request 4/12-4/16
Date: Mon, 12 Apr 2010 09:08:54 -0400
Message-ID: <00...@org>
MIME-Version: 1.0
Content-Type: multipart/mixed;
                boundary="----=_NextPart_000_000A_01CADA1F.C86A2000"
X-Mailer: Microsoft Office Outlook 12.0

Re: Mail Marked Spam For VPN Users

Posted by John Hardin <jh...@impsec.org>.
On Mon, 12 Apr 2010, Carlos Mennens wrote:

> When users are on the LAN, their client IP is in range of
> 'mynetworks' parameter via Postfix. When they're home and VPN into my
> network, they fire up Outlook / Thunderbird & send email as they would
> if they were sitting in the office. However their client IP is now
> their ISP connected IP and their reverse DNS is not correct so SA
> thinks this is a spammer without a proper RDNS entry per RFC
> guidelines. Is there a way to fix this mix up?

When they connect to your mail server via your VPN, are they connecting to 
the _private_ IP address of the mail server? If they are connecting to the 
_public_ IP address then the fact that they are using a VPN is probably 
irrelevant as traffic isn't traversing the VPN.

I suspect this is a VPN configuration issue, not an SA issue.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The world has enough Mouse Clicking System Engineers.
                                                        -- Dave Pooser
-----------------------------------------------------------------------
  Tomorrow: Thomas Jefferson's 267th Birthday

Re: Mail Marked Spam For VPN Users

Posted by Michael Scheidell <sc...@secnap.net>.
On 4/12/10 1:11 PM, Carlos Mennens wrote:
>>>>> (amavisd-new can add credit for smtp-auth users)
>
> How would I credit -100 points for someone who is using smtp auth?
> Users should be using TLS and SASL authentication so that should be
> fine. I just need to know how I would configure something of the
> such...

Since you are using amavisd-new, you should look at the amavisd-new
mailing list. Look for smtp-auth and policy banks.

Several examples, depending on what you are doing.


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  

Re: Mail Marked Spam For VPN Users

Posted by David Morton <mo...@dgrmm.net>.

On 4/12/10 12:11 PM, Carlos Mennens wrote:
> On Mon, Apr 12, 2010 at 1:02 PM, Michael Scheidell <sc...@secnap.net> wrote:
>> then read this part if I somehow confused you.
>>
>> On 4/12/10 12:55 PM, Carlos Mennens wrote:
>>>>> other option is set up submit port that only available via vpn, or use
>>>>> smtp auth and give anyone coming in via that -100 points.
>>>>> (amavisd-new can add credit for smtp-auth users)
>
> How would I credit -100 points for someone who is using smtp auth?
> Users should be using TLS and SASL authentication so that should be
> fine. I just need to know how I would configure something of the
> such...

One option is to use amavisd-new to do it as others have mentioned - or
as a more generic method, you can have Postfix add a header and look for
that:

/etc/postfix/helo_add_auth_header.regexp :
/.*/ PREPEND X-SMTP-Auth: not_on_myhost

/etc/mail/spamassassin/local.cf:
header __NO_SMTP_AUTH X-SMTP-Auth =~ /not_on_myhost/
meta SMTP_AUTH ( __NO_SMTP_AUTH < 1 )
describe SMTP_AUTH Message sent using SMTP Authentication
tflags SMTP_AUTH nice
score SMTP_AUTH -5

and then on the end of your smtpd_recipient_restrictions in main.cf:
     check_client_access pcre:/etc/postfix/helo_add_auth_header.regexp

SMTP Auth connections get ok'd before the regexp file is matched, and
they never get the header, and then spamassassin sees that and gives a
-5 credit.

-- 
David Morton <mo...@dgrmm.net>

Morton Software & Design  http://www.dgrmm.net - Ruby on Rails
                                                 PHP Applications
Maia Mailguard http://www.maiamailguard.com    - Spam management
                                                 for mail servers
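The replies in this thread turn on one observation: whatever the VPN does, the hop SpamAssassin scores is the ISP client address that reached mail.mydomain.tld, and the only reliable way to distinguish a co-worker from a random dynamic-pool host is evidence of SMTP AUTH, such as the marker header David's Postfix map adds for unauthenticated sessions. The following is an added Python example, not code from the thread or from SpamAssassin: it walks the Received chain of a constructed copy of the quoted message, picks out that first external hop, and reports the properties discussed above. The 'mynetworks' ranges and the dynamic-rDNS heuristic are assumptions, and the X-SMTP-Auth line is what the thread's PREPEND rule would have added.

```python
import email
import ipaddress
import re

# Constructed sample: the Received chain quoted in the thread, plus the marker
# header that the Postfix access map from the thread would add to this session.
SAMPLE = """Received: from localhost (localhost.localdomain [127.0.0.1])
\tby mail.mydomain.tld (Postfix) with ESMTP id CD2D7778382;
\tMon, 12 Apr 2010 09:08:57 -0400 (EDT)
Received: from mail.mydomain.tld ([127.0.0.1])
\tby localhost (mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
\twith LMTP id qDSvk1vgoHls; Mon, 12 Apr 2010 09:08:57 -0400 (EDT)
Received: from elugo2 (165-252.200-68.tampabay.res.rr.com [68.200.252.165])
\tby mail.mydomain.tld (Postfix) with ESMTP id ABF3477838C;
\tMon, 12 Apr 2010 09:08:56 -0400 (EDT)
X-SMTP-Auth: not_on_myhost
"""
# Assumed internal ranges, i.e. the admin's Postfix 'mynetworks'.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
# "from HELO (rdns [ip]) by HOST"; rdns is optional, as in the amavisd hop.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")
# Assumed heuristic for ISP-style dynamic rDNS: embedded octets or pool words.
DYNAMIC_RE = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|\b(dyn|dhcp|res|pool|dsl|cable)\b", re.I)

def first_external_hop(msg):
    """Newest-first, return (helo, rdns, ip, by) of the first hop from outside MYNETWORKS."""
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold the header first
        if m and not any(ipaddress.ip_address(m.group(3)) in n for n in MYNETWORKS):
            helo, rdns, ip, by = m.groups()
            return helo, rdns or "", ip, by
    return None

def explain(raw):
    """Return the reasons this message looks like a direct-to-MX ISP client."""
    msg = email.message_from_string(raw)
    hop = first_external_hop(msg)
    if hop is None:
        return []
    helo, rdns, ip, by = hop
    reasons = [f"client {ip} reached {by} from outside mynetworks"]
    if "." not in helo:
        reasons.append(f"HELO '{helo}' is not a fully qualified host name")
    if DYNAMIC_RE.search(rdns):
        reasons.append(f"rDNS '{rdns}' looks like a dynamic ISP pool")
    if msg.get("X-SMTP-Auth", "").strip() == "not_on_myhost":
        reasons.append("Postfix marked the session as not SMTP-authenticated")
    return reasons
```

Run against the sample it lists all four reasons; with the marker header removed (an authenticated session under David's scheme) the last one disappears, which is exactly the distinction the negative-score rule relies on.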

Re: Mail Marked Spam For VPN Users

Posted by Carlos Mennens <ca...@gmail.com>.
On Mon, Apr 12, 2010 at 1:02 PM, Michael Scheidell <sc...@secnap.net> wrote:
> then read this part if I somehow confused you.
>
> On 4/12/10 12:55 PM, Carlos Mennens wrote:
>>>> other option is set up submit port that only available via vpn, or use
>>>> smtp auth and give anyone coming in via that -100 points.
>>>> (amavisd-new can add credit for smtp-auth users)

How would I credit -100 points for someone who is using smtp auth?
Users should be using TLS and SASL authentication so that should be
fine. I just need to know how I would configure something of the
such...

Re: Mail Marked Spam For VPN Users

Posted by Michael Scheidell <sc...@secnap.net>.
Then read this part if I somehow confused you.

On 4/12/10 12:55 PM, Carlos Mennens wrote:
>>> other option is set up submit port that only available via vpn, or use smtp
>>> auth and give anyone coming in via that -100 points.
>>> (amavisd-new can add credit for smtp-auth users)

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259

Re: Mail Marked Spam For VPN Users

Posted by Carlos Mennens <ca...@gmail.com>.
On Mon, Apr 12, 2010 at 12:43 PM, Michael Scheidell
<sc...@secnap.net> wrote:
> are they not authenticating through, and sending out via (forgive me) an
> exchange server?
> if outlook is authenticating direct to  the exchange server, then the
> exchange server would be the source ip, and you would eliminate lots of
> this.
>
> other option is set up submit port that only available via vpn, or use smtp
> auth and give anyone coming in via that -100 points.
> (amavisd-new can add credit for smtp-auth users)

I am totally lost. Who has an Exchange server? I have a Postfix mail
server. When users are on the LAN, their client IP is in range of
'mynetworks' parameter via Postfix. When they're home and VPN into my
network, they fire up Outlook / Thunderbird & send email as they would
if they were sitting in the office. However their client IP is now
their ISP connected IP and their reverse DNS is not correct so SA
thinks this is a spammer without a proper RDNS entry per RFC
guidelines. Is there a way to fix this mix up?

Nobody is authenticating through any Exchange servers or anything like that...

Re: Mail Marked Spam For VPN Users

Posted by Michael Scheidell <sc...@secnap.net>.
On 4/12/10 12:38 PM, Carlos Mennens wrote:
> On my Postfix server, when my co-workers VPN from their laptops from
> home, they then send mail via Outlook and their ISP IP address. When
> the message gets to its recipient, it's marked ***SPAM*** by SA.
Are they not authenticating through, and sending out via (forgive me) an
Exchange server?
If Outlook is authenticating direct to the Exchange server, then the
Exchange server would be the source IP, and you would eliminate lots of
this.

The other option is to set up a submission port that is only available via VPN, or use
SMTP auth and give anyone coming in via that -100 points.
(amavisd-new can add credit for smtp-auth users)


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259

Re: Mail Marked Spam For VPN Users

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 12.04.10 12:38, Carlos Mennens wrote:
> On my Postfix server, when my co-workers VPN from their laptops from
> home, they then send mail via Outlook and their ISP IP address.

If they send mail from your domain, they should always send it through your
server (not their actual ISP's), using SMTP authentication, possibly with
encryption and through a different port than 25 (since many ISPs block 25).

That's what port 587 (submission), SMTP AUTH and STARTTLS are for. If your
postfix adds authentication info to authenticated mail headers, SA will
detect it and skip most of the checks that hit.

> X-Spam-Status: Yes, score=5.266 tagged_above=-999 required=5
>                 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845,
>                 FSL_HELO_NON_FQDN_1=0.001, HELO_NO_DOMAIN=0.001,
> RCVD_IN_PBL=3.335,
>                 RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982,
> O_EQ_FM_DIRECT_MX=0.001]

Eh. AMAVIS. This is not the amavis mailing list.

And it does not matter if they use VPN or not.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising e-mail at this address.
99 percent of lawyers give the rest a bad name.