Spoofed emails making it through the ME server checks

Discussion forum for Enterprise Edition.
kiamori
Posts: 224
Joined: Wed Nov 04, 2009 1:39 am

Post by kiamori » Thu Jan 10, 2019 3:17 am

Why are these emails making it through the checks?

Header:
Received-SPF: pass (mailserver: domain of 3gksa.com designates 38.64.38.198 as permitted sender)
client-ip=38.64.38.198
Received: from mai.hsphereonline.com ([38.64.38.198]) by mailserver with
MailEnable ESMTPS (version=TLS1 cipher=TLS_RSA_WITH_AES_256_CBC_SHA); Tue, 8 Jan 2019 18:41:37 -0600
Received: (qmail 8194 invoked by uid 399); 8 Jan 2019 19:41:48 -0500
Received: from unknown (HELO ?177-21-38-118.customer.sinalbr.com.br?) (sales@3gksa.com@45.70.3.130)
by mail.royaltyservers.com with ESMTPAMMMMMMMMMMMMMMMMMM; 8 Jan 2019 19:41:48 -0500
X-Originating-IP: 45.70.3.130
To: emailaddress@mailserver.com
X-Sender: <sales@3gksa.com>
List-ID: 9ftpfodwi32lmpl55j.lsiv05ogrqrscvdfr8
Abuse-Reports-To: <abuse@mailer.3gksa.com>
From: <emailaddress@mailserver.com>
Date: Wed, 9 Jan 2019 01:41:48 +0100
Errors-To: notification+gid5lr70_@3gksa.com
Subject: This account has been hacked! Change your password right now!
Message-ID: <1svszw.4nr3671fwmxgu14@mail.3gksa.com>
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
X-header: 21
List-Unsubscribe:
<https://3gksa.com/unsubscribe/e/2236/mn ... zewb/11409>
List-Help: <mailto:{contact|info|abuse|zaut@3gksa.com?subject=help>
X-Complaints-To: <abuse@3gksa.com>
X-ME-CountryOrigin: CA
X-Envelope-Sender: sales@3gksa.com
X-ME-Bayesian: 50.000000
X-0Spam-Location: NonUS
Return-Path: <sales@3gksa.com>
X-Read: 1

MailEnable-Ian
Site Admin
Posts: 8975
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Spoofed emails making it through the ME server checks

Post by MailEnable-Ian » Thu Jan 10, 2019 4:34 am

Hi,

The SMTP security setting for "Address Spoofing" will only work on the envelope sender address and not the message "from" header. You can see in the message header example that the "Return-Path" (envelope sender) address is not spoofed. To help stop these types of messages you will need to increase the spam protection script positive weighting criteria "Envelope sender does not match header sender" so that the message can be scored with a higher spam score. You could then create a postoffice level filter to trigger on the "X-ME-Spam: High" header and add the relevant action of deleting the message or marking it as spam to be delivered to the junk email folder.

Regards,

Ian Margarone
MailEnable Support

kiamori
Posts: 224
Joined: Wed Nov 04, 2009 1:39 am

Re: Spoofed emails making it through the ME server checks

Post by kiamori » Mon Feb 11, 2019 3:04 am

@MailEnable-Ian

Would it not make more sense to create a script to check the following:

IF sendingdomain matches recipientdomain AND SPF fail reject/sendtospam
IF is NOT localsender AND sendingdomain matches recipientdomain reject/sendtospam

Could this be done at the SMTP level?
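
The two checks discussed above (the "envelope sender does not match header sender" test and the two proposed rules), as an added Python example that is not part of the original thread and is not a MailEnable filter script. It assumes "sendingdomain" means the From header domain, uses the To header as a stand-in for the envelope recipient, and takes a hypothetical `local_sender` flag for an authenticated local session; the sample header is abridged from the first post.

```python
from email import message_from_string
from email.utils import parseaddr

# Abridged from the header posted at the top of this thread.
SAMPLE = """\
Received-SPF: pass (mailserver: domain of 3gksa.com designates 38.64.38.198 as permitted sender)
To: emailaddress@mailserver.com
From: <emailaddress@mailserver.com>
X-Envelope-Sender: sales@3gksa.com
Return-Path: <sales@3gksa.com>

"""

MISMATCH = "envelope sender does not match header sender"
RULE_1 = "From domain matches recipient domain and SPF failed"
RULE_2 = "From domain matches recipient domain but sender is not local"


def domain(value):
    """Lower-cased domain of an address header value, '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def check(raw_headers, local_sender=False):
    """Return the list of spoofing indicators found in one message.

    local_sender is an assumption of this sketch: True when the SMTP
    session was authenticated as a mailbox on this server.
    """
    msg = message_from_string(raw_headers)
    envelope = domain(msg.get("X-Envelope-Sender") or msg.get("Return-Path"))
    header_from = domain(msg.get("From"))
    recipient = domain(msg.get("To"))  # stand-in for the RCPT TO address
    # Received-SPF reports on the envelope domain, never on From.
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()

    found = []
    if envelope != header_from:
        found.append(MISMATCH)
    same_domain = header_from != "" and header_from == recipient
    if same_domain and spf == "fail":
        found.append(RULE_1)
    if same_domain and not local_sender:
        found.append(RULE_2)
    return found


if __name__ == "__main__":
    for reason in check(SAMPLE):
        print(reason)
```

On the sample header the mismatch test and the second rule fire, while the SPF-based rule does not, because the SPF pass was evaluated for the envelope domain 3gksa.com rather than for the domain in From.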

netmo
Posts: 31
Joined: Mon Jun 20, 2011 7:46 pm

Re: Spoofed emails making it through the ME server checks

Post by netmo » Fri Mar 01, 2019 11:24 am

Hi Ian,

Can you please let us know the exact script to add and where to add it?

Thanks.
