Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: leonardocruz on November 20, 2013, 10:47:16 PM

Title: How blocking emails that appearing sent from my same domain
Post by: leonardocruz on November 20, 2013, 10:47:16 PM
Hi, how can I block email from a spammer that appears to be sent from another (not valid) account on my own domain? Example:

X-Spam-Check-By: mydomain.com
Received: from Unknown (HELO aexp.com) (200.74.215.2)
    by mydomain.com (qpsmtpd/0.84) with ESMTP; Wed, 20 Nov 2013 09:44:23 -0600
Received: from mail158.mydomain.com (10.0.0.105) by mydomain.com (10.0.0.25) with Microsoft SMTP Server (TLS) id GMU8E7S6; Wed, 20 Nov 2013 11:14:22 -0430
Received: from mail0490.mydomain.com (10.176.113.19) by smtp.mydomain.com (10.0.0.71) with Microsoft SMTP Server id HN9W2N4W; Wed, 20 Nov 2013 11:14:22 -0430
Date: Wed, 20 Nov 2013 11:14:22 -0430

I ran a test at https://www.wormly.com/test_smtp_server and the mail is sent and received without authentication:

Resolving hostname...
Connecting...
SMTP -> FROM SERVER:
220 postman.mydomain.com ESMTP
SMTP -> FROM SERVER:
250-mydomain.com Hi node-mec2.wormly.com [184.72.226.23]
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250 STARTTLS
MAIL FROM: test@mydomain.com
SMTP -> FROM SERVER:
250 , sender OK - how exciting to get mail from you!
RCPT TO: test@mydomain.com
SMTP -> FROM SERVER:
250 , recipient ok
Sending Mail Message Body...
SMTP -> FROM SERVER:
354 go ahead
SMTP -> FROM SERVER:
250 Queued! 1384980261 qp 11198 <>
Message completed successfully.

Settings in email config:

E-mail retrieval mode    Standard (SMTP)
SMTP authentication    Allow both SMTP and SSMTP


Title: Re: How blocking emails that appearing sent from my same domain
Post by: janet on November 21, 2013, 10:37:23 AM
leonardocruz

See
/var/qmail/control/badmailfromto
Also installing the smeserver-wbl contrib may help

yum install smeserver-wbl --enablerepo=smecontribs
signal-event email-update

Title: Re: How blocking emails that appearing sent from my same domain
Post by: compdoc on February 19, 2014, 09:51:48 PM
>Posted by: leonardocruz
>
>Resolving hostname...
>Connecting...
>SMTP -> FROM SERVER:
>220 postman.mydomain.com ESMTP
>SMTP -> FROM SERVER:
>250-mydomain.com Hi node-mec2.wormly.com [184.72.226.23]


Hopefully, you haven't abandoned this thread.

You want to block emails that appear to come from your domain, but the From:user doesn't exist, or the From:user is you? Those can be hard to block, but we can try.

I'm not sure what log you're showing above, but can you include the section that contains the record of the email you want to block from this file: /var/log/spamd/current

The more samples the better. Use pastebin.com if necessary, and please modify any personal information in the log to protect yourself in this public forum.

I need to see this type of information to know if they can be blocked:

Code:
(all the text below is for one email transaction)

@40000cf2cb4 Feb 15 09:17:26.332 [21344] info: prefork: child states: II
@40000cf2cb4 Feb 15 09:35:34.864 [21424] info: spamd: connection from localhost [127.0.0.1] at port 49312
@40000cf2cb4 Feb 15 09:35:34.872 [21424] info: spamd: checking message <1392942.52f6af993@some.domain> for qpsmtpd:1005
@40000cf2cb4 Feb 15 09:35:41.071 [21424] info: spamd: clean message (5.5/6.0) for qpsmtpd:1005 in 6.2 seconds, 15689 bytes.
@40000cf2cb4 Feb 15 09:35:41.072 [21424] info: spamd: result: . 5 - HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_NONE,T_BAYES_999 scantime=6.2,size=15689,user=qpsmtpd,uid=1025,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=49312,mid=<139242.52993@some.domain>,bayes=1.000000,autolearn=no


Title: Re: How blocking emails that appearing sent from my same domain
Post by: Stefano on February 20, 2014, 10:27:12 AM
You should set up an SPF DNS record for your domain and enable the SPF check on your server.

Title: Re: How blocking emails that appearing sent from my same domain
Post by: compdoc on February 20, 2014, 11:02:37 PM
I'm pretty sure SME performs SPF verification by default. Can't remember having to edit init.pre myself.

Title: Re: How blocking emails that appearing sent from my same domain
Post by: janet on February 21, 2014, 12:28:07 AM
compdoc

Quote
I'm pretty sure SME performs SPF verification by default. Can't remember having to edit init.pre myself.

It might check SPF for the sending (incoming) mail server, but other receiving mail servers are checking your (outgoing) SME mail server's SPF record (i.e. for your domain name(s)).

AFAIK it is something that is set up by your ISP or Registrar (or whoever is in charge of your zone records) with regard to your domain name(s) & your connection to the Internet (your ISP).
See
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Appendix#SPF_Records


Manually adding the senders & recipients email address pair to /var/qmail/control/badmailfromto should block those messages.
The smeserver-wbl contrib & server manager panel can also be used to do that with a GUI interface, as well as doing other good things.