Re: Relayed outbound spam checking

Fri, 27 Jul 2018 07:07:38 -0700 


Quoting Dusan Obradovic <[email protected]>:


On Jul 25, 2018, at 12:50, Simon Wilson <[email protected]> wrote:

Quoting Simon Wilson <[email protected]>:


Hi list, wondering if I can get some help with the below.


I have run a small Postfix mail server for many years, with  
amavisd and spamassassin. We have about 10 users, 95% of the time  
using only Horde Webmail as the interface to send mail.



The server is set to only allow mail send through port 587, and  
only for authenticated users. This auth is generally only through  
the Horde server on the same subnet, but I do have a requirement  
for port 587 to be externally accessible for direct (non-Horde)  
submission.



I had outbound mail not spam scanning, but got stung when one of  
our users had their email/password on a cracked list, and the  
server spent 24 hours relaying authenticated email that was spam.  
Ouch.



Immediate fix was to change the user's password, stopped the  
problem, but I want to prevent similar happening again. I enabled  
spam scanning on outbound (commented out bypass_spam_checks_maps    
=> [1] in the policy ban), with Amavisd set to kill level 6.2...  
BUT one of my users is in Ecuador, on the end of a dodgy internet  
connection with a dodgy ISP, and his outbound email starting  
getting dropped, as coming through Horde shows the path from the  
web client in use, and SA scanning was penalising based on his  
location:


Content analysis details:   (8.5 points, 6.2 required)

pts rule name              description

---- ----------------------  
--------------------------------------------------

3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                          [190.131.127.84 listed in zen.spamhaus.org]
1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.

                          [190.131.127.84 listed in  
bb.barracudacentral.org]

0.0 HTML_MESSAGE           BODY: HTML included in message
0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                          [score: 0.4956]
1.0 RDNS_DYNAMIC           Delivered to internal network by host with
                          dynamic-looking rDNS
2.0 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
                          1)


I have set kill level to 10 to let his through but that is  
obviously not helping with the original issue... and with it set  
to 10 kill level I do not get notified.



I want to be notified for ONE policy bank, if a user sends a  
SPAMMY mail (say hits from 2.5 to 10) but let the mail through;  
but kill_level 10 for SPAM. That way I can let email from Ecuador  
client through, but still be notified if anyone else starts  
sending mail above 2.5 (none of the rest of my outgoing is ever  
above 2.5).


Policy bank that applies is currently:


$policy_bank{'ORIGINATING'} = {  # mail supposedly originating  
from our users

originating => 1,  # declare that mail was submitted by our smtp client
allow_disclaimers => 1,  # enables disclaimer insertion if available
# notify administrator of locally originating malware
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps  => ["spamalert\@$mydomain"],
warnbadhsender   => 1,
spam_kill_level_maps => [10],
# bypass_spam_checks_maps   => [1],  # don't spam-check this mail
# forward to a smtpd service providing DKIM signing service
forward_method => 'smtp:[127.0.0.1]:10025',
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_banned_checks_maps => [1],  # allow sending any file names and types
terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

Any advice or suggestions would be appreciated.


--
Simon Wilson
M: 0400 12 11 16


So my query seems to have been too complex.

Let's simplify:

Default non-policy-bank setup is:


$sa_tag_level_deflt  = -999;  # add spam info headers if at, or  
above that level

$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level

$sa_kill_level_deflt = 1000;  # triggers spam evasive actions (e.g.  
blocks mail)



So always add headers; call it spam above 6.2; but let it through  
for imapd and sieve to deal with.



How do I configure a *policy bank* that applies to  
sasl-authenticated port-587-submitted outbound mail only to:

1. spam scan
2. if it hits above 2.5, let it out, but notify admin of spammy outbound
3. if it hits above 10, discard it, notify admin of spam outbound


Alternately any other recommendations to catch email accounts where  
password has been compromised so sasl_auth is passed, to prevent  
submission port abuse.


Thanks
Simon.

--
Simon Wilson
M: 0400 12 11 16




Ideally, Spamassassin should skip rbl tests (RCVD_IN_*) for  
authenticated submission so you can lower spam_kill_level_maps score  
with originating policy.


https://wiki.apache.org/spamassassin/TrustPath
https://wiki.apache.org/spamassassin/DynablockIssues



Thank you Dusan. I have resolved issues with trusted_networks and  
internal_networks, and now email that is SASL auth'ed through the  
webserver to 587 is correctly identified as trusted from the mail  
server not the web server, and while SA-scanned, it is not RBL'ed,  
which is perfect.



The second article also got me thinking... so I also enabled Postfix's  
smtpd_sender_login_maps on 587 only which would have cut over 80% of  
the relayed SASL-auth'ed spam due to it not being "from" an address  
owned by the auth'ed user



I'll watch that and see how emails from my son's dynamic IP get tagged  
over a few days, then come back to configuration in Amavisd kill levels.


Thank you :)
Simon.



--
Simon Wilson
M: 0400 12 11 16























					Reply via email to