Email from same domain being flagged as spam

#1 Wed, 08/05/2009 - 15:30
rogeriobrito

Hello all.

I have some domains in virtualmin that are getting all mail from the same domain flagged as spam. I've tried some things but I could not prevent it from happening.

So please, can anyone tell me, what's the right way to have all messages from the same domain to never be flagged as spam? Like when account1@mydomain.com sends an email to account2@mydomain.com?

Thanks a lot

Rogerio

Thu, 08/06/2009 - 09:19
theashman

Do you have PTR/SPF records for your domain? If not, this could be your problem.

Thu, 08/06/2009 - 23:28 (Reply to #2)
rogeriobrito

Hello theashman,

BIND is installed and I'm using the default configuration for the domain records, but the system is NOT configured to use local BIND for DNS resolution. And I don't have PTR/SPF on my main DNS servers.

Could this be the problem? If it is, what would be best? To add PTR/SPF on my default DNS server, or to have the system configured to use local BIND to resolve DNS?

Thank you

Sun, 08/09/2009 - 16:36
andreychek

Howdy,

In System Settings -> Module Config -> Spam Filtering Options, you can set "Default spam whitelist option" to "Yes".

That will make it so all new Virtual Servers added to the system are added to the SpamAssassin whitelist.

For existing domains, you may be able to add something like this to your local.cf file:

whitelist_from *@example.com

Mon, 08/10/2009 - 12:00 (Reply to #4)
rogeriobrito

Hi Andrey,

The configuration was already set. I have disabled it and enabled it again last night.

Is there anything else I should do? What else can I do to know why it is not working?

Thanks a lot

Rogerio

Mon, 08/10/2009 - 12:06 (Reply to #5)
andreychek

Howdy,

The above setting will only help for newly created Virtual Servers.

In order to affect existing Virtual Servers, you can manually add the "whitelist_from" line I mentioned above.

-Eric

Mon, 08/10/2009 - 19:13 (Reply to #6)
rogeriobrito

Hello Andrey, thanks a lot for your help.

I've added the line:

whitelist_from *@problemdomain.com

on the /etc/mail/spamassassin/local.cf file. Is this the right file? My other domains were not on the file.

And I've noticed something... checking some users' auto-whitelist I've found that they have a positive "score to apply". Positive score means spam, right? See the list below; it's only a sample from the auto-whitelist file, which has more than 4600 entries.

carlos@barrosdecoracoes.com.br 77.253 2 45.299
carlos@barrosdecoracoes.com.br 222.253 2 46.86
carlos@barrosdecoracoes.com.br 81.183 2 47.258
carlos@barrosdecoracoes.com.br 41.196 2 48.46
carlos@barrosdecoracoes.com.br 201.13 2 48.681
carlos@barrosdecoracoes.com.br 117.199 2 48.97
carlos@barrosdecoracoes.com.br 95.90 2 55.03
carlos@barrosdecoracoes.com.br 201.42 2 56.858
carlos@barrosdecoracoes.com.br 189.78 2 63.84
carlos@barrosdecoracoes.com.br 200.232 2 64.342
carlos@barrosdecoracoes.com.br 222.252 3 64.458
carmen@barrosdecoracoes.com.br 201.26 42 264.912
graziella@barrosdecoracoes.com.br 201.26 46 309.613

I also noticed on the auto-whitelist file that there are LOTS of email addresses on the whitelist that don't exist. For example, the list above is for the user carlos@barrosdecoracoes.com.br. On his auto-whitelist I've found:

ocarlos@barrosdecoracoes.com.br 218.5 1 20.659
pcarlos@barrosdecoracoes.com.br 177.115 1 16.558
qcarlos@barrosdecoracoes.com.br 236.157 1 13.26
rcarlos@barrosdecoracoes.com.br 195.205 1 4.976
tcarlos@barrosdecoracoes.com.br 109.167 1 20.884
ucarlos@barrosdecoracoes.com.br 64.140 1 15.519
vcarlos@barrosdecoracoes.com.br 151.76 1 16.968
wcarlos@barrosdecoracoes.com.br 79.187 1 17.473
xcarlos@barrosdecoracoes.com.br 21.180 1 15.763
ycarlos@barrosdecoracoes.com.br 205.253 1 24.84
zcarlos@barrosdecoracoes.com.br 137.121 1 5.965

Those accounts don't exist on virtualmin. How did they get on the whitelist?

Does a positive score on the auto-whitelist mean spam? Or not spam? Could this be the problem?

Thanks again for your help

Rogerio
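An added example, not part of the original post: how SpamAssassin's auto-whitelist (AWL) turns a stored total into a score adjustment. It assumes the four columns in the listing above are address, first two octets of the sending IP, message count and total score, and it uses constructed example.com addresses with SpamAssassin's default `required_score` (5.0) and `auto_whitelist_factor` (0.5).

```python
# Constructed sample in the column layout of the listing above. Assumed column
# meanings: address, first two octets of sender IP, message count, total score.
SAMPLE = """\
carlos@example.com 77.253 2 45.299
carmen@example.com 201.26 42 264.912
zcarlos@example.com 137.121 1 5.965
friend@example.net 192.0 10 -12.0
"""

REQUIRED_SCORE = 5.0  # SpamAssassin default required_score
AWL_FACTOR = 0.5      # SpamAssassin default auto_whitelist_factor


def parse_awl(text):
    """Yield (address, net, count, total) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        addr, net, count, total = parts
        try:
            count, total = int(count), float(total)
        except ValueError:
            continue
        if count > 0:
            yield addr, net, count, total


def mean_score(count, total):
    """Historical mean score for one (address, network) pair."""
    return total / count


def awl_adjusted(raw_score, count, total, factor=AWL_FACTOR):
    """AWL pulls the raw score toward the historical mean by `factor`."""
    return raw_score + (mean_score(count, total) - raw_score) * factor


def report(text, raw_score=1.0):
    """For a new message scoring raw_score, return (addr, mean, adjusted, is_spam)."""
    rows = []
    for addr, _net, count, total in parse_awl(text):
        adjusted = awl_adjusted(raw_score, count, total)
        rows.append((addr, mean_score(count, total), adjusted,
                     adjusted >= REQUIRED_SCORE))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Despite its name, the AWL is a per-sender score history rather than a list of trusted senders: a high positive mean pushes later mail from that address and network toward spam, and a negative mean pushes it toward ham.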

Wed, 10/14/2009 - 23:33
rogeriobrito

Hello Eric,

Following your instructions I was able to stop emails from the same domain from being marked as spam. But now that has become a problem. The users on that domain are receiving A LOT of spam, because the spammers use a FROM/TO field with the same domain.

I'm sure the spammer didn't do any SMTP auth, so my question is, how do I force SMTP auth for everybody? That way I would avoid it, right? All my clients are already configured to use SMTP Auth.

On my SMTP server options I have:

  • HELO is required: NO
  • Restrict ETRN command upon...: default
  • Restrictions on sends in HELO commands: default
  • Restrictions on sender addresses: default
  • Restrictions on recipient addresses: permit_mynetworks permit_sasl_authenticated reject_unauth_destination
  • Restrict mail relaying: default.

Please help

Thank you

- Rogerio

Mon, 10/26/2009 - 13:28
rogeriobrito

Any ideas anyone?

How do I force SMTP auth for everybody (not coming from localhost)?

Thank you

- Rogerio

Mon, 10/26/2009 - 19:05
miner

You could have your users send their outbound mail via the submission port 587 on your server and require auth on that port. This is pretty standard practice.

Inbound mail to your domains comes in on port 25 and cannot possibly use AUTHentication. You could deny mail on that port which is from your domains, but then your users wouldn't be able to email to each other unless you permit_sasl_authenticated before you check_sender_access.

Good secure and spam-resistant email server configuration requires a great deal of study and oversight. Don't shortchange it. I expect the Virtualmin defaults with postfix to be a very good starting point. Modify them carefully and only with good understanding.
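An added example, not part of the original post and not Postfix code: a small Python model of why the order of the restrictions named above matters. Postfix stops at the first restriction that returns a decision, and `check_sender_access` looks up the envelope sender (MAIL FROM); the domain, addresses and sessions below are constructed.

```python
# Model of a Postfix restriction list: the first restriction that returns a
# decision ends evaluation; None stands for DUNNO (try the next restriction).
LOCAL_DOMAINS = {"example.com"}  # constructed: domains hosted on this server
MYNETWORKS = {"127.0.0.1"}       # constructed: trusted client addresses


def permit_mynetworks(s):
    return "PERMIT" if s["client"] in MYNETWORKS else None


def permit_sasl_authenticated(s):
    return "PERMIT" if s["sasl_user"] else None


def check_sender_access(s):
    # Stands in for an access table that REJECTs envelope senders in local domains.
    domain = s["mail_from"].rpartition("@")[2].lower()
    return "REJECT" if domain in LOCAL_DOMAINS else None


def evaluate(restrictions, session):
    """Return (decision, name of the deciding restriction)."""
    for restriction in restrictions:
        decision = restriction(session)
        if decision:
            return decision, restriction.__name__
    return "DUNNO", None  # no objection; later checks still apply


GOOD_ORDER = [permit_mynetworks, permit_sasl_authenticated, check_sender_access]
BAD_ORDER = [check_sender_access, permit_mynetworks, permit_sasl_authenticated]

# Constructed sessions: an authenticated local user, an unauthenticated client
# claiming a local sender, and ordinary inbound mail from another domain.
AUTH_USER = {"client": "198.51.100.9", "sasl_user": "account1",
             "mail_from": "account1@example.com"}
FORGED = {"client": "203.0.113.7", "sasl_user": None,
          "mail_from": "account2@example.com"}
OUTSIDE = {"client": "203.0.113.8", "sasl_user": None,
           "mail_from": "someone@example.org"}

if __name__ == "__main__":
    for name, s in (("auth user", AUTH_USER), ("forged", FORGED), ("outside", OUTSIDE)):
        print(name, evaluate(GOOD_ORDER, s), evaluate(BAD_ORDER, s))
```

With the sender check first, the authenticated local user is rejected along with the forger, which is the failure the post warns about.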

Mon, 10/26/2009 - 21:10
rogeriobrito

Thanks Miner,

My virtualmin box is configured to NOT use local DNS (bind). Could this be causing spam to pass through?

Tue, 10/27/2009 - 08:24
miner

rogeriobrito, DNS is pretty much the same no matter where you get it, locally or remotely; so the answer to your question is "no".

Tue, 10/27/2009 - 13:06
rogeriobrito

Hi miner, yes I know, but the thing is on my active DNS servers I don't have TXT records like:

barrosdecoracoes.com.br. IN TXT "v=spf1 a mx a:barrosdecoracoes.com.br ip4:200.170.216.250 ?all"

Virtualmin creates those TXT records automatically and I don't have them on my DNS servers. Could that be a problem? Does spam assassin check them?

Thanks for your help.

- Rogerio

Wed, 10/28/2009 - 12:36
miner

The TXT record for spf can help, not hurt. If you're not going to let Virtualmin handle your DNS locally then you can add it through your DNS host provider.

In order for it to help you block inbound spam claiming to be from your domains, you'll have to configure your email server to use spf validation on incoming mail.

Without local spf checking, it can also help you avoid some out-scatter mail from other hosts who use the spf record to block, rather than bounce, mail which is forged to be from your domains.

I recommend using the spf TXT records for all domains. I do not personally use SPF checking of inbound mail.
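An added example, not part of the original thread: a minimal offline SPF evaluator showing what a receiver that validates SPF would conclude from a record shaped like the one quoted above. The domain, IP addresses and the DNS tables are constructed, and only the `a`, `mx`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups.
DNS_A = {"example.com": ["192.0.2.25"], "mail.example.com": ["192.0.2.25"]}
DNS_MX = {"example.com": ["mail.example.com"]}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Same shape as the record in the thread, with constructed values.
RECORD = "v=spf1 a mx a:example.com ip4:192.0.2.25 ?all"
STRICT_RECORD = RECORD.replace("?all", "-all")


def mechanism_matches(mech, arg, ip, domain):
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain
    if mech == "a":
        hosts = [target]
    elif mech == "mx":
        hosts = DNS_MX.get(target, [])
    else:
        return False  # mechanisms outside this example never match
    return any(ip == ipaddress.ip_address(addr)
               for host in hosts for addr in DNS_A.get(host, []))


def check_spf(record, client_ip, domain):
    """Return the SPF result for client_ip sending as `domain`."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mechanism_matches(mech.lower(), arg, ip, domain):
            return RESULTS[qualifier]  # first matching mechanism decides
    return "neutral"  # nothing matched


if __name__ == "__main__":
    for rec in (RECORD, STRICT_RECORD):
        print(rec, "->", check_spf(rec, "203.0.113.7", "example.com"))
```

With `?all`, a host not listed in the record evaluates to `neutral` rather than `fail`, so a validating receiver has nothing to reject on; `-all` is the qualifier that yields `fail` for unlisted hosts.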
