Current time: 11-26-2024, 03:04 AM Hello There, Guest! (LoginRegister)


Post Reply 
Mail appeared to be SPAM or forged
Author Message
pstanbra Offline
Junior Member
*

Posts: 61
Joined: May 2010
Reputation: 0
Post: #1
Exclamation Mail appeared to be SPAM or forged
I cannot find a definitive answer to this so hopefully this post will assist others once answered.

After installing isp-control v 1.7 on Debian, following the instructions, Mail seems to be not working right in the sense that there is a configuration issue regarding postfix.


Sep 10 03:26:17 web1 postfix/smtpd[7245]: NOQUEUE: reject: RCPT from out1.ip06ir2.opaltelecom.net[62.24.128.242]: 550 5.7.1 <to address.co.uk>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (vvresidential.com); fro m=<SBSMonAcct@from.com> to=<.co.uk> proto=ESMTP helo=<out1.ip06ir2.opaltelecom.net>


The issue is, many computers send mail through their ISP's SMTP server. Most IP address do not have reverse DNS relating to a mail server and again, most do not have a mail server locally anyway.

What needs to be done to fix this issue.
Can this fix be added into the next release.
(This post was last modified: 09-10-2011 07:21 PM by pstanbra.)
09-10-2011 07:16 PM
Visit this user's website Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #2
RE: Mail appeared to be SPAM or forged
First of all, this is simply policyd-weight doing its job, so it will not be fixed because it is not a bug.

Anyway, I do not understand what is your specific issue. Are *your users* reciving these messages, or people who sends mails to them?

In the former case, the problem is that they are not authenticating against the server (they haven't checked the "this server requires authentication" in their mail clients).

In the later case, the problem is that the sender's ISP is badly configured. At this point you have three options: (1) Notify the user's ISP about their misconfiguration, and wait for them to solve it; (2) Disable policyd-weight completely by removing the corresponding "check_policy_service" line from /etc/postfix/main.cf (there are two policy_services, one is postgrey and the other policyd-weight); or (3) Add a sender_dependent whitelist and list the badly configured ISPs there.
09-10-2011 10:09 PM
Visit this user's website Find all posts by this user Quote this message in a reply
JCircle Offline
Junior Member
*

Posts: 32
Joined: May 2011
Reputation: 0
Post: #3
RE: Mail appeared to be SPAM or forged
you can also check here http://www.scconsult.com/bill/dnsblhelp.html
for more info as to why your ip might be on this list.
09-11-2011 09:04 PM
Find all posts by this user Quote this message in a reply
pstanbra Offline
Junior Member
*

Posts: 61
Joined: May 2010
Reputation: 0
Post: #4
RE: Mail appeared to be SPAM or forged
(09-11-2011 09:04 PM)JCircle Wrote:  you can also check here http://www.scconsult.com/bill/dnsblhelp.html
for more info as to why your ip might be on this list.

Thank-You both for your comments. I think this will help a lot of people as to clarify the situation.

In my case - my clients are receiving 2 types of messages. The one I've described above and


Your message did not reach some or all of the intended recipients.

Subject: RE: Board Meeting Oct 2011
Sent: 12/09/2011 09:53

The following recipient(s) cannot be reached:

'name on 12/09/2011 09:53
554 5.7.0 Reject, id=03125-14 - SPAM

'name' on 12/09/2011 09:53
554 5.7.0 Reject, id=03125-14 - SPAM

'Namei' on 12/09/2011 09:53
554 5.7.0 Reject, id=03125-14 - SPAM

'name' on 12/09/2011 09:53
554 5.7.0 Reject, id=03125-14 - SPAM




If I look at the mail.log - the error is:

Sep 12 01:26:56 web1 postfix/smtpd[28165]: connect from 201-3-18-104.gnace701.dsl.brasiltelecom.net.br[201.3.18.104]
Sep 12 01:26:59 web1 postfix/policyd-weight[3823]: weighted check: IN_DYN_PBL_SPAMHAUS=3.25 IN_SBL_XBL_SPAMHAUS=4.35 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 IN_IPv6_RBL=4.25; <client=201.3.18.104> <helo=201-3-18-104.gnac

550 5.7.1 <from email>: Recipient address rejected: Your MTA is listed in too many
DNSBLs; check http://www.robtex.com/rbl/201.3.18.104.html; from=<from email> to=<from email> proto=SMTP helo=<201-3-18-104.gnace701.dsl.brasiltelecom.net.br>

OUR server IP is not on any Blacklist.
If we do a DNSBL check on 201.3.18.104 - we can see it is listed on a few Blacklists

1. I presume the message the customer receives is FROM our MailServer and not from the Remote Server.

2. I assume that some check has been conducted on the destination mail server IP. However if this is so - why does the fact that THEY are on a blacklist matter if the Customer is sending mail TO THEM. (assuming im correct on this point). What is the procedure no NOT check on SENDING to mail server but leave RECEIVING from servers with BL checking on

3. If 3 is incorrect - What is going on?
(This post was last modified: 09-12-2011 08:01 PM by pstanbra.)
09-12-2011 07:10 PM
Visit this user's website Find all posts by this user Quote this message in a reply
pstanbra Offline
Junior Member
*

Posts: 61
Joined: May 2010
Reputation: 0
Post: #5
RE: Mail appeared to be SPAM or forged
(09-10-2011 10:09 PM)kilburn Wrote:  First of all, this is simply policyd-weight doing its job, so it will not be fixed because it is not a bug.



In the later case, the problem is that the sender's ISP is badly configured. At this point you have three options: (1) Notify the user's ISP about their misconfiguration, and wait for them to solve it;

I would not say it is in configured. The client simply sends mail through his ISPs SMTP server.

(2) Disable policyd-weight completely by removing the corresponding "check_policy_service" line from /etc/postfix/main.cf (there are two policy_services, one is postgrey and the other policyd-weight);

Surely everyone with this version on isp-control faces these problems. There are many people out there if not most that have a domain based email address sending through an external SMTP server or smarthost. Is it wise to simply disable this checking or is there another workaround? If this affects so many people - why is it not disabled by default?
This comment comes from using things such as plesk and control panel where there is no such user config needed - install and go is all that is needed.


or (3) Add a sender_dependent whitelist and list the badly configured ISPs there.
too many clients to manage - ok for one off problems i guess

http://isp-control.net/forum/thread-1506...eight.conf
This post helped me deal with policyd-weight.
This has *i think* resolved part of the problem.

Still having issues with users Sending mail TO a blacklisted IP
(This post was last modified: 09-12-2011 09:30 PM by pstanbra.)
09-12-2011 08:47 PM
Visit this user's website Find all posts by this user Quote this message in a reply
dahweeds Offline


Posts: 3
Joined: May 2009
Reputation: 0
Post: #6
RE: Mail appeared to be SPAM or forged
I had similar problems just now, after moving my "ispcp powered" server to my home from another location that had a static ip. I use my server for my own webs, not actual clients, so I had not real urgency to fix it. But it was annoying not to get mail from my office emails. myoffice emails are running on a shared hosting at a large company.

According to the OR

".... In the later case, the problem is that the sender's ISP is badly configured. "

I did not believe it, since that host is among the top ten of hosting services on the net, according to their CEO blog. And I really do not get many bouncers from other destinations and I send a lot of mail to many clients and random support inquirers. So the bouncing back from my "ispcp powered" server were kind of abnormal.

Anyway, when I disabled policyd_weight, I was able to send mail to my home, from the office. No errors.

So there is the question on my mind regarding OR's :

"... simply policyd-weight doing its job ..."

I wanted to figure out how it works, or if there is anything else I can do.

So I compared some of the weight check logs to think it over. I found 3 mails in a row. 2 that came through to my domain and one that was bouncing back, sent from my office at the big hosting company server.

Well, the long story (short) looks like below. (edited for brevity and to protect identities).

Arrived mail 1.
Code:
/var/log/socklog/mail/@400000004fa5f48c0abedcb4.s:7233:mail.info:
    May  5 23:15:04 postfix/policyd-weight[28613]:
        CL_IP_EQ_FROM_MX=-3.1             < ---  This like looks like the kicker.
        <client=###.16.98.133>
            <helo=mail.zmailer.org>      < ---  Nice email testing tool if you need it!
            <from=postmaster@mail.zmailer.org>
            <to=meetjesus@mydomain>;
        rate: -1.125  < --- I think this number determines bouncing or not.

Arrived mail 2.
Code:
/var/log/socklog/mail/@400000004fa5f48c0abedcb4.s:7241:mail.info:
    May  5 23:15:32 postfix/policyd-weight[28613]:
        weighted check:  
            CL_IP_EQ_FROM_MX=-3.1;            < ---  same level reported .
        <client=###.132.180.67>
            <helo=vger.genericl.org>
            <from=postmaster@vger.genericl.org>
            <to=meetjesus@mydomain>;
        rate: -3.35  < --- pretty low score.

Look closely at this one which bounced back to the sender.
Code:
        /var/log/socklog/mail/@400000004fa5f48c0abedcb4.s:7249:mail.info:
    May  5 23:17:25 postfix/policyd-weight[5283]:
        weighted check:  
            CL_IP_EQ_HELO_IP=-2       < ---  It is higher. Maybe caused extra checks?
                (check from: .mycompany.
                    - helo: .oproxy5-pub.bighost.
                    - helo-domain: .bighost.)  
            FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.062
            CLIENT_NOT_MX/A_FROM_DOMAIN=5.75
            CLIENT/24_NOT_MX/A_FROM_DOMAIN=5.75;
        <client=###.222.38.55>
            <helo=oproxy5-pub.bighost.com>
            <from=myofficemail@mycompany.com>
            <to=meetjesus@mydomain>;
        rate: 11.312  < --- wow! this is high by comparison.

This last mail, that was bouncing back to my office, has a pretty high score. I don't think the mail was configured wrong at the hosting service.

Rather, my guess is, they have so many accounts on their servers, that there is a much higher chance some client on their systems are getting flagged as spammers, which increases the chance of the mail servers getting high scores in my little server.

So, it might be better for me to use the white list idea, than to use the cancel policyd_weight idea. Or, I might look into setting the policyd_weight bounce levels in order to allow a little bit higher rejection level.

I just thought I would post this as a "my two cents" .

Some other notes.
From `man policyd-weight.conf`

CL_IP_EQ_HELO_IP
Client IP matches the A record of the HELO argument.
@helo_from_mx_eq_ip_score (1.5, -3.1)
Define scores for the match of Client IP against MX records. Positive (SPAM) values are used in case the MAIL FROM matches not the HELO argument AND the client seems to be dynamic AND the client is no MX for HELO and MAIL FROM arguments. The total DNSBL score is added to its bad score.

Log Entries:
CL_IP_EQ_FROM_MX - Client IP matches the MAIL FROM domain/host MX record
CL_IP_EQ_HELO_MX - Client IP matches the HELO domain/host MX record
CLIENT_NOT_MX/A_FROM_DOMAIN - Client is not a verified HELO and doesn't match A/MX records of MAIL FROM argument
CLIENT/24_NOT_MX/A_FROM_DOMAIN - Client's subnet does not match A/MX records of the MAIL FROM argument
05-08-2012 12:40 AM
Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #7
RE: Mail appeared to be SPAM or forged
this <helo=oproxy5-pub.bighost.com> seems to be not listed as an official MX for the domain <from=myofficemail@mycompany.com>

So its not configured the right way.
And because someone tries to send mail from a domain who's not the MX of that domain its one of the most common methods of spammers (i.e. forging being someone you're actually not ... ) so policyd behaved perfectly right.

If they're using a proxy or cluster to deliver outgoing mails - this cluster must be hidden behind valid MX entries ( hidden because otherwise each hostname has to appear in each dns zone as a valid MX)
05-08-2012 06:00 PM
Visit this user's website Find all posts by this user Quote this message in a reply
dahweeds Offline


Posts: 3
Joined: May 2009
Reputation: 0
Post: #8
RE: Mail appeared to be SPAM or forged
(05-08-2012 06:00 PM)ephigenie Wrote:  this <helo=oproxy5-pub.bighost.com> seems to be not listed as an official MX for the domain <from=myofficemail@mycompany.com>

Thanks for checking in. The emails in the post are probably not valid. In fact, those are just examples. as mentioned in the OR. If you have this trouble, you would need to test the system with valid email addresses.

Quote:Well, the long story (short) looks like below. (edited for brevity and to protect identities).
05-15-2012 12:02 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)