Postfix - Spamdetection

Discussion in 'General' started by clam, Jun 6, 2006.

  1. clam

    clam New Member

    Hi there !

    All the mails I send from the office workstation are identified as spam, because my client IP is listed in dnsbl.sorbs.net!

    My server (ISPConfig 2.1.2, Postfix) is not listed in dnsbl.sorbs.net!


    So is there a method to hide all hosts inside a domain behind their mail gateway, and to make it appear as if the mail comes from the gateway itself, instead of from my office machine, which is listed in some DNSBLs?


    Thanks,
    Florian

    I sent a mail to myself and got the following:
    ------------------------------------------------
    Content preview: [...]

    Content analysis details: (8.5 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    1.0 NO_REAL_NAME From: does not include a real name
    0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
    1.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
    0.0 HTML_MESSAGE BODY: HTML included in message
    0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    [score: 0.4942]
    2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    [xx.xxx.xx.175 listed in dnsbl.sorbs.net]
    1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    [xx.xx.xx.175 listed in combined.njabl.org]
    1.8 MISSING_SUBJECT Missing Subject: header
    2.3 EMPTY_MESSAGE Message appears to be empty with no Subject: text
    -1.8 AWL AWL: From: address is in the auto white-list

    The original message was not completely plain text, and may be unsafe to
    open with some email clients; in particular, it may contain a virus,
    or confirm that your address can receive spam. If you wish to view
    it, it may be safer to save it to a file and open it with an editor.
     
  2. fobicodam

    fobicodam New Member

    Spam

    If you are not a spammer, then you can go to the site and ask them to remove you from the list. If you are, then no, there is no way. :D
     
  3. clam

    clam New Member

    Yes, I can ask them to remove the whole IP class from the list.

    The spam report mail said: "sent directly from dynamic IP address", which is not true. The mail was sent by a workstation, whose IP address is listed, through our mail server!! And the mail server isn't listed! The problem is that the client, which sends emails through the mail server, is listed.

    It would be okay if my client sent mails out directly!
     
  4. fobicodam

    fobicodam New Member

    Sorry, but that's not the way it works... if your workstation IP is listed, it's because the machine is sending spam, and not through your server..
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Almost all dynamic IP addresses are blacklisted, but this does not matter at all when your server IP is not listed and you configured your mail client to use your server as SMTP gateway.
     
  6. clam

    clam New Member

    The mail server is running on Debian Sarge 3.1 with ISPConfig 2.2.x!

    The mail client on my workstation is Outlook, and the IP of this workstation is listed in a DNSBL! The SMTP server of my client is the mail server.

    So how can I tell Postfix to remove all the header code from the client machine (dynamic IP, which is listed), to get rid of the spam status?

    Is there a way to configure Postfix to do that?

    My workstation is a normal client (Outlook with POP & SMTP == ISPConfig mail server Postfix).


    Header of a mail which was identified as spam:

    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from tudc76d48b7eb6 (xxx.xxx.175.26.11.univie.teleweb.at [xx.xx.175])
    by server.mydomain.com(Postfix) with ESMTP id E0266704125
    for <[email protected]>; Wed, 7 Jun 2006 10:24:19 +0200 (CEST)
    Message-ID: <001301c68a0b$8040edd0$af4bb23e@tudc76d48b7eb6>
    From: <[email protected]>
    To: <[email protected]>
    Subject: test relay
    Date: Wed, 7 Jun 2006 10:22:22 +0200
    MIME-Version: 1.0
    X-Security: MIME headers sanitized on server.mydomain.com
    See http://www.impsec.org/email-tools/sanitizer-intro.html
    for details. $Revision: 1.138 $Date: 2003-01-26 11:25:54-08
    X-Security: The postmaster has not enabled quarantine of poisoned messages.
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0010_01C68A1C.43895970"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    X-Virus-Scan: Scanned by TrashScan v0.12 running on server.mydomain.com

    best regards,
    Florian
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    It is not necessary to remove any headers. As I posted above:

    It is normal that the IP of your workstation is blacklisted! This will not result in a spam status for an email that is sent through a non-blacklisted gateway!

    I recommend doing some further research on whether your mail gateway server is really not blacklisted in any other blacklist. If your email has been marked as spam by SpamAssassin, please post the SpamAssassin headers of the message with the scores and rules.
     
  8. clam

    clam New Member

    Hi Till!

    Here are the message + headers:

    Message:
    ---------
    Spam detection software, running on the system "panel.wal-net.at", has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see
    the administrator of that system for details.

    Content preview: [...]

    Content analysis details: (5.7 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    1.0 NO_REAL_NAME From: does not include a real name
    0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
    1.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
    0.0 HTML_MESSAGE BODY: HTML included in message
    0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    [score: 0.4995]
    1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    [62.178.75.175 listed in combined.njabl.org]
    1.5 AWL AWL: From: address is in the auto white-list

    The original message was not completely plain text, and may be unsafe to
    open with some email clients; in particular, it may contain a virus,
    or confirm that your address can receive spam. If you wish to view
    it, it may be safer to save it to a file and open it with an editor.


    Header source of the original message:

    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from tudc76d48b7eb6 (chello062178075175.26.11.univie.teleweb.at [62.178.75.175])
    by panel.wal-net.at (Postfix) with ESMTP id 184DC704125
    for <[email protected]>; Wed, 7 Jun 2006 13:10:41 +0200 (CEST)
    Message-ID: <000a01c68a22$bd2b71e0$af4bb23e@tudc76d48b7eb6>
    From: <[email protected]>
    To: <[email protected]>
    Subject: TEST MAIL
    Date: Wed, 7 Jun 2006 13:08:42 +0200
    MIME-Version: 1.0
    X-Security: MIME headers sanitized on panel.wal-net.at
    See http://www.impsec.org/email-tools/sanitizer-intro.html
    for details. $Revision: 1.138 $Date: 2003-01-26 11:25:54-08
    X-Security: The postmaster has not enabled quarantine of poisoned messages.
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0007_01C68A33.806F2290"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    X-Virus-Scan: Scanned by TrashScan v0.12 running on panel.wal-net.at

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0007_01C68A33.806F2290
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable


    ------=_NextPart_000_0007_01C68A33.806F2290
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; =
    charset=3Diso-8859-1">
    <META content=3D"MSHTML 6.00.2900.2802" name=3DGENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=3D#ffffff>
    <DIV>&nbsp;</DIV></BODY></HTML>

    ------=_NextPart_000_0007_01C68A33.806F2290--


    ---------------


    Thanks,
    Florian
     
  9. falko

    falko Super Moderator Howtoforge Staff

    It seems as if you're sending from chello062178075175.26.11.univie.teleweb.at directly to panel.wal-net.at. Which SMTP server are you using in your Outlook Express settings?
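    Falko's point above comes down to which hop the RBL rules are scored against. The script below is an added example (not from the thread, and not SpamAssassin's or Postfix's own code): it parses the Received line from post #8, picks the first "from" IP that lies outside a trusted-network list, which is what SpamAssassin's "lastexternal" DUL rules check, and shows the reversed-octet name a DNSBL client would resolve. The trusted network list and the recipient address are assumptions, and no DNS lookup is performed.

```python
import re
import ipaddress

# Constructed sample: the single Received hop from post #8 (client -> gateway),
# with the recipient address replaced by a placeholder.
SAMPLE_HEADERS = """\
Received: from tudc76d48b7eb6 (chello062178075175.26.11.univie.teleweb.at [62.178.75.175])
    by panel.wal-net.at (Postfix) with ESMTP id 184DC704125
    for <user@example.invalid>; Wed, 7 Jun 2006 13:10:41 +0200 (CEST)
"""

# Matches the Postfix-style "from NAME (RDNS [IP]) by HOST (Postfix) with PROTO" clause.
HOP_RE = re.compile(
    r"from\s+\S+\s+\(([^\s\[]+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)\s+\(Postfix\)\s+with\s+(\S+)"
)

def unfold(headers):
    """Join folded header continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def parse_received(headers):
    """Return the Received hops, topmost (most recent) first, as dicts."""
    hops = []
    for line in unfold(headers).splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line)
        if m:
            hops.append({"rdns": m.group(1), "ip": m.group(2),
                         "by": m.group(3), "proto": m.group(4)})
    return hops

def last_external_ip(hops, trusted_networks):
    """Walk inward-to-outward; the first 'from' IP outside every trusted network
    is the one a DUL-style RBL rule is scored against. None if all hops are trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hop in hops:
        ip = ipaddress.ip_address(hop["ip"])
        if not any(ip in n for n in nets):
            return hop["ip"]
    return None

def dnsbl_query_name(ip, zone):
    """Reversed-octet DNSBL lookup name, e.g. 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def authenticated_hop(hop):
    """'ESMTPA'/'ESMTPSA' mark a SASL-authenticated submission; plain 'ESMTP' does not."""
    return hop["proto"].upper().endswith("A")
```

    With the gateway alone trusted, the lookup target is the workstation's 62.178.75.175, and the hop is recorded as plain "ESMTP", so nothing in the header tells a scanner that the submission was authenticated.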
     
  10. clam

    clam New Member

    I use panel.wal-net.at as SMTP server for all my outgoing mails! Should I use another server?

    regards,
    Florian
     
  11. falko

    falko Super Moderator Howtoforge Staff

    You can try that.
    But in the above example you sent to an account that is on panel.wal-net.at, right?
     
  12. clam

    clam New Member

    Above example:

    - Mail to [email protected] -> [email protected]
    - [email protected] is on panel.wal-net.at
    - SMTP local delivery (procmail)
    - SMTP auth

    -----------------------


    A lot of people who use ISPConfig (Postfix + SpamAssassin) as outgoing mail server should have the same problem if they use dynamic IPs on their workstations like I do. I can delete the spam rules out of the procmail SpamAssassin configuration. I'm afraid that a lot of other servers with the same configuration will identify all my mail as spam.

    Thanks for your time Till, you do a great job

    florian
     
  13. falko

    falko Super Moderator Howtoforge Staff

    Did you configure Postfix to use blacklists? What's in /etc/postfix/main.cf?
     
  14. clam

    clam New Member

    Yes, I have configured Postfix to use some of those blacklists!



    And here is my main.cf:
    ---------------------------------------------------
    panel:/etc/postfix# vi main.cf
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    bounce_queue_lifetime = 2d
    myhostname = panel.wal-net.at

    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_hostname
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    #mydestination = wal-net.at, silvester.wal-net.at, localhost.wal-net.at, localhost
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command =
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,reject_rbl_client relays.ordb.org,reject_rbl_client opm.blitzed.org,reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtpd_use_tls = no
    smtp_tls_note_starttls_offer = no
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/

    virtual_maps = hash:/etc/postfix/virtusertable

    mydestination = /etc/postfix/local-host-names
     
  15. falko

    falko Super Moderator Howtoforge Staff

    Can you remove those blacklists and try again?
     
  16. clam

    clam New Member

    I have also enabled SMTP authentication, and without a successful SMTP authentication I get a relaying denied error from my mail server! (That's okay, and that's why I don't remove those lines from main.cf.) --> All those lines will be ignored if SMTP auth was successful. So it makes no sense to remove them.

    Thanks Till and Falko for your help,

    regards
    florian
     
