PToN
Premium
join:2001-10-04
Houston, TX

Email with dynamic IP blocks

Hello,

We have had this problem for as long as I can remember. Our email server was configured to use Sophos PureMessage for Unix, in my opinion a very solid AV/spam filtering suite.

However, we experience random blocks when sending email through our email server and when connecting using public WiFi, home internet connections and even some 3G/LTE connections.

Here is a log of the tests the email matched:

quote:
Size=726 pmx_reason=Spam b=ok h=SXL_IP_PROXY h=SXL_IP_DYNAMIC h=SUBJ_1WORD h=HTML_00_01 h=HTML_00_10 h=MIME_LOWER_CASE h=BODYTEXTP_SIZE_3000_LESS h=BODY_SIZE_1000_LESS h=BODY_SIZE_10_99 h=BODY_SIZE_2000_LESS h=BODY_SIZE_5000_LESS h=BODY_SIZE_7000_LESS h=DATE_TZ_NA h=NO_URI_FOUND h=RDNS_GENERIC_POOLED h=RDNS_SUSP h=RDNS_SUSP_GENERIC h=SMALL_BODY h=__CT h=__CTE h=__CT_TEXT_PLAIN h=__HAS_FROM h=__HAS_MSGID h=__HAS_X_MAILER h=__INT_PROD_IPHONE h=__MIME_TEXT_ONLY h=__MIME_VERSION h=__MSGID_APPLEMAIL h=__SANE_MSGID h=__TO_MALFORMED_2 s=Email pmx_action=reject,Spam,-, vs p=0.958 fur=10.80.134.103 r=mobile-166-137-150-010.mycingular.net tm=0.23 a=c/abort

Towards the end we see "p=0.985"; this translates to a probability of spam of 98.50%.

I haven't looked at all the specific scores each test gives, but the first 2:
- SXL_IP_PROXY = 8
- SXL_IP_DYNAMIC = 3

That already shows that whatever SXL_IP_PROXY is, it's already marking the email as an 80% probability of spam.

So my question is: how do you guys handle spam rule hits for dynamic IP blocks when your own users are sending email through your email server? I am thinking about disabling those 2 rules, but I don't wanna see an increase in spam.

Any suggestions?

Thanks.
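To see which of the hits in the quoted log line come from the connecting IP address or its reverse DNS (and would therefore go away if authenticated submissions skipped those checks) rather than from the message itself, here is a small parser for that log format. This is an added example, not PureMessage code or anything from the thread; the split by rule-name prefix (SXL_IP_*, RDNS_*) and the treatment of "__" rules as zero-score informational sub-rules are assumptions based on the names in the line.

```python
# Added example: parse a PureMessage log line and group h= hits by origin.
# Prefixes for rules derived from the client IP / rDNS (assumption from names).
SOURCE_PREFIXES = ("SXL_IP_", "RDNS_")

# The line quoted in the post above, wrapped across string literals.
SAMPLE = (
    "Size=726 pmx_reason=Spam b=ok h=SXL_IP_PROXY h=SXL_IP_DYNAMIC h=SUBJ_1WORD "
    "h=HTML_00_01 h=HTML_00_10 h=MIME_LOWER_CASE h=BODYTEXTP_SIZE_3000_LESS "
    "h=BODY_SIZE_1000_LESS h=BODY_SIZE_10_99 h=BODY_SIZE_2000_LESS "
    "h=BODY_SIZE_5000_LESS h=BODY_SIZE_7000_LESS h=DATE_TZ_NA h=NO_URI_FOUND "
    "h=RDNS_GENERIC_POOLED h=RDNS_SUSP h=RDNS_SUSP_GENERIC h=SMALL_BODY h=__CT "
    "h=__CTE h=__CT_TEXT_PLAIN h=__HAS_FROM h=__HAS_MSGID h=__HAS_X_MAILER "
    "h=__INT_PROD_IPHONE h=__MIME_TEXT_ONLY h=__MIME_VERSION h=__MSGID_APPLEMAIL "
    "h=__SANE_MSGID h=__TO_MALFORMED_2 s=Email pmx_action=reject,Spam,-, vs "
    "p=0.958 fur=10.80.134.103 r=mobile-166-137-150-010.mycingular.net "
    "tm=0.23 a=c/abort"
)


def parse_pmx_line(line):
    """Split a PureMessage log line into scalar key=value fields and the ordered h= hits."""
    fields, hits = {}, []
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:               # bare token such as "vs" in the quoted line
            continue
        if key == "h":            # h= repeats once per rule hit
            hits.append(value)
        else:
            fields[key] = value
    return fields, hits


def triage(line):
    """Summarise one line: verdict, probability, client rDNS, and hits by origin."""
    fields, hits = parse_pmx_line(line)
    source = [h for h in hits if h.startswith(SOURCE_PREFIXES)]
    info = [h for h in hits if h.startswith("__")]          # assumed zero-score sub-rules
    content = [h for h in hits if h not in source and h not in info]
    return {
        "rejected": fields.get("pmx_action", "").startswith("reject"),
        "probability": float(fields.get("p", "0")),
        "client_rdns": fields.get("r", ""),
        "source_hits": source,
        "content_hits": content,
        "informational_hits": info,
    }
```

Running triage(SAMPLE) on the quoted line shows five source-IP/rDNS hits against thirteen content hits, with the rDNS of a carrier mobile pool, which is exactly the signature of a legitimate user on 3G/LTE.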

tomdlgns
Premium
join:2003-03-21
Chicago, IL
kudos:1

We only allow our users to connect in with a VPN client in order to send email when they are not in the office.

They do this if they decide that using the webmail doesn't give them what they need.



drew
Automatic
Premium
join:2002-07-10
Port Orchard, WA
kudos:6
reply to PToN

Are your users not authenticating to the SMTP server?



boognish
Premium
join:2001-09-26
Baton Rouge, LA
kudos:6
reply to tomdlgns

said by tomdlgns:

We only allow our users to connect in with a VPN client in order to send email when they are not in the office.

They do this if they decide that using the webmail doesn't give them what they need.

This is how I have it set up also. Webmail is available for all, and if for some reason they need to connect with Outlook then they have to go through the VPN.
--
don't get 2 close 2 my fantasy


PToN
Premium
join:2001-10-04
Houston, TX
reply to drew

Yes, they are authenticating.



drew
Automatic
Premium
join:2002-07-10
Port Orchard, WA
kudos:6

I'm having a hard time understanding why an authenticated user on your network is not set up to be bypassing the outbound spam filter.

If you're worried about DLP, etc. that's a whole other set of things. Scanning outbound attachments, etc. for a virus is also a good thing (keeps your IPs from getting blacklisted), but... spam? Why?
--
flickr | 'Cause I've been waiting, all my life just waiting
For you to shine, shine your light on me



PToN
Premium
join:2001-10-04
Houston, TX

Internal networks bypass most of the tests; however, when users use their phones with either 3G/LTE/WiFi/etc., the connection is seen as an external network (certainly since it is not a 192.168.) and because of that it triggers all tests.



drew
Automatic
Premium
join:2002-07-10
Port Orchard, WA
kudos:6

But you said they authenticate...

I'm not an e-mail expert, but I can see no reason why an authenticated user to the mail server is getting run through all those spam tests on the outbound direction. I would strongly consider changing your configuration if at all possible.

Do your users get spam-tested between internal mailboxes too?
--
flickr | 'Cause I've been waiting, all my life just waiting
For you to shine, shine your light on me



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
reply to PToN

You should be able to bypass certain tests (or all) for authenticated users.

For example, when my users are authenticated on Postfix I don't send them to the regular spam filtering queue, but to an alternative filtering queue that is less strict on many items.


guppy_fish
Premium
join:2003-12-09
Lakeland, FL
kudos:2
reply to PToN

Letting users do SMTP mail is a security risk unless you're doing SSL connections, which by the sound of it you're not; it's all clear text, authenticated or not. You should be enforcing VPN to use your corporate send mail if it's not local traffic.

If you don't want to do VPN or SSL, the next best step is an HTTPS webmail portal for all mail that is not on the local network.



PToN
Premium
join:2001-10-04
Houston, TX

We are doing SSL connections. I don't know where you got that from.

Postfix is set up to forward all mail to "pmx:localhost:10025". PureMessage gets every email and the first test is to decide whether it is from any of my internal (192.168) networks or external networks. The attachment shows the tests done to every email.

I have "smtpd_sasl_authenticated_header=yes" so I guess I could check for this header on the "Mail from internal hosts" test and catch it there.

Thanks.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

To add to my earlier note.
Regular mail is delivered via port 25 as usual.
Internal users have to go through submission port 587/TLS, which then sends them to an alternative filtering queue that is, for example, not doing the source IP/domain checks.

Submission port 587 is becoming the de facto standard for submitting mail from end users; you should consider switching to it and using 25 for inbound mail. Then you can force TLS on 587 and do alternative filtering easily. All easily done with Postfix.
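The split Brano describes in his two posts (port 25 for inbound mail with the full filter, an authenticated TLS-only submission service on 587 that hands mail to a separate, less strict filter queue), written out as a Postfix master.cf fragment. This is an added example, not Brano's or PToN's configuration: only pmx:localhost:10025 comes from the thread; the pmx-auth transport, port 10026 and the re-injection listener on 10028 are assumed names for a second PureMessage policy endpoint that has to be configured on the filter side.

```conf
# master.cf (added example; service layout and filter ports assumed)
# service     type  private unpriv chroot wakeup maxproc command + args

# Port 25: inbound mail from the Internet goes through the full policy.
smtp          inet  n       -      n      -      -       smtpd
  -o content_filter=pmx:localhost:10025

# Port 587: end-user submission only. STARTTLS is mandatory, AUTH is offered
# only after TLS, and unauthenticated clients are rejected before relaying.
# Authenticated mail is handed to a second, less strict filter queue, so
# SXL_IP_* / RDNS_* style rules never see the user's mobile or home address.
submission    inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o content_filter=pmx-auth:localhost:10026

# Filter transports. "pmx" is the name the thread already uses; "pmx-auth" is
# an assumed second entry pointing at a filter instance with the relaxed
# policy. XFORWARD passes the original client IP to the filter, which is why
# IP-based rules can see the user's address at all on the port 25 path.
pmx           unix  -       -      n      -      10      smtp
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
pmx-auth      unix  -       -      n      -      10      smtp
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes

# Re-injection listener the filter delivers back to (assumed port). Empty
# content_filter prevents a loop; only the local filter may connect.
localhost:10028 inet n     -      n      -      -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
```

With smtpd_sasl_authenticated_header = yes in main.cf (the setting PToN already has), the Received header on the submission path also records the authenticated sender, so the filter-side policy can additionally key on that if a second endpoint is not available.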