Need to Validate Trusted Senders

Problem reported by kevind - 9/1/2015 at 2:14 PM

Submitted

Most experts agree that adding an email address or domain to the global Trusted Senders is not good practice. It's an open door -- anyone can spoof the address or domain.

So I suggest qualifying Trusted Senders with SPF or DKIM so that if the name matches AND it passes the test (sent from correct IP, etc.) then let the message through.

Example: add facebookmail.com to Trusted Senders and if it passes SPF and/or DKIM, bypass Greylisting and SpamAssassin. Greylisting delays delivery and SA eats up CPU and could send it to Junk folder. Maybe there's a way to do this already? Like if spam score < 0, don't run SA?

Kevin

40 Replies

Reply to Thread

kevind Replied

10/21/2015 at 1:22 PM

Let's expand on this idea and make SmarterMail's spam processing more efficient:

If a domain/address is listed in global Trusted Senders, the Bayes, SA, CommTouch, and RBL tests are still run. This wastes time & CPU because the message scores 0 for Trusted Sender!
If spam tests are run on a gateway and the score passed to SmarterMail, all the spam tests are run again. This wastes time and CPU because it uses the score from the gateway!
http://portal.smartertools.com/community/a87006/when-using-gateway-why-are-spam-checks-repeated.aspx

If we eliminate this duplicate processing, SmarterMail will run more efficiently with more users & messages.

Thanks,

Kevin

kevind Replied

11/6/2015 at 9:51 AM

SpamAssassin is a nice spam-fighting tool; unfortunately it's a resource hog.

Looking for a way to bypass SpamAssassin for known, legitmate, trusted email, which could account for > 50% of mail passing through server. Tried global trusted senders and gateways, but SM still runs SA on every message.

Can we add something to SM to bypass SA for either:

global trusted senders that pass DMARC or
messages from remote gateways that already have a SA score?

Thanks,

Kevin

kevind Replied

11/6/2015 at 9:59 AM

And yes, I know you can set up a remote SpamAssassin server, but why if over half of your messages don't even need to be checked.

Webio Replied

11/6/2015 at 10:59 AM

Hello,

have you tried Declude?

kevind Replied

11/6/2015 at 2:37 PM

Webio, thanks for reply. Haven't tried Declude. Are you suggesting it as a replacement to SA?

Someone said Declude is a resource hog also:
http://portal.smartertools.com/community/a2507/declude-how-to-and-why-not.aspx

Webio Replied

11/6/2015 at 11:07 PM

IMHO it all depends of configuration. I'm using custom (one from SM installation was causing only problems) installation of ClamAV connected directly to SmarterMail and Declude for SPAM filtering. It works very good. IMHO you should try it.

kevind Replied

11/8/2015 at 5:55 PM

OK, we'll check it out. Thanks for the tip, Webio.

Employee Replied

10/26/2016 at 2:51 PM

Employee Post

Kevin, I've generated a ticket off of this thread so we can track it internally. I'll make sure this gets brought up in our next dev meeting.

In our other post, we'll be messing with the same code most likely so I'll see if we can sneak this in as well.

Employee Replied

10/28/2016 at 9:24 AM

Employee Post

Kevin,

I met with the dev's this morning. They have added this into our tracking system as a feature request, unfortunately I cannot give an ETA on implementation as it needs to go through our standard dev process.

kevind Replied

10/28/2016 at 10:50 AM

Von, appreciate your effort here. But just a little confused with your post on another thread earlier today:

CCC, our developers have added a feature request for specifying a domain and having the whitelist entries dynamically added based on SPF record. They are in agreement that this would benefit a majority of our customers.

Actually it sounds like the solution we're looking for here.

kevind Replied

1/23/2017 at 8:38 AM

Recently in another thread, Tim Uzzanti wrote:

Why not Validate Trusted Senders
- We do not see the value.

Here's a simple example to help explain the value:

You have a very important customer or vendor, XYZ.com, whose email needs to be delivered immediately (no greylisting) and to the Inbox (no quarantine).
So you add XYZ.com to your global Trusted Senders. (note, this could be @ebay.com or @facebookmail.com for consumer-oriented mailboxes)
Now, when you receive email from this domain, everything works great, right? PROBLEM: What if XYZ.com is spoofed?
SOLUTION: SmarterMail adds a check for SPF or DKIM so when email comes in from XYZ.com, the sending IP is verified, mail is delivered, and it works as intended.

This beats adding dozens of IP addresses to the whitelist and maintaining them. With 18 votes for this thread, it seems like some people in the community see the value. Thanks!

Tim Uzzanti Replied

1/23/2017 at 4:35 PM

Employee Post

I agree. We thought you wanted something done at the time of entering the domain or email.

We will make it available in SmarterMail 16.x

Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com

kevind Replied

1/23/2017 at 8:39 PM

Nice!!! This should really help admins by reducing the amount of time spent managing IPs in the whitelist. Just add the domain instead.

kevind Replied

7/18/2017 at 8:19 AM

Hello. Just following up on this idea. Recently we ran into a problem with Amazon SES trying to deliver messages to SmarterMail and they were delayed for hours because greylisting couldn't handle the multiple IPs. More info here:

https://portal.smartertools.com/community/a87031/amend-greylisting-implementation-to-handle-smtp-clusters.aspx

I think the ideas outlined in this thread could help. Instead of adding multiple IP address ranges and having to maintain them, you could just add 'amazonses.com' and SmarterMail could lookup the valid IP ranges to bypass greylisting. See: https://aws.amazon.com/blogs/ses/amazon-ses-ip-addresses/

Ionel Aurelian Rau Replied

7/19/2017 at 12:01 AM

Yes, we also had this issue, but with customers using MS Office365 - we had no choice but to add a lot of their IP ranges in order to make sure their emails were delivered. Before we did this, their emails were delayed for more than one day and in one case we even lost a project due to this.

Being able to add the domain to the bypass and have SM lookup the IPs would help greatly.

Lasse Balsvad Replied

10/26/2017 at 9:08 AM

I agree. More effort can be put into the spam check routines. It would be nice with an option in the "Anti-Spam administration" where we could select if trusted senders should use the classic spam / trusted sender checks like SPF, DKIM, Reverse Lookup too. Or at least a way to add domain names exceptions to grey listing, so mail aren't delayed. My problem is that it's easier to add an email domain to the trusted senders list, than it is to find and add a lot of mail servers IP-addresses to greylisting. This results in fake senders (spam) from apple.com, gmail.com etc. is received without even checking the reverse lookup which I think is the most important one that I have given a value of 20 in the spam check list.

kevind Replied

10/26/2017 at 11:35 AM

Hi Lasse, thanks for your support. Here's another idea that could be used to block spammers who spoof popular domains:
https://portal.smartertools.com/community/a89630/vulnerability-spoof-any-domain.aspx

Lasse Balsvad Replied

10/26/2017 at 12:20 PM

Hi Kevind

Thanks for reply. I think this is another situation. See the incoming mail delivery information below.

From mail header:
Return-Path: <do_not_replay@apple.com>
Received: from ik1-316-18087.vs.sakura.ne.jp (ik1-316-18087.vs.sakura.ne.jp
...
From: Apple<do_not_replay@apple.com>
Message-Id: <20171026143141.86CCA386EB0@ik1-316-18087.vs.sakura.ne.jp>
X-SmarterMail-Spam: ISpamAssassin 0 [raw: 0], SPF_Fail, DK_None, DKIM_None, Custom Rules [], BARRACUDA, SORBS - Spam
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - System)

-<>-<>-<>-<>-<>-<>-

From server delivery log:
>Delivery started for do_not_replay@apple.com at 16:34:37
>Spam check results: [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_INTERNALSPAMASSASSIN: 0:0], [_SPF: Fail], [_DK: None], [_DKIM: None], [_CUSTOMRULES: ], [BARRACUDA: failed], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [MCAFEE: passed], [NJABL - PROXY: passed], [NJABL - RELAY: passed], [NJABL - SPAM: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SOCKS: passed], [SORBS - SPAM: failed], [SPAMCOP: passed], [SPAMHAUS - PBL: passed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [SPAMHAUS - XBL: passed], [SPAMHAUS - XBL2: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed]
>Starting local delivery to ****@****.***
>Skipping spam filtering: Trusted Sender (system level)
>Delivery for do_not_replay@apple.com to ****@****.*** has completed (Delivered) Filter: None
>End delivery to ****@****.***
>Delivery finished for do_not_replay@apple.com at 16:34:43 [id:78253870]

-<>-<>-<>-<>-<>-<>-

I know that I have trusted "apple.com", but I have mainly done it to skip graylisting for some domains. So it would be nice to have an option to add domains to a greylisting exception list.

Also if SPF was checked for apple.com I don't think the IP address of the japanese mail server (client) would be included.

kevind Replied

10/26/2017 at 6:47 PM

Lasse, agreed. Your example above does not fit the spoofing vulnerability.

But it does fit the overall theme of this thread. By adding apple.com as a trusted sender, it skips greylisting, but it allows fake messages into your server.

If there was a way to validate trusted senders using SPF, it would be better. Certainly the message above would be rejected as it fails SPF.

My suggestion until this is fixed is to remove 'apple.com' from trusted senders and enter IP addresses to bypass greylisting, You could get the IP addresses from the apple.com SPF record.

Matthew Leyda Replied

10/26/2017 at 8:20 PM

Lasse,
Try using SmarterMail Whitelist from SPF (free) tool provided by mightyblue.com

You can get it here http://www.mightyblue.com/products.php?pid=5

Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP

echoDreamz Replied

10/26/2017 at 9:22 PM

We had a client that received email from a spoofed domain. Was a trusted sender as well. However, the RDNS check should have stopped them, the server had RDNS setup, but was not forward confirmed. PLEASE ST FIX THIS!!!! And of course, the domain has no SPF (we've worked with them to fix this now).

The only reason the customer called BS on the email was because the email had the business name spelled wrong in the signature. Which made their accounts payable department forward to the IT department for verification, then the customer directly for verification they sent the email, then ultimately us to see where it came from.

The link on the company name was also linked to a spoofed site as well, they did a really good job on it, would Cyren or other URIBL checks caught it? Who knows, since it was a trusted sender these checks were not executed.

Ultimately though, if the RDNS check was better, this email would have been kicked back and the customer never would have noticed. The customer rightly is worried about when they receive invoices and requests to pay for materials etc. are they real? Do they have to contact everyone each time to verify?

echoDreamz Replied

10/26/2017 at 9:25 PM

The issue with this is that it requires you to restart SM, we cannot do that. Our SM service takes ~25 - 35 minutes to fully start.

I will see if we can release our utility, ours uses the SM API directly so that the service does not have to be rebooted.

Richard Frank Replied

10/27/2017 at 5:15 AM

what was wrong with the rdns check?

kevind Replied

10/27/2017 at 6:38 AM

Have the customer remove all domains from trusted senders. It's not safe to use this feature in SM as it's currently implemented.

Gabriele Maoret Replied

10/27/2017 at 6:43 AM

+1 for me

echoDreamz Replied

10/27/2017 at 9:13 AM

Richard - What is not wrong with it? It flags emails with good RDNS saying there is none, if doesnt flag emails that have no RDNS. It also does not do any forward checks to make sure that the IP address and the RDNS fully complete the circle.

For example, we had emails coming from 173-63-63-72.chicagohost (dont hold me to the hostname, it was something like this). Was not even a completely resolvable host, and SM said it was fine.

kevind Replied

10/27/2017 at 9:32 AM

Richard - the check that Christopher is referring to is called FCrDNS and SM doesn't have it.

It would be a nice addition to SM's spam checking. You can read more about it and vote for it here:
https://portal.smartertools.com/community/a88965/reverse-dns-check-improvements.aspx

echoDreamz Replied

10/28/2017 at 9:21 AM

Well this happened to me today. SmarterMail did SMTP level checks against...

Return-Path: <www-data@jrsacesso211ria01.cloudapp.net>

However delivery checks were done against the "From" header, which they spoofed and used my corporate email address.

X-SmarterMail-Spam: Commtouch 30 [value: Confirmed], DKIM_None
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)

So they were able to get through the SMTP checks (because SPF would have failed this email) by using the return path, but then used the from address of my email directly which passed the trusted senders because my email is a contact.

Though this further questions, I've seen some emails that are trusted senders with no spam checks executed, however this email had spam checks executed, then shows as a trusted sender... I thought the point of the trusted senders was to have no checks executed period.

Matt Petty Replied

12/7/2017 at 10:15 AM

Employee Post

Our new SMTP/Spam changes in version 16 should prevent this from occurring now.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Matthew Leyda Replied

12/7/2017 at 10:28 AM

Are V15 users being hung out to dry again?

Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP

Tim Uzzanti Replied

12/7/2017 at 10:37 AM

Employee Post

v16 is our current version and gets all new functionality, features and bug fixes.

v15 gets bug fixes.

Its how every software company works.

Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com

echoDreamz Replied

12/7/2017 at 12:19 PM

Matt, my comment above was using SM 16. So unless something has changed since October 28th...

Employee Replied

12/7/2017 at 12:40 PM

Employee Post

@echoDreamz there were changes to the SMTP and spam in the 30 November release. Those are the changes that Matt Petty is referring.

echoDreamz Replied

12/7/2017 at 1:04 PM

Robert - Thank you sir :)

ScottF Replied

7/3/2018 at 7:41 AM

This vulnerability was not fixed in 15.x. We received a few thousand messages over the weekend that contained a spoofed trusted sender. The messages failed SPF and DKIM but scored zero because the spoofed address was a trusted sender.

I confirmed that SM 16.3.6754 validates trusted senders in the Return-Path mail headers with SPF and scores the messages correctly. Hopefully, this security hole can also be fixed in 15.x. Thanks.

kevind Replied

7/3/2018 at 8:56 AM

Yes, please!

kevind Replied

9/24/2018 at 1:33 PM

With v17 about to be released, requesting that this bug be fixed before v15 goes off life support. Thanks!

Using v15 and saw hundreds of messages delivered to Inboxes over the weekend because the spammer spoofed @pinterest.com in the Reply To. Here's the header -- no SPF, DKIM or anything to verify that the message actually came from Pinterest and should be trusted.

Return-Path: <return@caspi.meaffireh.com>
Received: from caspi.meaffireh.com (caspi.meaffireh.com [31.210.102.115]) by xxxxxxx with SMTP;
   Fri, 21 Sep 2018 07:29:46 -0400
X-MSFBL: kMNURlWkMuAtkskRsUGMr7fl7Wmn1krkvMMyukNqTSo=|eyJzdWJhY2NvdW50X2l kIjoiMCIsInIiOiJ6b3VoYWlyLmJlbmhhcm91bkBnbWFpbC5jb20iLCJjdXN0b21 lcl9pZCI6IjEiLCJ0ZW5hbnRfaWQiOiJwaW50ZXJlc3QiLCJtZXNzYWdlX2lkIjo iMDAwMzVhZDY5ZjViZTk1ZWZlZWYifQ==
To: zoro <dafoos2@gmail.com>
Message-ID: <EF.FE.24297.A56DF9B5@c.mta4vrest.cc.prd.sparkpost>
Date: Sat, 22 Sep 2018 16:29:14 +0000
Content-Type: multipart/alternative; boundary="_----6+AV7v+LlaB+brIrUbw4Dw===_5E/FE-24297-A56DF9B5"
MIME-Version: 1.0
Reply-To: pinbot@reply.pinterest.com
From: =?UTF-8?B?SG9tZVdhcnJhbnR5IA==?= <mustreads@huffpost.com>
Subject: =?UTF-8?B?Q29uZ3JhdHMhIFlvdSd2ZSBTY29yZWQgYSBHcmVhdCBEZWFsIFRoaXMgRmFsbCEgIA==?=
Feedback-ID: HOMEFEED_NEW_PINS:explore:pinterest
List-Unsubscribe: <mailto:unsubscribe@post.pinterest.com?subject=unsubscribe:rT_v2cRshUW1wiWy7-g2qIeL3WvF_M5suPbusHwFMvs~|eyAicmNwdF90byI6ICJ6b3VoYWlyLmJlbmhhcm91bkBnbWFpbC5jb20iLCAidGVuYW50X2lkIjogInBpbnRlcmVzdCIsICJjdXN0b21lcl9pZCI6ICIxIiwgInN1YmFjY291bnRfaWQiOiAiMCIsICJtZXNzYWdlX2lkIjogIjAwMDM1YWQ2OWY1YmU5NWVmZWVmIiB9>
List-Id: <pinterest-1-0>
X-CTCH-RefId: str=0001.0A020202.5BA4D633.003E,ss=4,re=0.000,recu=0.000,reip=0.000,pt=R_631894,cl=4,cld=1,fgs=8
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)

Linda Pagillo Replied

9/25/2018 at 2:32 PM

Hi Kevin. I wanted to chime in and let you know that Declude is not a resource hog if it is configured correctly. If you want to give it a try, I will be happy to provide you with a good configuration for your environment. Btw, Declude is free and you can download a copy from our website at http://mailsbestfriend.com/downloads Please let me know if you have any questions about it. Thanks.

Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller

kevind Replied

9/26/2018 at 6:29 AM

Linda, thanks for clarification. Sounds interesting...

How would you classify/describe Declude? Can it replace Cyren (CommTouch), SpamAssassin, or ClamAV? Can it fix the trusted senders problem in v15 as described above?

TIA, Kevin

Linda Pagillo Replied

9/26/2018 at 7:06 AM

My pleasure Kevin. Declude is an antispam program. You should not replace Cyren or ClamAV with it. Declude does not perform virus scanning unless you use a 3rd party command line virus scanner with it. It can replace SpamAssassin or it can also be used with it running. My suggestion would be to keep everything you have and if you are still having spam issues, add Declude and Message Sniffer to the mix. With the multiple layers of protection, you should be in great shape. As for fixing the trusted sender's problem, no, Declude will not solve this. The resolution to that issue would be exactly what you suggested.. SmarterTools needs to add the ability to use SPF and DKIM for the trusted senders list. I hope this helps. Thanks!

Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller

Back to Community Threads

Please leave this box unchecked