Headers fields BUG in Trusted Domains in all Smartermail versions
Problem reported by CLEBER SAAD - 8/7/2020 at 11:15 AM
Submitted
Hello,

I have in my webmail the domain @gmail.com in trusted domains, because some IPs from gmail.com are in RBLs.

But I received this e-mail, which is considered spam; BUT the reply-to header has the gmail.com domain and Smartermail considers it trusted.

The header of the message:

Return-Path: <maxtp@bic.ky>
Received: from <mymx> (UnknownHost [192.168.201.220]) by VMSDC1INTMAI03 with SMTP;
   Thu, 6 Aug 2020 13:40:34 -0300
Received: from <mymx> (localhost.localdomain [127.0.0.1])
    by <mymx> (Proxmox) with ESMTP id 675E642F74
    for <myemail>; Thu,  6 Aug 2020 13:40:33 -0300 (-03)
Received-SPF: softfail (bic.ky: Sender is not authorized by default to use 'maxtp@bic.ky' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=<mymx>; identity=mailfrom; envelope-from="maxtp@bic.ky"; helo=biccvl-pweb001.bic.ky; client-ip=209.27.61.166
Received: from biccvl-pweb001.bic.ky (unknown [209.27.61.166])
    by <mymx> (Proxmox) with SMTP id 9A7C741396
    for <myemail>; Thu,  6 Aug 2020 13:40:14 -0300 (-03)
Received: from [103.99.1.172] (unknown [103.99.1.172])
    by biccvl-pweb001.bic.ky (Postfix) with ESMTPA id BDA331629F9A;
    Wed,  5 Aug 2020 22:12:54 -0500 (EST)
Content-Type: multipart/alternative; boundary="===============0329809715=="
MIME-Version: 1.0
Subject: RE:
To: Recipients <maxtp@bic.ky>
From: maxtp@bic.ky
Date: Wed, 05 Aug 2020 20:12:37 -0700
Reply-To: maviswanczykinc@gmail.com
X-SPAM-LEVEL: Spam detection results:  32
    ADVANCE_FEE_3_NEW_MONEY      1 Advance Fee fraud and lots of money
    BAYES_50                    4 Bayes spam probability is 40 to 60%
    FREEMAIL_FORGED_REPLYTO  2.095 Freemail in Reply-To, but not From
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    LOTS_OF_MONEY           0.001 Huge... sums of money
    MIME_QP_LONG_LINE       0.001 Quoted-printable line longer than 76 chars
    MISSING_MID             0.497 Missing Message-Id: header
    RCVD_IN_BCUDA_RBL           1 Received via a relay listed by Barracuda BRBL
    RCVD_IN_BCUDA_RELAY         5 BCUDA: relay ip is convicted spammer
    RCVD_IN_BL_SPAMCOP_NET  1.347 Received via a relay in bl.spamcop.net
    RCVD_IN_MSPIKE_BL       0.001 Mailspike blacklisted
    RCVD_IN_MSPIKE_L5       0.001 Very bad reputation (-5)
    RCVD_IN_PSBL              2.7 Received via a relay in PSBL
    RCVD_IN_RP_RNBL          1.31 Relay in RNBL, https://senderscore.org/blacklistlookup/
    RCVD_IN_SBL             0.141 Received via a relay in Spamhaus SBL
    RCVD_IN_SORBS_WEB         1.5 SORBS: sender is an abusable web server
    RCVD_IN_SPFBL_REP           5 SPFBL: Bad rep
    RCVD_IN_lashback_SPAM       5 lashback: sender is listed sending spam
    RDNS_NONE               0.793 Delivered to internal network by a host with no rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_SOFTFAIL            0.665 SPF: sender does not match SPF record (softfail)
X-SmarterMail-SmartHostSpamWeight: 32
X-Spam-Flag: 5
Message-Id: <20200806164033.675E642F74@<mymx>>
X-Rcpt-To: <myemail>
X-SmarterMail-Spam: Custom Rules [SPAM 5: 100]
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)


6 Replies

0
Douglas Foster Replied
The other post had nothing to do with this problem, since that post was about internal-only messages not being checked in the same manner as incoming messages.

The heading on this post is also confusing. The real issue appears to be these lines:
X-SmarterMail-SmartHostSpamWeight: 32
X-Spam-Flag: 5
X-SmarterMail-Spam: Custom Rules [SPAM 5: 100]
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain) 
If the final message sets the weight to zero, why was the message blocked by the spamweight?
Of course, I have no idea. Have you opened a ticket with Sophos Support? They are no longer in Beta testing, so this is not the optimal forum for bug reports.
0
Douglas Foster Replied
Your post raises some larger issues.

It is hard for me to imagine why you want to receive messages from this source. It is not even authorized as a mail sender for its own domain, much less anyone else's domain. There are red flags all over the spam report that you included. But if you want to receive its mail, you should whitelist based on the IP address or DNS name. (I don't think SM can filter on DNS name, so this would need to be implemented using Declude or another product.)

Source whitelisting is only safe if the source identity can be verified. As things stand, you are asking for SM to accept any mail that pretends to be from gmail.com, including everyone who can spoof gmail.com. Then you have made it worse by posting that configuration information on a somewhat public forum. It may be best for this entire exchange to be deleted (which I believe the originator can do.)

What should occur is that SM should only apply a domain whitelist rule if the domain identity can be verified via SPF or DKIM. Whether SM behaves that way or not is something I do not know. I do my identity-based filtering in Declude because I have been able to build rules which ensure that whitelisting is only applied to confirmed identities.

I have never before heard of blacklisting or whitelisting based on the reply-to address alone. I am surprised that you found evidence that SM might be able to do so. If SM intends to provide that capability, it should still require a valid SPF or DKIM result which matches the reply-to domain.
0
Ron Raley Replied
I don't necessarily think this should be a bug.  A trusted sender (e-mail address or domain) is simply asking SmarterMail to scan the header for specific text.

Reply-To is actually supposed to be the responsive human behind a computer.  So technically, the "source" of the e-mail is BOTH From and Reply-To.

Thanks,
Ron
0
CLEBER SAAD Replied
I understand that the problem may be one of understanding. For the feature called "Trusted Senders" in the Smartermail configuration, which fields does Smartermail use to do this validation?

In my opinion, the correct identification of a sender should use 2 fields: Return-Path and From. In this case, our antispam did the correct analysis and correctly scored the message as spam to be directed to the Junk Email, as you can check through the mark below (we have a filter there in Custom Rules that takes this action):

"X-SmarterMail-SmartHostSpamWeight: 32
X-Spam-Flag: 5
X-SmarterMail-Spam: Custom Rules [SPAM 5: 100] "

However, as in my account I have the gmail.com domain in "Trusted Senders", Smartermail, as I understand it, treats it as a trusted sender only through the Reply-To header.

In my view, this is considered a BUG, unless there is something in the Smartermail documentation that says that validation of "trusted senders" is done by any header text.

By the way, I'm posting here to have a better discussion and understanding, as we have been customers for many years and we love Smartermail, but we identified this situation precisely because gmail.com is in several RBLs and not only us, but some customers also include emails from gmail.com senders in trusted senders.

Thank you
0
Douglas Foster Replied
To my mind, threat assessment involves several phases:
  1. Determine identity (including assessment of the truthfulness of identity assertions)
  2. Assign reputation based on the identity.
  3. Block blacklisted senders without evaluating content.
  4. Evaluate content. Whitelisted senders will bypass some or all content checks.

For your purposes, gmail.com does not seem to be the appropriate criterion for assessing identity, because the source of this email was not gmail.com. Anybody can assert any return path, and my reading says that spammers often use a false return-path. You want mail from this source in particular, but you do not necessarily want messages from other senders that falsely assert gmail.com in the return path.

Once you configure a rule to whitelist your desired traffic, you need to decide whether to bypass all checks or only some checks. Are you confident that this source will never send malicious content? If not, you probably want to keep some content filtering enabled.

Overall, the SM features for spam filtering are rudimentary. Their strength is mail processing, not spam filtering, so the limited spam features should be no great surprise. This is the reason that I use SM configured as an incoming gateway with Declude as the spam filter. The price is the same (free, at least until Declude Reboot is released), but the flexibility is much greater. I also use two commercial spam filters, configured in series, to catch things that Declude does not.
1
Employee Replied
Employee Post
@Cleber Saad, SmarterMail looks at three fields for sender checks:
  1. Return Path
  2. From
  3. Reply To
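As an added example (not SmarterMail's code and not from anyone in the thread), the check below contrasts the any-of-three-fields matching the employee describes with the authenticated-identity rule Douglas Foster proposes; the SPF and DKIM results are assumed to be supplied by the receiving MTA, and the sample headers are a constructed subset of the ones in the original post.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the headers quoted in the original post.
SAMPLE = """Return-Path: <maxtp@bic.ky>
Received-SPF: softfail (bic.ky: ...) identity=mailfrom; envelope-from="maxtp@bic.ky"
From: maxtp@bic.ky
Reply-To: maviswanczykinc@gmail.com
Subject: RE:

body
"""
# Constructed legitimate case: a real gmail.com sender whose DKIM signature validates.
LEGIT = "Return-Path: <alice@gmail.com>\nFrom: Alice <alice@gmail.com>\nSubject: hi\n\nbody\n"


def sender_domains(raw):
    """Return {header: domain} for the three fields SmarterMail says it checks."""
    msg = message_from_string(raw)
    out = {}
    for h in ("Return-Path", "From", "Reply-To"):
        addr = parseaddr(msg.get(h, ""))[1]
        if "@" in addr:
            out[h] = addr.rsplit("@", 1)[1].lower()
    return out


def trusted_any_header(raw, trusted):
    """Observed behaviour: a match in any of the three fields grants trust,
    so a Reply-To alone (which the sender sets freely) is enough."""
    return [h for h, d in sender_domains(raw).items() if d in trusted]


def trusted_authenticated(raw, trusted, spf_pass_domain=None, dkim_pass_domains=()):
    """Hardened rule: trust only an identity the MTA authenticated.
    spf_pass_domain: envelope-from domain that passed SPF (assumed MTA input).
    dkim_pass_domains: d= domains of valid DKIM signatures (assumed MTA input).
    Reply-To is never consulted, since it carries no verifiable identity."""
    doms = sender_domains(raw)
    rp, frm = doms.get("Return-Path"), doms.get("From")
    if rp in trusted and rp == spf_pass_domain:
        return "Return-Path"
    if frm in trusted and frm in set(dkim_pass_domains):
        return "From"
    return None
```

For the message in the thread, the any-header rule grants trust on Reply-To alone, while the authenticated rule grants nothing because bic.ky only softfailed SPF and gmail.com never appears in an authenticated identity.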
