On 23.12.22 21:24, Joey J wrote:
>This is the best I can grab header-wise. Names/IPs have been changed here to
>protect privacy.
>Know the following:
>The sender's real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the
>mail to the gateway, and the gateway blocked it as shown.
>Yes, legit going to PayPal.
>
>Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: client=Sender.MailServer.com[1.2.3.4]
>Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: message-id=<mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com>
>Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01: from=<sen...@customer.com>, size=673334, nrcpt=1 (queue active)
>Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
>Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail message-id=<mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com>#012
>Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
>Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)

The sender address is sen...@customer.com and SPF passed (SPF_PASS), so:

welcomelist_auth sen...@customer.com or
welcomelist_from_spf sen...@customer.com

should both allow this sender.
I assume the sen...@customer.com is also in the From: address.

welcomelist_from_dkim sen...@customer.com
will NOT work, because there's no valid DKIM signature.


On 21.12.22 15:48, Joey J wrote:
>Thank you for pointing me in the better direction.
>Since not many people are typing these types of email, I could do the one
>off rule and it would be manageable.
>But in better seeing the welcomelist_from_spf option, I think this will be
>my first try.

On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
welcomelist_auth does the same as both welcomelist_from_spf and welcomelist_from_dkim.

Note that SPF is related to the envelope from address, and if it's different from the header From:, it won't help you much.

You haven't provided an example of the mail (headers) we are talking about.
Without it, we can only guess what your problem really is and what the
solution should be.


>On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel <g...@lexort.com> wrote:
>> The other thing that should be done for j...@company.com is that
>> company.com should sign their mail with DKIM, and then you can
>>
>>   welcomelist_from_dkim *@company.com
>>
>> I find that many companies I deal with that produce semi-spammy mail
>> (most big companies :-) have DKIM signatures and I can welcomelist on
>> that, without welcomelisting forgeries.
>>
>> You can of course use _rcvd for the IP address.  DKIM is just nicer if
>> you can get them to do it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
