Hi all,
We are using Exchange 2013 and some clients are working from home office. If they are sending mails via Outlook Anywhere, the mails are getting blocked by the blacklist filter.
Pkte Regelname Beschreibung
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
[79.250.179.233 listed in bl.score.senderscore.com]
3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[79.250.179.233 listed in zen.spamhaus.org]
-1.9 BAYES_00 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 0-1%
[score: 0.0000]
1.0 SO_NON_FQDN_HELO HELO is non-FQDN
0.5 SO_RDNS_UNKNOWN Unspecified hostname
-0.1 SO_LOCAL_RETURN_PATH Return-Path is a local domain
-0.1 SO_LOCAL_FROM From is a local domain
0.0 HTML_MESSAGE BODY: Nachricht enthält HTML
0.5 _EMB_IMG RAW: Embedded image
0.6 _EXTERNAL_CONTENT RAW: Externaly linked content
0.5 _EXTERNAL_IMG RAW: Linked image
-0.5 SO_FROM_RP From a valid local domain
1.4 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
0.2 SO_IMAGE Large or eXtraLarge embedded image
1.0 SO_FROM_HJPC From possible exploited computer
0.5 SO_WEAK_HOST Unreliable host (no TLS, SPF, DKIM, RDNS), but external
content
The local IP of the Exchange server is on the trusted network.
The same with me. Same setup, but clients are delivering mail via SMTP Client Connector (Port 587) directly to my Exchange 2013 server. Outgoing mail will sometimes be classified as spam:
Content analysis details: (7.5 points, 5.5 required)
pts rule name description
0.2 SO_RDNS_UNKNOWN Unspecified hostname
-0.1 WITH_TLS_PFS Spam bots don't usually use TLS encryption
-0.1 SO_LOCAL_RETURN_PATH Return-Path is a local domain
-0.1 SO_LOCAL_FROM From is a local domain
3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[77.9.11.97 listed in zen.spamhaus.org]
1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
[77.9.11.97 listed in bb.barracudacentral.org]
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
[77.9.11.97 listed in bl.score.senderscore.com]
0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[77.9.11.97 listed in dnsbl.sorbs.net]
-0.7 SO_FROM_RP From a valid local domain
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
0.5 SO_FROM_HJPC From possible exploited computer
Last edit: Edmund Sackbauer 2014-07-22
Please set Hostname filter to 7 (in GUI > Secure)
I had it already set to 7
Last edit: Edmund Sackbauer 2014-07-22
Try the release I posted today.
Before any update, a snapshot should be taken.
Marius.
You can also redirect your traffic to port 587, instead of 25.
But that one requires authentication provided in Route > Inbound.
That's not my preferred method. All users use the same password, so if this gets widespread by error/hack and needs to be changed, I have to inform all users and everyone needs to change it in all their clients.
I prefer LDAP authentication, so only one user needs a password reset.
The user and password are intended to be used by your email server sending emails to Scrollout. Has nothing to do with any of your users nor hacking probability.
Last edit: Marius Gologan 2014-07-22
Yes, sorry, I tested that but found out that I have to create a connector in Exchange for each domain I am hosting. A lot of work ;)
I tested it with one domain, however it seems Scrollout does not listen to port 587 by default? netstat -a showed no port open.
It is listening on port 587:
netstat -natp | grep 587
I updated to today's version, now I get every minute in the log files:
postfix/master[2441]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
postfix/smtpd[6619]: fatal: invalid "-o smtpd_sasl_authenticated_header" option value: missing '=' after attribute name
postfix/master[2441]: warning: process /usr/lib/postfix/smtpd pid 4821 exit status 1
I have not changed the configuration in the meantime.
As for the original problem, I still have to watch out for it.
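Added example (not part of the original thread and not Scrollout's code): the smtpd error quoted in the post above is what Postfix logs when an "-o" override in master.cf has no "=value". This sketch checks a master.cf text for such overrides before Postfix is reloaded; the sample fragment is constructed and the function names are this example's own.

```python
# Constructed master.cf fragment (not taken from the thread or from Scrollout).
# One "-o" override on the submission service lacks "=value".
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_authenticated_header
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto their service entry."""
    entry = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and entry is not None:
            entry += " " + raw.strip()    # continuation of the current service
        else:
            if entry is not None:
                yield entry
            entry = raw.strip()
    if entry is not None:
        yield entry

def bad_overrides(text):
    """Return (service, option) pairs where "-o" is not followed by name=value."""
    findings = []
    for entry in logical_lines(text):
        fields = entry.split()
        service, args = fields[0], fields[8:]   # 7 fixed columns + command name
        for i, tok in enumerate(args):
            if tok != "-o":
                continue
            nxt = args[i + 1] if i + 1 < len(args) else ""
            if nxt.startswith("{"):
                continue                  # brace form of newer Postfix, not checked
            if "=" not in nxt:
                findings.append((service, nxt))
    return findings

if __name__ == "__main__":
    for service, option in bad_overrides(SAMPLE_MASTER_CF):
        print(f"{service}: '-o {option}' has no '='")
```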
"-o smtpd_sasl_authenticated_header" is not part of Scrollout configuration and never was. So far, I think you are operating a different machine.
I do not think so. I reverted to the snapshot taken before the update (version 2014-07-15), and the errors do not occur.
Could it be that updated Debian packages introduced this error?
You are right, there is that option in master for some levels.
I uploaded a new release.
This is actually still the same behaviour as I already posted:
https://sourceforge.net/p/scrollout/discussion/1102835/thread/59c9d26b/
I have set the levels according to your recommendation.
Scrollout should not check the originating IP address of a mail, if it is delivered via a trusted mail server. A lot of my clients still use IMAP/SMTP, so they will always send their mails from blacklisted dynamic IPs.
The problem is back.
Hostname filter is on 7, but the mail was blocked by Scrollout:
Pkte Regelname Beschreibung
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
[X.X.X.X listed in bl.score.senderscore.com]
3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[X.X.X.X listed in zen.spamhaus.org]
0.5 SO_NON_FQDN_HELO HELO is non-FQDN
0.2 SO_RDNS_UNKNOWN Unspecified hostname
-0.1 SO_LOCAL_RETURN_PATH Return-Path is a local domain
-0.1 SO_LOCAL_FROM From is a local domain
0.0 HTML_IMAGE_RATIO_08 BODY: Verhältnis Bilderfläche zu Text ist klein
0.0 HTML_MESSAGE BODY: Nachricht enthält HTML
-0.0 BAYES_20 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 5-20%
[score: 0.1463]
0.1 _EMB_IMG RAW: Embedded image
0.1 _LARGE_EMB_IMG RAW: Large image
-0.7 SO_FROM_RP From a valid local domain
1.4 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
0.2 SO_IMAGE Large or eXtraLarge embedded image
0.5 SO_FROM_HJPC Source similiar to a home computer
How can I stop scanning internal mails?
Last edit: Anonymous 2014-08-20
Are you delivering the messages from your email server to Scrollout to port 587?
No, to port 25.
If I use port 587 and auth, the mails are getting rejected with "access denied".
Last edit: Anonymous 2014-08-20
Now it works; I had to restart the Exchange Transport service.