Discussion:
Attachment blocking with spoofed addresses and DMARC
Quanah Gibson-Mount
2016-04-14 23:27:42 UTC
A customer who has set up DKIM + SPF notes a spammer tactic where they set
the TO and FROM to be the same value, i.e.:

To: ***@domain.com
From: ***@domain.com

With an attachment type that has been set up to be blocked. Even though
the message clearly fails DMARC and thus will be flagged as Junk in our
setup (SA scores DMARC failure with a large negative score), the user ends
up getting a notification for every one of these emails. Is there any way
to get Amavis to NOT send a notice to the user if the SA score is above the
SPAM threshold?

Thanks,
Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
Benny Pedersen
2016-04-15 11:59:13 UTC
Post by Quanah Gibson-Mount
> A customer who has set up DKIM + SPF notes a spammer tactic where they
> With an attachment type that has been set up to be blocked. Even
> though the message clearly fails DMARC and thus will be flagged as
> Junk in our setup (SA scores DMARC failure with a large negative
> score), the user ends up getting a notification for every one of these
> emails. Is there any way to get Amavis to NOT send a notice to the
> user if the SA score is above the SPAM threshold?
Why accept DMARC fail?

I just reject it in opendmarc.

But since you use amavisd, it could possibly be solved by creating a new
policy bank for DKIM fails and setting the policy in that bank for DKIM fails.
It's a long time since I used amavisd here, so I don't know much about it.

If you want to do it with DMARC, then amavisd needs DMARC handling, which
it does not currently have, but DKIM is handled in amavisd.
A. Schulze
2016-04-15 15:29:05 UTC
Post by Benny Pedersen
> Why accept DMARC fail?
Quanah did not mention the real domain, so it's possible they publish a
policy p=none.
Then no reject will happen in any case.

@Quanah
Maybe there is a setting "mydomains" including "domain.com" and
another setting "warn_banned_file_sender"
(not checked what the real parameter names are ...)
As the external message claims to be internal, that would trigger that
behaviour.

Does your customer use the same amavis instance for submission and inbound MX?
Then "warn_banned_file_sender" should be enabled only on a policy bank
dedicated to submission.

Andreas
Quanah Gibson-Mount
2016-04-15 15:41:32 UTC
--On Friday, April 15, 2016 6:29 PM +0200 "A. Schulze"
Post by A. Schulze
> Does your customer use the same amavis instance for submission and inbound
> MX?
> Then "warn_banned_file_sender" should be enabled only on a policy bank
> dedicated to submission.
Thanks, that would be exactly it. I'll file an internal bug for tracking
this, thanks!

--Quanah

Quanah Gibson-Mount
2016-04-15 15:45:13 UTC
--On Friday, April 15, 2016 9:41 AM -0700 Quanah Gibson-Mount
Post by Quanah Gibson-Mount
> --On Friday, April 15, 2016 6:29 PM +0200 "A. Schulze"
> Post by A. Schulze
>> Does your customer use the same amavis instance for submission and inbound
>> MX?
>> Then "warn_banned_file_sender" should be enabled only on a policy bank
>> dedicated to submission.
> Thanks, that would be exactly it. I'll file an internal bug for tracking
> this, thanks!
Although I think you mean "warnbannedsender". ;) I don't see anything
named warn_banned_file_sender in Amavis.

--Quanah


A. Schulze
2016-04-15 15:55:46 UTC
Post by Quanah Gibson-Mount
> Although I think you mean "warnbannedsender". ;) I don't see
> anything named warn_banned_file_sender in Amavis.
I didn't check the true names but you found the right one ...
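
The split suggested in this thread, written out as an amavisd.conf fragment. This is an added example, not configuration posted by any participant; the listener port 10026 and the policy bank name ORIGINATING follow the amavisd sample configuration and are assumptions about the deployment.

```perl
# amavisd.conf fragment (added example, not from the thread).
# Assumptions: 10024 is the inbound MX listener, 10026 is a second listener
# that the MTA uses only for authenticated submission.

# Before: a single global setting covers every listener. Inbound mail that
# forges a local From: address then causes a banned-file warning to be sent
# to that forged local "sender", i.e. to the user who was the target.
# $warnbannedsender = 1;

# After: no banned-file sender warnings by default (inbound MX traffic) ...
$warnbannedsender = 0;

# ... and a dedicated listener for the submission path.
$inet_socket_port = [10024, 10026];
$interface_policy{'10026'} = 'ORIGINATING';

# Policy bank keys are the config variable names without the leading '$'.
$policy_bank{'ORIGINATING'} = {
  originating      => 1,  # mail was submitted by our own users
  warnbannedsender => 1,  # tell genuine local senders their file was blocked
};
```

This only helps if the MTA sends nothing but authenticated submission traffic to the second listener; inbound MX mail must keep using the default port.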
