Blocked email with LOCATION SCREENING | MDaemon Technologies, Ltd.

  • Hi, 

    I have a problem with email blocking when the flag is disabled:
    LOCATION SCREENING -> ONLY BLOCK AUTHENTICATION ATTEMPTS
    If that flag is enabled, all email from selected countries is blocked. I need to exclude some addresses from Gmail, Outlook... but if I enable the flag I can only see the IP of the sender and not the domain, without understanding if the email is spam and where it comes from. What can I do to exclude domains that are not spam? Gmail is already in the whitelist and the flag on "Exclude connections from whitelist IP addresses" is enabled.

    Current setting



  • What version of SecurityGateway are you using?

    What does the inbound log show is happening?  Can you post an inbound SMTP session that shows us what is happening?


  • Hi Arron, the version is 9.03.

    Below are the logs of an example of an email with the flag enabled and then disabled.

    When the flag is disabled (only block authentication attempts...) I see this log:

    Mon 2023-07-31 12:10:05: Accettazione della connessione SMTP da [209.85.210.48 : 52699] sulla porta 25
    Mon 2023-07-31 12:10:05: ** Errore di ricerca del server di posta del dominio.
    Mon 2023-07-31 12:10:05: Ricerca PTR in corso (48.210.85.209.IN-ADDR.ARPA)
    Mon 2023-07-31 12:10:05: * D=48.210.85.209.IN-ADDR.ARPA TTL=(347) PTR=[mail-ot1-f48.google.com]
    Mon 2023-07-31 12:10:05: * Raccolta record A...
    Mon 2023-07-31 12:10:05: * D=mail-ot1-f48.google.com TTL=(60) A=[209.85.210.48]
    Mon 2023-07-31 12:10:05: ========== Elaborazione di IP script.
    Mon 2023-07-31 12:10:05: -- Esecuzione di: PTR DNS lookup --
    Mon 2023-07-31 12:10:05: -- Fine: PTR DNS lookup (0.000000 secondi) --
    Mon 2023-07-31 12:10:05: -- Esecuzione di: Location Screening --
    Mon 2023-07-31 12:10:05: Paese di connessione rilevato:
    Mon 2023-07-31 12:10:05: Codice paese di connessione rilevato: US
    Mon 2023-07-31 12:10:05: ** Errore 530 Access denied due to the location screening policy.
    Mon 2023-07-31 12:10:05: -- Fine: Location Screening (0.003277 secondi) --
    Mon 2023-07-31 12:10:05: ========== Fine IP script.
    Mon 2023-07-31 12:10:05: --> 530 Access denied due to the location screening policy.
    Mon 2023-07-31 12:10:05: Sessione SMTP terminata (byte in/out: 0/57)
    Mon 2023-07-31 12:10:05: ----------

    In the dashboard I see this log:

    Email rejected

    When the flag is enabled I see this log and the email is unblocked:

    Mon 2023-07-31 14:21:48: Accettazione della connessione SMTP da [209.85.218.41 : 56525] sulla porta 25
    Mon 2023-07-31 14:21:48: ** Errore di ricerca del server di posta del dominio.
    Mon 2023-07-31 14:21:48: Ricerca PTR in corso (41.218.85.209.IN-ADDR.ARPA)
    Mon 2023-07-31 14:21:48: * D=41.218.85.209.IN-ADDR.ARPA TTL=(26) PTR=[mail-ej1-f41.google.com]
    Mon 2023-07-31 14:21:48: * Raccolta record A...
    Mon 2023-07-31 14:21:48: * D=mail-ej1-f41.google.com TTL=(46) A=[209.85.218.41]
    Mon 2023-07-31 14:21:48: ========== Elaborazione di IP script.
    Mon 2023-07-31 14:21:48: -- Esecuzione di: PTR DNS lookup --
    Mon 2023-07-31 14:21:48: -- Fine: PTR DNS lookup (0.000000 secondi) --
    Mon 2023-07-31 14:21:48: -- Esecuzione di: Location Screening --
    Mon 2023-07-31 14:21:48: Paese di connessione rilevato:
    Mon 2023-07-31 14:21:48: Codice paese di connessione rilevato: US
    Mon 2023-07-31 14:21:48: ** Agg. intest: X-SGOrigin-Country
    Mon 2023-07-31 14:21:48: -- Fine: Location Screening (0.000000 secondi) --
    Mon 2023-07-31 14:21:48: -- Esecuzione di: Blacklist --
    Mon 2023-07-31 14:21:48: -- Fine: Blacklist (0.000000 secondi) --
    Mon 2023-07-31 14:21:48: ========== Fine IP script.
    Mon 2023-07-31 14:21:48: --> 220 in.A****.it ESMTP SecurityGateway 9.0.3; Mon, 31 Jul 2023 14:21:48 +0200
    Mon 2023-07-31 14:21:48: <-- EHLO mail-ej1-f41.google.com
    Mon 2023-07-31 14:21:48: Ricerca IP ignorata per corrispondenza HELO con ricerca PTR.
    Mon 2023-07-31 14:21:48: ========== Elaborazione di HELO script.
    Mon 2023-07-31 14:21:48: -- Esecuzione di: Blacklist --
    Mon 2023-07-31 14:21:48: -- Fine: Blacklist (0.000000 secondi) --
    Mon 2023-07-31 14:21:48: -- Esecuzione di: HELO DNS lookup --
    Mon 2023-07-31 14:21:48: -- Fine: HELO DNS lookup (0.000000 secondi) --
    Mon 2023-07-31 14:21:48: ========== Fine HELO script.
    Mon 2023-07-31 14:21:48: --> 250-in.A****.it Hello mail-ej1-f41.google.com, pleased to meet you
    Mon 2023-07-31 14:21:48: --> 250-8BITMIME
    Mon 2023-07-31 14:21:48: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
    Mon 2023-07-31 14:21:48: --> 250-STARTTLS
    Mon 2023-07-31 14:21:48: --> 250 SIZE 0
    Mon 2023-07-31 14:21:48: <-- STARTTLS
    Mon 2023-07-31 14:21:48: --> 220 Begin TLS negotiation
    Mon 2023-07-31 14:21:48: Negoziazione SSL riuscita (TLS 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
    Mon 2023-07-31 14:21:48: <-- EHLO mail-ej1-f41.google.com
    Mon 2023-07-31 14:21:48: Ricerca IP ignorata per corrispondenza HELO con ricerca PTR.
    Mon 2023-07-31 14:21:48: ========== Elaborazione di HELO script.

    Email delivered

    How can I unblock good e-mails from bad ones if I only see the IP?

    Thanks @Arron


  • I'm sorry, I think I misunderstood.  I thought you were saying that location screening wasn't working correctly.  Now it sounds to me like you want to delay the location screening processing until later in the SMTP processing.  Is that correct?

    To be as efficient as possible, security features in SecurityGateway occur as early in the SMTP process as possible. This means that if you have Location Screening configured to block connections from a country, the block will occur very early in the SMTP process as all that is needed is the IP. 

    If you want location screening to occur later in the SMTP process you will need to use a customized SIEVE script.  To do this configure location screening exactly how you would like it to be.  Then go to Security / SIEVE Scripts, find and double click the location screening sieve script which should be near the very top of the list.  Copy the entire script text. Then click Close.

    Now we need to create a custom sieve script for location screening for you.

    Click the new button.

    Give the script a name

    For the mail event, select the desired mail event.  I would choose the AUTH or MAIL events. DATA is the last mail event that can be selected.   Remember all SMTP sessions, even those that will be blocked by location screening will be allowed to continue to whatever point you configure.

    Paste the script text from the Location screening rule into the script text for your custom rule.  Then click Save and Close

    The custom script will be added at the bottom of the section you choose.  You can further customize the order of processing using the up and down arrows.  

    Once you have your custom location screening rule in place you'll want to go back to Security / Anti-Abuse / Location Screening and uncheck the box for Enable Location Screening.


  • Hi Arron, thanks for your support.
    When we enabled Location Screening we blocked malicious IPs and even those that are OK. I tried to do as you described but all IPs are blocked. I will try to explain our need better.

    We have a security policy that after several incorrect attempts to authenticate to the domain, the account is locked. The antispam uses the same credentials for each user of the domain. The problem is that if from the outside a 'hacker' tries to send an email with the credentials of a corporate user, after several attempts he is blocked by our domain server. Can I block 'fake' users who do this?
    In the example below, several e-mails are sent from our 'fake' accounts and after several attempts the system blocks them and the user cannot access the company folders.

    Thu 2023-08-03 07:19:55: Accettazione della connessione SMTP da [1.207.250.77 : 38078] sulla porta 25
    Thu 2023-08-03 07:19:55: ** Errore di ricerca del server di posta del dominio.
    Thu 2023-08-03 07:19:55: Ricerca PTR in corso (77.250.207.1.IN-ADDR.ARPA)
    Thu 2023-08-03 07:19:56: * Record PTR non trovati.
    Thu 2023-08-03 07:19:56: ========== Elaborazione di IP script.
    Thu 2023-08-03 07:19:56: -- Esecuzione di: PTR DNS lookup --
    Thu 2023-08-03 07:19:56: -- Fine: PTR DNS lookup (0.000000 secondi) --
    Thu 2023-08-03 07:19:56: -- Esecuzione di: Location Screening --
    Thu 2023-08-03 07:19:56: Paese di connessione rilevato:
    Thu 2023-08-03 07:19:56: Codice paese di connessione rilevato: CN
    Thu 2023-08-03 07:19:56: ** Agg. intest: X-SGOrigin-Country
    Thu 2023-08-03 07:19:56: -- Fine: Location Screening (0.000000 secondi) --
    Thu 2023-08-03 07:19:56: -- Esecuzione di: Blacklist --
    Thu 2023-08-03 07:19:56: -- Fine: Blacklist (0.000000 secondi) --
    Thu 2023-08-03 07:19:56: ========== Fine IP script.
    Thu 2023-08-03 07:19:56: --> 220 in.aesys.it ESMTP SecurityGateway 9.0.3; Thu, 03 Aug 2023 07:19:56 +0200
    Thu 2023-08-03 07:19:59: <-- EHLO [1.207.250.77]
    Thu 2023-08-03 07:19:59: ========== Elaborazione di HELO script.
    Thu 2023-08-03 07:19:59: -- Esecuzione di: Blacklist --
    Thu 2023-08-03 07:19:59: -- Fine: Blacklist (0.000000 secondi) --
    Thu 2023-08-03 07:19:59: -- Esecuzione di: HELO DNS lookup --
    Thu 2023-08-03 07:19:59: -- Fine: HELO DNS lookup (0.000000 secondi) --
    Thu 2023-08-03 07:19:59: ========== Fine HELO script.
    Thu 2023-08-03 07:19:59: --> 250-in.aesys.it Hello 1.207.250.77 (may be forged), pleased to meet you
    Thu 2023-08-03 07:19:59: --> 250-8BITMIME
    Thu 2023-08-03 07:19:59: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
    Thu 2023-08-03 07:19:59: --> 250-STARTTLS
    Thu 2023-08-03 07:19:59: --> 250 SIZE 0
    Thu 2023-08-03 07:20:01: <-- AUTH LOGIN
    Thu 2023-08-03 07:20:01: --> 334 VXNlcm5hbWU6
    Thu 2023-08-03 07:20:05: <-- YWVzeXNuZXdzQGFlc3lzLml0
    Thu 2023-08-03 07:20:05: --> 334 UGFzc3dvcmQ6
    Thu 2023-08-03 07:20:07: <-- ******
    Thu 2023-08-03 07:20:07: Paese di connessione rilevato:
    Thu 2023-08-03 07:20:07: Codice paese di connessione rilevato: CN
    Thu 2023-08-03 07:20:07: Autenticazione: Screening posizione ha bloccato il tentativo di autenticazione da
    Thu 2023-08-03 07:20:07: ** Tentativo di autenticazione di a*****s@a****.*** non riuscito
    Thu 2023-08-03 07:20:07: ========== Elaborazione di AUTH script.
    Thu 2023-08-03 07:20:07: -- Esecuzione di: Secure and authenticated port rules --
    Thu 2023-08-03 07:20:07: -- Fine: Secure and authenticated port rules (0.000000 secondi) --
    Thu 2023-08-03 07:20:07: -- Esecuzione di: Dynamic Screening --
    Thu 2023-08-03 07:20:07: * Attivazione del vaglio dinamico.
    Thu 2023-08-03 07:20:07: -- Fine: Dynamic Screening (0.000000 secondi) --
    Thu 2023-08-03 07:20:07: ========== Fine AUTH script.
    Thu 2023-08-03 07:20:07: --> 535 Authentication failed
    Thu 2023-08-03 07:20:10: Sessione SMTP terminata (byte in/out: 77/285)
    Thu 2023-08-03 07:20:10: ----------


  • Are there any cases where valid local users will be connecting to SecurityGateway from the internet to send mail from their local account into SecurityGateway?  If your users either do not send mail directly to SecurityGateway or are always on the local network when they attempt to send mail, then you "should" be able to enable location screening using the option for "SMTP Port blocks AUTH only".  

    With this enabled, when a connection comes in on the SMTP port from any country or region that has location screening enabled, they will not be presented with the option to authenticate.  If they do attempt to authenticate, even though the option is not presented the authentication will fail regardless of the credentials.  

    This configuration should allow any external domain to send mail to your SG server.  It is only stopping senders from trying to authenticate.

    It appears based on our discussion that you've tried this configuration but it's not doing what you need.  When your SG server is configured like this, what is happening that isn't working the way you need it to?


  • I may have found the problem. In the attachment you see the problem is present (the internal account is blocked) when location screening doesn't work. The problem is present in some emails. Why?

    Wed 2023-08-02 16:18:39: Accettazione della connessione SMTP da [80.72.24.105 : 32868] sulla porta 25
    Wed 2023-08-02 16:18:39: ** Errore di ricerca del server di posta del dominio.
    Wed 2023-08-02 16:18:39: Ricerca PTR in corso (105.24.72.80.IN-ADDR.ARPA)
    Wed 2023-08-02 16:18:40: * Record PTR non trovati.
    Wed 2023-08-02 16:18:40: ========== Elaborazione di IP script.
    Wed 2023-08-02 16:18:40: -- Esecuzione di: PTR DNS lookup --
    Wed 2023-08-02 16:18:40: -- Fine: PTR DNS lookup (0.000000 secondi) --
    Wed 2023-08-02 16:18:40: -- Esecuzione di: Blacklist --
    Wed 2023-08-02 16:18:40: -- Fine: Blacklist (0.000000 secondi) --
    Wed 2023-08-02 16:18:40: ========== Fine IP script.
    Wed 2023-08-02 16:18:40: --> 220 in.a****s.it ESMTP SecurityGateway 9.0.3; Wed, 02 Aug 2023 16:18:40 +0200
    Wed 2023-08-02 16:18:41: <-- EHLO [80.72.24.105]
    Wed 2023-08-02 16:18:41: ========== Elaborazione di HELO script.
    Wed 2023-08-02 16:18:41: -- Esecuzione di: Blacklist --
    Wed 2023-08-02 16:18:41: -- Fine: Blacklist (0.000000 secondi) --
    Wed 2023-08-02 16:18:41: -- Esecuzione di: HELO DNS lookup --
    Wed 2023-08-02 16:18:41: -- Fine: HELO DNS lookup (0.000000 secondi) --
    Wed 2023-08-02 16:18:41: ========== Fine HELO script.
    Wed 2023-08-02 16:18:41: --> 250-in.a***s.it Hello 80.72.24.105 (may be forged), pleased to meet you
    Wed 2023-08-02 16:18:41: --> 250-8BITMIME
    Wed 2023-08-02 16:18:41: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
    Wed 2023-08-02 16:18:41: --> 250-STARTTLS
    Wed 2023-08-02 16:18:41: --> 250 SIZE 0
    Wed 2023-08-02 16:18:41: <-- AUTH LOGIN
    Wed 2023-08-02 16:18:41: --> 334 VXNlcm5hbWU6
    Wed 2023-08-02 16:18:43: <-- cm9zc2Fuby5zY29sYUBhZXN5cy5pdA==
    Wed 2023-08-02 16:18:43: --> 334 UGFzc3dvcmQ6
    Wed 2023-08-02 16:18:47: <-- ******

    Then the log continues with the processing of the AUTH script, failing to authenticate the user and blocking the internal user in the domain. Finally it returns this:

    Thu 2023-08-03 20:26:51: ========== Elaborazione di AUTH script.
    Thu 2023-08-03 20:26:51: -- Esecuzione di: Secure and authenticated port rules --
    Thu 2023-08-03 20:26:51: -- Fine: Secure and authenticated port rules (0.000000 secondi) --
    Thu 2023-08-03 20:26:51: -- Esecuzione di: Dynamic Screening --
    Thu 2023-08-03 20:26:51: * Attivazione del vaglio dinamico.
    Thu 2023-08-03 20:26:51: -- Fine: Dynamic Screening (0.000000 secondi) --
    Thu 2023-08-03 20:26:51: ========== Fine AUTH script.
    Thu 2023-08-03 20:26:51: --> 535 Authentication failed
    Thu 2023-08-03 20:26:52: Sessione SMTP terminata (byte in/out: 87/287)
    Thu 2023-08-03 20:26:52: ----------

    Thanks


  • Was location screening enabled when this inbound session occurred?

    If location screening was enabled, please send me a copy of the SecurityGateway logs for the day along with all the configurations in an XML file.  You can obtain the XML file by going to Setup / Users | System | View Configuration, click the button for Download XML file.  Please send the information in a private email to arron.caruth @ mdaemon.com.

    Do you have users that connect from external IP addresses and need to authenticate?

    If location screening was not enabled, please enable it and check the box for SMTP Auth blocks port only.


  • @Andrea if you encounter messages where Location Screening is not performed when the option is enabled I would like to fix it ASAP.  The session transcript for the message will contain "Executing: Location Screening" if location screening is performed.
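A transcript check along the lines Matthew describes, which also separates the "SMTP Port blocks AUTH only" outcomes Arron explains above (connection rejected at connect, AUTH refused by Location Screening, message accepted). This is an added example, not code from the thread or from SecurityGateway; the sample transcripts are constructed abbreviations of the sessions posted above, the hostname is a placeholder, and the log phrases it matches on (the Italian ones from these logs plus the English "Executing: Location Screening" Matthew quotes) are assumed to be stable across the product's languages.

```python
"""Classify SecurityGateway SMTP session transcripts by how Location Screening
handled them.  Added example for this thread, not SecurityGateway code: it keys
on the Italian log phrases visible in the sessions posted above and on the
English "Executing: Location Screening" wording Matthew quotes."""
import re
from dataclasses import dataclass

# Constructed, abbreviated transcripts modelled on the sessions in this thread.
# DNS and Blacklist lines are omitted for brevity; the hostname is a placeholder.
SAMPLES = {
    # Location Screening set to block mail: Gmail relay rejected at connect.
    "gmail_blocked_at_connect": """\
Mon 2023-07-31 12:10:05: Accettazione della connessione SMTP da [209.85.210.48 : 52699] sulla porta 25
Mon 2023-07-31 12:10:05: -- Esecuzione di: Location Screening --
Mon 2023-07-31 12:10:05: Codice paese di connessione rilevato: US
Mon 2023-07-31 12:10:05: --> 530 Access denied due to the location screening policy.
Mon 2023-07-31 12:10:05: Sessione SMTP terminata (byte in/out: 0/57)
""",
    # "Block AUTH only" mode: Gmail relay tagged with X-SGOrigin-Country and accepted.
    "gmail_accepted_auth_only_mode": """\
Mon 2023-07-31 14:21:48: Accettazione della connessione SMTP da [209.85.218.41 : 56525] sulla porta 25
Mon 2023-07-31 14:21:48: -- Esecuzione di: Location Screening --
Mon 2023-07-31 14:21:48: Codice paese di connessione rilevato: US
Mon 2023-07-31 14:21:48: ** Agg. intest: X-SGOrigin-Country
Mon 2023-07-31 14:21:48: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Mon 2023-07-31 14:21:48: <-- MAIL FROM:<sender@example.invalid>
""",
    # "Block AUTH only" mode: AUTH from a screened country refused by Location Screening.
    "cn_auth_blocked_by_location": """\
Thu 2023-08-03 07:19:55: Accettazione della connessione SMTP da [1.207.250.77 : 38078] sulla porta 25
Thu 2023-08-03 07:19:56: -- Esecuzione di: Location Screening --
Thu 2023-08-03 07:19:56: Codice paese di connessione rilevato: CN
Thu 2023-08-03 07:20:01: <-- AUTH LOGIN
Thu 2023-08-03 07:20:07: Autenticazione: Screening posizione ha bloccato il tentativo di autenticazione da
Thu 2023-08-03 07:20:07: --> 535 Authentication failed
""",
    # The case Matthew asks to be reported: AUTH attempted and 535 returned, but
    # no Location Screening line anywhere in the transcript.
    "auth_failed_no_location_screening": """\
Wed 2023-08-02 16:18:39: Accettazione della connessione SMTP da [80.72.24.105 : 32868] sulla porta 25
Wed 2023-08-02 16:18:40: -- Esecuzione di: Blacklist --
Wed 2023-08-02 16:18:41: <-- AUTH LOGIN
Wed 2023-08-02 16:18:41: --> 535 Authentication failed
""",
}

RE_IP = re.compile(r"connessione SMTP da \[(\d{1,3}(?:\.\d{1,3}){3}) : \d+\]")
RE_LS_RAN = re.compile(r"-- (?:Esecuzione di|Executing): Location Screening --")
RE_COUNTRY = re.compile(r"Codice paese di connessione rilevato: ([A-Z]{2})")
AUTH_BLOCKED_BY_LOCATION = "Screening posizione ha bloccato il tentativo di autenticazione"


@dataclass
class Session:
    ip: str = ""
    country: str = ""
    location_screening_ran: bool = False
    rejected_530: bool = False
    auth_attempted: bool = False
    auth_blocked_by_location: bool = False
    auth_failed_535: bool = False


def parse_session(transcript: str) -> Session:
    """Extract the Location Screening and AUTH facts from one session transcript."""
    s = Session()
    for line in transcript.splitlines():
        if m := RE_IP.search(line):
            s.ip = m.group(1)
        if m := RE_COUNTRY.search(line):
            s.country = m.group(1)
        if RE_LS_RAN.search(line):
            s.location_screening_ran = True
        # In these logs "-->" is the server's reply and "<--" is the client's command.
        if "--> 530 " in line:
            s.rejected_530 = True
        if "<-- AUTH " in line:
            s.auth_attempted = True
        if AUTH_BLOCKED_BY_LOCATION in line:
            s.auth_blocked_by_location = True
        if "--> 535 " in line:
            s.auth_failed_535 = True
    return s


def classify(s: Session) -> str:
    """Name the outcome; the 'without-location-screening' branch is the one to escalate."""
    if s.rejected_530:
        return "rejected-at-connect"
    if s.auth_blocked_by_location:
        return "auth-blocked-by-location"
    if s.auth_attempted and s.auth_failed_535:
        if not s.location_screening_ran:
            return "auth-failed-without-location-screening"
        return "auth-failed"
    return "accepted"


def report(samples: dict) -> dict:
    """Map each transcript name to (ip, country, classification)."""
    return {name: (lambda s: (s.ip, s.country, classify(s)))(parse_session(text))
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, row in report(SAMPLES).items():
        print(f"{name}: {row}")
```

Run over a day's inbound log split into sessions at the "----------" lines, anything classified as "auth-failed-without-location-screening" is a session to forward with the XML configuration Arron asked for; the country field stays empty for those because no Location Screening line was ever written.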


  • Hi Matthew / Arron, in my SecurityGateway the "location screening" is always enabled.

    These days, the problem seems to have subsided and the 'spam' e-mails do not arrive. Could it be that after the tests I did with Arron the system had to 'settle down'? Let's see in the next few days.
    Thank you

