Block MX sender | MDaemon Technologies, Ltd.

  • Hi all.

    Is there a way that I can block the sender through the MX?
    There are many SPAM domains that use the same MX sender.
    Ex: the domains certosegurobr.com.br, hiperplanosbr.com.br and informativoconvenio.com.br use the same MX: webomega.com.br

    Thanks a lot.



  • Can you explain in more detail how you'd like this to work?  Are you just wanting to block messages that use webomega.com.br as the EHLO value?  Or are you wanting SG to do a lookup on the connecting IP to see if it's allowed to send mail as webomega.com.br?

    There is a host block list that can be used to block messages from specific hosts.  Have you added webomega.com.br to it?

    https://help.mdaemon.com/SecurityGateway/en/blacklists_hosts.html

    You could also lookup the SPF record for webomega.com.br and add all the IPs that are allowed to send mail as webomega.com.br.  You can use a tool such as https://www.spf-record.com/ to get a list of IP addresses.



  • Hello @Arron 

    We are receiving several emails sent from different domains, such as the ones I mentioned previously, but there are more than 40 domains that I have investigated so far, and it is very difficult to block them one by one.

    If I use the mxtoolbox.com tool and consult the SPF Record Lookup, I see that mx webomega.com.br is configured in all of them. That's why I would like to know if there is a way/rule to block receipt by the sender's MX.

    I don't know if my explanation was any clearer.

    Thanks


  • Technically, you could write a PowerShell script to do an SPF record lookup on the sending domain and route a message to the quarantine if webomega.com.br is listed.  But I'm not sure that is a good idea; it could quarantine a lot of messages that you don't expect it to.

    Can you provide a copy of inbound SMTP session transcripts for the messages causing issues along with the actual messages, including all the headers for the messages?
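The following is an added example of the kind of SPF-delegation check described in the reply above; it is not SecurityGateway's or MDaemon's code, and it is written in Python rather than PowerShell so it can be run anywhere. DNS answers come from a constructed in-memory TXT table so the script runs offline: the webomega.com.br entry is an abbreviated copy of the policy shown later in this thread, and every other record (the other domains, myserverweb.com.br, example.net) is an assumption. In production the `lookup_txt()` stand-in would be replaced by a real resolver query.

```python
"""Check whether a sender domain's SPF policy delegates to a given host.

Added example, not SecurityGateway's or MDaemon's code. DNS answers come from
a constructed in-memory TXT table so this runs offline; in a real deployment
replace lookup_txt() with a resolver query.
"""
import re

# Constructed TXT table. webomega.com.br's entry is an abbreviated copy of the
# policy shown in the SecurityGateway log; every other record is assumed.
FAKE_TXT = {
    "webomega.com.br": [
        "v=spf1 ip4:134.119.180.103 +a +mx +ip4:134.119.222.128/26 "
        "+include:myserverweb.com.br -all"
    ],
    "conveniomordomo.com.br": ["v=spf1 include:webomega.com.br -all"],
    "certosegurobr.com.br": ["v=spf1 mx:webomega.com.br ~all"],
    "hiperplanosbr.com.br": ["v=spf1 include:conveniomordomo.com.br -all"],
    "myserverweb.com.br": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "example.net": ["some unrelated txt", "v=spf1 ip4:198.51.100.0/24 -all"],
}

# SPF mechanisms that name another domain (bare a/mx refer to the domain itself).
# ip4/ip6/all never match this pattern and are skipped.
MECH_RE = re.compile(r"^[+\-~?]?(include|a|mx|exists|redirect)(?:[:=](.*))?$", re.I)
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def lookup_txt(domain):
    """Stand-in for a DNS TXT query against the constructed table."""
    return FAKE_TXT.get(domain.lower(), [])


def spf_record(domain):
    """Return the v=spf1 TXT record for domain, or None if it has none."""
    for txt in lookup_txt(domain):
        if txt.lower().startswith("v=spf1 ") or txt.lower() == "v=spf1":
            return txt
    return None


def spf_references(domain, target, _depth=0, _seen=None):
    """Return the mechanism chain linking domain's SPF policy to target, or None.

    Follows include:/redirect= recursively with a lookup cap and a loop guard.
    """
    seen = _seen if _seen is not None else set()
    domain, target = domain.lower(), target.lower()
    if _depth >= MAX_DNS_LOOKUPS or domain in seen:
        return None
    seen.add(domain)
    record = spf_record(domain)
    if record is None:
        return None
    for term in record.split()[1:]:
        m = MECH_RE.match(term)
        if not m:
            continue  # ip4/ip6/all carry no domain to compare
        mech = m.group(1).lower()
        arg = (m.group(2) or "").lower().split("/")[0]  # drop any CIDR suffix
        if mech in ("a", "mx") and not arg:
            arg = domain  # bare a/mx mean the domain being evaluated
        if arg == target:
            return f"{domain}: {term}"
        if mech in ("include", "redirect") and arg:
            chain = spf_references(arg, target, _depth + 1, seen)
            if chain:
                return f"{domain}: {term} -> {chain}"
    return None


def disposition(mail_from_domain, watched_host):
    """Quarantine when the sender's SPF policy delegates to the watched host."""
    chain = spf_references(mail_from_domain, watched_host)
    return ("quarantine", chain) if chain else ("accept", None)


if __name__ == "__main__":
    for d in ("conveniomordomo.com.br", "hiperplanosbr.com.br", "example.net"):
        print(d, disposition(d, "webomega.com.br"))
```

The returned chain string is what you would want in the quarantine reason, since an `include:` can be several hops deep. The caveat in the reply above applies unchanged: any legitimate customer of the same hosting provider will also delegate to that host in its SPF record, so this check is a signal to score or quarantine on, not a safe reject rule on its own.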


  • Hi Arron.

    This is an example from a log on SG.
    You can see that the sender domain is @conveniomordomo.com.br, but the "MAIL FROM" and MX domain is @webomega.com.br.

    If you need more details or logs, I can send.

    Sat 2024-01-06 22:35:02: Accepting SMTP connection from [134.119.222.182 : 36530] on port 25
    Sat 2024-01-06 22:35:02: Sender is not a local domain mail server
    Sat 2024-01-06 22:35:02: Performing PTR lookup (182.222.119.134.IN-ADDR.ARPA)
    Sat 2024-01-06 22:35:02: * D=182.222.119.134.IN-ADDR.ARPA TTL=(319) PTR=[celleail1.conveniomordomo.com.br]
    Sat 2024-01-06 22:35:02: * Gathering A records...
    Sat 2024-01-06 22:35:02: * D=celleail1.conveniomordomo.com.br TTL=(60) A=[134.119.222.182]
    Sat 2024-01-06 22:35:02: ========== Processing IP scripts
    Sat 2024-01-06 22:35:02: -- Executing: Blocklist --
    Sat 2024-01-06 22:35:02: -- End: Blocklist (0.000007 seconds) --
    Sat 2024-01-06 22:35:02: -- Executing: Location Screening --
    Sat 2024-01-06 22:35:02: Country of connection detected as:
    Sat 2024-01-06 22:35:02: Country code of connection detected as:
    Sat 2024-01-06 22:35:02: -- End: Location Screening (0.000342 seconds) --
    Sat 2024-01-06 22:35:02: -- Executing: PTR DNS lookup --
    Sat 2024-01-06 22:35:02: -- End: PTR DNS lookup (0.000002 seconds) --
    Sat 2024-01-06 22:35:02: ========== End IP scripts
    Sat 2024-01-06 22:35:02: --> 220 ramarim.com.br ESMTP SecurityGateway 9.5.2; Sat, 06 Jan 2024 22:35:02 -0300
    Sat 2024-01-06 22:35:02: <-- EHLO celleail2.conveniomordomo.com.br
    Sat 2024-01-06 22:35:02: Performing IP lookup (celleail2.conveniomordomo.com.br)
    Sat 2024-01-06 22:35:02: * D=celleail2.conveniomordomo.com.br TTL=(21) A=[134.119.222.183]
    Sat 2024-01-06 22:35:02: ========== Processing HELO scripts
    Sat 2024-01-06 22:35:02: -- Executing: Blocklist --
    Sat 2024-01-06 22:35:02: -- End: Blocklist (0.000007 seconds) --
    Sat 2024-01-06 22:35:02: -- Executing: HELO DNS lookup --
    Sat 2024-01-06 22:35:02: -- End: HELO DNS lookup (0.000004 seconds) --
    Sat 2024-01-06 22:35:02: ========== End HELO scripts
    Sat 2024-01-06 22:35:02: --> 250-ramarim.com.br Hello celleail1.conveniomordomo.com.br (may be forged), pleased to meet you
    Sat 2024-01-06 22:35:02: --> 250-8BITMIME
    Sat 2024-01-06 22:35:02: --> 250-AUTH LOGIN PLAIN
    Sat 2024-01-06 22:35:02: --> 250 SIZE 0
    Sat 2024-01-06 22:35:02: <-- MAIL FROM:<mudeoplanoagora@webomega.com.br> BODY=8BITMIME
    Sat 2024-01-06 22:35:02: User <mudeoplanoagora@webomega.com.br> is not local
    Sat 2024-01-06 22:35:02: ========== Processing AUTH scripts
    Sat 2024-01-06 22:35:02: -- Executing: Secure and authenticated port rules --
    Sat 2024-01-06 22:35:02: -- End: Secure and authenticated port rules (0.000006 seconds) --
    Sat 2024-01-06 22:35:02: -- Executing: Dynamic Screening --
    Sat 2024-01-06 22:35:02: * Enabling Dynamic Screening
    Sat 2024-01-06 22:35:02: -- End: Dynamic Screening (0.000010 seconds) --
    Sat 2024-01-06 22:35:02: ========== End AUTH scripts
    Sat 2024-01-06 22:35:02: ========== Processing MAIL scripts
    Sat 2024-01-06 22:35:02: -- Executing: Invalid Sender --
    Sat 2024-01-06 22:35:02: -- End: Invalid Sender (0.000003 seconds) --
    Sat 2024-01-06 22:35:02: -- Executing: MAIL DNS Lookup --
    Sat 2024-01-06 22:35:02: Performing MAIL lookup (webomega.com.br)
    Sat 2024-01-06 22:35:02: * D=webomega.com.br TTL=(11) A=[134.119.180.103]
    Sat 2024-01-06 22:35:02: * P=000 D=webomega.com.br TTL=(4) MX=[webomega.com.br]
    Sat 2024-01-06 22:35:02: * D=webomega.com.br TTL=(4) A=[134.119.180.103]
    Sat 2024-01-06 22:35:02: -- End: MAIL DNS Lookup (0.000192 seconds) --
    Sat 2024-01-06 22:35:02: -- Executing: SMTP Authentication Required --
    Sat 2024-01-06 22:35:02: -- End: SMTP Authentication Required (0.000004 seconds) --
    Sat 2024-01-06 22:35:02: ========== End MAIL scripts
    Sat 2024-01-06 22:35:02: --> 250 <mudeoplanoagora@webomega.com.br>, Sender ok
    Sat 2024-01-06 22:35:03: <-- RCPT TO:<>
    Sat 2024-01-06 22:35:03: Found user: <>
    Sat 2024-01-06 22:35:03: ========== Processing RCPT scripts for recipient: joelma@ramarim.com.br
    Sat 2024-01-06 22:35:03: -- Executing: Blocklist --
    Sat 2024-01-06 22:35:03: -- End: Blocklist (0.000770 seconds) --
    Sat 2024-01-06 22:35:03: -- Executing: Tarpitting --
    Sat 2024-01-06 22:35:03: * Enabling Tarpitting
    Sat 2024-01-06 22:35:03: -- End: Tarpitting (0.000263 seconds) --
    Sat 2024-01-06 22:35:03: -- Executing: Relaying Denied --
    Sat 2024-01-06 22:35:03: -- End: Relaying Denied (0.000004 seconds) --
    Sat 2024-01-06 22:35:03: -- Executing: Invalid Recipient --
    Sat 2024-01-06 22:35:03: -- End: Invalid Recipient (0.000002 seconds) --
    Sat 2024-01-06 22:35:03: -- Executing: Validate Local Sender --
    Sat 2024-01-06 22:35:03: -- End: Validate Local Sender (0.000001 seconds) --
    Sat 2024-01-06 22:35:03: -- Executing: DNS Blocklists (Client IP) --
    Sat 2024-01-06 22:35:03: * Spamhaus SBL - Passed - IP address not found
    Sat 2024-01-06 22:35:03: * Spamhaus CSS - Passed - IP address not found
    Sat 2024-01-06 22:35:03: * Spamhaus DROP - Passed - IP address not found
    Sat 2024-01-06 22:35:03: * Spamhaus XBL - Passed - IP address not found
    Sat 2024-01-06 22:35:03: * Spamhaus PBL - Passed - IP address not found
    Sat 2024-01-06 22:35:03: * SpamCop - Passed - IP address not found
    Sat 2024-01-06 22:35:03: -- End: DNS Blocklists (Client IP) (0.176049 seconds) --
    Sat 2024-01-06 22:35:03: -- Executing: SPF --
    Sat 2024-01-06 22:35:03: Performing SPF lookup (webomega.com.br / 134.119.222.182)
    Sat 2024-01-06 22:35:03: * Policy: v=spf1 ip4:134.119.180.103 +a +mx +ip4:87.119.223.192/26 +ip4:151.106.58.64/26 +ip4:134.119.222.128/26 +ip4:185.136.164.192/26 +ip4:77.47.142.162/26 +ip4:92.204.175.0/26 +ip4:134.119.215.64/26 +ip4:151.106.24.64/26 +include:myserverweb.com.br -all
    Sat 2024-01-06 22:35:03: * Evaluating ip4:134.119.180.103: no match
    Sat 2024-01-06 22:35:03: * D=webomega.com.br TTL=(11) A=[134.119.180.103]
    Sat 2024-01-06 22:35:03: * Evaluating +a: no match
    Sat 2024-01-06 22:35:03: * P=000 D=webomega.com.br TTL=(4) MX=[webomega.com.br]
    Sat 2024-01-06 22:35:03: * D=webomega.com.br TTL=(11) A=[134.119.180.103]
    Sat 2024-01-06 22:35:03: * Evaluating +mx: no match
    Sat 2024-01-06 22:35:03: * Evaluating +ip4:87.119.223.192/26: no match
    Sat 2024-01-06 22:35:03: * Evaluating +ip4:151.106.58.64/26: no match
    Sat 2024-01-06 22:35:03: * Evaluating +ip4:134.119.222.128/26: match
    Sat 2024-01-06 22:35:03: * Result: pass
    Sat 2024-01-06 22:35:03: -- End: SPF (0.000637 seconds) --
    Sat 2024-01-06 22:35:03: ========== End RCPT scripts
    Sat 2024-01-06 22:35:03: -- Executing: Blocklist --
    Sat 2024-01-06 22:35:03: -- End: Blocklist (0.000479 seconds) --
    Sat 2024-01-06 22:35:03: -- Executing: Anti-Virus --
    Sat 2024-01-06 22:35:03: Passing message through anti-virus (Size: 12146)...
    Sat 2024-01-06 22:35:03: * Scanning message using: ClamAV for SecurityGateway
    Sat 2024-01-06 22:35:03: * Message is clean (no viruses found)
    Sat 2024-01-06 22:35:03: * Scanning message using: Ikarus Anti-Virus for SecurityGateway
    Sat 2024-01-06 22:35:03: * Message is clean (no viruses found)
    Sat 2024-01-06 22:35:03: -- End: Anti-Virus (0.065187 seconds) --
    Sat 2024-01-06 22:35:03: -- Executing: Outbreak Protection (Anti-Virus) --
    Sat 2024-01-06 22:35:03: Passing message through Outbreak Protection (Size: 12146)...
    Sat 2024-01-06 22:35:04: * Reference-ID: str=0001.0A742F17.659A0112.0011,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
    Sat 2024-01-06 22:35:04: * Spam threat level: Spam (bulk)
    Sat 2024-01-06 22:35:04: * Virus threat level: Clean
    Sat 2024-01-06 22:35:04: -- End: Outbreak Protection (Anti-Virus) (0.326500 seconds) --
    Sat 2024-01-06 22:35:04: -- Executing: Outbreak Protection (Spam) --
    Sat 2024-01-06 22:35:04: ** Adding 3.00 to message score
    Sat 2024-01-06 22:35:04: -- End: Outbreak Protection (Spam) (0.000507 seconds) --
    Sat 2024-01-06 22:35:04: -- Executing: DKIM --
    Sat 2024-01-06 22:35:04: Performing DKIM lookup
    Sat 2024-01-06 22:35:05: * Signature (1): v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; d=conveniomordomo.com.br; ect:From:To:MIME-Version:Content-Type; B11AFDhQTRaL/7GciJsP/YTo=; nZulOc2xtoELAkoi6moXlo0/m5A9rbDBp/G2buLfxd4WB6bvveetVwFs xoT/tUgHEpqviIC90eika7tiFiiHdHvx9P9RgTK9VwYpaSYQzyG8aUeYVU2Tlq88TAmu99mX6he0 5aHYm/5jdwSB7y0WE+IMowi+yqgyRduIOAt0BA0OZlmJizus4rPAZrDkd2WXnwBm23jsRuy71el/ qrnOMQXvu8ScFp3a5tHLxAYk4ZRcWkcDk8COc/s2s3oFgGtv8Hdts9KqvkkjqI0yfho4vpvO061S DyBlmvdIr2TPfoSOtPwKvTMRxqWBFuBKsurD/Q==; <some tags are not logged>
    Sat 2024-01-06 22:35:05: * Verification result: [0] good signature
    Sat 2024-01-06 22:35:05: * Signature (2): v=1; a=rsa-sha256; b11AFDhQTRaL/7GciJsP/YTo=; d=conveniomordomo.com.br; h=Message-ID: Date: Subject: From: Reply-To: To: MIME-Version: Content-Type: List-Unsubscribe-Post: List-Unsubscribe: List-Id: Feedback-ID; i=@conveniomordomo.com.br; s=mailer; c=relaxed/relaxed; t=1704591632; kdPjmrBaXaaOQTY4bh+7wXtq51Q71lkF2gmi2HVu/KcSJyVuQFrVw iqv1ehfHw00Ly7yS8ZYIE07WoSHObbaFcIUbEJzFdE/Z/NThxanuEuUjBWvjHjuC2bqJpM3nq Ji6UqQAIENP7ckKWPOuINHAcnjrO1D6Wd2HyFcVV9AXgWPofiTQOKfKDnM5f6UW1p+mVUpcq+ YG1wbacfwhOohT6tpOiEU7xAvTW+3qHcLLYCVepiiOHv60FB1snn69rVpMW8UkQdboI/OrZZH qQM5+f/hiyyyvTedO8VNUHTykISK4yLp6XJ3LOy80FWMPvNP3Q==; <some tags are not logged>
    Sat 2024-01-06 22:35:05: * Verification result: [-3] DKIM_SIGNATURE_BAD
    Sat 2024-01-06 22:35:05: * Result: pass
    Sat 2024-01-06 22:35:05: -- End: DKIM (1.083785 seconds) --
    Sat 2024-01-06 22:35:05: -- Executing: DMARC --
    Sat 2024-01-06 22:35:05: Performing DMARC processing
    Sat 2024-01-06 22:35:05: * MessageID: <33e99252c4d17e96914da8ef5faebdd454e38e9f@webomega.com.br>
    Sat 2024-01-06 22:35:05: * Author domain: conveniomordomo.com.br
    Sat 2024-01-06 22:35:05: * Organizational domain: conveniomordomo.com.br
    Sat 2024-01-06 22:35:05: Performing DMARC lookup
    Sat 2024-01-06 22:35:05: * Query domain: _dmarc.conveniomordomo.com.br
    Sat 2024-01-06 22:35:05: * Policy record: v=DMARC1; p=none; pct=100; aspf=r; adkim=s
    Sat 2024-01-06 22:35:05: * Checking authentication mechanisms for DMARC alignment
    Sat 2024-01-06 22:35:05: * SPF: domain "webomega.com.br" passed SPF check; but domain is not DMARC aligned
    Sat 2024-01-06 22:35:05: * DKIM: domain "conveniomordomo.com.br" (from d= of signature #1) verified; and domain is DMARC aligned
    Sat 2024-01-06 22:35:05: -- End: DMARC (0.138382 seconds) --
    Sat 2024-01-06 22:35:05: -- Executing: URI Blocklists (URIBL) --
    Sat 2024-01-06 22:35:05: -- End: URI Blocklists (URIBL) (0.624647 seconds) --
    Sat 2024-01-06 22:35:05: -- Executing: SpamAssassin --
    Sat 2024-01-06 22:35:05: Passing message through SpamAssassin...
    Sat 2024-01-06 22:35:06: * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
    Sat 2024-01-06 22:35:06: * background
    Sat 2024-01-06 22:35:06: * 0.0 HTML_IMAGE_RATIO_06 BODY: HTML has a low ratio of text to image area
    Sat 2024-01-06 22:35:06: * 0.0 HTML_MESSAGE BODY: HTML included in message
    Sat 2024-01-06 22:35:06: * -0.0 T_SCC_BODY_TEXT_LINE No description available.
    Sat 2024-01-06 22:35:06: -- End: SpamAssassin (0.133827 seconds) --
    Sat 2024-01-06 22:35:06: -- Executing: Attachment Filtering --
    Sat 2024-01-06 22:35:06: -- End: Attachment Filtering (0.000031 seconds) --
    Sat 2024-01-06 22:35:06: -- Executing: Assunto TITULO EM ABERTO --
    Sat 2024-01-06 22:35:06: -- End: Assunto TITULO EM ABERTO (0.000010 seconds) --
    Sat 2024-01-06 22:35:06: -- Executing: Assunto Bradesco, Unimed --
    Sat 2024-01-06 22:35:06: -- End: Assunto Bradesco, Unimed (0.000026 seconds) --
    Sat 2024-01-06 22:35:06: -- Executing: Message Score --
    Sat 2024-01-06 22:35:06: -- End: Message Score (0.000008 seconds) --
    Sat 2024-01-06 22:35:06: * Final Score: 3.00
    Sat 2024-01-06 22:35:06: ========== End DATA scripts

    Thanks


  • You should be able to block these messages with the current options.  Just add *@webomega.com.br to the address block list in SecurityGateway.  You can do this by going to Security / Block lists / Addresses / New.

    You could also create a content filter rule under Security / Filtering /New, add a rule something like the following:

    If the SENDER ADDRESS contains '@webomega.com.br'
    ...then reject the message.


  • Perfect Arron.

    I did the rules and I'm monitoring the queues.

    Thanks a lot.

