Hello All,

This is the best I can grab header wise. Names/IPs have changed here to protect privacy.

Know the following: The sender's real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the mail to the gateway, and the gateway blocked it as shown. Yes, legit going to PayPal.
Based on your response, will assist in making the best choice. Thanks everyone!

Dec 19 19:39:42 mgw postfix/smtpd[1070732]: connect from Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: Anonymous TLS connection established from Sender.MailServer.com[1.2.3.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: client= Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: message-id=< mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com >
Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01: from=<sen...@customer.com>, size=673334, nrcpt=1 (queue active)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail message-id=< mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com >#012
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: notify <sen...@customer.com> (rule: Block outgoing Spam, 342C580C8D)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: block mail to <recipi...@paypal.com> (rule: Block outgoing Spam)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: processing time: 5.04 seconds (4.186, 0.664, 0)
Dec 19 19:39:47 mgw postfix/lmtp[1070520]: 1270980A01: to=< recipi...@paypal.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=5.2, delays=0.06/0/0.05/5.1, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (A760963A1044E2E16D))
Dec 19 19:39:47 mgw postfix/qmgr[5368]: 1270980A01: removed

________________________________

On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 21.12.22 15:48, Joey J wrote:
> >Thank you for pointing me in the better direction.
> >Since not many people are typing these types of email, I could do the one
> >off rule and it would be manageable.
> >But in better seeing the welcomelist_from_spf option, I think this will be
> >my first try.
>
> welcomelist_auth does the same as welcomelist_from_spf and
> welcomelist_from_dkim both.
>
> Note that SPF is related to envelope from address and if it's different from
> header From:, it won't help you much.
>
> You haven't provided example of mail (headers) we are talking about.
> Without it, we can only guess what your problem really is and what the
> solution should be.
>
>
> >On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel <g...@lexort.com> wrote:
> >> The other thing that should be done for j...@company.com is that
> >> company.com should sign their mail with DKIM, and then you can
> >>
> >> welcomelist_from_dkim *@company.com
> >>
> >> I find that many companies I deal with that produce semi-spammy mail
> >> (most big companies :-) have DKIM signatures and I can welcomelist on
> >> that, without welcomelisting forgeries.
> >>
> >> You can of course use _rcvd for the IP address. DKIM is just nicer if
> >> you can get them to do it.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> 2B|!2B, that's a question!

--
Thanks!
Joey
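
Added example, not part of the original thread: a small Python parser for the `hits=` field of the pmg-smtp-filter line above, showing which rules carried the score and which of the welcomelist options discussed in the replies the logged SPF/DKIM results could satisfy. The function names are hypothetical, and reading welcomelist eligibility from the SPF_PASS/DKIM_VALID/DKIM_INVALID rule names is an assumption made for triage, not how SpamAssassin itself evaluates those entries.

```python
import re

# Constructed sample: the SA line from the message above, hits= field copied verbatim.
SAMPLE = ("Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: "
          "SA score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no "
          "hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),"
          "DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),"
          "HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),"
          "SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)")

# One "RULE_NAME(score)" entry inside the comma-separated hits= list.
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\((-?\d+(?:\.\d+)?)\)")


def parse_hits(line):
    """Return {rule: score} from the hits= field of a pmg-smtp-filter SA line."""
    m = re.search(r"\bhits=(\S+)", line)
    if not m:
        return {}
    return {name: float(score) for name, score in HIT_RE.findall(m.group(1))}


def top_contributors(hits, n=2):
    """The n rules that added the most to the score."""
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)[:n]


def auth_summary(hits):
    """Heuristic: which welcomelist entries could match, judged from logged rule names."""
    # welcomelist_from_spf needs an SPF pass for the envelope sender.
    spf = "SPF_PASS" in hits
    # welcomelist_from_dkim needs a valid signature; DKIM_INVALID means none verified.
    dkim = "DKIM_VALID" in hits and "DKIM_INVALID" not in hits
    # welcomelist_auth accepts either mechanism.
    return {"welcomelist_from_spf": spf,
            "welcomelist_from_dkim": dkim,
            "welcomelist_auth": spf or dkim}


if __name__ == "__main__":
    hits = parse_hits(SAMPLE)
    print("sum of hits: %.3f" % sum(hits.values()))
    for name, score in top_contributors(hits):
        print("%-22s %6.3f" % (name, score))
    print(auth_summary(hits))
```

On the logged message the ClamAV heuristic and BIGNUM_EMAILS_MANY account for nearly all of the positive score, and only the SPF route is open because the DKIM signature did not verify.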