New firewall, now massive increase in spam. (Received From IP has changed)

General eFa discussion
tpospeshil
Posts: 8
Joined: 05 Mar 2016 00:05

New firewall, now massive increase in spam. (Received From IP has changed)

Post by tpospeshil »

I installed a new SonicWall firewall and didn't think I needed to make any changes to EFA except changing the Default Gateway. My default gateway is 10.5.4.244 (internal)

Now I'm seeing a massive increase in spam, with a lot of "obvious" porn-like or erectile dysfunction spam getting through.

If I go to the EFA web interface and look at recent messages, I see that all messages received since the change-over list my DG (10.5.4.244) in the Received From field. Before the change-over, this field contained the public IP of the sending server. I think this is causing all messages to receive a -1.00 ALL_TRUSTED score.

Any help would be appreciated.
largo
Posts: 22
Joined: 15 Nov 2016 08:49

Re: New firewall, now massive increase in spam. (Received From IP has changed)

Post by largo »

Hi
In the new firewall, turn off NAT in the rule that forwards the mail to EFA.
/Largo
tpospeshil
Posts: 8
Joined: 05 Mar 2016 00:05

Re: New firewall, now massive increase in spam. (Received From IP has changed)

Post by tpospeshil »

Thanks for the reply.

If I turn off the NAT, how will outside email servers find my EFA? My MX records have EFA prioritized over my Exchange server. If I turn off NAT, won't email just go straight to Exchange, bypassing EFA?
largo
Posts: 22
Joined: 15 Nov 2016 08:49

Re: New firewall, now massive increase in spam. (Received From IP has changed)

Post by largo »

NAT just translates your IP from external to internal IP. You should not take away the rule, just don't use NAT.
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: New firewall, now massive increase in spam. (Received From IP has changed)

Post by henk »

As you mention you installed a new SonicWall firewall, meaning replacing?

Trusting the wrong network: ALL_TRUSTED score
Just read this to get some ideas:

/etc/MailScanner/spamassassin.conf

# Steve@fsl.com edit Sun Jan 16 12:17:16 CST 2005
# disable the ALL_TRUSTED ruleset that comes with SA 3.x.
# It's generating too many false positives

# If you have problems where ALL_TRUSTED is matching external email,
# including spam, then SpamAssassin has become confused about which hosts are
# a part of your trusted_networks. The most common cause of this is having a
# gateway mail exchanger that has a reserved IP and gets NATed by your
# firewall. Fortunately the problem is easy to fix by manually declaring a
# trusted_networks setting. See man Mail::SpamAssassin::Conf for details.
# Once manually set, SA won't try to guess.
#
# If that does not fix your problem, the other possibility is you have an MTA
# that generates malformed Received: headers. If you've modified your
# Received: header format, please put it back to the standard format.
# SpamAssassin is quite tolerant of deviations from the RFC 2822 format, but
# there are some combinations it can't handle. If the malformed headers are
# being made by some form of network appliance that you can't fix, report a
# bug to your vendor, and as a short-term fix set the score of ALL_TRUSTED to
# 0. However, realize that other problems may occur as a result of the
# mis-parsed headers and the root cause does need fixing.
#
#score ALL_TRUSTED 0
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
tpospeshil
Posts: 8
Joined: 05 Mar 2016 00:05

Re: New firewall, now massive increase in spam. (Received From IP has changed)

Post by tpospeshil »

Thanks for the help, largo and henk, you were both right. For anyone else wondering about the fix...

My old firewall's inside interface was outside my network scope, and was routed by some rules on the switches. I wanted to simplify things with the new firewall, which caused emails coming in from that interface to be from a 'trusted network'. In my /etc/mail/spamassassin/local.cf file I changed the trusted_networks line from
trusted_networks 10.5.4.0/23
to
trusted_networks !10.5.4.244 10.5.4.0/23

The ! excludes the 244 address.

I'll monitor over the next few days, but already my dashboard shows increased spam caught.

Thanks again
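To make the mechanism behind both henk's comment block and this fix concrete, here is an added example that is not code from this thread, from eFa or from SpamAssassin: a small Python simulation of how ALL_TRUSTED is decided from the Received: chain and the trusted_networks setting. It walks the hops newest-first and fires the rule only when every relay's connecting IP lies inside trusted_networks. The Received: headers, host names and the 203.0.113.77 source address are constructed; 10.5.4.244 and the two trusted_networks values are the ones from this thread. The example assumes that a "!" exclusion wins over a covering network regardless of order; check man Mail::SpamAssassin::Conf for the exact precedence rule, and note that it ignores SpamAssassin's special handling of private addresses behind an already trusted relay.

```python
"""Simplified model of SpamAssassin's ALL_TRUSTED decision.

Added example, not SpamAssassin code. It shows why a NAT rule that
rewrites the source address to the firewall's inside IP (10.5.4.244)
makes every inbound message look like it came from a trusted host.
"""
import ipaddress
import re
from typing import List, Tuple

# (exclude, network): an entry is an exclusion when it was written with "!"
Net = Tuple[bool, ipaddress.IPv4Network]


def parse_trusted_networks(value: str) -> List[Net]:
    """Parse the value of a local.cf 'trusted_networks' line."""
    nets: List[Net] = []
    for tok in value.split():
        exclude = tok.startswith("!")
        nets.append((exclude, ipaddress.ip_network(tok.lstrip("!"), strict=False)))
    return nets


def is_trusted(ip: str, nets: List[Net]) -> bool:
    """Trusted if a non-excluded network covers the address and no
    "!" exclusion does. Assumption of this example: exclusions take
    precedence regardless of their position in the list."""
    addr = ipaddress.ip_address(ip)
    if any(exclude and addr in net for exclude, net in nets):
        return False
    return any(not exclude and addr in net for exclude, net in nets)


# The bracketed IPv4 literal in a Postfix-style "from host (name [ip])" clause.
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received: str) -> str:
    """Return the address of the relay that handed the message on,
    i.e. the 'from' IP SpamAssassin reads out of a Received: header."""
    m = _IP_IN_BRACKETS.search(received)
    if not m:
        raise ValueError("no IPv4 literal in header: " + received)
    return m.group(1)


def all_trusted(received_headers: List[str], nets: List[Net]) -> bool:
    """ALL_TRUSTED fires when the untrusted path is empty: every hop,
    newest first, was received from an address inside trusted_networks."""
    return bool(received_headers) and all(
        is_trusted(connecting_ip(h), nets) for h in received_headers
    )


# Constructed sample: what EFA records once the SonicWall NAT rule rewrites
# the sender to the firewall's inside address. The real source is gone.
NATTED_HOP = (
    "Received: from mail.spammer.example (unknown [10.5.4.244])\n"
    "\tby efa.example.internal (Postfix) with ESMTP id 4B2C1\n"
    "\tfor <user@example.internal>; Mon, 21 Nov 2016 09:12:03 +0100"
)
# Constructed sample: the same delivery with NAT off, source address kept.
DIRECT_HOP = (
    "Received: from mail.spammer.example (mail.spammer.example [203.0.113.77])\n"
    "\tby efa.example.internal (Postfix) with ESMTP id 4B2C2\n"
    "\tfor <user@example.internal>; Mon, 21 Nov 2016 09:12:03 +0100"
)

BEFORE_FIX = parse_trusted_networks("10.5.4.0/23")
AFTER_FIX = parse_trusted_networks("!10.5.4.244 10.5.4.0/23")


def demo() -> dict:
    """Evaluate the three situations discussed in the thread."""
    return {
        # NAT on, old config: the hop is trusted, ALL_TRUSTED fires (-1.00)
        "nat_before_fix": all_trusted([NATTED_HOP], BEFORE_FIX),
        # NAT on, 244 excluded: the hop is untrusted, rule no longer fires
        "nat_after_fix": all_trusted([NATTED_HOP], AFTER_FIX),
        # NAT off: the public source address is visible and untrusted
        "no_nat": all_trusted([DIRECT_HOP], BEFORE_FIX),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:15s} ALL_TRUSTED={'yes' if fired else 'no'}")
```

The exclusion restores the scoring, but only largo's route of turning NAT off in the forwarding rule gives EFA the sender's real address, which the DNS blocklist, SPF and reverse-DNS checks also depend on; with NAT still in place those tests all see 10.5.4.244 and stay blind.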