Email spoofed address filtering

I have followed an article on Axigen’s forum to filter forged headers (https://www.axigen.com/kb/show/245).
I enabled it and all seemed OK until an auto reply/out of office was sent; then it followed the rule and prepended the subject with “This might be SPAM”.

I understand why this might happen; I’m guessing it’s because it is sent by the system and not an authenticated user?
I have been using Axigen for about 5 years and this spoofing just became an issue.

The local domain accounts get the out of office prepended with the SPAM message. From outside accounts I tested, the auto reply message goes straight to the spam folder but does NOT have the subject prepend message. The reply doesn’t go to the inbox, so they don’t see the out of office message. Is there a rule or setting I missed along the way? I have triple checked the KB article. I have had to disable the rule till I find a solution, and of course we had some spam with return addresses not matching the “From header”.

Hi,

It would be great to see the source of both OO messages:
the one that was rejected / marked as spam and the one that was allowed through.
Especially interesting would be those OO messages that got sent to the external account.

After disabling the rules, did the OO message go through to the external recipient, w/o being marked as spam? :thinking:

Cheers
Jeroen

This email server has three domains, all for the same company, just different departments. I believe the auto-replies are being sent from the Primary domain postmaster account or something like that, not from the actual email account.

I could not find anything in the log for the internal response; I could test it again when traffic is light in the AM.

This original-source message from the gmail account I used for testing outside accounts gives the best explanation.
It sees the email being sent on behalf of the user from the Postmaster account of the main Domain instead of the originating domain and fails SPF. There are SPF and DMARC set up for all the domains.

Gmail log.

Received: from mail.globepm-ca (static-207-54-xxx.x.ptr.teragonet-net [207.54.xxx.x])
by mx.google -com with ESMTP id f128si12509104pgc.55.2019.07.23.13.34.49
for <gpm****@gmail -com>;
Tue, 23 Jul 2019 13:34:49 -0700 (PDT)
Received-SPF: neutral (google-com: 207.54.102.1 is neither permitted nor denied by best guess record for domain of postmaster@mail.globepm-ca) client-ip=207.54.102.1;
Authentication-Results: mx.google-com;
spf=neutral (google-com: 207.54.102.1 is neither permitted nor denied by best guess record for domain of postmaster@mail.globepm-ca) smtp.helo=mail.globepm-ca;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=globepm-net
To: gpm****@gmail-com
From: <postmaster@globepm -net>
Subject: out of office
I have had to edit the response so it doesn’t look like links, so in any .ca or .net or .com the . has been removed so it doesn’t look like a link.

Thank you in advance for any assistance.

Thanks so far. Yes, it is funny that the OoO messages are being sent from the postmaster account instead of from the user account. I thought it would be the user account sending it :thinking:

The SPF info is seen as neutral, so I doubt that that will be an issue. Of course it would be better to have proper SPF set for these domains.

Speaking of which: Did you create 2 separate domains, or did you just use one and 2 aliases?

So, your server reports as a server from the .ca TLD, but the sending postmaster account is using the .net TLD?
Google seems to be relaxed about that, but I am not sure if your Axigen server or any mail clients handle this when SPF, DKIM etc. are not set correctly. You might want to verify explicit settings for the .net TLD?

I have three separate domains, no aliases, and I do have proper SPF & DMARC records for all domains.
I am going to update the SPF to include the primary domain as a sender; that should fix it.

I had some time this morning so I did some more testing. I did have a typo in the Add Acceptance / Routing rule: I typed in mail.domain name instead of just domain name. That’s why google saw it as coming from mail.globepm-ca instead of globepm-ca.
An auto reply seems to work fine from the Primary Domain, but from the other two domains the out of office goes to Spam because it is being sent from postmaster of the primary domain. So it is being sent on behalf of. And the local email server marks the auto replies with the prepended subject of “looks like Spam”.
If this was a single domain I wouldn’t have the issue.

ARC-Authentication-Results: i=1; mx.google-com;
spf=pass (google-com: domain of postmaster@globepm-ca designates 207.54.102.1 as permitted sender) smtp.helo=globepm-ca
Return-Path: <>
Received: from globepm-ca (static-207-54-102-1.ptr.terago-net. [207.54.102.1])
by mx.google-com with ESMTP id 60si18216492plf.398.2019.07.26.06.05.03
for gpm****@gmail-com;
Fri, 26 Jul 2019 06:05:03 -0700 (PDT)
Received-SPF: pass (google-com: domain of postmaster@globepm-ca designates 207.54.102.1 as permitted sender) client-ip=207.54.102.1;
Authentication-Results: mx.google-com;
spf=pass (google-com: domain of postmaster@globepm-ca designates 207.54.102.1 as permitted sender) smtp.helo=globepm-ca
To: gpm****@gmail-com
From: postmaster@globecm-ca
Subject: test auto reply

I had to move on to a different project for a while, but this problem still exists.
I believe it is because I have multiple domains and I’m not sure how to set up the third rule; does the server look through all the rules before rejecting?
I tried this setup again and the Primary domain is fine, but the second and third domains had all the email rejected!
WebAdmin → Security & Filtering → Incoming Message Rules → Add message rule:

  • in the Conditions area, select:
    1. For incoming messages that match: ALL of the conditions below
    2. Custom - “Return-Path” - Does not contain - type the name of your domain
    3. From - Contains - type the name of your domain
  • in the Actions area, select: Change Subject - prepend - type a string which will tag the subject of the message, for example: [spam]
  • save configuration

I created a separate rule for each domain, as I can’t have a rule that says match all with multiple domains in it. I can’t think of any other way to do it.
Any help is appreciated.
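The rule above, modelled as an added example (not Axigen code; the domain names are placeholders standing in for the three departmental domains), beside a multi-domain variant that treats every local domain as “ours” and reports the null-sender auto-replies separately instead of tagging them:

```python
# Constructed example, not Axigen code: models the thread's "Return-Path vs From"
# rule and a multi-domain variant that does not tag the server's own auto-replies.
from email import message_from_string
from email.utils import parseaddr

# Placeholder domains standing in for the three departmental domains in the thread.
LOCAL_DOMAINS = {"primary.example", "second.example", "third.example"}

def addr_domain(header_value):
    """Domain part of an address header, lower-cased; '' for the null sender <> or no header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def forum_rule_tags(msg, domain):
    """The per-domain rule from the thread: Return-Path does not contain the domain
    AND From contains the domain -> the subject gets prepended."""
    return domain not in msg.get("Return-Path", "") and domain in msg.get("From", "")

def classify(msg, local_domains=LOCAL_DOMAINS):
    """Return 'ok', 'null-sender' or 'tag'. Unlike the forum rule, all local domains
    count as ours (an OoO sent by the primary domain's postmaster on behalf of another
    local domain is not tagged) and an empty Return-Path (bounce / auto-reply) is
    reported on its own, for SPF/DMARC on the HELO domain to decide, not as forged."""
    from_dom = addr_domain(msg.get("From"))
    if from_dom not in local_domains:
        return "ok"                      # not claiming to be one of our domains
    rp_dom = addr_domain(msg.get("Return-Path"))
    if rp_dom in local_domains:
        return "ok"                      # envelope sender is one of our domains
    if rp_dom == "":
        return "null-sender"             # <> envelope: auto-reply or DSN
    return "tag"                         # local From, foreign envelope sender

# Constructed messages modelled on the headers quoted in the thread.
OOO = message_from_string(
    "Return-Path: <>\nFrom: <postmaster@primary.example>\n"
    "Subject: out of office\nAuto-Submitted: auto-replied\n\n")
FORGED = message_from_string(
    "Return-Path: <bulk@mailer.invalid>\nFrom: CEO <ceo@second.example>\n"
    "Subject: urgent wire\n\n")
CROSS = message_from_string(
    "Return-Path: <postmaster+bounces@primary.example>\nFrom: <user@second.example>\n"
    "Subject: test auto reply\n\n")

if __name__ == "__main__":
    for name, m, dom in [("OOO", OOO, "primary.example"),
                         ("FORGED", FORGED, "second.example"),
                         ("CROSS", CROSS, "second.example")]:
        print(name, "forum rule tags:", forum_rule_tags(m, dom), "classify:", classify(m))
```

The forum rule tags both the out-of-office message and the cross-domain auto-reply exactly as the thread reports; the variant tags only the message whose envelope sender belongs to no local domain.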

Hello Rick,

Could you double check if the reported behavior is still encountered if you are using the latest X2 patch (10.2.2.90)?

Based on feedback received from other clients (requesting the availability of DKIM signing of OOO messages) we have changed the envelope sender of the autogenerated messages (from null to postmaster+bounces@domain.tld).

Looking forward to your feedback.

Thanks for the feedback and update.
Our server is at level 10.3 with no new updates waiting.

I still have the issue for out of office replies going to and from local domains on the server. I also get gmail putting the auto reply into the Spam folder (this one I don’t care too much about).
I have three domains on the server; they are all the same company, just different departments.

Let’s say I have two domains on the same server.
If I send an email to postmaster-email-com from postmaster@email.biz and postmaster-email-com has an out of office reply turned on, then postmaster@email.biz will get the auto reply with the subject prepended with "Possibly Spam". So I guess you could say it is following the rules, but the CEO freaks out when he gets a response like this and worries what other people are getting when they receive the out of office.

Gmail moves the message directly to spam if the auto reply is not from the Primary domain, because it sends the auto reply from the postmaster account of the primary domain for all the domains on the server. I even changed the SPF record to allow the primary domain, and google accepts it?

Google Show original:
ARC-Authentication-Results: i=1; mx.google-com;
spf=pass (google-com: domain of postmaster-globepm -ca designates 207.54.102.1 as permitted sender) smtp.helo=globepm-ca

Return-Path: <>

Received: from globepm-ca (static-207-54-102-1. [207.54.102.1])
by mx.google-com with ESMTP id ev22si15125565pjb.23.2020.01.20.07.24.23
for <xxx-gmail-com>;
Mon, 20 Jan 2020 07:24:23 -0800 (PST)
Received-SPF: pass (google-com: domain of postmaster-globepm-ca designates 207.54.102.1 as permitted sender) client-ip=207.54.102.1;
Authentication-Results: mx.google-com;
spf=pass (google-com: domain of postmaster-globepm-ca designates 207.54.102.1 as permitted sender) smtp.helo=globepm-ca
The only difference between a gmail message that is accepted as normal and a message that is sent to Spam is that the Return-Path is empty on the one that goes to spam.

My issue, after seeing gmail sending to spam, is how many other email services are going to do the same, and also a large number of our emails are from gmail.