Wednesday, January 28, 2015

Antispam Report, email message headers break down.

Grab the headers
Find the entry: X-Forefront-Antispam-Report
X-Original-X-Forefront-Antispam-Report: CIP:96.43.148.64;CTRY:US;IPV:NLI;SRV:BULK;EFV:NLI;SFV:SPM;SFS:(6009001)(438002)(659001)(609006)(48214007)(377454003)(189002)(199003)(164054003)(349900001)(252514010)(349010);DIR:INB;SFP:;SCL:9;SRVR:BY2PR04MB742;H:smtp01-was.mta.salesforce.com;FPR:;SPF:Pass;MLV:ovrnspm;PTR:smtp01-was.mta.salesforce.com;MX:1;A:1;

·         CIP:[IP Address] is the Connecting IP address. The IP address can be checked at MXToolbox to see if it's on any blacklists. [Example is CIP:96.43.148.64]
·         CTRY is the country from which the message connected to the service. This is determined by the Connecting IP address (CIP). [Example is CTRY:US]
·         LANG is the language the message was written in. [No Example]
·         IPV specifies if the message was on a Client Access List (CAL) or not listed (NLI). [Example is IPV:NLI, so it was not on a CAL]
·         SRV:BULK means the message was identified as bulk email. If the Block all bulk email messages advanced spam filtering option is enabled, it will be marked as spam. If it is not enabled, it will only be marked as spam if the rest of the filtering rules determine that the message is spam. [Example shows SRV:BULK]
·         SFV:SPM means the message was marked as spam by the content filter. [Example shows SFV:SPM]
·         SCL:# is the Spam Confidence Level (-1 to 9). [Example is SCL:9]
o   -1: the message was on a safe list (rule or ACL)
o   0 or 1: The message scanned resulted with a “Safe” level
o   5 or 6: The message scanned resulted with a “Spam” level
o   9: The message scanned resulted with a “High Confidence Spam” level
·         H:[helostring] is the HELO or EHLO string of the connecting mail server. [Example is H:smtp01-was.mta.salesforce.com]
·         SPF:[result] is the result of the SPF check. Pass means the sending IP was listed in the SPF record for the sender's domain. [Example is SPF:Pass]
·         PTR:[ReverseDNS] is the PTR record of the sending IP address (reverse DNS address). [Example is PTR:smtp01-was.mta.salesforce.com]
Search for the entry: X-CustomSpam
If this is present, then the message matched an advanced spam filtering (ASF) option. For example, X-CustomSpam: Image links to remote sites denotes that the Image links to remote sites ASF option was matched.
Find the Entry: X-Microsoft-Antispam
This entry is for upcoming features of Exchange Online Protection.
·         BCL: This shows the Bulk Complaint Level (BCL) of the message.
·         PCL: This shows the Phishing Confidence Level (PCL) of the message, which indicates whether it’s a phishing message. The PCL value can range from 1 through 8. A PCL rating from 1 through 3 returns a status of Neutral. This means that the message's content isn't likely to be phishing. A PCL rating from 4 through 8 returns a status of Suspicious. This means that the message is likely to be phishing. This status can be returned as one of the following values:

Notes…

X-Original-X-Forefront-Antispam-Report:
CIP:96.43.148.64;
CTRY:US;
IPV:NLI;
SRV:BULK;
EFV:NLI;      ???
SFV:SPM;
SFS:(6009001)(438002)(659001)(609006)(48214007)(377454003)(189002)(199003)(164054003)(349900001)(252514010)(349010);
DIR:INB;
SFP:;
SCL:9;
SRVR:BY2PR04MB742;
H:smtp01-was.mta.salesforce.com;
FPR:;
SPF:Pass;
MLV:ovrnspm;
PTR:smtp01-was.mta.salesforce.com;
MX:1;
A:1;
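To make the breakdown above something you can run over a real header, here is a small parser and triage helper written for this post (it is added here, not part of the original post and not Microsoft's code). It splits the KEY:value; fields, turns the SFS rule list into a Python list, maps SCL and PCL to the verdicts listed above, and prints the reasons a message was tagged. The SAMPLE_REPORT value is the post's own example header; the SAMPLE_MS_ANTISPAM value is a constructed example, since the post does not show one.

```python
"""Parse and triage EOP antispam headers (X-Forefront-Antispam-Report, X-Microsoft-Antispam)."""
import re

# The post's own example header, header name included as it appears in the message.
SAMPLE_REPORT = (
    "X-Original-X-Forefront-Antispam-Report: CIP:96.43.148.64;CTRY:US;IPV:NLI;"
    "SRV:BULK;EFV:NLI;SFV:SPM;SFS:(6009001)(438002)(659001)(609006)(48214007)"
    "(377454003)(189002)(199003)(164054003)(349900001)(252514010)(349010);"
    "DIR:INB;SFP:;SCL:9;SRVR:BY2PR04MB742;H:smtp01-was.mta.salesforce.com;FPR:;"
    "SPF:Pass;MLV:ovrnspm;PTR:smtp01-was.mta.salesforce.com;MX:1;A:1;"
)
# Constructed X-Microsoft-Antispam value for illustration; not taken from the post.
SAMPLE_MS_ANTISPAM = "X-Microsoft-Antispam: BCL:4;PCL:5;"


def parse_antispam_header(raw):
    """Split a 'KEY:value;KEY:value;' header into a dict.

    A leading header name ('X-...: ') is dropped if present. The SFS field's
    '(id)(id)...' rule list is converted to a list of rule-id strings. Empty
    fields such as 'SFP:' are kept with an empty value; malformed tokens are skipped.
    """
    name, sep, rest = raw.partition(":")
    body = rest if (sep and name.strip().lower().startswith("x-")) else raw
    fields = {}
    for token in body.split(";"):
        token = token.strip()
        if not token:
            continue
        key, sep, value = token.partition(":")
        if not sep:
            continue  # not KEY:value, skip rather than fail on an odd header
        fields[key.strip()] = value.strip()
    if "SFS" in fields:
        fields["SFS"] = re.findall(r"\((\d+)\)", fields["SFS"])
    return fields


def scl_verdict(scl):
    """Map the Spam Confidence Level (-1..9) to the verdict described in the post."""
    n = int(scl)
    if n == -1:
        return "Safe list"
    if n in (0, 1):
        return "Safe"
    if n in (5, 6):
        return "Spam"
    if n == 9:
        return "High Confidence Spam"
    return "Unknown"


def pcl_status(pcl):
    """Map the Phishing Confidence Level (1..8) to Neutral / Suspicious."""
    n = int(pcl)
    if 1 <= n <= 3:
        return "Neutral"
    if 4 <= n <= 8:
        return "Suspicious"
    return "Unknown"


def triage(fields):
    """Return human-readable reasons drawn from the parsed report fields."""
    reasons = []
    if fields.get("SFV") == "SPM":
        reasons.append("content filter marked the message as spam")
    if fields.get("SRV") == "BULK":
        reasons.append("message identified as bulk email")
    if fields.get("IPV") == "NLI":
        reasons.append("connecting IP %s not on a Client Access List" % fields.get("CIP", "?"))
    if "SPF" in fields:
        reasons.append("SPF result: %s" % fields["SPF"])
    # HELO name and reverse DNS normally agree for a well-run sender; flag a mismatch.
    if fields.get("H") and fields.get("PTR") and fields["H"] != fields["PTR"]:
        reasons.append("HELO %s does not match PTR %s" % (fields["H"], fields["PTR"]))
    if "SCL" in fields:
        reasons.append("SCL %s -> %s" % (fields["SCL"], scl_verdict(fields["SCL"])))
    if "PCL" in fields:
        reasons.append("PCL %s -> %s" % (fields["PCL"], pcl_status(fields["PCL"])))
    return reasons


if __name__ == "__main__":
    report = parse_antispam_header(SAMPLE_REPORT)
    report.update(parse_antispam_header(SAMPLE_MS_ANTISPAM))
    for line in triage(report):
        print(line)
```

Paste the header value straight from the message source; the function accepts it with or without the header name in front. Anything it cannot interpret (such as the EFV field queried in the notes) is still kept in the dict so it can be looked at by hand.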

Multi-WAN with ATT IPDSL and pfSense.

So in the move I lost my ultra-fast Charter 60mb cable, so I went on the prowl.  Since the new house is in a more rural setting I was forced to go with ATT IPDSL.  Luckily though I was able to sign up with ATT Business so I can get more than just one 3mb pipe.  In the end I wound up with 3 x 3mb DSL lines, and I can add a last one making 4 if the need ever arises.

Anyway, since I wanted to stick with using PF as a firewall, I added a second PCI gigabit NIC and created 3 WAN interfaces.

Now many people have had issues with this in the past, especially when using the Motorola NVG510 DSL modems.  These models do not have a true bridge mode, only what Moto calls an 'IP Passthrough', which in theory should be bridge mode and apparently, for some folks, does not work correctly.

So anyway I set up IP Passthrough mode on all three of my modems, picking DHCPS-Fixed, and I specified the MAC address of the NIC that particular modem was uplinked to.  While inside I also disabled WiFi since I provide my own with an 802.11N WiFi AP with a MUCH better range than these crappers. I also disabled all other firewall features, since PF will do a much better job anyway and I don't want my traffic being looked at twice.

Then within PF I configured all three interfaces as WAN, WAN1 and WAN2, then I gave each a unique public DNS server as a Monitor IP.  If the interface loses any pings to that host it will consider the link down.  Two of my WAN interfaces use Google's public DNS IPs, because it'll be a cold day in hell when those ever go down. Then after that I rebooted each modem. Once up, the modems are supposed to give the PF interface a 192.168 address for approx 3 minutes, then pass their own external IP to PF.  Now what happened in my case was that my primary WAN circuit did that.  The last two did not; PF kept using a 192.168 address, but they were passing data correctly so I didn't argue about it.

Anyway, once PF could see all three gateways (or Monitor IPs) up, I then created a Gateway group named 'LoadBalance', then created a firewall rule superseding the existing LAN Net out rules specifying the gateway group.

That's basically it. I also posted about it on the PF Forums as well:
https://forum.pfsense.org/index.php?topic=87639.0


Long time, no post.

I know it's been quite a while since my last post.  We had X-mas, then time off from work, then we decided to move into a new rent house.  It's in MUCH better shape, much cleaner than the previous one, and while I still have a usable basement I now have access to half of a real barn.
Kids' rooms are a little smaller, our room is a little smaller, but we gained a second full bathroom so it's a good trade-off.