We have two PRTG installations, one inside a LAN and using ISP's SMTP server, and another installation on a live server using built in email notification delivery system. Email notifications from both are automatically marked as phishing emails and moved to the junk folder of the email client (Windows Live Mail).
SMTP settings in the PRTG installations are configured as follows:
Sender E-mail: PRTG-servername@companyname.com
Sender Name: PRTG Network Monitor @ Server Name
HELO Ident: servername.companyname.com
A DNS record is added for servername.companyname.com pointing to server IP address (Type: A)
companyname.com is added to the safe sender domains list in the security settings of the email client (this works with all other senders, but not with emails originating from PRTG). Additionally, PRTG-servername@companyname.com is also added to the safe senders list in the security settings of the email client. Still no change. Emails from PRTG get into junk, marked with a big red cross and a warning message as a phishing email...
Why?? And what to do about it?
Article Comments
PRTGToolsFamily, as stated in the description, we use both. One server is using the built-in mail server on a static public IP, and the other one is using the ISP's external SMTP relay. Both are recognized as phishing (not spam!).
Feb, 2015 - Permalink
I can't find anything suspicious in the headers, so I'm guessing it's something in the body.
Example headers from an email sent by external SMTP (real addresses are replaced with dummy values):
Return-path: <sender@email.com>
Envelope-to: receiver@email.com
Delivery-date: Sun, 08 Feb 2015 19:23:28 +0100
Received: from srv1a.flexfilter.nl ([62.84.244.16]) by srv15833.mail.flexwebhosting.nl with esmtps (UNKNOWN:AES256-GCM-SHA384:256) (Exim 4.76) (envelope-from <sender@email.com>) id 1YKWW0-0007UZ-3R for receiver@email.com; Sun, 08 Feb 2015 19:23:28 +0100
Received: from cpsmtpb-ews05.kpnxchange.com ([213.75.39.8]) by srv1a.flexfilter.nl with esmtp (Exim 4.85) (envelope-from <sender@email.com>) id 1YKWVy-0003qM-0N for receiver@email.com; Sun, 08 Feb 2015 19:23:27 +0100
Received: from cpsps-ews13.kpnxchange.com ([10.94.84.180]) by cpsmtpb-ews05.kpnxchange.com with Microsoft SMTPSVC(7.5.7601.17514); Sun, 8 Feb 2015 19:23:25 +0100
Received: from CPSMTPM-cmt107.kpnxchange.com ([195.121.3.23]) by cpsps-ews13.kpnxchange.com with Microsoft SMTPSVC(7.5.7601.17514); Sun, 8 Feb 2015 19:23:25 +0100
Received: from alphestts2008.alphest.com ([86.84.83.20]) by CPSMTPM-cmt107.kpnxchange.com over TLS secured channel with Microsoft SMTPSVC(7.0.6002.18264); Sun, 8 Feb 2015 19:23:25 +0100
From: "PRTG Network Monitor @ Server Name" <sender@email.com>
Subject: Site www.sitename.com (HTTP) Up (Downtime: 21 m 59 s) (OK)
To: receiver@email.com
Content-Type: multipart/alternative; charset=utf-8; boundary="pGD=_hZ5vZmPNu8gynWihPBcitIZkAsT6S"
MIME-Version: 1.0
Date: Sun, 8 Feb 2015 19:23:31 +0100
Priority: urgent
X-Priority: 2
X-Mailer: PRTG Network Monitor 15.1.13.1089
Message-ID: <CPSMTPM-CMT107ez504000eb7fa@CPSMTPM-cmt107.kpnxchange.com>
X-OriginalArrivalTime: 08 Feb 2015 18:23:25.0409 (UTC) FILETIME=[53EBB510:01D043CC]
X-RcptDomain: alphest.com
X-Filter-ID: s0sct1PQhAABKnZB5plbIXwkWjsqg36A6KKAZKgFC8QhLaC/1YCSDU6kxR+iOBNZF+vTqy1/vhkk
 i2Tulp8Z7sOioHAFBjrs0fB5YXFKkUPxrqk37+nyr8+ABxO1Tdrs0z6bhalFEM/pjPCQA+BAlntg
 x6OEA3ITh5UAYs+m+56ds3j9wYNvDsLT9ae5HOfcRY5THKqvFwutPXR6X3RDKYBvoC8/P7CO9eLT
 lKIjoJx6NPzlcg5/6FK/eVDGtQoS3pgJGkBzKj5poie2YmHcQ95GpFZV/5tUbJxb008ZZQ3G+EDf
 WiHtdXFyFrzb+pxlzfxhfm+usq5XUv6TvOBkzvDeVKfT6RD7amrsrA3pbOe3SGMF43kffO93vLz9
 y7qcxRjW7bYh4VlqytzCSD1bRZNdxVEOVFwUhyiv4Sa7YZaYcicajE/V7T5th5LOliQxaor08hqz
 zu12GE75palEJc9+XssOskYky54LByNa3aIkEGv5K6MaBJgDuZxoyM/ul8Sfnd6N+5I4ewtatxI4
 ++mRUj9mjmli+Fx7fx4g91lPnJ4D8GrgGg2EBeYj6SUYQJtI1O2CdZ6bnYVutIcmjhI9+6zgsKVW
 YF/l0q/igM72OKHH5lr9xXvSM4nM3avg
X-Report-Abuse-To: spam@srv3a.flexfilter.nl
X-Filter-Fingerprint: IFrWXGses7OKB5S5G8/dJf0q4InAqB4eHoSGt53KDIXJUWjZ8+qhjyB23tbDuyLOYL8Ff78gYsez
 4Rl08xudmXi4esCQ0R1MchVjt7wblGlvhFgW0MjUMRkF5sMCDfftTXNFDzN17hnrWeZYOJvLq0Ic
 WjZ+XcEjj/7Pkld0zkmvziDInX9WdMov2kn2yXjdwv61T+KDYyYtREgszdyFwv8IxCB3p/oCKvxr
 eyISh3JGb7OS5oVgiO+kDxZrVPLz3MmEGC2PrUKqLq5WmHK+Nw==
X-FlexwebhostingB.V.-Class: ham
X-FlexwebhostingB.V.-Evidence: SB/global_tokens (0.0017579736137)
X-Recommended-Action: accept
Feb, 2015 - Permalink
If both the From field and the To field contain the same domain name (in your example @email.com) and the email comes via flexwebhosting.nl it is definitely phishing!
Feb, 2015 - Permalink
PRTGToolsFamily: I gave your statement a thought and came to the conclusion that it is not correct and is most definitely not the cause of the problem. There are a lot of email hosting companies that provide email hosting using custom domains. Even Microsoft and Google provide such services, not to forget all the hosting providers and dedicated email service providers. Outsourcing email this way is very common, especially in business environments. Also, if every email having the same domain in the sender and receiver addresses and coming via a 3rd party were marked as a phishing email, then all of our corporate email traffic would be marked as phishing, because that's exactly what happens there. But this is not the case.
Additionally, it is important to note: both servers mentioned above have other web applications installed on them that generate and send out emails the same way PRTG does, and none of those are marked as phishing.
Feb, 2015 - Permalink
PRTGToolsFamily: Just tested that. Switching to plain text emails makes no difference.
Feb, 2015 - Permalink
Hi, I have narrowed down the problem. The reason for marking emails as phishing lies in the message body. Not the email headers, not the template header/footer, but the content body.
When I replace the header and footer templates in PRTG with dummy text, for example "header" and "footer", for both the plain text and HTML templates, the email is still marked as phishing. Next, I replaced the message body (HTML) with the dummy text "content(html)". Still marked as phishing. I looked at the message source and found that the plain text content was still sent, although it was not visible. So I also replaced the plain text template with "content(text)", and the next email went through normally and was NOT marked as phishing:
Return-path: <sender@email.com>
Envelope-to: receiver@email.com
Delivery-date: Tue, 10 Feb 2015 16:11:19 +0100
Received: from srv1a.flexfilter.nl ([62.84.244.16]) by srv15833.mail.flexwebhosting.nl with esmtps (UNKNOWN:AES256-GCM-SHA384:256) (Exim 4.76) (envelope-from <sender@email.com>) id 1YLCT8-0000aO-Ua for receiver@email.com; Tue, 10 Feb 2015 16:11:19 +0100
Received: from cpsmtpb-ews01.kpnxchange.com ([213.75.39.4]) by srv1a.flexfilter.nl with esmtp (Exim 4.85) (envelope-from <sender@email.com>) id 1YLCT6-0001hW-O2 for receiver@email.com; Tue, 10 Feb 2015 16:11:18 +0100
Received: from cpsps-ews04.kpnxchange.com ([10.94.84.171]) by cpsmtpb-ews01.kpnxchange.com with Microsoft SMTPSVC(7.5.7601.17514); Tue, 10 Feb 2015 16:11:16 +0100
Received: from CPSMTPM-CMT105.kpnxchange.com ([195.121.3.21]) by cpsps-ews04.kpnxchange.com with Microsoft SMTPSVC(7.5.7601.17514); Tue, 10 Feb 2015 16:11:16 +0100
Received: from servername.email.com ([86.84.83.20]) by CPSMTPM-CMT105.kpnxchange.com over TLS secured channel with Microsoft SMTPSVC(7.0.6002.18264); Tue, 10 Feb 2015 16:11:15 +0100
From: "PRTG Network Monitor @ Alphest TS-2008" <sender@email.com>
Subject: TEST: %device %name %status %down (%message)
To: receiver@email.com
Content-Type: multipart/alternative; charset=utf-8; boundary="OTTLbkXh9PBK6J5cRo7kKH=_UPKAqjxH1T"
MIME-Version: 1.0
Date: Tue, 10 Feb 2015 16:11:15 +0100
Priority: urgent
X-Priority: 2
X-Mailer: PRTG Network Monitor 15.1.13.1089
Message-ID: <CPSMTPM-CMT1052sHI300102c61@CPSMTPM-CMT105.kpnxchange.com>
X-OriginalArrivalTime: 10 Feb 2015 15:11:15.0999 (UTC) FILETIME=[D0AEDAF0:01D04543]
X-RcptDomain: email.com
X-Filter-ID: s0sct1PQhAABKnZB5plbIZ7ydXA+duqeoFGU4Pqn17IhLaC/1YCSDU6kxR+iOBNZF+vTqy1/vhkk
 i2Tulp8Z7sOioHAFBjrs0fB5YXFKkUPxrqk37+nyr8+ABxO1Tdrs0z6bhalFEM/pjPCQA+BAlntg
 x6OEA3ITh5UAYs+m+551AH8P7BZeMCqME3s8fgIORY5THKqvFwutPXR6X3RDKYBvoC8/P7CO9eLT
 lKIjoJx6NPzlcg5/6FK/eVDGtQoSCrsfTiXTV6Fs3bgi5EDJgSSYPshQnNWp86quqgdbUdjG+EDf
 WiHtdXFyFrzb+pxldspammfsHGyP1igf4GTbnfDeVKfT6RD7amrsrA3pbOe3SGMF43kffO93vLz9
 y7qcxRjW7bYh4VlqytzCSD1bRZNdxVEOVFwUhyiv4Sa7YZZcWbVtEEL5/zmhpGedflZVaor08hqz
 zu12GE75palEJc9+XssOskYky54LByNa3aIkEGv5K6MaBJgDuZxoyM/ul8Sfnd6N+5I4ewtatxI4
 ++mRUj9mjmli+Fx7fx4g91lPnJ4D8GrgGg2EBeYj6SUYQJtI1O2CdZ6bnYVutIcmjhI9+6zgsKVW
 YF/l0q/igM72OKHH5lr9xXvSM4nM3avg
X-Report-Abuse-To: spam@srv3a.flexfilter.nl
X-Filter-Fingerprint: IFrWXGses7OKB5S5G8/dJf0q4InAqB4eHoSGt53KDIXJUWjZ8+qhjyB23tbDuyLOYL8Ff78gYsez
 4Rl08xudmXi4esCQ0R1MchVjt7wblGlvhFgW0MjUMRkF5sMCDfftTXNFDzN17hnrWeZYOJvLq0Ic
 WjZ+XcEjj/7Pkld0zkmvziDInX9WdMov2kn2yXjdwv61T+KDYyYtREgszdyFwv8IxCB3p/oCKvxr
 eyISh3JGb7OS5oVgiO+kDxZrVPLz3MmEGC2PrUKqLq5WmHK+Nw==
X-FlexwebhostingB.V.-Class: ham
X-FlexwebhostingB.V.-Evidence: Combined (0.07)
X-Recommended-Action: accept

This is a multi-part message in MIME format
--OTTLbkXh9PBK6J5cRo7kKH=_UPKAqjxH1T
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

content(text)footertext
--OTTLbkXh9PBK6J5cRo7kKH=_UPKAqjxH1T
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

headerhtmlcontent(html)footerhtml
--OTTLbkXh9PBK6J5cRo7kKH=_UPKAqjxH1T--
Feb, 2015 - Permalink
Good catch!
Is that because the links are not publicly accessible? In other words, they are not valid in the context of the email?
Feb, 2015 - Permalink
Thank you for the information again. This is probably because the links are indeed publicly unavailable, whether because the IP is located inside the LAN or because the port number is firewalled for all IPs except custom whitelisted ones.
I've removed the header, footer and plain text templates, and created a basic HTML template without any links. For those who want a quick workaround, here it is:
<!-- First two lines must be left empty! -->
<!-- HTML Template per Notification BEGIN -->
<!-- Note: PRTG's email template code has been optimized for all major email clients and webmailer. Yes, the HTML code is not "nice", but emails look good on most email readers-->
<table width="100%" style="border:1px solid #aaa;" cellspacing="0" cellpadding="0">
<tr> <td height="5" bgcolor="%colorofstate" style="padding:0px;font-size:0;" colspan="3"> </td> </tr>
<tr bgcolor="%colorofstate">
<td colspan="2">
<table width="100%" bgcolor="%colorofstate" cellspacing="0" cellpadding="0" border="0">
<tr>
<td width="33" rowspan="6" bgcolor="%colorofstate" style="padding:6px;"> <div style="width:21px;background-color:%colorofstate"> <img src="https://prtgicons.paessler.com/prtgx/%iconofstate" width="21" height="21"> </div> </td>
<td width="100" bgcolor="#ffffff" style="padding:4px">Sensor</td>
<td width="362" bgcolor="#ffffff" style="padding:4px"><strong style="font-size:16px">%shortname</strong></td>
<td width="*" bgcolor="#ffffff" style="padding:4px"> </td>
</tr>
<tr> <td width="100" style="padding:4px" bgcolor="#eeeeee">Status</td> <td width="362" style="padding:4px" bgcolor="#eeeeee"><strong style="font-size:16px">%status</strong> %down</td> <td width="*" style="padding:4px" bgcolor="#eeeeee"> </td> </tr>
<tr> <td height="5" bgcolor="%colorofstate" style="padding:0px;font-size:0;" colspan="3"> </td> </tr>
<tr> <td width="100" style="padding:4px" bgcolor="#eeeeee">Last Result</td> <td width="362" style="padding:4px" bgcolor="#eeeeee"><strong>%lastvalue</strong></td> <td width="*" style="padding:4px" bgcolor="#eeeeee"> </td> </tr>
<tr> <td width="100" style="padding:4px" bgcolor="#ffffff">Last Message</td> <td width="362" style="padding:4px" bgcolor="#ffffff"><strong>%message</strong></td> <td width="*" style="padding:4px" bgcolor="#ffffff"> </td> </tr>
<tr> <td width="100" style="padding:4px" bgcolor="#eeeeee">Date/Time</td> <td width="362" style="padding:4px" bgcolor="#eeeeee">%datetime (%timezone)</td> <td width="*" style="padding:4px" bgcolor="#eeeeee"> </td> </tr>
</table>
</td>
<td bgcolor="%colorofstate"> </td>
</tr>
<tr> <td height="5" bgcolor="%colorofstate" style="padding:0px;font-size:0;" colspan="3"> </td> </tr>
<tr> <td height="15" bgcolor="#ffffff" style="padding:0px;font-size:0;" colspan="3"> </td> </tr>
<tr>
<td> </td>
<td>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" border="0">
<tr bgcolor="#dddddd"> <td width="100" style="padding:2px 4px 4px 4px;">Last Scan</td> <td width="362" style="padding:2px 4px 4px 0px;">%lastcheck</td> <td style="padding:2px 4px 4px 0px;" bgcolor="#dddddd"> </td> </tr>
<tr bgcolor="#eeeeee"> <td style="padding:2px 4px 4px 4px;">Last Up</td> <td style="padding:2px 4px 4px 0px;">%lastup</td> <td style="padding:2px 4px 4px 0px;" bgcolor="#eeeeee"> </td> </tr>
<tr bgcolor="#dddddd"> <td style="padding:2px 4px 4px 4px;">Last Down</td> <td style="padding:2px 4px 4px 0px;">%lastdown</td> <td style="padding:2px 4px 4px 0px;" bgcolor="#dddddd"> </td> </tr>
<tr bgcolor="#eeeeee"> <td style="padding:2px 4px 4px 4px;">Uptime</td> <td style="padding:2px 4px 4px 0px;">%uptime</td> <td style="padding:2px 4px 4px 0px;" bgcolor="#eeeeee"> </td> </tr>
<tr bgcolor="#dddddd"> <td style="padding:2px 4px 4px 4px;">Downtime</td> <td style="padding:2px 4px 4px 0px;">%downtime</td> <td style="padding:2px 4px 4px 0px;" bgcolor="#dddddd"> </td> </tr>
<tr bgcolor="#eeeeee"> <td style="padding:2px 4px 4px 4px;">Coverage</td> <td style="padding:2px 4px 4px 0px;">%coverage [since %cumsince]</td> <td style="padding:2px 4px 4px 0px;" bgcolor="#eeeeee"> </td> </tr>
<tr bgcolor="#dddddd"> <td style="padding:2px 4px 4px 4px;">Settings</td> <td style="padding:2px 4px 4px 0px;">%settings</td> <td style="padding:2px 4px 4px 0px;" bgcolor="#dddddd"> </td> </tr>
<tr bgcolor="#eeeeee"> <td style="padding:2px 4px 4px 4px;">Location</td> <td style="padding:2px 4px 4px 0px;">%location</td> <td style="padding:2px 4px 4px 0px;" bgcolor="#eeeeee"> </td> </tr>
<tr bgcolor="#dddddd"> <td style="padding:2px 4px 4px 4px;">Sensor History</td> <td style="padding:2px 4px 4px 0px;">%history</td> <td style="padding:2px 4px 4px 0px;"> </td> </tr>
<tr bgcolor="#eeeeee"> <td style="padding:2px 4px 4px 4px;">Sensor Comments</td> <td style="padding:2px 4px 4px 0px;">%commentssensor</td> <td style="padding:2px 4px 4px 0px;"> </td> </tr>
<tr bgcolor="#dddddd"> <td style="padding:2px 4px 4px 4px;">Device Comments</td> <td style="padding:2px 4px 4px 0px;">%commentsdevice</td> <td style="padding:2px 4px 4px 0px;"> </td> </tr>
<tr bgcolor="#eeeeee"> <td style="padding:2px 4px 4px 4px;">Group Comments</td> <td style="padding:2px 4px 4px 0px;">%commentsgroup</td> <td style="padding:2px 4px 4px 0px;"> </td> </tr>
<tr bgcolor="#dddddd"> <td style="padding:2px 4px 4px 4px;">Syslog/Trap Warnings (max. 20)</td> <td style="padding:2px 4px 4px 0px;">%syslogwarnings%trapwarnings</td> <td style="padding:2px 4px 4px 0px;"> </td> </tr>
<tr bgcolor="#eeeeee"> <td style="padding:2px 4px 4px 4px;">Syslog/Trap Errors (max. 20)</td> <td style="padding:2px 4px 4px 0px;">%syslogerrors%traperrors</td> <td style="padding:2px 4px 4px 0px;"> </td> </tr>
<tr bgcolor="#ffffff"> <td colspan="3" height="10" style="font-size:0;"> </td> </tr>
</table>
</td>
<td> </td>
</tr>
</table>
<!-- HTML Template per Notification END -->
PS, PRTGToolsFamily: It appears that this problem is not caused by the PRTG software. However, there is something you can do to help users with this problem. If you could build a checkbox into the notification delivery settings which, when unchecked, prevents auto-generating/including links in all emails, that would save all your customers the trouble of finding out what the problem is and manually modifying each and every template to remove the links. Because if they don't, emails won't appear in their Inbox, and they might face the consequences of not reacting on time.
Feb, 2015 - Permalink
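A way to check a notification for the trigger narrowed down in the post above, as an added diagnostic that is not PRTG's code or any poster's: it parses a raw message, pulls the links out of every text part (the invisible plain-text part included, which is what the template test first overlooked), and flags the links a recipient's mail client cannot reach. The sample message, hosts, port and sensor id are constructed.

```python
import ipaddress
import re
from email import message_from_string, policy
from urllib.parse import urlsplit
# Constructed sample (not a real PRTG message): multipart/alternative with one
# LAN-only sensor link and one public icon URL. Hosts, port and id are assumptions.
SAMPLE_EMAIL = """From: "PRTG Network Monitor @ Server Name" <sender@email.com>
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

http://192.168.10.5:8443/sensor.htm?id=1234
--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://192.168.10.5:8443/sensor.htm?id=1234">Sensor Ping</a>
<img src="https://prtgicons.paessler.com/prtgx/up.png"></body></html>
--b1--
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_urls(raw):
    # Every http(s) URL from every text/* part (plain AND html), deduplicated in order
    msg = message_from_string(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return urls

def unreachable_reasons(url):
    # Properties that make a link unreachable (or suspicious) from a recipient's client
    reasons, parts = [], urlsplit(url)
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        ip = None                       # a hostname rather than a literal address
    if ip is not None:
        reasons.append("literal IP address in link")
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            reasons.append("non-routable (RFC 1918/loopback/link-local) address")
    if parts.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parts.port}")
    return reasons

def audit_links(raw):
    # Map each link in the message to its reasons; an empty list means it looks fine
    return {url: unreachable_reasons(url) for url in extract_urls(raw)}
```

Run audit_links over the raw source of a flagged notification; any link that comes back with reasons is a candidate for the template change described above.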
Are you using PRTG's built-in mail server to send the emails, or are you using an SMTP relay of your provider?
When using the built-in mail server, is your ISP providing you with a dynamic public IP?
Emails originating from a dynamic public IP have a good chance of being treated as spam, so if the latter is the case, you can try routing the emails through the SMTP relay of your hosting provider.
Feb, 2015 - Permalink