Posted to users@spamassassin.apache.org by Callum Millard <ca...@swarthmore.org.uk> on 2010/01/12 19:17:44 UTC

Faked _From_ field using our domain - how to filter/score?

I'm sure there's a straightforward way of doing this, but after several hours of searching, I can't find it.

The problem is spam with a faked 'From:' field.  Spammers are sending e-mails to our domain with the 'From:' field set to a valid e-mail address from our domain.  Here's an edited example:

---------------------------------------------------------------------------->
Received: from localhost (localhost.localdomain [127.0.0.1])	by
 ourmailserver.ourDomain.ac.uk (Postfix) with ESMTP id 571FB198ACDE	for
 <Va...@ourDomain.ac.uk>; Tue, 12 Jan 2010 15:46:07 +0000 (GMT)
X-Virus-Scanned: amavisd-new at swarthmore.org.uk
X-Spam-Flag: NO
X-Spam-Score: 2.162
X-Spam-Level: **
X-Spam-Status: No, score=2.162 required=4.7 tests=[AWL=-6.560, BAYES_50=0.001,
	HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5,
	RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5,
	RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905, URIBL_AB_SURBL=1.86,
	URIBL_BLACK=1.955]
Received: from ourmailserver.ourDomain.ac.uk ([127.0.0.1])	by localhost
 (ourmailserver.ourDomain.ac.uk [127.0.0.1]) (amavisd-new, port 10024)	with ESMTP
 id GwJCdn5Rq7xr for <Va...@ourDomain.ac.uk>;	Tue, 12 Jan 2010 15:45:37
 +0000 (GMT)
Received-SPF: none (mass-business.com: No applicable sender policy available) receiver=dns2.swarthmore.org.uk; identity=mfrom; envelope-from="toweringtub507@mass-business.com"; helo=hbrn-5d84dddf.pool.mediaWays.net; client-ip=293.132.208.201
Received: from hbrn-5d84dddf.pool.mediaWays.net
 (hbrn-5d84d014.pool.mediaWays.net [293.132.208.201])	by
 ourmailserver.ourDomain.ac.uk (Postfix) with ESMTP id 5F4DC198ACDB	for
 <Va...@ourDomain.ac.uk>; Tue, 12 Jan 2010 15:45:37 +0000 (GMT)
Received: from 293.132.208.201 by mass-business.com.s6a2.psmtp.com; Tue, 12 Jan
 2010 16:45:35 +0100
Message-ID: <00...@toweringtub507>
From: <Va...@ourDomain.ac.uk>
To: <Va...@ourDomain.ac.uk>
Subject: Hi, I'm from Russia - a dream to live abroad, my name is Mary, can we get started? "I'm on this dating site - come in to me.
Date: Tue, 12 Jan 2010 16:45:35 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01CA939E.4805B590"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Return-Path: toweringtub507@mass-business.com
X-PMWin-Version: 3.0.2.0, Antivirus-Engine: 3.3.1, Antivirus-Data: 4.49G
X-PureMessage: [Scanned]

From: ValidInternalMailAddress@ourDomain.ac.uk
Sent: 12 January 2010 15:46
To: Valid User
Subject: Hi, I'm from Russia - a dream to live abroad, my name is Mary, can we get started? "I'm on this dating site - come in to me. Want to know what the real Russian girls love and warmth? Just a small click
<----------------------------------------------------------------------------

Whilst Postfix drops fake HELO's claiming to be from our domain, this has a valid HELO but a faked 'FROM:'.  The problems with this are twofold:

1.  It shows up as internal mail so gets -6 points or so from the auto-whitelist thus giving it a decent chance of getting through.
2.  Because it has a valid 'From:' field, users are likely to open it as they think it's from another member of staff, or if they're being dim, that they sent it to themselves.

Could anyone point me in the right direction to deal with this?  Currently it's fine if we just drop them as there's no situation where mail originating from external networks should have a 'From:' field with our domain in it.  This may change in the future if we implement external mail access and the like, so it would be useful if I knew how to drop the messages from the AWL when the 'Received: from' field or similar doesn't match the 'From:' field domain, and then give it a score as appropriate.  

I'm sure it's possible as Spamassassin has yet to let me down: it always cheers me up when I watch our costly alternative, Sophos' anti-spam, stare dumbly at the task in hand before seeming to turn its back and let the world of spam go about its business unmolested.  Having seen Sophos' attempts I've always had Spamassassin in place before Sophos and the rest gets so much as a sniff of external mail.

Any pointers would be very gratefully received as my brain has sat down and given up on this and with these Adobe zero-days about, I'm getting the fear.

Many thanks,


Calum
IT Donkey
Swarthmore Centre
UK



NB. One further point is that Spamassassin is called and hence partially configured by Amavisd-new.

Details:

Fedora Core 9.
Kernel 2.6.27.25-78.2.56.fc9.i686
postfix-2.5.6-1.fc9.i386
spamassassin-3.2.5-1.fc9.i386
amavisd-new-2.5.2-2.fc8.noarch

(All software installed from RPMs.)

Re: Faked _From_ field using our domain - how to filter/score?

Posted by mouss <mo...@ml.netoyen.net>.
Callum Millard wrote:
> I'm sure there's a straightforward way of doing this, but after several hours of searching, I can't find it.
> 
> The problem is spam with a faked 'From:' field.  Spammers are sending e-mails to our domain with the 'From:' field set to a valid e-mail address from our domain.  Here's an edited example:
> [snip]

spammers aren't the only ones who send you mail with your address in the
From: header. Mailing lists do that too. look at your email as resent to
you by this list.

so stop focusing on the From: header.

it looks like your AWL db went mad. needs a cleanup! (I personally
disable AWL).




Re: Faked _From_ field using our domain - how to filter/score?

Posted by René Berber <r....@computer.org>.
Callum Millard wrote:

[snip]
> The problem is spam with a faked 'From:' field.  Spammers are sending
> e-mails to our domain with the 'From:' field set to a valid e-mail
> address from our domain.[snip]

SPF was designed just for that, not only to prevent others from
accepting fake messages that pretend to come from you, also for your
server to do the same.

I use milter-spiff with sendmail; postfix can also use milters.  Of
course SPF is not only the milter or SPF tests inside spamassassin, you
have to set it up on your domain DNS master.

[snip]
-- 
René Berber


Re: Faked _From_ field using our domain - how to filter/score?

Posted by Kai Schaetzl <ma...@conactive.com>.
Please.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Faked _From_ field using our domain - how to filter/score?

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Kai Schaetzl wrote:
> Skaz wrote on Wed, 13 Jan 2010 08:54:58 -0800 (PST):
> 
>> However
>> I will need to drop that restriction once I set up external mail access
> 
> what is "external mail access" ?
>

It's mail access for all those "externals" out there.  Here's a picture 
of one:

http://dvd.ign.com/dor/objects/14284235/the-day-the-earth-stood-still-special-edition/images/the-day-the-earth-stood-still-special-edition-20081204031732410.html

Ted


Re: Faked _From_ field using our domain - how to filter/score?

Posted by Kai Schaetzl <ma...@conactive.com>.
Indeed, and that is why I asked what he means with this. This scenario is 
already taken care of in that config line.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Faked _From_ field using our domain - how to filter/score?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 13 Jan 2010, Kai Schaetzl wrote:

> Skaz wrote on Wed, 13 Jan 2010 08:54:58 -0800 (PST):
>
>> However I will need to drop that restriction once I set up external 
>> mail access
>
> what is "external mail access" ?

Employees sending email from offsite, I would assume.

Hopefully postfix can be configured to check the From: message header the 
way he wants, while distinguishing between SMTP AUTH and unauthenticated 
submissions, and reject only on unauthenticated submissions.

At that point all he needs to do is require "external users" use SMTP 
AUTH to send mail.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Rights can only ever be individual, which means that you cannot
   gain a right by joining a mob, no matter how shiny the issued
   badges are, or how many of your neighbors are part of it.  -- Marko
-----------------------------------------------------------------------
  4 days until Benjamin Franklin's 304th Birthday

Re: Faked _From_ field using our domain - how to filter/score?

Posted by Kai Schaetzl <ma...@conactive.com>.
Skaz wrote on Wed, 13 Jan 2010 08:54:58 -0800 (PST):

> However
> I will need to drop that restriction once I set up external mail access

what is "external mail access" ?

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Faked _From_ field using our domain - how to filter/score?

Posted by Benny Pedersen <me...@junc.org>.
On Wed 13 Jan 2010 05:54:58 PM CET, Skaz wrote
> Sadly SPF won't catch this type of spam as that only deals with the envelope
> and the faked field is in the body.  We already have SPF set up anyhow which
> obviously catches a fair few faked HELO's.

ug :/

http://old.openspf.org/wizard.html?mydomain=swarthmore.org.uk&submit=Go!

why list rfc1918 ip addresses? why list .local hostnames?

what will happen if this exists remotely?

> Kai's suggestion for Postfix will work for now, so thanks for that.  However
> I will need to drop that restriction once I set up external mail access so
> being able to score messages with a faked 'From' field is what I'd ideally
> like to do: and will need to do in the nearish future.  Is there a rule(set)
> around at the minute which can do this, or do I need to learn Pearl in a
> hurry?

Kai's "solution" does not use spf at all, but strict rules in postfix  
to achieve nearly the same as a working pypolicy-spf daemon

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Faked _From_ field using our domain - how to filter/score?

Posted by Skaz <m-...@swarthmore.org.uk>.
Thanks to all who've replied.

Sadly SPF won't catch this type of spam as that only deals with the envelope
and the faked field is in the body.  We already have SPF set up anyhow which
obviously catches a fair few faked HELO's.

Kai's suggestion for Postfix will work for now, so thanks for that.  However
I will need to drop that restriction once I set up external mail access so
being able to score messages with a faked 'From' field is what I'd ideally
like to do: and will need to do in the nearish future.  Is there a rule(set)
around at the minute which can do this, or do I need to learn Perl in a
hurry?


Calum.


-----Original Message-----
From: John Hardin [mailto:jhardin@impsec.org] 
Sent: 12 January 2010 21:18
To: 'users@spamassassin.apache.org'
Subject: Re: [sa] Faked _From_ field using our domain - how to filter/score?

On Tue, 12 Jan 2010, Charles Gregory wrote:

> On Tue, 12 Jan 2010, Callum Millard wrote:
> : The problem is spam with a faked 'From:' field.  Spammers are sending
> : e-mails to our domain with the 'From:' field set to a valid e-mail
> : address from our domain.
>
> Unfortunately, if you permit use of your domain name as a 'From' for 
> users on other connections (home DSL, etc), then you can only use a 
> minimal score in SA and must look for other spamsign.

If you do that you should require they use authenticated and encrypted 
SMTP. SPF et. al. can be bypassed if that is known.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Taking my gun away because I *might* shoot someone is like cutting
   my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                   -- Peter Venetoklis
-----------------------------------------------------------------------
  5 days until Benjamin Franklin's 304th Birthday

-- 
View this message in context: http://old.nabble.com/Faked-_From_-field-using-our-domain---how-to-filter-score--tp27132211p27148198.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Faked _From_ field using our domain - how to filter/score?

Posted by Benny Pedersen <me...@junc.org>.
On Tue 12 Jan 2010 07:17:44 PM CET, Callum Millard wrote

> I'm sure there's a straightforward way of doing this, but after  
> several hours of searching, I can't find it.
>
> The problem is spam with a faked 'From:' field.  Spammers are  
> sending e-mails to our domain with the 'From:' field set to a valid  
> e-mail address from our domain.  Here's an edited example:

google equal sender recipient postfwd

http://www.openspf.org/ add spf to your own domain and test it in your mta

add sender auth to local domain in mta (smtp auth)

what's left now?

cheating a little here, dkim can do it as well, but then mta need the  
whole body :(



-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Faked _From_ field using our domain - how to filter/score?

Posted by Kai Schaetzl <ma...@conactive.com>.
Skaz wrote on Thu, 14 Jan 2010 04:49:55 -0800 (PST):

> 1)  Kai, yes external mail as in mail (sending or receiving) originating
> external to our network in terms of IP, not physically.  When I think on it
> though, I'll just insist we use RDP or VPN for access when I set it up. 

Still not clear what you mean. If you mean mail that is sent thru your mail 
server from "road warriors" - that has to be SMTP AUTHed and therefore isn't 
rejected.
 
> 3)  Kai's, your Postfix restrictions, am I right in thinking that they only
> apply to the 'Mail From' part of an SMTP transaction?

> If I'm right in thinking the check_sender_access only deals with the initial
> SMTP transaction and not the envelope, I can use it to block bad 'Mail From'
> commands but would need another filter to catch the faked envelope fields.

There is a slight confusion. You are right that this applies only to the SMTP 
transaction phase. However, this *is* the envelope. What you refer to with 
"envelope fields" are the normal header fields of the message.

> So I think a working filter would do the following:

Apart from doing what you suggested (which might prove difficult) you may 
simply switch off AWL as (according to the part of the message you quoted) this 
is the main contributing point that these mails are not detected as spam.



Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Faked _From_ field using our domain - how to filter/score?

Posted by Skaz <m-...@swarthmore.org.uk>.
I'm feeling popular for once; 14 replies!  Never in all my life ... .. .

Anyhow, thanks once again to all who've offered suggestions.

Just to clarify a couple of points:

1)  Kai, yes external mail as in mail (sending or receiving) originating
external to our network in terms of IP, not physically.  When I think on it
though, I'll just insist we use RDP or VPN for access when I set it up. 
We've got the bandwidth and it makes things easier so I won't have to worry
about 'Froms' and the like mismatching with HELO's, etc.  Blocking all mail
from an external address with claims to be from *@mynetwork.com is fine.

2)  Benny I know Kai's solution doesn't use SPF.  As I understand it SPF
deals only with envelope security, not the body, which is where the 'From'
field is.  If there are any extensions to the standard SPF - or I've just
got it wrong - which allow you to check the envelope, I'd like to hear more. 
I'll check the Postfwd daemon when I've the chance, though I'd rather do it
with Spamassassin if possible as that's in place already.

3)  Kai's, your Postfix restrictions, am I right in thinking that they only
apply to the 'Mail From' part of an SMTP transaction?  A variation on this
spam problem is people cramming a lot of valid addresses into the CC, BCC,
etc. fields so as to make it look like not only did another staff member
send it, but lots of other members of staff got the message too, so that's a
good reason to open it, isn't it?  Or so the thinking goes.

4)  Ted those domains are there as we check outgoing as much as incoming
mail: too many people bringing their own laptops in and plugging them in
wherever.  I could move the records to an internal view mind so cheers for
the pointer.

If I'm right in thinking the check_sender_access only deals with the initial
SMTP transaction and not the envelope, I can use it to block bad 'Mail From'
commands but would need another filter to catch the faked envelope fields. 
So I think a working filter would do the following:


If the originating IP is outside of predetermined IP addresses/domains and
has a from, cc, bcc, any other I don't know about, address consisting of
*@mynet.com it gets ideally a spamassassin score or if not, just ditched.


Once again, thanks for all the responses.


Calum.
-- 
View this message in context: http://old.nabble.com/Faked-_From_-field-using-our-domain---how-to-filter-score--tp27132211p27160797.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: [sa] Re: Faked _From_ field using our domain - how to filter/score?

Posted by Charles Gregory <cg...@hwcn.org>.
On Wed, 13 Jan 2010, Mike Wallace wrote:
: I do this but it only works for rejecting a forged envelope. It doesn't 
: work if it's only a forged From header which the example shows.
: 
: Does anyone know of a way to handle this type of scenario, where the 
: envelope From is valid and the From header is forged and typically 
: matches the To header?

The key word here is 'valid'. You need to decide what makes the appearance 
of the 'From' header 'valid', and thereby categorize a message as spam 
when it fails to exhibit all the criteria of a valid e-mail from that 
sender. Nearly all methodology involves a degree of 'configuration' 
supplied by the user.

1) Reject all mail where the sender envelope does not match the 'From' 
header.  Or reject all mail originating from anywhere other than an 
'authorized' source. 
    - Obviously this FP's on mailing list mail, so the user must supply 
      a LIST of valid senders (or other identifying criteria) when their
      address will appear in a 'From' header of mail they do not send.

2) If the users agrees and understands (good luck with that! LOL) you can 
have them specify (by any convenient mechanism including an e-mail to a 
robot) their full legitimate 'From' header. Most spam that uses a faked 
From header does not have a way to generate the correct 'name' portion of 
the header. 

    For example, I personally have a test for:
    header From =~ /^"?([^C]|C[^h]|Ch[^a])[^<]+...@hwcn.org>/

I also add a modest score for a similar hit on the 'To' header.

- Charles
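
Charles's display-name test, generalised to a table of registered From: names, as an added example in Python (it is not his rule and not SpamAssassin code). The addresses and names in LEGIT_FROM are made up; the assumption, as Charles describes, is that each user has supplied the exact From: they send with.

```python
import re

# Assumption: each user registers the exact From: they send with (Charles
# suggests collecting it by mail to a robot).  Constructed sample table.
LEGIT_FROM = {
    "charles@example.org": "Charles Gregory",
    "alice@example.org": "Alice Staff",
}

def name_pattern(addr, name):
    """Regex in the shape of Charles's rule: the header ends in this address but
    the display name in front of it does not start with the registered name.
    A negative lookahead stands in for his ([^C]|C[^h]|Ch[^a]) alternation; the
    optional opening quote sits inside the lookahead so a quoted legitimate
    name cannot be matched by backtracking, and [^<]* (not [^<]+) means a bare
    <address> with no display name at all is flagged as well."""
    return re.compile(r'^(?!"?' + re.escape(name) + r')[^<]*<' + re.escape(addr) + r'>\s*$', re.I)

PATTERNS = {addr: name_pattern(addr, name) for addr, name in LEGIT_FROM.items()}

def forged_name_hits(headers):
    """headers: dict of header name -> value.  Returns (header, address) pairs
    whose display name is not the registered one, checking To: as well, which
    Charles scores more modestly."""
    hits = []
    for field in ("From", "To"):
        value = headers.get(field, "").strip()
        for addr, pattern in PATTERNS.items():
            if pattern.match(value):
                hits.append((field, addr))
    return hits
```

The pattern string that name_pattern builds is what would go on the right-hand side of a `header ... From =~ /.../` line; the dict-driven check only shows the same test applied across several users at once.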

Re: Faked _From_ field using our domain - how to filter/score?

Posted by Kai Schaetzl <ma...@conactive.com>.
Mike Wallace wrote on Wed, 13 Jan 2010 14:39:13 -0500:

> I do this but it only works for rejecting a forged envelope. It doesn't
> work if it's only a forged From header which the example shows.

Yes, it doesn't work if only the From is forged. You could compare To and 
From in SA and disallow if they match. Or you could compare envelope_from 
(if correctly set) and From in SA and fire if they don't. 
I think the SMTP AUTH status may also be available in SA or you could 
parse that out with a header check and then fire if the mail is not from 
an internal source or SMTP AUTHed.
But you will probably have to have some whitelisting for instance for 
mailing lists, and other caveats. Basically, I think you can use this only 
as a temporary measure if you get a lot of this spam to a specific domain. 
Not as a global solution.
SPF in SA might be suited for that.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
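
The scoring Calum sketches in his reply (our domain in From/Cc/Bcc while the originating IP is outside our networks) and the checks Kai lists here (From: against To:, envelope sender against From:, exempting SMTP AUTH and mailing-list mail) put together as one scoring function, as an added example in Python rather than SpamAssassin rule syntax; it is not code from the thread or from SpamAssassin. OUR_DOMAIN, the network ranges, the relay names, the scores and the three sample messages are all constructed, and 'with ESMTPSA' as the marker of an authenticated submission is an assumption about the MTA.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

OUR_DOMAIN = "ourdomain.ac.uk"                          # assumption: the domain we protect
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),     # assumption: our own ranges
                 ipaddress.ip_network("127.0.0.0/8")]
TRUSTED_RELAYS = {"localhost", "ourmailserver." + OUR_DOMAIN}   # assumption: our hops
SCORES = {                                               # assumption: illustrative weights
    "FROM_OURDOMAIN_EXTERNAL": 4.0,  # our domain in From/Cc/Bcc, origin outside, no SMTP AUTH
    "ENVFROM_MISMATCH": 1.5,         # Return-Path domain differs from the From: domain
    "FROM_EQUALS_TO": 1.0,           # From: and To: are the same address
}
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.I)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(msg):
    """IP of the first hop that is not one of our relays, or None when every hop
    is ours.  Received: lines are newest first, so walk down and skip the hops
    our trusted relays added (the job trusted_networks does in SpamAssassin)."""
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(rcvd.strip())
        if m and m.group(1).lower() in TRUSTED_RELAYS:
            continue
        ip = RECEIVED_IP.search(rcvd)
        if ip:
            return ipaddress.ip_address(ip.group(1))
    return None

def is_internal(ip):
    return ip is None or any(ip in net for net in INTERNAL_NETS)

def was_authenticated(msg):
    """Assumption: the MTA records SMTP AUTH submissions as 'with ESMTPSA'."""
    return any(re.search(r"\bwith\s+ESMTPSA\b", r) for r in msg.get_all("Received", []))

def addresses(msg, *fields):
    values = [v for f in fields for v in msg.get_all(f, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def score_message(raw):
    """Return ({rule: score}, total) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = {}
    # Kai's caveat: list traffic legitimately carries our address in From:,
    # so mail with list headers is exempt here (assumption: List-Id suffices).
    if msg["List-Id"] or msg["List-Post"]:
        return hits, 0.0
    ours = [a for a in addresses(msg, "From", "Cc", "Bcc") if domain_of(a) == OUR_DOMAIN]
    if not ours:
        return hits, 0.0
    if not is_internal(origin_ip(msg)) and not was_authenticated(msg):
        hits["FROM_OURDOMAIN_EXTERNAL"] = SCORES["FROM_OURDOMAIN_EXTERNAL"]
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    env_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if env_from and domain_of(env_from) != domain_of(from_addr):
        hits["ENVFROM_MISMATCH"] = SCORES["ENVFROM_MISMATCH"]
    if from_addr and from_addr in addresses(msg, "To"):
        hits["FROM_EQUALS_TO"] = SCORES["FROM_EQUALS_TO"]
    return hits, round(sum(hits.values()), 2)

# Constructed samples modelled on the post's headers; hosts, IPs and ids are made up.
FORGED = """\
Received: from localhost (localhost.localdomain [127.0.0.1]) by
 ourmailserver.ourdomain.ac.uk (Postfix) with ESMTP id AAAA
Received: from ourmailserver.ourdomain.ac.uk ([127.0.0.1]) by localhost
 (ourmailserver.ourdomain.ac.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BBBB
Received: from pool-host.example.net (pool-host.example.net [203.0.113.45]) by
 ourmailserver.ourdomain.ac.uk (Postfix) with ESMTP id CCCC
Return-Path: <spammer@example.com>
From: <staff@ourdomain.ac.uk>
To: <staff@ourdomain.ac.uk>
Subject: constructed forged sample
"""
ROAD_WARRIOR = """\
Received: from laptop.example.net (laptop.example.net [198.51.100.7]) by
 ourmailserver.ourdomain.ac.uk (Postfix) with ESMTPSA id DDDD
Return-Path: <alice@ourdomain.ac.uk>
From: Alice Staff <alice@ourdomain.ac.uk>
To: bob@ourdomain.ac.uk
Subject: constructed authenticated submission
"""
LIST_MAIL = """\
Received: from lists.example.org (lists.example.org [192.0.2.10]) by
 ourmailserver.ourdomain.ac.uk (Postfix) with ESMTP id EEEE
List-Id: <users.lists.example.org>
Return-Path: <users-bounces@lists.example.org>
From: staff@ourdomain.ac.uk
To: users@lists.example.org
Subject: constructed list copy of our own post
"""
```

Run score_message over each sample: the forged one collects all three hits (6.5 with these weights), the authenticated road-warrior submission and the list copy both score 0. The two hops added by the local Postfix and amavisd-new are skipped by name, which is exactly the distinction the AWL needs as well: if those hops were treated as the origin, every message would appear to come from 127.0.0.1.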




Re: Faked _From_ field using our domain - how to filter/score?

Posted by Benny Pedersen <me...@junc.org>.
On Wed 13 Jan 2010 08:39:13 PM CET, Mike Wallace wrote

> I do this but it only works for rejecting a forged envelope. It  
> doesn't work if it's only a forged From header which the example  
> shows.

and you get spam from spf pass domains where From: is spf fail ?

> Does anyone know of a way to handle this type of scenario, where the  
> envelope From is valid and the From header is forged and typically  
> matches the To header?

pastebin an example somewhere :)

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Faked _From_ field using our domain - how to filter/score?

Posted by Mike Wallace <mi...@mlrw.com>.
I do this but it only works for rejecting a forged envelope. It doesn't work if it's only a forged From header which the example shows.

Does anyone know of a way to handle this type of scenario, where the envelope From is valid and the From header is forged and typically matches the To header?

Mike Wallace
mike@mlrw.com



On Jan 12, 2010, at 3:20 PM, Kai Schaetzl wrote:

> Callum Millard wrote on Tue, 12 Jan 2010 18:17:44 +0000:
> 
>> Postfix
> 
> Postfix? Easy. 
> 
> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
>     check_recipient_access hash:/etc/mail/allow_recipients,
>     reject_non_fqdn_sender, reject_unknown_sender_domain,
>     check_sender_access hash:/etc/mail/access,
>     check_sender_access hash:/etc/mail/disallow_my_domains
> 
> Note the last one!
> 
> 
> Kai
> 
> -- 
> Get your web at Conactive Internet Services: http://www.conactive.com
> 
> 
> 
> 
> 
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
> 


Re: Faked _From_ field using our domain - how to filter/score?

Posted by Kai Schaetzl <ma...@conactive.com>.
Callum Millard wrote on Tue, 12 Jan 2010 18:17:44 +0000:

> Postfix

Postfix? Easy. 

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_recipient_access hash:/etc/mail/allow_recipients,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    check_sender_access hash:/etc/mail/access,
    check_sender_access hash:/etc/mail/disallow_my_domains

Note the last one!


Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: [sa] Faked _From_ field using our domain - how to filter/score?

Posted by Kai Schaetzl <ma...@conactive.com>.
> In the latter case, you can use the suggested check 
> for domains,

It doesn't matter which other mail servers the clients use.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




RE: [sa] Faked _From_ field using our domain - how to filter/score?

Posted by Callum Millard <ca...@swarthmore.org.uk>.
Thanks to all who've replied.

SPF won't catch this type of spam as that only deals with the envelope and the faked field is in the body.  We already have SPF set up anyhow which obviously catches a fair few faked HELO's.

Kai's suggestion for Postfix will work for now, so thanks for that.  However I will need to drop that restriction once I set up external mail access so being able to score messages with a faked 'From' field is what I'd ideally like to do: and will need to do in the nearish future.  Is there a rule(set) around at the minute which can do this or do I need to learn Perl?


Calum.


-----Original Message-----
From: John Hardin [mailto:jhardin@impsec.org] 
Sent: 12 January 2010 21:18
To: 'users@spamassassin.apache.org'
Subject: Re: [sa] Faked _From_ field using our domain - how to filter/score?

On Tue, 12 Jan 2010, Charles Gregory wrote:

> On Tue, 12 Jan 2010, Callum Millard wrote:
> : The problem is spam with a faked 'From:' field.  Spammers are sending
> : e-mails to our domain with the 'From:' field set to a valid e-mail
> : address from our domain.
>
> Unfortunately, if you permit use of your domain name as a 'From' for 
> users on other connections (home DSL, etc), then you can only use a 
> minimal score in SA and must look for other spamsign.

If you do that you should require they use authenticated and encrypted 
SMTP. SPF et. al. can be bypassed if that is known.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Taking my gun away because I *might* shoot someone is like cutting
   my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                   -- Peter Venetoklis
-----------------------------------------------------------------------
  5 days until Benjamin Franklin's 304th Birthday

Re: [sa] Faked _From_ field using our domain - how to filter/score?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 12 Jan 2010, Charles Gregory wrote:

> On Tue, 12 Jan 2010, Callum Millard wrote:
> : The problem is spam with a faked 'From:' field.  Spammers are sending
> : e-mails to our domain with the 'From:' field set to a valid e-mail
> : address from our domain.
>
> Unfortunately, if you permit use of your domain name as a 'From' for 
> users on other connections (home DSL, etc), then you can only use a 
> minimal score in SA and must look for other spamsign.

If you do that you should require they use authenticated and encrypted 
SMTP. SPF et. al. can be bypassed if that is known.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Taking my gun away because I *might* shoot someone is like cutting
   my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                   -- Peter Venetoklis
-----------------------------------------------------------------------
  5 days until Benjamin Franklin's 304th Birthday

Re: [sa] Faked _From_ field using our domain - how to filter/score?

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 12 Jan 2010, Callum Millard wrote:
: The problem is spam with a faked 'From:' field.  Spammers are sending 
: e-mails to our domain with the 'From:' field set to a valid e-mail 
: address from our domain. 

Key question: Can your users send mail 'From' their internal addresses via 
ANY internet connection, or MUST they use your mail server via approved 
internal connections? In the latter case, you can use the suggested check 
for domains, or set up your SPF record for your domain.

Unfortunately, if you permit use of your domain name as a 'From' for users 
on other connections (home DSL, etc), then you can only use a minimal 
score in SA and must look for other spamsign. 

- Charles


Re: Faked _From_ field using our domain - how to filter/score?

Posted by Jonas Eckerman <jo...@fsdb.org>.
> 1.  It shows up as internal mail so gets -6 points or so from the 
> auto-whitelist thus giving it a decent chance of getting through.

If it shows up as internal mail even though its external something is 
wrong.

The AWL takes both the sender's email address and the sending system's 
IP address into account. For some reason it seems it can't differentiate 
between the relevant sending systems in your setup.

Regards
/Jonas
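
Jonas's point, worked through as an added example: a simplified Python model of the AWL bookkeeping (not the plugin's own code) showing why a forged From: inherits a sender's ham history when the originating IP is not told apart. Assumptions: the entry key is the sender address plus the first two octets (/16) of the originating IP, as in SpamAssassin 3.2; the adjustment is (mean of past scores - this score) * auto_whitelist_factor with the default factor 0.5; the address, IPs and scores are constructed, with the 4.7 threshold taken from the headers in the original post.

```python
AUTO_WHITELIST_FACTOR = 0.5      # SpamAssassin default for auto_whitelist_factor
REQUIRED_SCORE = 4.7             # required=4.7 from the X-Spam-Status in the post

def awl_key(sender, origin_ip):
    """AWL entries are keyed on the sender address plus the first two octets
    (/16) of the originating IP, so one sender's history is split per sending
    network rather than kept per address alone."""
    a, b = origin_ip.split(".")[:2]
    return f"{sender.lower()}|ip={a}.{b}"

class AutoWhitelist:
    """Minimal model of the AWL plugin's bookkeeping: per key, how many
    messages were seen and the sum of their pre-AWL scores."""
    def __init__(self):
        self.entries = {}            # key -> (count, total score)

    def adjust(self, sender, origin_ip, score):
        """Return the AWL adjustment for a message that scored `score` before
        AWL, then record that score in the key's history.  A key with no
        history gets no adjustment, only a first entry."""
        key = awl_key(sender, origin_ip)
        count, total = self.entries.get(key, (0, 0.0))
        delta = 0.0
        if count:
            delta = (total / count - score) * AUTO_WHITELIST_FACTOR
        self.entries[key] = (count + 1, total + score)
        return round(delta, 3)

def forged_from_final_score(origin_ips_distinguished):
    """Five genuine hams from alice on the LAN, then one forgery using her
    address from an outside host.  With trusted_networks right, the forgery's
    origin is the outside host and shares no history; when every message looks
    as if it came from 127.0.0.1 (the amavisd-new re-injection hop), the
    forgery inherits alice's ham history.  All scores are constructed."""
    awl = AutoWhitelist()
    sender = "alice@ourdomain.ac.uk"                  # assumption: a staff address
    lan_ip = "10.0.0.5" if origin_ips_distinguished else "127.0.0.1"
    outside_ip = "203.0.113.45" if origin_ips_distinguished else "127.0.0.1"
    for _ in range(5):
        awl.adjust(sender, lan_ip, -5.0)              # typical ham score
    pre_awl = 8.7                                     # forgery's score before AWL
    return round(pre_awl + awl.adjust(sender, outside_ip, pre_awl), 2)
```

With distinct origin IPs the forgery keeps its 8.7; with every message keyed to 127.0 it receives an adjustment of -6.85 and lands at 1.85, under the 4.7 threshold, which is the shape of the AWL=-6.560 line in the original headers.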