Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2010/01/12 21:39:10 UTC

Re: [sa] Faked _From_ field using our domain - how to filter/score?

On Tue, 12 Jan 2010, Callum Millard wrote:
: The problem is spam with a faked 'From:' field.  Spammers are sending 
: e-mails to our domain with the 'From:' field set to a valid e-mail 
: address from our domain. 

Key question: Can your users send mail 'From' their internal addresses via 
ANY internet connection, or MUST they use your mail server via approved 
internal connections? In the latter case, you can use the suggested check 
for domains, or set up your SPF record for your domain.

Unfortunately, if you permit use of your domain name as a 'From' for users 
on other connections (home DSL, etc), then you can only use a minimal 
score in SA and must look for other spamsign. 

- Charles


Re: [sa] Faked _From_ field using our domain - how to filter/score?

Posted by Kai Schaetzl <ma...@conactive.com>.
> In the latter case, you can use the suggested check 
> for domains,

It doesn't matter which other mail servers the clients use.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




RE: [sa] Faked _From_ field using our domain - how to filter/score?

Posted by Callum Millard <ca...@swarthmore.org.uk>.
Thanks to all who've replied.

SPF won't catch this type of spam as that only deals with the envelope and the faked field is in the body.  We already have SPF set up anyhow which obviously catches a fair few faked HELO's.

Kai's suggestion for Postfix will work for now, so thanks for that.  However I will need to drop that restriction once I set up external mail access, so being able to score messages with a faked 'From' field is what I'd ideally like to do: and will need to do in the nearish future.  Is there a rule(set) around at the minute which can do this or do I need to learn Perl?


Calum.


-----Original Message-----
From: John Hardin [mailto:jhardin@impsec.org] 
Sent: 12 January 2010 21:18
To: 'users@spamassassin.apache.org'
Subject: Re: [sa] Faked _From_ field using our domain - how to filter/score?

On Tue, 12 Jan 2010, Charles Gregory wrote:

> On Tue, 12 Jan 2010, Callum Millard wrote:
> : The problem is spam with a faked 'From:' field.  Spammers are sending
> : e-mails to our domain with the 'From:' field set to a valid e-mail
> : address from our domain.
>
> Unfortunately, if you permit use of your domain name as a 'From' for 
> users on other connections (home DSL, etc), then you can only use a 
> minimal score in SA and must look for other spamsign.

If you do that you should require they use authenticated and encrypted 
SMTP. SPF et al. can be bypassed if that is known.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Taking my gun away because I *might* shoot someone is like cutting
   my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                   -- Peter Venetoklis
-----------------------------------------------------------------------
  5 days until Benjamin Franklin's 304th Birthday
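One way to score (rather than reject) a message whose From: header claims the local domain but did not arrive over a trusted path, as an added SpamAssassin local.cf example that is not part of any post in this thread. It assumes a placeholder domain example.org, placeholder relay addresses in 192.0.2.0/24, and SpamAssassin 3.2 or later for msa_networks; ALL_TRUSTED is the stock rule that fires when every Received: hop lies inside trusted_networks. The msa_networks line is what keeps the rule usable once external, authenticated submission is opened up: hops behind a listed MSA are treated as trusted, so a home-DSL user who submits with SMTP AUTH does not match, while a message injected from an arbitrary outside host with a forged From: does.

```text
# local.cf additions (added example, not from the thread). example.org and
# the 192.0.2.x addresses are placeholders for your own domain and relays.

# Hosts whose Received: headers SpamAssassin may believe.
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24

# SpamAssassin 3.2+: the submission host that requires SMTP AUTH. Mail that
# passed through it is treated as trusted beyond that hop, so roaming users
# who authenticate are not penalised by the rule below.
msa_networks      192.0.2.25

# From: header address ends in our domain (subrule; not scored on its own).
header   __LOCAL_FROM_OURDOM   From:addr =~ /\@example\.org$/i

# ...but at least one Received: hop is outside trusted_networks.
meta     LOCAL_FORGED_OURDOM   __LOCAL_FROM_OURDOM && !ALL_TRUSTED
describe LOCAL_FORGED_OURDOM   From: uses our domain but arrived via an untrusted host
# Modest score on purpose: combine with other spamsign rather than rejecting outright.
score    LOCAL_FORGED_OURDOM   2.5
```

Check the result with `spamassassin -D -t < message.eml` and confirm that LOCAL_FORGED_OURDOM appears in the hit list for a test message from an outside host and not for one submitted through the MSA; if trusted_networks is wrong, ALL_TRUSTED never fires and the rule hits everything, including legitimate internal mail.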

Re: [sa] Faked _From_ field using our domain - how to filter/score?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 12 Jan 2010, Charles Gregory wrote:

> On Tue, 12 Jan 2010, Callum Millard wrote:
> : The problem is spam with a faked 'From:' field.  Spammers are sending
> : e-mails to our domain with the 'From:' field set to a valid e-mail
> : address from our domain.
>
> Unfortunately, if you permit use of your domain name as a 'From' for 
> users on other connections (home DSL, etc), then you can only use a 
> minimal score in SA and must look for other spamsign.

If you do that you should require they use authenticated and encrypted 
SMTP. SPF et al. can be bypassed if that is known.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Taking my gun away because I *might* shoot someone is like cutting
   my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                   -- Peter Venetoklis
-----------------------------------------------------------------------
  5 days until Benjamin Franklin's 304th Birthday