Posted to server-user@james.apache.org by andy <an...@hazlorealidad.com> on 2006/04/19 16:02:33 UTC

[Fwd: RE: How to reject hoax messages]

Please can somebody help

I sent a message a few days ago and am still confused,

Basically the problem seems to be that xyz@spam.com sends a message to
user@localhost forging it as if it were from webmaster@localhost

I don't really understand the processing pipeline and mailets.

Please can somebody tell me how to stop this happening.

Thanks in advance 

Andy Bailey

www.hazlorealidad.com

--------- Forwarded message --------
> Subject: RE: How to reject hoax messages
> Date: Thu, 13 Apr 2006 21:37:13 -0500
> Noel,
> 
> Thanks for the quick response, but I am still confused.
> 
> I understand that if there was a virus attached ClamAV would help, 
> 
> But there must be a way to filter out messages that claim to be sent
> from an address that they are not from.
> 
> 
> Unfortunately I don't have the mail headers,
> but what happens is that <Er...@ru.ru> is sending mail from
> [218.188.19.28], which is not the local IP, and sends the message as if
> it were from webmaster@nameOfLocalhost. 
> 
> There has to be a way of blocking this.
> 
> You say it's to do with authentication.
> 
> In my configuration I have
> 
>     <authRequired>true</authRequired>
>     <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
> 
> Do the logs show if he authenticated? I don't understand; the other users I
> have have to authenticate themselves to send a message, and I hope I
> have James configured to not be a relay.
> 
> Obviously if a mail server sends mail to my domain the server will
> accept it without requiring authorization, the point is how are they
> able to send it as if it's from the local domain.
> 
> 
> Thanks
> 
> Andy Bailey
> 
> 
> 11/04/06 12:24:53 DEBUG smtpserver: Command received: HELO RSTN-SERVER
> 11/04/06 12:24:53 DEBUG smtpserver: Sent: 250-hazlo.hazlorealidad.com
> Hello RSTN-SERVER (218.188.19.28 [218.188.19.28])
> 11/04/06 12:24:53 DEBUG smtpserver: Sent: 250-AUTH LOGIN PLAIN
> 11/04/06 12:24:53 DEBUG smtpserver: Sent: 250 AUTH=LOGIN PLAIN
> 11/04/06 12:24:53 DEBUG smtpserver: Calling reset() default Worker #12
> 11/04/06 12:24:55 DEBUG smtpserver: Command received: MAIL FROM:
> <Er...@ru.ru>
> 
> 
> 
> On Thu, 13 Apr 2006 at 18:09 -0400, Noel J. Bergman wrote:
> > > a spammer/virus each message has a virus attached.
> > 
> > I run ClamAV, which would filter those out.
> > 
> > > What can I do to reject messages that appear to be from an
> > > account that they are not from.
> > 
> > SPF would be one approach, but we don't have SPF support, yet.  Another
> > would be to require SMTP AUTH for local senders, or known subnets.
> > 
> > 	--- Noel
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> > For additional commands, e-mail: server-user-help@james.apache.org
> > 
> 
> 


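Noel's second suggestion (require SMTP AUTH for senders that claim a local domain unless the client is in a trusted subnet) can be checked against the smtpserver DEBUG log Andy pasted, since the log already carries the client address, the AUTH commands and the MAIL FROM. The Python below is an added example, not James code or a mailet: it parses constructed log lines in the format quoted above (the AUTH line and the second and third sessions are invented, and the wrapped "Hello ..." reply is assumed to be a single line in the real log) and reports sessions where MAIL FROM claims a local domain from an unauthenticated client outside authorizedAddresses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the "DEBUG smtpserver" lines quoted in the
# thread. The AUTH line and the second and third sessions are invented; the
# "Hello ..." reply is assumed to be one log line (the mail client wrapped it).
SAMPLE_LOG = """\
11/04/06 12:24:53 DEBUG smtpserver: Command received: HELO RSTN-SERVER
11/04/06 12:24:53 DEBUG smtpserver: Sent: 250-hazlo.hazlorealidad.com Hello RSTN-SERVER (218.188.19.28 [218.188.19.28])
11/04/06 12:24:53 DEBUG smtpserver: Sent: 250-AUTH LOGIN PLAIN
11/04/06 12:24:53 DEBUG smtpserver: Sent: 250 AUTH=LOGIN PLAIN
11/04/06 12:24:55 DEBUG smtpserver: Command received: MAIL FROM: <webmaster@hazlorealidad.com>
11/04/06 12:30:01 DEBUG smtpserver: Command received: EHLO laptop
11/04/06 12:30:01 DEBUG smtpserver: Sent: 250-hazlo.hazlorealidad.com Hello laptop (127.0.0.1 [127.0.0.1])
11/04/06 12:30:02 DEBUG smtpserver: Command received: AUTH PLAIN
11/04/06 12:30:03 DEBUG smtpserver: Command received: MAIL FROM: <andy@hazlorealidad.com>
11/04/06 12:35:10 DEBUG smtpserver: Command received: HELO mx.example.net
11/04/06 12:35:10 DEBUG smtpserver: Sent: 250-hazlo.hazlorealidad.com Hello mx.example.net (192.0.2.10 [192.0.2.10])
11/04/06 12:35:11 DEBUG smtpserver: Command received: MAIL FROM: <someone@example.net>
"""

HELLO_RE = re.compile(r"Command received: (?:HELO|EHLO)\b")
CLIENT_RE = re.compile(r"Hello \S+ \(\S+ \[([0-9A-Fa-f.:]+)\]\)")
AUTH_RE = re.compile(r"Command received: AUTH\b")
MAIL_FROM_RE = re.compile(r"Command received: MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


@dataclass
class Session:
    """What the log tells us about one SMTP session."""
    client_ip: Optional[str] = None
    authenticated: bool = False
    mail_from: Optional[str] = None


def parse_sessions(log_text: str) -> List[Session]:
    """Split the log into sessions, starting a new one at each HELO/EHLO."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in log_text.splitlines():
        if HELLO_RE.search(line):
            current = Session()
            sessions.append(current)
            continue
        if current is None:
            continue
        m = CLIENT_RE.search(line)
        if m:
            current.client_ip = m.group(1)
            continue
        if AUTH_RE.search(line):
            # Records only that AUTH was attempted; a stricter check would also
            # require the 235 reply, which this constructed log does not show.
            current.authenticated = True
            continue
        m = MAIL_FROM_RE.search(line)
        if m:
            current.mail_from = m.group(1).strip().lower()
    return sessions


def find_spoofed_local_senders(log_text, local_domains, authorized_networks) -> List[Tuple[str, str]]:
    """Return (client_ip, mail_from) for sessions that claim a local sender
    domain without SMTP AUTH from an address outside authorizedAddresses."""
    nets = [ipaddress.ip_network(n) for n in authorized_networks]
    local = {d.lower() for d in local_domains}
    hits = []
    for s in parse_sessions(log_text):
        if not s.mail_from or "@" not in s.mail_from or s.client_ip is None:
            continue
        if s.mail_from.rsplit("@", 1)[1] not in local:
            continue
        ip = ipaddress.ip_address(s.client_ip)
        if s.authenticated or any(ip in n for n in nets):
            continue
        hits.append((s.client_ip, s.mail_from))
    return hits


if __name__ == "__main__":
    for ip, sender in find_spoofed_local_senders(SAMPLE_LOG, ["hazlorealidad.com"], ["127.0.0.0/8"]):
        print(f"unauthenticated local sender {sender} from {ip}")
```

Run against the sample, only the first session is reported: it claims webmaster@hazlorealidad.com from 218.188.19.28 with no AUTH, which is exactly the case Andy describes. The second session authenticated and the third one claims a foreign domain, so both pass; the same rule, applied at MAIL FROM time rather than over the log afterwards, is the reject-on-sight policy Noel has in mind.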


Re: [Fwd: RE: How to reject hoax messages]

Posted by Danny Angus <da...@apache.org>.
It might be worth investigating SpamAssassin for this; there is a
SpamAssassin mailet somewhere, perhaps someone on this list can
remind us where to get it from.

On 20/04/06, BJ <bj...@free-man.com> wrote:
> here is the scenario
> the server queries who is sending.
> the sender can put any email address in there.
>
> To stop this a mailet needs to check that the IP address in the header
> matches the domain of the email address, and Vpf record in the dns
> server for the domain.
> it should also store the IP address as a spam address.
>
>
> finally, for the forged domains,
> the mailet looks up arin.net for the abuse address of the IP, then sends
> an email with something like:
>
> The sender of the email below, has spoofed the Domain name.
> they have no authorization to use businessesnetwork.com
> All businessesnetwork.com mail originates from xx.xx.xx.*, not
> 71.241.65.96 (the IP in the email header)
>
> then include the email and header.
>
>
> I have been slowly working on the mailet(s) to accomplish this.
>
>
> as far as processing, the mailets are executed sequentially.
> if a mailet fails it can be configured to stop the sequencing.
>
>



Re: [Fwd: RE: How to reject hoax messages]

Posted by BJ <bj...@free-man.com>.
here is the scenario
the server queries who is sending.
the sender can put any email address in there.

To stop this a mailet needs to check that the IP address in the header 
matches the domain of the email address, and Vpf record in the dns 
server for the domain.
it should also store the IP address as a spam address.


finally, for the forged domains,
the mailet looks up arin.net for the abuse address of the IP, then sends 
an email with something like:

The sender of the email below, has spoofed the Domain name.
they have no authorization to use businessesnetwork.com
All businessesnetwork.com mail originates from xx.xx.xx.*, not 
71.241.65.96 (the IP in the email header)

then include the email and header.


I have been slowly working on the mailet(s) to accomplish this.


as far as processing, the mailets are executed sequentially.
if a mailet fails it can be configured to stop the sequencing.



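What BJ sketches is essentially an SPF check: does the connecting IP fall inside the ranges the sender's domain publishes in DNS? The Python below is an added example, not BJ's mailet and not James code. It evaluates a simplified SPF record against a constructed in-memory DNS table (the record contents and address ranges are invented; 71.241.65.96 and businessesnetwork.com are taken from his post) and wraps the verdict in one sequential check that remembers hard-failing client IPs, as he proposes. Only the ip4, ip6 and all mechanisms are handled; a production mailet should use a full SPF implementation, since include, redirect, a, mx and macro expansion (RFC 7208) are not covered here, and the abuse-contact notification he mentions is left out.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed stand-in for DNS TXT lookups (domain -> TXT records). A real
# mailet would query DNS; the ranges are documentation addresses, and the
# records themselves are invented for this illustration.
FAKE_DNS_TXT: Dict[str, List[str]] = {
    "businessesnetwork.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "hazlorealidad.com": ["v=spf1 ip4:198.51.100.25 ~all"],
    "nospf.example": ["this domain publishes no SPF record"],
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str, dns=FAKE_DNS_TXT) -> Optional[str]:
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for record in dns.get(domain.lower(), []):
        if record.lower().startswith("v=spf1"):
            return record
    return None


def evaluate_spf(client_ip: str, sender: str, dns=FAKE_DNS_TXT) -> str:
    """Check whether client_ip is allowed to send mail for the sender's domain.

    Returns pass / fail / softfail / neutral / none / permerror. Only the ip4,
    ip6 and all mechanisms are evaluated; include, a, mx, redirect and macros
    are out of scope for this illustration and yield permerror.
    """
    domain = sender.rsplit("@", 1)[-1]
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                # An IPv6 client never matches an ip4 range, and vice versa.
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        else:
            return "permerror"
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched: RFC 7208 default


def check_sender(client_ip: str, sender: str, blocklist: Set[str], dns=FAKE_DNS_TXT) -> str:
    """One step of a sequential check, in the spirit of the mailet BJ describes:
    a hard SPF failure is rejected and the client IP is remembered; soft
    failures and records this code cannot evaluate are flagged for scoring."""
    if client_ip in blocklist:
        return "reject"
    result = evaluate_spf(client_ip, sender, dns)
    if result == "fail":
        blocklist.add(client_ip)
        return "reject"
    if result in ("softfail", "permerror"):
        return "flag"
    return "accept"


if __name__ == "__main__":
    seen: Set[str] = set()
    print(check_sender("71.241.65.96", "ceo@businessesnetwork.com", seen))  # reject
    print(check_sender("203.0.113.7", "ceo@businessesnetwork.com", seen))  # accept
```

Two design points worth keeping even in a real implementation: a domain with no SPF record yields "none" rather than a rejection, so unsigned domains are not bounced by mistake, and softfail is flagged rather than rejected, which is what most SPF deployments expect of receivers.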