Posted to users@spamassassin.apache.org by JD...@languageworks.com on 2008/08/22 18:51:28 UTC

Spam from your email address.

How can I tackle spam that came from my own e-mail address that I did not 
send. Any info on how to prevent this will be greatly appreciated. 

Re: Spam from your email address.

Posted by Chris <cp...@embarqmail.com>.
On Friday 22 August 2008 12:45 pm, mouss wrote:
> Rob McEwen wrote:
> > JDavila@languageworks.com wrote:
> >> How can I tackle spam that came from my own e-mail address that I did
> >> not send. Any info on how to prevent this will be greatly appreciated.
> >
> > I'm not a big fan of Sender Policy Framework (SPF). But if/when
> > something like this happens to me or a client, I find it helps to set a
> > very strict SPF record saying that mail from that domain should *only*
> > come from your main official mail server. That way, recipients of such
> > spam will have more tools available for blocking such messages.
>
> He can set up a rule to add some points if the From header contains his
> domain except if the message "is ALL_TRUSTED". The details depend on his
> mail flow architecture.
>
Here are a few rules that I got somewhere a long time ago. I'm sure the author,
if they're around, will remind me who they are:

header   RM_t_bobbf     ToCc =~ /cpollock\@earthlink\.com/ # 98%+ spam
describe RM_t_bobbf     Definite spam destination email address
score    RM_t_bobbf     0.3
header   RM_t_bobbf2    From =~ /cpollock\@embarqmail\.com/i
describe RM_t_bobbf2    Definitely not from me
score    RM_t_bobbf2    0.3



-- 
Chris
KeyID 0xE372A7DA98E6705C

Re: Spam from your email address.

Posted by mouss <mo...@netoyen.net>.
Rob McEwen wrote:
> JDavila@languageworks.com wrote:
>> How can I tackle spam that came from my own e-mail address that I did 
>> not send. Any info on how to prevent this will be greatly appreciated.
>>   
> 
> I'm not a big fan of Sender Policy Framework (SPF). But if/when 
> something like this happens to me or a client, I find it helps to set a 
> very strict SPF record saying that mail from that domain should *only* 
> come from your main official mail server. That way, recipients of such 
> spam will have more tools available for blocking such messages.
> 


He can set up a rule to add some points if the From header contains his 
domain except if the message "is ALL_TRUSTED". The details depend on his 
mail flow architecture.


> The second problem is that you are probably seeing much backscatter from 
> mis-configured servers sending out separate e-mails to your address 
> complaining about spam you didn't send. A good solution for that is to 
> run UCEProtect's backscatterer list (http://www.backscatterer.org/). But 
> don't outright block on that list (unless you are desperate, this can be 
> applied to a single account, and are unable to do my additional 
> recommendations...)
> 
> Instead, it would be better to block if the sending IP is in 
> backscatterer.org *combined* with another attribute, such as the SMTP 
> Envelope reporting a "from" address that contains the term "postmaster" 
> or "mailer-daemon". Otherwise, you will probably have a significant 
> amount of FPs.

and if possible, only do that if the client tries to send mail. 
otherwise, you'll also block sites that do CBV/SAV/* (sender 
verification callout) such as lists.sourceforge.net.
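
The rule mouss describes, sketched as SpamAssassin configuration. This is an added example, not something posted in the thread: `example.com`, the 192.0.2.0/24 range, the rule names and the score are placeholders, and `ALL_TRUSTED` only gives the right answer when `trusted_networks`/`internal_networks` match your actual mail flow.

```conf
# local.cf: added example; example.com stands in for your own domain.

# Tell SA which relays are yours, so ALL_TRUSTED fires only for mail that
# never passed through an outside host. 192.0.2.0/24 is a documentation
# range used here as a placeholder for your own servers.
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24

# Sub-rule (leading "__" means it carries no score of its own):
# the address in the From: header is in our domain.
header   __LOCAL_FROM_MYDOMAIN  From:addr =~ /\@example\.com$/i

# Score only when such a message passed through at least one untrusted relay.
meta     LOCAL_FORGED_MYDOMAIN  (__LOCAL_FROM_MYDOMAIN && !ALL_TRUSTED)
describe LOCAL_FORGED_MYDOMAIN  From: uses our domain but arrived from outside
score    LOCAL_FORGED_MYDOMAIN  2.5
```

Mailing lists that keep the original From: header will trigger this rule when your own users' posts come back from the list server, so start with a moderate score and watch for false positives before raising it.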


Re: Spam from your email address.

Posted by ram <ra...@netcore.co.in>.
On Fri, 2008-08-22 at 13:11 -0400, JDavila@languageworks.com wrote:
> I do have an SPF record. I just don't understand how I can receive an email 
> from myself. In the headers it shows a completely different address. I am 
> not an open relay. I think I will try domain keys... next. 
> 
No wait. 
  Just make sure your MTA rejects mail on SPF Fail, or mark them as
spam in your SA. That should be enough for your own server.





Re: Spam from your email address.

Posted by John Hardin <jh...@impsec.org>.
On Fri, 22 Aug 2008, JDavila@languageworks.com wrote:

> I do have an SPF record. I just don't understand how I can receive an email 
> from myself.

Ah.  You didn't happen to put a "whitelist_from" with your address into 
your SA config file, did you? That's a _bad_ idea.

> In the headers it shows a completely different address. I am not an open 
> relay. I think I will try domain keys... next.

Another thing you can do, if your MTA is guaranteed to be the only source 
of mail from your domain, is to put an MTA-level check on the MAIL FROM: 
the other guy sends, and reject it as a forgery if it's an address in your 
domain.

milter-regex can do this pretty easily. See this for how I do it on my 
domains:

   http://www.impsec.org/~jhardin/antispam/milter-regex.conf

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
   adware architecture incorporating spyware, profiling, competitor
   suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
  2 days until the 1929th anniversary of the destruction of Pompeii

Re: Spam from your email address.

Posted by JD...@languageworks.com.
I do have an SPF record. I just don't understand how I can receive an email 
from myself. In the headers it shows a completely different address. I am 
not an open relay. I think I will try domain keys... next. 

Rob McEwen <ro...@invaluement.com> 
08/22/2008 01:00 PM

To
"users@spamassassin.apache.org" <us...@spamassassin.apache.org>
cc

Subject
Re: Spam from your email address.






JDavila@languageworks.com wrote:
> How can I tackle spam that came from my own e-mail address that I did 
> not send. Any info on how to prevent this will be greatly appreciated.
> 

I'm not a big fan of Sender Policy Framework (SPF). But if/when 
something like this happens to me or a client, I find it helps to set a 
very strict SPF record saying that mail from that domain should *only* 
come from your main official mail server. That way, recipients of such 
spam will have more tools available for blocking such messages.

The second problem is that you are probably seeing much backscatter from 
mis-configured servers sending out separate e-mails to your address 
complaining about spam you didn't send. A good solution for that is to 
run UCEProtect's backscatterer list (http://www.backscatterer.org/). But 
don't outright block on that list (unless you are desperate, this can be 
applied to a single account, and are unable to do my additional 
recommendations...)

Instead, it would be better to block if the sending IP is in 
backscatterer.org *combined* with another attribute, such as the SMTP 
Envelope reporting a "from" address that contains the term "postmaster" 
or "mailer-daemon". Otherwise, you will probably have a significant 
amount of FPs.

Hope this helps!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032




Re: Spam from your email address.

Posted by Rob McEwen <ro...@invaluement.com>.
JDavila@languageworks.com wrote:
> How can I tackle spam that came from my own e-mail address that I did not 
> send. Any info on how to prevent this will be greatly appreciated.
>   

I'm not a big fan of Sender Policy Framework (SPF). But if/when 
something like this happens to me or a client, I find it helps to set a 
very strict SPF record saying that mail from that domain should *only* 
come from your main official mail server. That way, recipients of such 
spam will have more tools available for blocking such messages.

The second problem is that you are probably seeing much backscatter from 
mis-configured servers sending out separate e-mails to your address 
complaining about spam you didn't send. A good solution for that is to 
run UCEProtect's backscatterer list (http://www.backscatterer.org/). But 
don't outright block on that list (unless you are desperate, this can be 
applied to a single account, and are unable to do my additional 
recommendations...)

Instead, it would be better to block if the sending IP is in 
backscatterer.org *combined* with another attribute, such as the SMTP 
Envelope reporting a "from" address that contains the term "postmaster" 
or "mailer-daemon". Otherwise, you will probably have a significant 
amount of FPs.

Hope this helps!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
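
The combined condition from the message above, expressed as a SpamAssassin scoring rule instead of an SMTP-time block. This is an added example, not something posted in the thread: the rule names and score are placeholders, and the DNSBL zone name `ips.backscatterer.org` is an assumption to confirm against the list's own documentation before use.

```conf
# local.cf: added example; requires network tests to be enabled.

# Sub-rule: the last external relay is listed by the backscatterer DNSBL.
# The zone name below is an assumption; check it against the list's docs.
header   __LOCAL_RCVD_BACKSCATTERER  eval:check_rbl('backscatterer-lastexternal', 'ips.backscatterer.org.')
tflags   __LOCAL_RCVD_BACKSCATTERER  net

# Sub-rule: the envelope sender contains "postmaster" or "mailer-daemon".
# A null envelope sender (<>) does not match this pattern.
header   __LOCAL_ENV_BOUNCE  EnvelopeFrom =~ /(?:postmaster|mailer-daemon)/i

# Score only when both attributes are present, never on the DNSBL hit alone.
meta     LOCAL_BACKSCATTER_COMBO  (__LOCAL_RCVD_BACKSCATTERER && __LOCAL_ENV_BOUNCE)
describe LOCAL_BACKSCATTER_COMBO  Listed relay plus bounce-style envelope sender
score    LOCAL_BACKSCATTER_COMBO  3.0
```

`EnvelopeFrom` only works when the MTA records the envelope sender in a header SpamAssassin can read (see the `envelope_sender_header` option); without it the second sub-rule never fires.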



Re: Spam from your email address.

Posted by John Hardin <jh...@impsec.org>.
On Fri, 22 Aug 2008, JDavila@languageworks.com wrote:

> How can I tackle spam that came from my own e-mail address that I did 
> not send. Any info on how to prevent this will be greatly appreciated.

That's called "sender forgery".

Unfortunately there's no real way to _prevent_ it. You can reduce it 
somewhat by employing various sender authentication mechanisms, such as by 
publishing an SPF record for your domain or by using DomainKeys/DKIM to 
sign your legitimate outbound mail. However, for these to work the 
recipients need to check that information, and not all recipients do this.

Implementing SPF and/or DomainKeys/DKIM for your outbound mail traffic is 
offtopic for this list; google those terms along with your MTA software 
name and you should be able to find useful information.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
   adware architecture incorporating spyware, profiling, competitor
   suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
  2 days until the 1929th anniversary of the destruction of Pompeii