Posted to users@spamassassin.apache.org by Per-Erik irt Persson <pe...@irt.kth.se> on 2013/08/21 09:59:01 UTC

reject unverified sender with input from spamassassin

I have used spamassassin as one of my tools to fight phishing for a while.

Recently this idea, which involves SMTP verification and log monitoring,
emerged.
Monitoring the syslog for certain phishy tags such as EMAIL_URI_PHISH or
similar and connecting this to a trigger that extracts the sender's
email address is giving me a nice overview today.
But hooking this up to a script that inserts the sender into the Postfix
access list and requesting SMTP verification for those specific senders
should work like a charm.

I can be quite aggressive in which tags I use, since I do not classify it
as phishing or not, just requesting that the sender actually exists.
This will not stop emails sent from legitimate email servers, but botnets
and hacked webservers will have a hard time configuring/reimplementing
something that works with SMTP verification.

Has someone done something similar before?
Or is SMTP verification just a path that you don't want to walk down?






Re: reject unverified sender with input from spamassassin

Posted by Robert Schetterer <rs...@sys4.de>.
On 21.08.2013 11:41, Per-Erik irt Persson wrote:
> On 08/21/2013 10:22 AM, Robert Schetterer wrote:
>> On 21.08.2013 09:59, Per-Erik irt Persson wrote:
>>> Or is SMTP verification just a path that you don't want to walk down?
>> Please read, e.g.:
>>
>> http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>>
>> ....
>>
>> Sender address verification for all email
>>
>> Unfortunately, sender address verification cannot simply be turned on
>> for all email
>>
>> ...
>>
>> So, in short: you may do sender verification in very, very special cases,
>> but never do it globally. The sender may be forged, so your verification does SMTP to
>> the original servers of the forged mail addresses, and in the end your server may get
>> blacklisted. It also doesn't work very well with "greylisting" servers.
>>
>> Try better ways, e.g. analyze your logs and see if SPF and DKIM checks may help, etc.
>>
> Thanks for the input, so far I have only added SMTP verification to
> email addresses that I suspect are hosted on hacked webservers and
> sending things that I assume are phishing.
> You are right that I could automatically rule out SMTP verification for
> sites that seem to use SPF and DKIM properly, no matter how phishy the
> content looks to SpamAssassin.
> If I collect enough evidence about a sender and the email server
> he/she/it actually comes from, I could just as well reject it.
> All this is combined with the frequency of the sender; phishing emails
> usually don't travel alone...
> 
> 

As I wrote,

you may do sender verification in very, very special cases, so if you have
enough "filter jedi power" before doing the verification, it might work fine for
your case/place.


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Re: reject unverified sender with input from spamassassin

Posted by Per-Erik irt Persson <pe...@irt.kth.se>.
On 08/21/2013 10:22 AM, Robert Schetterer wrote:
> On 21.08.2013 09:59, Per-Erik irt Persson wrote:
>> Or is SMTP verification just a path that you don't want to walk down?
> Please read, e.g.:
>
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
> ....
>
> Sender address verification for all email
>
> Unfortunately, sender address verification cannot simply be turned on
> for all email
>
> ...
>
> So, in short: you may do sender verification in very, very special cases,
> but never do it globally. The sender may be forged, so your verification does SMTP to
> the original servers of the forged mail addresses, and in the end your server may get
> blacklisted. It also doesn't work very well with "greylisting" servers.
>
> Try better ways, e.g. analyze your logs and see if SPF and DKIM checks may help, etc.
>
Thanks for the input, so far I have only added SMTP verification to
email addresses that I suspect are hosted on hacked webservers and
sending things that I assume are phishing.
You are right that I could automatically rule out SMTP verification for
sites that seem to use SPF and DKIM properly, no matter how phishy the
content looks to SpamAssassin.
If I collect enough evidence about a sender and the email server
he/she/it actually comes from, I could just as well reject it.
All this is combined with the frequency of the sender; phishing emails
usually don't travel alone...
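
The log-driven trigger from the original post, combined with the two refinements in this reply (skip senders whose domain authenticates with SPF and DKIM, and require repeated hits), as an added worked example that is not part of this thread and not code from either poster. It assumes a Postfix + spamd setup where spamd logs "result:" lines with mid=<Message-ID>, Postfix cleanup logs the queue ID with message-id=<...>, and qmgr logs the queue ID with from=<...>; the three are joined on Message-ID and queue ID to recover the envelope sender for each phishy verdict. The log lines are constructed for the example. EMAIL_URI_PHISH is the rule named in the thread; URIBL_BLACK, SPF_PASS and DKIM_VALID_AU are real SpamAssassin rule names used here as an assumed policy choice, and the threshold of two hits is likewise an assumption.

```python
import re
from collections import defaultdict

# Assumed policy: which SpamAssassin rules make a sender "phishy" enough to
# verify, and which rules exempt a sender because its domain authenticates.
PHISHY_TESTS = {"EMAIL_URI_PHISH", "URIBL_BLACK"}
AUTH_TESTS = {"SPF_PASS", "DKIM_VALID_AU"}

# spamd "result:" line: verdict, score, rule list, ..., mid=<Message-ID>
SPAMD_RE = re.compile(
    r"spamd: result: [YN] -?\d+ - (?P<tests>\S+) .*?mid=(?P<mid><[^>]*>)")
# Postfix cleanup: queue ID -> Message-ID
CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-Z]+): message-id=(?P<mid><[^>]*>)")
# Postfix qmgr: queue ID -> envelope sender (from=<> for bounces)
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Z]+): from=<(?P<sender>[^>]*)>")

# Constructed sample log for the example (not captured from a real system).
SAMPLE_LOG = """\
Aug 21 09:10:01 mx postfix/cleanup[1002]: A1B2C3D4E5: message-id=<phish-1@hacked-site.example>
Aug 21 09:10:01 mx postfix/qmgr[1001]: A1B2C3D4E5: from=<webmaster@hacked-site.example>, size=4321, nrcpt=1 (queue active)
Aug 21 09:10:02 mx spamd[2001]: spamd: result: Y 9 - EMAIL_URI_PHISH,HTML_MESSAGE,URIBL_BLACK scantime=2.1,size=4321,user=filter,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48123,mid=<phish-1@hacked-site.example>,autolearn=no
Aug 21 09:14:40 mx postfix/cleanup[1002]: B2C3D4E5F6: message-id=<phish-2@hacked-site.example>
Aug 21 09:14:40 mx postfix/qmgr[1001]: B2C3D4E5F6: from=<WebMaster@hacked-site.example>, size=4380, nrcpt=1 (queue active)
Aug 21 09:14:41 mx spamd[2001]: spamd: result: Y 8 - EMAIL_URI_PHISH,HTML_MESSAGE scantime=1.8,size=4380,user=filter,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48130,mid=<phish-2@hacked-site.example>,autolearn=no
Aug 21 09:20:12 mx postfix/cleanup[1002]: C3D4E5F6A7: message-id=<notice-77@bank.example>
Aug 21 09:20:12 mx postfix/qmgr[1001]: C3D4E5F6A7: from=<alerts@bank.example>, size=9001, nrcpt=1 (queue active)
Aug 21 09:20:13 mx spamd[2001]: spamd: result: N 3 - EMAIL_URI_PHISH,SPF_PASS,DKIM_VALID_AU,HTML_MESSAGE scantime=1.2,size=9001,user=filter,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48140,mid=<notice-77@bank.example>,autolearn=no
Aug 21 09:25:00 mx postfix/cleanup[1002]: D4E5F6A7B8: message-id=<once@other.example>
Aug 21 09:25:00 mx postfix/qmgr[1001]: D4E5F6A7B8: from=<someone@other.example>, size=2000, nrcpt=1 (queue active)
Aug 21 09:25:01 mx spamd[2001]: spamd: result: Y 6 - URIBL_BLACK,HTML_MESSAGE scantime=0.9,size=2000,user=filter,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48150,mid=<once@other.example>,autolearn=no
Aug 21 09:30:00 mx postfix/cleanup[1002]: E5F6A7B8C9: message-id=<bounce-1@mx.example>
Aug 21 09:30:00 mx postfix/qmgr[1001]: E5F6A7B8C9: from=<>, size=5000, nrcpt=1 (queue active)
Aug 21 09:30:01 mx spamd[2001]: spamd: result: Y 7 - EMAIL_URI_PHISH,HTML_MESSAGE scantime=1.0,size=5000,user=filter,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=48160,mid=<bounce-1@mx.example>,autolearn=no
"""


def phishy_senders(lines):
    """Return {sender: number of distinct phishy messages}.

    Joins spamd verdicts (Message-ID -> rules) with cleanup (queue ID ->
    Message-ID) and qmgr (queue ID -> sender). Senders whose message carried
    all AUTH_TESTS are skipped, as is the null sender <> of bounces.
    """
    mid_to_qids = defaultdict(set)
    qid_to_sender = {}
    mid_to_tests = {}
    for line in lines:
        if m := CLEANUP_RE.search(line):
            mid_to_qids[m["mid"]].add(m["qid"])
        elif m := QMGR_RE.search(line):
            qid_to_sender[m["qid"]] = m["sender"].lower()
        elif m := SPAMD_RE.search(line):
            mid_to_tests[m["mid"]] = set(m["tests"].split(","))

    hits = defaultdict(set)
    for mid, tests in mid_to_tests.items():
        if not tests & PHISHY_TESTS:
            continue
        if AUTH_TESTS <= tests:  # SPF and DKIM both passed: leave this sender alone
            continue
        for qid in mid_to_qids.get(mid, ()):
            sender = qid_to_sender.get(qid)
            if sender:  # drops unknown queue IDs and the empty bounce sender
                hits[sender].add(mid)
    return {sender: len(mids) for sender, mids in hits.items()}


def build_access_map(lines, threshold=2):
    """Postfix access(5) entries that request verification only for senders
    seen in at least `threshold` distinct phishy messages."""
    return sorted(f"{sender} reject_unverified_sender"
                  for sender, n in phishy_senders(lines).items() if n >= threshold)


if __name__ == "__main__":
    print("\n".join(build_access_map(SAMPLE_LOG.splitlines())))
```

The output is meant for a lookup table such as /etc/postfix/sender_verify (an assumed file name), rebuilt with postmap and consulted via check_sender_access in smtpd_sender_restrictions, so that reject_unverified_sender applies only to the listed senders rather than to all mail, which is the distinction the ADDRESS_VERIFICATION_README draws. In the sample, bank.example is exempt because both SPF and DKIM passed, other.example is seen only once and stays below the threshold, and the bounce with the empty sender is ignored.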



Re: reject unverified sender with input from spamassassin

Posted by Robert Schetterer <rs...@sys4.de>.
On 21.08.2013 09:59, Per-Erik irt Persson wrote:
> Or is SMTP verification just a path that you don't want to walk down?

Please read, e.g.:

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

....

Sender address verification for all email

Unfortunately, sender address verification cannot simply be turned on
for all email

...

So, in short: you may do sender verification in very, very special cases,
but never do it globally. The sender may be forged, so your verification does SMTP to
the original servers of the forged mail addresses, and in the end your server may get
blacklisted. It also doesn't work very well with "greylisting" servers.

Try better ways, e.g. analyze your logs and see if SPF and DKIM checks may help, etc.

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein