
Question about "spoofing" emails.

  • Juan Pablo Calomino
    Message 1 of 9 , Mar 1, 2007
      Hi people,

      I have one question for you.

      How do you avoid this kind of thing?

      220 -Empresa de Servicios - XXXXXXX
      helo mundo
      250 SERVER02.xxxxxxxx.com.ar
      mail from: <nobody@...>
      250 Ok
      rcpt to: <john.user@...>
      250 Ok
      data
      354 End data with <CR><LF>.<CR><LF>
      FROM: John User <john.user@...>
      TO: <john.user@...>
      SUBJECT: Nada

      Muerte!
      .
      250 Ok: queued as 972C55865D

      I think that it's too difficult to get rid of this
      type of mails, filtering may reject valid emails...

      I hear any suggestions!

      Thanks!
      Juan Pablo.






    • MrC
      Message 2 of 9 , Mar 1, 2007
        > I have one question for you.
        >
        > How do you do to avoid this kind of thing?
        >
        > 220 -Empresa de Servicios - XXXXXXX
        > helo mundo
        > 250 SERVER02.xxxxxxxx.com.ar
        > mail from: <nobody@...>
        > 250 Ok
        > rcpt to: <john.user@...>
        > 250 Ok
        > data
        > 354 End data with <CR><LF>.<CR><LF>
        > FROM: John User <john.user@...>
        > TO: <john.user@...>
        > SUBJECT: Nada
        >
        > Muerte!
        > .
        > 250 Ok: queued as 972C55865D
        >
        > I think that it's too difficult to get rid of this type of
        > mails, filtering may reject valid emails...
        >
        > I hear any suggestions!

        What specifically is "this kind of thing" ? The "mundo" HELO parameter?
        The "nobody@..." MAIL FROM envelope?

        Please be more specific about what you are trying to reject.

        MrC
      • Juan Pablo Calomino
        Message 3 of 9 , Mar 1, 2007
          --- MrC <lists-postfix@...> escribió:

          >
          > > I have one question for you.
          > >
          > > How do you do to avoid this kind of thing?
          > >
          > > 220 -Empresa de Servicios - XXXXXXX
          > > helo mundo
          > > 250 SERVER02.xxxxxxxx.com.ar
          > > mail from: <nobody@...>
          > > 250 Ok
          > > rcpt to: <john.user@...>
          > > 250 Ok
          > > data
          > > 354 End data with <CR><LF>.<CR><LF>
          > > FROM: John User <john.user@...>
          > > TO: <john.user@...>
          > > SUBJECT: Nada
          > >
          > > Muerte!
          > > .
          > > 250 Ok: queued as 972C55865D
          > >
          > > I think that it's too difficult to get rid of this
          > type of
          > > mails, filtering may reject valid emails...
          > >
          > > I hear any suggestions!
          >
          > What specifically is "this kind of thing" ? The
          > "mundo" HELO parameter?
          > The "nobody@..." MAIL FROM envelope?
          >
          > Please be more specific about what you are trying to
          > reject.
          >
          > MrC
          >
          >

          Sorry, I'm talking about the DATA part:

          data
          FROM: John User <john.user@...>
          TO: <john.user@...>
          SUBJECT: Nada.

          John User may think that his mailbox is being used,
          because in the mail he sees that the sender is
          himself, and he doesn't know about MIME.
          I explain that it is fake, so he asks me to try to
          stop these "spoofed" emails.
          And here I am, trying to find ways to stop these
          mails, without stopping valid mails.

          Thanks!
          Juan Pablo.







        • Chris St. Pierre
          Message 4 of 9 , Mar 1, 2007
            On Thu, 1 Mar 2007, Juan Pablo Calomino wrote:

            > John User may think that his mailbox is being used,
            > because in the mail he sees that the sender is
            > himself, and he doesn't know about MIME.
            > I explain that it is fake, so he asks me to try to
            > stop this "spoofed" emails.
            > And here I am, trying to find ways to stop these
            > mails, without stopping valid mails.

            You really _can't_ stop these. Rejecting messages where envelope
            sender != from header is a Very Bad Idea that will get you mostly
            FPs. SPF is an effort to limit sender spoofing, but its effectiveness
            is limited by its adoption rate. (It's still worth publishing and
            checking SPF records, IMHO.)

            This generally only becomes an issue when clueless admins are
            producing backscatter, so helping eliminate backscatter will help.
            You can also read http://www.postfix.org/BACKSCATTER_README.html for
            tips on reducing bounce messages to forged senders.

            (Aside: I dearly hope that Dr. Ken Olum gets joe-jobbed:
            http://www.cio.com/technology/infrastructure/security/spam/five_things_about_fighting_spam.html?CID=28830)

            When you've implemented SPF records and eliminated any backscatter you
            might be sending, you're left with user training and that's about it.

            Chris St. Pierre
            Unix Systems Administrator
            Nebraska Wesleyan University
            -------------------
            Never send mail to thobrux@...
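
Added example (not part of the original thread and not written by any of the posters): a Python sketch of the "envelope sender != From header" check discussed in the message above, run over a few messages to show where its false positives come from. All addresses and messages are constructed; the first sample mirrors the SMTP session quoted in the thread.

```python
from email import message_from_string
from email.utils import parseaddr


def header_from(raw_message):
    """Return the address in the From: header (header names are case-insensitive)."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def mismatch(mail_from, raw_message):
    """The naive check: envelope sender (MAIL FROM) differs from the From: header."""
    return mail_from.lower() != header_from(raw_message)


# Constructed samples: (label, MAIL FROM, raw message, really forged?)
SAMPLES = [
    ("forged, as in the thread", "nobody@mailer.example",
     "FROM: John User <john.user@corp.example>\n"
     "TO: <john.user@corp.example>\nSUBJECT: Nada\n\nMuerte!\n", True),
    # Lists rewrite the envelope sender so bounces go to the list, not the author.
    ("mailing list post", "postfix-users-bounces@lists.example",
     "From: Alice <alice@partner.example>\n"
     "To: postfix-users@lists.example\nSubject: Re: question\n\nhi\n", False),
    # Bulk senders use a per-recipient bounce address in the envelope.
    ("newsletter via bulk sender", "bounce-4711@esp.example",
     "From: Shop <news@shop.example>\n"
     "To: <john.user@corp.example>\nSubject: Offers\n\nhello\n", False),
    ("direct person-to-person", "bob@partner.example",
     "From: Bob <bob@partner.example>\n"
     "To: <john.user@corp.example>\nSubject: lunch\n\n12:30?\n", False),
]


def evaluate(samples):
    """Return (labels the check would reject, labels rejected although legitimate)."""
    rejected = [s[0] for s in samples if mismatch(s[1], s[2])]
    false_positives = [s[0] for s in samples if mismatch(s[1], s[2]) and not s[3]]
    return rejected, false_positives


if __name__ == "__main__":
    rejected, fps = evaluate(SAMPLES)
    print("rejected:", rejected)
    print("false positives:", fps)
```
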
          • MrC
            Message 5 of 9 , Mar 1, 2007
              > Sorry, I'm talking about the DATA part:
              >
              > data
              > FROM: John User <john.user@...>
              > TO: <john.user@...>
              > SUBJECT: Nada.
              >
              > John User may think that his mailbox is being used, because
              > in the mail he sees that the sender is himself, and he
              > doesn't know about MIME.
              > I explain that it is fake, so he asks me to try to stop this
              > "spoofed" emails.
              > And here I am, trying to find ways to stop these mails,
              > without stopping valid mails.
              >
              > Thanks!
              > Juan Pablo.

              Don't bother going this route. Consider instead beefing up your other UCE
              controls; you will find the majority of these just disappear.

              MrC
            • mouss
              Message 6 of 9 , Mar 1, 2007
                Juan Pablo Calomino wrote:
                > --- MrC <lists-postfix@...> escribió:
                >
                >
                >>> I have one question for you.
                >>>
                >>> How do you do to avoid this kind of thing?
                >>>
                >>> 220 -Empresa de Servicios - XXXXXXX
                >>> helo mundo
                >>> 250 SERVER02.xxxxxxxx.com.ar
                >>> mail from: <nobody@...>
                >>> 250 Ok
                >>> rcpt to: <john.user@...>
                >>> 250 Ok
                >>> data
                >>> 354 End data with <CR><LF>.<CR><LF>
                >>> FROM: John User <john.user@...>
                >>> TO: <john.user@...>
                >>> SUBJECT: Nada
                >>>
                >>> Muerte!
                >>> .
                >>> 250 Ok: queued as 972C55865D
                >>>
                >>> I think that it's too difficult to get rid of this
                >>>
                >> type of
                >>
                >>> mails, filtering may reject valid emails...
                >>>
                >>> I hear any suggestions!
                >>>
                >> What specifically is "this kind of thing" ? The
                >> "mundo" HELO parameter?
                >> The "nobody@..." MAIL FROM envelope?
                >>
                >> Please be more specific about what you are trying to
                >> reject.
                >>
                >> MrC
                >>
                >>
                >>
                >
                > Sorry, I'm talking about the DATA part:
                >
                > data
                > FROM: John User <john.user@...>
                > TO: <john.user@...>
                > SUBJECT: Nada.
                >
                > John User may think that his mailbox is being used,
                > because in the mail he sees that the sender is
                > himself, and he doesn't know about MIME.
                > I explain that it is fake, so he asks me to try to
                > stop this "spoofed" emails.
                >

                to make him happy, use maildrop to replace the From header...


                > And here I am, trying to find ways to stop these
                > mails, without stopping valid mails.
                >

                to stop (reduce the number of) spam, use a spam filter together with
                (safe) smtpd checks. only when you get a satisfactory level of spam
                filtering should you look for improvement or for "hard" (unsafe) checks.