
Spoofing problem

  • R F
    Message 1 of 5 , May 2 11:21 AM
      I thought I had this one fixed a while back but apparently not. I want to reject emails like this that are sent from one person but claim to be another. Ideas? Notice the first line and the last line:

      From rseem@... Sun May 1 16:37:58 2011
      Return-Path: <rseem@...>
      X-Original-To: gammalist@...
      Delivered-To: gammalist@...
      Received: from localhost (unknown [127.0.0.1])
      by some.net (Postfix) with ESMTP id E39BD133032F;
      Sun, 1 May 2011 22:37:58 +0000 (UTC)
      X-Virus-Scanned: amavisd-new at some.net
      X-Spam-Flag: NO
      X-Spam-Score: 5.578
      X-Spam-Level: *****
      X-Spam-Status: No, score=5.578 tagged_above=2 required=6.31 tests=[AWL=2.022,
      BAYES_50=0.001, FH_DATE_PAST_20XX=3.554,
      UNPARSEABLE_RELAY=0.001]
      Received: from some.net ([127.0.0.1])
      by localhost (some.net [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id Wg4ztsy25WYa; Sun, 1 May 2011 16:37:58 -0600 (MDT)
      Received: from 18925211147.user.veloxzone.com.br (unknown [189.25.211.147])
      by some.net (Postfix) with ESMTP id 27B2313302AC;
      Sun, 1 May 2011 16:37:58 -0600 (MDT)
      Received: from 189.25.211.147 (account <shara@...>, <listserver@...>,
      <erik@...>, <gammalist@...> HELO some.net)
      by some.net (CommuniGate Pro SMTP 5.2.3)
      with ESMTPA id 678368592 for <shara@...>;
      Sun, 1 May 2011 19:37:57 -0300
      From: <shara@...>, <listserver@...>, <erik@...>,
      <gammalist@...>

      Thanks for any ideas.
    • Ansgar Wiechers
      Message 2 of 5 , May 2 11:35 AM
        On 2011-05-02 R F wrote:
        > I thought I had this one fixed a while back but apparently not. I want
        > to reject emails like this that are sent from one person but claim to
        > be another. Ideas? Notice the first line and the last line:
        [...]
        > Thanks for any ideas.

        Quoting from the headers of your own mail to this list:

        ----8<----
        Return-Path: <owner-postfix-users@...>
        [...]
        From: R F <mountain2climb@...>
        ---->8----

        Rejecting based on difference between from and envelope-from may not be
        as good an idea as you think.

        Regards
        Ansgar Wiechers
        --
        "Abstractions save us time working, but they don't save us time learning."
        --Joel Spolsky
      • Noel Jones
        Message 3 of 5 , May 2 11:45 AM
          On 5/2/2011 1:21 PM, R F wrote:
          > I thought I had this one fixed a while back but apparently
          > not. I want to reject emails like this that are sent from one
          > person but claim to be another. Ideas? Notice the first line
          > and the last line:
          >
          > From rseem@... <mailto:rseem@...> Sun May 1
          > 16:37:58 2011
          > Return-Path: <rseem@... <mailto:rseem@...>>

          [please post in plain text only next time]

          The above is the envelope sender. You can configure postfix
          to reject your own domain in the envelope sender from outside
          mail. See numerous posts on this in the archives.
          This will reject legit mail, but probably not a great amount.
          Pick your pain threshold.


          > From: <shara@... <mailto:shara@...>>,
          > <listserver@... <mailto:listserver@...>>,
          > <erik@... <mailto:erik@...>>,
          > <gammalist@... <mailto:gammalist@...>>
          >
          > Thanks for any ideas.

          This is the From: header, which is what is typically displayed
          when you read the mail.

          (and multiple addresses in the From: header are allowed,
          although unusual, but there should be a Sender: header if
          there are multiple From:)

          Fortunately, postfix has no feature to compare headers with
          envelope information. Such comparison will likely reject a
          great deal of legit mail (such as this message).

          You could probably convince SpamAssassin or some milter to do
          such comparison if you're determined, but that doesn't make it
          a good idea.

          Your efforts would be better spent on finding more reliable
          ways to detect spam. Browse the archives for ideas.



          -- Noel Jones
        • R F
          Message 4 of 5 , May 2 5:10 PM
            >
            > The above is the envelope sender.  You can configure postfix to reject your own domain in the envelope sender from outside mail.  See numerous posts on this in the archives.
            > This will reject legit mail, but probably not a great amount.  Pick your pain threshold.

            That is probably something to try, unfortunately have tried google on
            this but I can't find anything but your post. Can you point me out
            something?
          • Noel Jones
            Message 5 of 5 , May 2 9:55 PM
              On 5/2/2011 7:10 PM, R F wrote:
              >>
              >> The above is the envelope sender. You can configure postfix to reject your own domain in the envelope sender from outside mail. See numerous posts on this in the archives.
              >> This will reject legit mail, but probably not a great amount. Pick your pain threshold.
              >
              > That is probably something to try, unfortunately have tried google on
              > this but I can't find anything but your post. Can you point me out
              > something?

              The idea is to allow authorized users first -- mynetworks and
              SASL authenticated -- then reject anyone else using your
              domain as the sender. A bare-bones example:

              # main.cf
              smtpd_recipient_restrictions =
                  permit_mynetworks
                  # uncomment next line if you use SASL
                  # permit_sasl_authenticated
                  reject_unauth_destination
                  check_sender_access hash:/etc/postfix/sender_access


              # sender_access
              my.example.com REJECT sender domain not authorized


              - remember to issue "postfix reload" after editing main.cf.
              - remember to "postmap sender_access" after editing it.



              -- Noel Jones
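
Added example, not part of the original thread and not Postfix code: a simplified Python model of how the restriction list in the last message is evaluated in order, run over constructed SMTP sessions. It shows which mail the sender_access rule stops, which legitimate mail it also stops, and why list mail is unaffected. The networks, domains and addresses are assumptions, and permit_sasl_authenticated is treated as enabled.

```python
import ipaddress

# Constructed site settings for this example (not values from the thread).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAINS = {"my.example.com"}   # domains this server accepts mail for
SENDER_ACCESS = {"my.example.com": "REJECT sender domain not authorized"}

def sender_lookup(mail_from):
    """Simplified access-table lookup: full address, then domain, then parents."""
    domain = mail_from.rpartition("@")[2].lower()
    labels = domain.split(".")
    keys = [mail_from.lower()] + [".".join(labels[i:]) for i in range(len(labels))]
    return next((SENDER_ACCESS[k] for k in keys if k in SENDER_ACCESS), None)

def evaluate(client_ip, sasl_user, mail_from, rcpt_to):
    """Walk the restrictions in order; the first decisive result wins.
    Only envelope data is used: at RCPT TO the From: header has not been sent."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return ("PERMIT", "permit_mynetworks")
    if sasl_user:
        return ("PERMIT", "permit_sasl_authenticated")
    if rcpt_to.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
        return ("REJECT", "reject_unauth_destination")
    action = sender_lookup(mail_from)
    if action and action.split()[0].upper() == "REJECT":
        return ("REJECT", "check_sender_access")
    return ("PERMIT", "end of list")

# Constructed sessions: (label, client IP, SASL login, MAIL FROM, RCPT TO)
SESSIONS = [
    ("internal host", "192.0.2.10", None, "alice@my.example.com", "bob@example.net"),
    ("roaming user, authenticated", "198.51.100.7", "alice", "alice@my.example.com", "bob@example.net"),
    ("outside host forging our domain", "203.0.113.5", None, "gammalist@my.example.com", "shara@my.example.com"),
    ("list mail, our user in From: only", "203.0.113.9", None, "owner-list@lists.example.org", "shara@my.example.com"),
    ("our user via third-party sender", "203.0.113.20", None, "alice@my.example.com", "bob@my.example.com"),
    ("relay attempt", "203.0.113.5", None, "x@example.org", "y@example.net"),
]

if __name__ == "__main__":
    for label, *session in SESSIONS:
        verdict, rule = evaluate(*session)
        print(f"{label:36} {verdict:7} {rule}")
```

The fifth session is the "pain threshold" case: a legitimate user whose mail arrives from an outside, unauthenticated host with the local domain in the envelope sender is rejected along with the forgery.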