Reject mails based on headers (comparing envelop mailfrom and body from)

  • Abhijeet Rastogi
    Message 1 of 5, May 7, 2013
      Hi all,

      So, I've a condition where people send mails to my domain with
      fake "From:" header in the body of mail (which Thunderbird or any MUA
      shows while reading the mail).

      This is actually an authentic way of sending mail if the user that's
      sending mail has proper authority over the email that's mentioned in
      body part. (which is not the case here)

      To make my point clear enough, the spammer is authenticating with a
      certain mailfrom and then it adds a "From: " part in the body which
      Thunderbird picks up while showing the mail. This way people can get
      fooled that mail is actually coming from that user.

      What are some possible and standard ways of filtering/rejecting those
      kinds of mails? It would be a plus to have a "hash" kind of thing that'll
      make sure what all possible "mailfrom" and "from" combinations are.

      People can exploit this thing to send mails from say,
      "admin@..." and fool users. In Gmail, they handle this kind of
      thing by showing "via" thing when viewing the mail.

      --
      Regards,
      Abhijeet Rastogi (shadyabhi)
      http://blog.abhijeetr.com
    • Noel Jones
      Message 2 of 5, May 7, 2013
        On 5/7/2013 8:54 AM, Abhijeet Rastogi wrote:
        > Hi all,
        >
        > So, I've a condition where people send mails to my domain with
        > fake "From:" header in the body of mail (which Thunderbird or any MUA
        > shows while reading the mail).
        >
        > This is actually an authentic way of sending mail if the user that's
        > sending mail has proper authority over the email that's mentioned in
        > body part. (which is not the case here)

        Mismatched From: and envelope sender is not a reliable spam
        indicator. Look at the headers of this message, look at just about
        every legit marketing message, look at every mail list you're signed
        up for, look at PayPal mail, look at mail from your bank.

        >
        > To make my point clear enough, the spammer is authenticating with a
        > certain mailfrom and then it adds a "From: " part in the body which
        > Thunderbird picks up while showing the mail. This way people can get
        > fooled that mail is actually coming from that user.

        Now you confuse the issue by mentioning authentication.

        If you have trouble with compromised local user accounts, use rate
        limits to detect and limit the damage. http://postfwd.org/

        >
        > What are some possible and standard ways of filtering/rejecting those
        > kinds of mails? It would be a plus to have a "hash" kind of thing that'll
        > make sure what all possible "mailfrom" and "from" combinations are.
        >

        Use standard anti-spam controls to reject unwanted mail.

        The easy stuff, safe for (almost) everyone: reject_rbl_client
        zen.spamhaus.org, reject_unknown_reverse_client_hostname,
        http://www.hardwarefreak.com/fqrdns.pcre;

        More powerful, more flexible, more complicated: amavisd-new with
        clamav, Sanesecurity antispam signatures, and SpamAssassin.



        -- Noel Jones
      • Abhijeet Rastogi
        Message 3 of 5, May 7, 2013
          Hi Noel,

          Thanks for your reply. I already have spamhaus and clamav in my setup.
          But, still mails are being passed through it.

          I completely understand that it's a very legit way of sending mail.
          It's done *everywhere*.

          But, really want to restrict all this as ignorant people are getting
          mails from email address like "admin@..." and they get fooled.
          It passed through both RBL and clamav. The user's domain is also
          "domain.com". I'm just trying to find a way to make these things very
          strict for a certain set of users.

          If I could just *tag* these kind of mails (for ex, adding POSSIBLE
          SPAM in subject etc), that would be awesome too. I'm trying to not
          write a milter for this though.

          --
          Regards,
          Abhijeet Rastogi (shadyabhi)
          http://blog.abhijeetr.com
        • Tom Hendrikx
          Message 4 of 5, May 7, 2013
            Hi Abhijeet,

            you might be interested in DMARC, a relatively new technique that tries
            to do what you want: attach validation rules based on the From header.

            See dmarc.org for details.


            Tom
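The envelope-versus-From comparison asked about in this thread, done the way DMARC frames it (identifier alignment of the SPF identity, i.e. the envelope MAIL FROM domain, against the From: header domain, relaxed or strict per the aspf tag), as an added Python example that is not part of this thread, Postfix or OpenDMARC. It assumes SPF itself already passed, leaves DKIM alignment out, uses constructed DMARC records, and approximates organizational domains by the last two labels instead of the public suffix list.

```python
"""Added example: DMARC-style identifier alignment between the envelope
sender (SMTP MAIL FROM, seen here as Return-Path) and the RFC 5322 From:
header. Illustrative code only, not Postfix or OpenDMARC."""
import email
from email.utils import parseaddr

# Constructed DMARC policies, keyed by the From: header's organizational
# domain (in production these come from _dmarc.<domain> TXT records).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; aspf=s",      # strict alignment
    "example.net": "v=DMARC1; p=quarantine; aspf=r",  # relaxed alignment
}

def parse_dmarc(record):
    """Extract the tags this check needs; p defaults to none, aspf to relaxed."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r")}

def org_domain(domain):
    # Simplification: real DMARC derives this from the public suffix list.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def spf_aligned(envelope_domain, from_domain, mode):
    if mode == "s":                      # strict: exact domain match
        return envelope_domain == from_domain
    return org_domain(envelope_domain) == org_domain(from_domain)

def evaluate(raw_message):
    """Return (from_domain, aligned, action) for one raw RFC 5322 message.
    aligned is None and action 'none' when the From: domain publishes no policy."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg["From"] or "")
    envelope_domain = domain_of(msg["Return-Path"] or "")
    record = DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return from_domain, None, "none"
    policy = parse_dmarc(record)
    aligned = spf_aligned(envelope_domain, from_domain, policy["aspf"])
    return from_domain, aligned, ("none" if aligned else policy["p"])

# Constructed samples: a forged From: over an unrelated envelope sender,
# and a legitimate bulk sender whose subdomain aligns under relaxed mode.
SPOOFED = ("Return-Path: <bulk@mailer-host.test>\r\n"
           "From: Admin <admin@example.com>\r\n"
           "To: user@example.com\r\nSubject: hi\r\n\r\nbody\r\n")
LEGIT = ("Return-Path: <bounces@news.example.net>\r\n"
         "From: News <news@example.net>\r\n"
         "To: user@example.com\r\nSubject: hi\r\n\r\nbody\r\n")
```

The returned action is what a filter would tag or reject on; a sender with no published policy falls through untouched, which is why Noel's point about legitimate mismatches still holds for domains that have not deployed DMARC.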
          • Abhijeet Rastogi
            Message 5 of 5, May 7, 2013
              Hi Tom,

              It feels like this is for a lot more features than what's needed. I am
              new to this and will definitely give it a read. Thanks for this.

              For the time being, can you point me to the right doc so that I can
              quickly implement this. (Few pointers would be awesome)

              I had a look at
              http://www.trusteddomain.org/opendmarc/opendmarc.conf.5.html and
              couldn't find a particular option that'll allow me to do that. But
              then, it seems to provide a lot more features than this, so maybe I'm
              just not able to find them.

              Thanks

              --
              Regards,
              Abhijeet Rastogi (shadyabhi)
              http://blog.abhijeetr.com