1

Topic: Blocking Fake Emails

iRedMail v0.9.8 MySQL Nginx

I am having two spam/phishing issues lately and I cannot seem to get ahead of it.  The main issue is fake emails, where the From name shows an employee's name but the email address is some random email.  Those are passing all the SPF and Blacklist rules, mostly because they are hacked, valid email accounts and they simply change the From Name that it shows.  Lately a new one is that the From is showing a real email as the name, but then a fake email underneath it.  This is what I really want to block.

Example: realemail@domain.com <fakeemail@randomdomain.com>

Since most email clients show the Name and not the email, recipients think it's from the real email address.  Is there a regex I could put in Amavis to block the @ sign or even domain.com in the From side, not including the actual email?

Is there a way to look up names to see if they exist locally and soft blacklist them?

Example:  Real Name <fakeemail@randomdomain.com>

If "Real Name" exists in the DB or even in a manually created file, but is external, it would add SpamAssassin points or soft blacklist.


2

Re: Blocking Fake Emails

I'm having the same issue. I'm receiving emails with the header From: EmailUser <user@domain.com><fake@fakedomian.com> and .doc attachments. Amavis seems to not block them or even mark them as spam.

3

Re: Blocking Fake Emails

loseraru wrote:

I'm having the same issue. I'm receiving emails with the header From: EmailUser <user@domain.com><fake@fakedomian.com> and .doc attachments. Amavis seems to not block them or even mark them as spam.

First: according to RFC 2822 / 822, the mail header used when connecting to a remote mail server is

Mail From: This Is My Name <my.mailaddress.domain.tld>
The characters before <mailaddress> are just a free-form string with the sender's name. It is normally stripped off. If looking at an incoming email in "raw" format, the mail address string is visible as:
   Return-Path: <my.mailaddress.domain.tld>

This mail address is the one checked in greylisting and mail header scans (white-lists, black-lists).

The next issue is that during the data phase, the incoming mail often includes a "From" field. It's really up to the mail client how to display the header and data fields. To my knowledge, most mail clients (if not all) display the "From" data field as is.

In short: the faked address is probably coming from the DATA field "From" and not the HEADER field "Mail From".
That's why the mail scanner and Amavis fail to block it.

If someone has a method of blocking when "From:" and "Mail From:" differ, let us all know!

4

Re: Blocking Fake Emails

Any solution? I have the same problem.

Thanks

5

Re: Blocking Fake Emails

As has been answered already in some topics, the correct place to fight these kinds of spam is in SpamAssassin.
I have no clue for the moment on how to construct such a ruleset, but if/when I do I will post a link.
The starting point might be: https://wiki.apache.org/spamassassin/

Rules should, I think, be placed in /etc/mail/spamassassin/local.cf

Free beer to the winner ;-)

Note: the problem might be "false negative reporting", but start with setting the spam score to "+0.1" and check the result.
Test using "telnet mailserver.tld 25" with: mail from: correct.sender@tld, rcpt to: correct.recipient@tld, data, To: correct.recipient, From: Fake.sender, and view the raw mail message (or all headers).
Regards

6

Re: Blocking Fake Emails

I also had the same issue; I sorted it out by changing the SMTP HELO side. My current /etc/postfix/main.cf is:

smtpd_helo_restrictions =
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    permit_sasl_authenticated
    permit_mynetworks

I moved permit_mynetworks to the end and the majority of fake emails got rejected due to non-FQDN HELO hostnames and unknown HELO hostnames. Try playing with it to see if it solves your issue.

7

Re: Blocking Fake Emails

Hello again.
Blocking with "smtpd_helo_restrictions" will NOT solve this specific issue. It just checks how the sending mail server identifies itself, not the actual individual sender or, as in the problem we have, the fake sender.

Sequence: 1) helo_hostname (= sending mail server), 2) mail_from (= mail envelope sender name) -> 3) From: (= mail header sender name)
The first two can be filtered out with greylisting and various blacklists, but the From: in the mail header will pass the Postfix checks without action. You need to use SpamAssassin rules to cope with that (I guess; that is what I'm currently investigating).

And another note: one has to be very careful when modifying the smtpd_helo_restrictions. The lines are evaluated in order, top to bottom. So in your case, you first reject with "reject_non_fqdn_helo_hostname" and then "permit_sasl_authenticated". I would perhaps do it the other way around, to allow whatever hostname as long as they can log in using SASL, and then reject. But that's really up to your environment to figure out what fits best.
Regards, I

8

Re: Blocking Fake Emails

If you have the reject_sender_login_mismatch plugin activated, then it will not allow such emails.

https://docs.iredmail.org/manage.iredapd.html

And another note: one has to be very careful when modifying the smtpd_helo_restrictions. The lines are evaluated in order, top to bottom. So in your case, you first reject with "reject_non_fqdn_helo_hostname" and then "permit_sasl_authenticated". I would perhaps do it the other way around, to allow whatever hostname as long as they can log in using SASL, and then reject. But that's really up to your environment to figure out what fits best.
Regards,

Yes, I know the order and how it works, but if you want to stop the majority of mismatching hosts, that is the first point which will stop them. In my case it is working flawlessly.

9

Re: Blocking Fake Emails

ketan.aagja wrote:

If you have set reject_sender_login_mismatch plugin activated then it will not allow such emails.

This is not applicable in this case.
iRedAPD doesn't get mail headers (and mail body) from Postfix, so iRedAPD doesn't know the sender address in the "From:" header, which means iRedAPD cannot reject this fake email.

10

Re: Blocking Fake Emails

ketan.aagja wrote:

If you have the reject_sender_login_mismatch plugin activated, then it will not allow such emails.

https://docs.iredmail.org/manage.iredapd.html

And another note: one has to be very careful when modifying the smtpd_helo_restrictions. The lines are evaluated in order, top to bottom. So in your case, you first reject with "reject_non_fqdn_helo_hostname" and then "permit_sasl_authenticated". I would perhaps do it the other way around, to allow whatever hostname as long as they can log in using SASL, and then reject. But that's really up to your environment to figure out what fits best.
Regards,

Yes, I know the order and how it works, but if you want to stop the majority of mismatching hosts, that is the first point which will stop them. In my case it is working flawlessly.

OK, fine with me.
For those of you finding this discussion later on:
Adding 
   reject_non_fqdn_helo_hostname
before
    permit_sasl_authenticated
    permit_mynetworks
effectively drops any connections from misconfigured IMAP email clients (in the SMTP sending phase). If they don't send the FQDN in the EHLO phase, they are rejected.
If you are only using the Roundcube/SOGo web GUI, then you are fine.

The Postfix forums (elsewhere) show various examples of how to configure this, and the implications it might have.
Also check http://www.postfix.org/SMTPD_ACCESS_README.html

The evaluation order of the Postfix access restriction lists is:
  client, helo, sender, relay, recipient, data, or end-of-data
As soon as a restriction states REJECT or DEFER, the rest of the restriction lists are skipped. That's why having a "PERMIT" statement at the top works like a whitelisting for the more restrictive REJECT statements later on.
So in short: smtpd_sender_restrictions are evaluated AFTER smtpd_helo_restrictions (correct me if I'm wrong).
brgrds, I

11

Re: Blocking Fake Emails

swejun wrote:

Adding 
   reject_non_fqdn_helo_hostname
before
    permit_sasl_authenticated
    permit_mynetworks
effectively drops any connections from misconfigured IMAP email clients (in the SMTP sending phase). If they don't send the FQDN in the EHLO phase, they are rejected.

We put "reject_non_fqdn_helo_hostname" after "permit_sasl_authenticated" (and "permit_mynetworks") on purpose, because many Windows machines use a non-FQDN hostname, so we need to bypass them if they successfully performed SMTP auth.

I think your change will cause the issue.

12

Re: Blocking Fake Emails

Hi Huangbin.

Is there any other way we can block the phishing or fraud email by domain?
Thanks.

Regards
WH

13

Re: Blocking Fake Emails

wh.leong wrote:

Hi Huangbin.

Is there any other way we can block the phishing or fraud email by domain?
Thanks.

Regards
WH

Also, are there any best practices we can adopt on our email server?
Thanks.

14

Re: Blocking Fake Emails

wh.leong wrote:

Is there any other way we can block the phishing or fraud email by domain?

- Keep your SpamAssassin rules up to date.
- Try some trusted third-party clamav virus database signatures. For example, https://sanesecurity.com/usage/signatures/
- Try some trusted DNSBL services.

15

Re: Blocking Fake Emails

Hello,
I think I have the same problem: we receive emails with a spoofed CEO name arriving from different mail servers (Gmail too) with different email addresses.

I think we can solve the problem with header_checks, but I'm not skilled at this. Can someone help me write a pcre expression that says:
if the email header has first name + last name not corresponding to firstname.lastname@domain.com, reject it
Example:

/^From:.*firstname lastname  but not if firstname.lastname@domain.com/ REJECT

regards
Stefano

16

Re: Blocking Fake Emails

Solved by creating a new rule in Settings -> Filters in the user's web interface; no need to write to header_checks.
The rule must match all of the following:
if FROM contains "FirstName LastName" and FROM does not contain "@rightdomain", delete message

bb
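The two display-name patterns from the first post (an address used as the display text, and a local user's name over an external address) and Stefano's "name does not match firstname.lastname@domain.com" rule, as an added Python check that is not part of this thread or of iRedMail. LOCAL_DOMAINS and LOCAL_NAMES are constructed sample data; the address is taken from the last <...> group on purpose, since a parser that grabs the first thing that looks like an address is fooled by exactly the trick described above.

```python
import re

# Constructed sample data: the domains this server hosts and the display
# names of local users (in practice pulled from the vmail database).
LOCAL_DOMAINS = {"domain.com"}
LOCAL_NAMES = {"real name", "jane doe"}

# The real address is the LAST <...> group; everything before it is display text.
ANGLE_RE = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")
# Anything that looks like an e-mail address inside the display text.
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")


def split_from(value):
    """Return (display_name, address) for a From: header value."""
    value = value.strip()
    m = ANGLE_RE.match(value)
    if not m:
        return "", value.lower()            # bare address, no display name
    name = m.group("name").strip().strip('"').strip()
    return name, m.group("addr").lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def spoof_reasons(value, local_domains=LOCAL_DOMAINS, local_names=LOCAL_NAMES):
    """Reasons a From: header looks like display-name spoofing ([] if clean)."""
    name, addr = split_from(value)
    if domain_of(addr) in local_domains:
        return []       # our own domain: SPF/DKIM/SASL checks cover that case
    reasons = []
    # Pattern 1: "realemail@domain.com <fakeemail@randomdomain.com>"
    m = ADDR_IN_NAME_RE.search(name)
    if m and m.group(1).lower() != domain_of(addr):
        reasons.append("display name shows %s but real address is %s"
                       % (m.group(0), addr))
    # Pattern 2: "Real Name <fakeemail@randomdomain.com>" for a local user
    if " ".join(name.lower().split()) in local_names:
        reasons.append("display name '%s' is a local user but %s is external"
                       % (name, addr))
    return reasons


def score_from(value):
    """Soft-blacklist style: points to add, 0.0 when nothing is suspicious."""
    return 2.5 * len(spoof_reasons(value))
```

The same two tests are what a SpamAssassin header rule on From: would have to express; this version just makes the logic explicit and testable before you turn it into a rule.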