1 Topic by RajeshM (edited by RajeshM 2020-01-05 19:07:33)

  • RajeshM
  • Member
  • Offline
  • Registered: 2019-09-06
  • Posts: 136

Topic: prevent spoofing of emails

hello,

Our customers sometimes get spam sent to them from a third party server with the MAIL FROM being their own email id.

For example if mycustomer.com is our client's domain hosted on our server.

the spam email would be something like this sent from some other third party server.

the mail from : user@mycustomer.com
to user@mycustomer.com

in the headers, the envelope sender would contain spk and dkim of these would be some domain which are all correctly configured and hence my system would not detected it as spam.

basically what i need is that any emailid/domain (*@mycustomer.com) should reject any email from any third party server where the MAIL FROM email id or domain is present on our server.

to check out how gmail handled such emails, i tried sending such an email to my gmail id
ie i configured an email id on one of my servers which authenticated using it userid and password but the "MAIL FROM" was kept as user@gmail.com.

so basically the email with the "MAIL FROM" as user@gmail.com was sent from my server to my gmail id user@gmail.com. This email was received by gmail but a clear warning was displayed stating the email may be spoofed.

Request your kind help in setting up such a header check to reject such emails or by some other means catch such spam.

thanks
rajesh

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: prevent spoofing of emails

Try this if you use Amavisd + SpamAssassin (SA) and have correct SPF record for your mail domain.

- Add below SA rules in /etc/mail/spamassassin/local.cf:

# To == From and external SPF failed
score TO_EQ_FM_SPF_FAIL 5
# To domain == From domain and external SPF failed
score TO_EQ_FM_DOM_SPF_FAIL 5

You can increase the score (5) to even higher if you want, for example, 10.

- Restart amavisd service.
- Try to send spoofing email to trigger this rule, and check Amavisd log to see the matched SA rule and scores.

Let me know if it doesn't work for you.

3 Reply by RajeshM

  • RajeshM
  • Member
  • Offline
  • Registered: 2019-09-06
  • Posts: 136

Re: prevent spoofing of emails

Hi

This did not work.

The rules did not triggered

Need something that reads the MAIL FROM  compares with the domain list on server and blocks the same. Basically don't allow any domain which is hosted on the server to be used as mail from on port 25.

Rajesh

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: prevent spoofing of emails

OK, try few more rules in /etc/mail/spamassassin/local.cf:

# To == From and direct-to-MX
score TO_EQ_FM_DIRECT_MX 5
# To domain == From domain and HTML image link
score TO_EQ_FM_DOM_HTML_IMG 5
# To domain == From domain and HTML only
score TO_EQ_FM_DOM_HTML_ONLY 5
# To domain == From domain and external SPF failed
score TO_EQ_FM_DOM_SPF_FAIL 5
# To == From and HTML only
score TO_EQ_FM_HTML_ONLY 5
# To == From and external SPF failed
score TO_EQ_FM_SPF_FAIL 5

# Malformed From address
score FROM_ADDR_WS 5

After restarted amavisd service, please try to send spoofed message and show me the Amavisd log related to this message.