Blocking emails that claim to come from our domain

Jim Holland mailscanner at MANGO.ZW
Sun Dec 4 21:41:43 GMT 2005


Hi

On Sun, 4 Dec 2005, Nigel kendrick wrote:

> We are seeing a steady stream of emails from
> adsl-70-248-164-89.dsl.hstntx.swbell.net[70.248.164.89] that claim to come
> from an address in our domain (i.e.: admin at ourdomainname.com) and contain
> the usual stuff about verifying passwords, mail accounts being suspended
> etc. All legitimate users have to log in to send mail so what's the most
> effective and simple way to block mail from external sources that contain
> our domain name? At the moment I am just putting the subjects in a
> spamassassin rule but it's a bit of a 'blunt' way of trapping them.

I also used a pretty blunt method as well, noticing that the addresses 
involved were:

administrator at yourdomain
admin at yourdomain
adm at yourdomain
apache at yourdomain
ftp at yourdomain
hostmaster at yourdomain
ident at yourdomain
info at yourdomain
mail at yourdomain
noreply at yourdomain
operator at yourdomain
register at yourdomain
service at yourdomain
staff at yourdomain
subs at yourdomain
support at yourdomain
system at yourdomain
update at yourdomain
validation at yourdomain
webmaster at yourdomain

As none of the above addresses were being used for outgoing mail, I just
put lines such as the following for each of the addresses in the sendmail 
access file:

From:admin at mydomain	550 Blocking spoofed address admin at mydomain

I also found a problem with numerous bounces to such addresses, so put in 
lines such as the following:

To:admin at mydomain	550 This address is no longer valid - please write to postmaster instead

It was quick and dirty but stopped large numbers of problem messages.

More elegant solutions will be found in the archives.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
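
The access-file approach described in the message above, as an added example (not part of the original post or of sendmail itself): a shell function that generates both kinds of entry for the listed role addresses and leaves out any that are actually used for outgoing mail. The domain example.com, the function name gen_access and the "in use" arguments are assumptions for illustration; "@" is used where the archive shows " at ". The From: tag in the access map matches the envelope sender.

```shell
#!/bin/sh
# Role-account local parts taken from the list in the message.
ROLE_NAMES="administrator admin adm apache ftp hostmaster ident info mail
noreply operator register service staff subs support system update
validation webmaster"

# gen_access DOMAIN [IN_USE_LOCALPART...]   (hypothetical helper)
# Writes tab-separated access-map entries to stdout:
#   From:<addr>  rejects mail whose envelope sender is the role address
#   To:<addr>    rejects bounces and other mail sent to that address
# Local parts named after DOMAIN are still used for outgoing mail, so no
# entry is written for them; a notice goes to stderr instead.
gen_access() {
    domain=$1
    shift
    in_use=" $* "
    for name in $ROLE_NAMES; do
        case "$in_use" in
            *" $name "*)
                echo "skipping $name@$domain: in use for outgoing mail" >&2
                continue
                ;;
        esac
        addr="$name@$domain"
        printf 'From:%s\t550 Blocking spoofed address %s\n' "$addr" "$addr"
        printf 'To:%s\t550 This address is no longer valid - please write to postmaster instead\n' "$addr"
    done
}

# Example call (constructed): info@ and support@ still send mail.
#   gen_access example.com info support
# Review the output, append it to the access file, then rebuild the
# map with makemap so sendmail picks up the new entries.
```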
