How to block emails that FROM doesn't belongs to server domain list
dave at KD0YU.COM
Thu Aug 16 22:08:35 IST 2012
Patching the symptoms will not fix the cause.
You might call the user if you're a small provider and provide a way for them to change their password.
Disable the account login/email and wait for the user to call if there are too many.
Chances are their email accounts are not the only thing compromised... I'd want to know.
While this may seem like a drastic measure, do what you have to do before your IPs make it to the blacklists.
If you have a spammer using an email account, chances are their spam messages are all the same.
Learn SpamAssassin rules, start writing a few of them.
I could go on... but, the bottom line is you are responsible for these servers. Don't be afraid to pull some strings to protect what's yours.
--Dave Helton, KD0YU
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Sergio
Sent: Thursday, August 16, 2012 3:20 PM
To: MailScanner discussion
Subject: Re: How to block emails that FROM doesn't belongs to server domain list
Thank you all for your input.
What happens is this:
My server is not an open relay and it has SPF and DOMAINKEYS in it and that is working great. The problem is when a hacker has obtained the password for an account, so he can send emails authenticating with the account that has been compromised. When a hacker has access to an account (I am almost sure that anyone on the list has seen this), he sends emails but the FROM is changed to something that is not a domain on the server; that is what I am looking to stop.
Maybe a rule that could check that the FROM is not the same as the authenticated domain.
Could this be done?
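The check asked about in the quoted message (compare the header From domain with the server's domain list and with the authenticated login's domain), as an added example that is not part of the original thread and not MailScanner or SpamAssassin code. The function names, the sample domains, and the assumption that the SMTP AUTH login is a full e-mail address are all assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the domains hosted on this server (constructed sample values).
LOCAL_DOMAINS = {"example.com", "example.org"}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def check_submission(auth_user, raw_headers, local_domains=LOCAL_DOMAINS):
    """Return the reasons to hold a message submitted by auth_user ([] = accept).

    auth_user   -- SMTP AUTH login, assumed to be a full address
    raw_headers -- the message header block as text
    """
    msg = message_from_string(raw_headers)
    # getaddresses separates the display name from the address, so a
    # display name that merely looks like an address is not trusted.
    from_addrs = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    if not from_addrs:
        return ["no From header"]
    auth_domain = domain_of(auth_user)
    reasons = []
    for addr in from_addrs:
        dom = domain_of(addr)
        if dom not in local_domains:
            reasons.append(f"From domain {dom!r} is not hosted here")
        elif dom != auth_domain:
            reasons.append(
                f"From domain {dom!r} differs from login domain {auth_domain!r}")
    return reasons


# Constructed submissions: (authenticated login, header block).
SAMPLES = [
    ("alice@example.com", "From: Alice <alice@example.com>\nSubject: hi\n\n"),
    ("alice@example.com", "From: Billing <billing@bank.test>\nSubject: inv\n\n"),
    ("alice@example.com", "From: bob@example.org\nSubject: hi\n\n"),
]

if __name__ == "__main__":
    for login, headers in SAMPLES:
        print(login, "->", check_submission(login, headers) or "accept")
```

A mismatch here is a signal to hold the message and review the account, which fits the advice above to deal with the compromised login itself.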