How to block emails that FROM doesn't belongs to server domain list

Joolee mailscanner at joolee.nl
Fri Aug 17 08:18:00 IST 2012


With Postfix, you could do this by enforcing client restrictions:
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch

On 17 August 2012 06:19, Sergio <secmas at gmail.com> wrote:

> Thank you, Dave.
>
> Actually my server is secure in a lot of aspects, but there is nothing you
> can do for a weak password.
>
> Right now my server blocks any IP that is trying to send more than 200
> emails in an hour, and the blocked IP can be freed only after we talk to the
> customer. If we find that the account was compromised, we change the
> password.
>
> But what I am looking for is to not let even 200 emails leave the server
> when they are sent from a compromised account; we want to go one step ahead.
>
> So far I have created some MCP rules that delete emails whose body
> and/or subject has been used by a compromised account, but I am still
> looking for something more automatic.
>
> Regards,
>
> Sergio
>
> On Thu, Aug 16, 2012 at 3:08 PM, Dave Helton <dave at kd0yu.com> wrote:
>
>> Patching the symptoms will not fix the cause.
>>
>> You might call the user if you're a small provider and provide a way for
>> them to change their password.
>>
>> Disable the account login/email and wait for the user to call if there
>> are too many.
>>
>> Chances are their email accounts are not the only thing compromised...
>> I'd want to know.
>>
>> While this may seem like a drastic measure, do what you have to do before
>> your IPs make it to the blacklists.
>>
>> If you have a spammer using an email account, chances are their spam
>> messages are all the same.
>>
>> Learn SpamAssassin rules, start writing a few of them.
>>
>> I could go on... but, the bottom line is you are responsible for these
>> servers.  Don't be afraid to pull some strings to protect what's yours.
>>
>> --Dave Helton, KD0YU
>>
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:
>> mailscanner-bounces at lists.mailscanner.info] On Behalf Of Sergio
>> Sent: Thursday, August 16, 2012 3:20 PM
>> To: MailScanner discussion
>> Subject: Re: How to block emails that FROM doesn't belongs to server
>> domain list
>>
>> Thanks all for your input.
>>
>> What happens is this:
>> My server is not an open relay and it has SPF and DOMAINKEYS on it, and
>> that is working great. The problem is when a hacker has obtained the
>> password for an account, so he can send emails authenticating with the
>> account that has been compromised. When a hacker has access to an account
>> (I am almost sure that anyone on the list has seen this), he sends emails
>> but the FROM is changed to something that is not a domain on the server;
>> that is what I am looking to stop.
>>
>> Maybe a rule that could check that the FROM is not the same as the
>> authenticated domain.
>>
>> Could this be done?
>>
>> Best Regards,
>>
>> Sergio
>>
>> ___________________________________________________________________
>> This message has been scanned for viruses and dangerous content by
>> MailScanner <http://www.mailscanner.info/>
>> running on mail server KD0YU.COM <http://www.kd0yu.com/>, and is
>> believed to be clean.
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
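
Added example, not part of the original message: a minimal Postfix setup for the `reject_sender_login_mismatch` restriction linked at the top of this reply. The map path, the example.com/example.net addresses and the login names are constructed, and the sketch assumes SASL logins in user@domain form; the check applies to the envelope MAIL FROM, not to the From: header.

```conf
# ---- /etc/postfix/main.cf (fragment) ----
# Which SASL login name(s) own each envelope sender (MAIL FROM) address.
# Path and table type are assumptions; any Postfix lookup table works.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Put the check at the front of the existing sender restrictions. It has to
# come before any permit_sasl_authenticated in this same list, otherwise
# authenticated clients are accepted before the ownership check runs.
smtpd_sender_restrictions =
    reject_sender_login_mismatch

# reject_sender_login_mismatch also rejects unauthenticated clients that use
# a sender address listed in the table. To enforce ownership only for
# logged-in clients, use reject_authenticated_sender_login_mismatch instead.

# ---- /etc/postfix/sender_login_maps (constructed sample data) ----
# Left: sender address. Right: login name(s) allowed to send as it.
# Lookup order for indexed tables: user@domain first, @domain last.
alice@example.com     alice@example.com
sales@example.com     alice@example.com, bob@example.com
# Domain-wide entry: carol may use any sender address in example.net.
@example.net          carol@example.net

# Rebuild the table and reload after editing:
#   postmap /etc/postfix/sender_login_maps
#   postfix reload
#
# Effect of this check for a client logged in as alice@example.com:
#   MAIL FROM:<alice@example.com>    passes (owner matches)
#   MAIL FROM:<sales@example.com>    passes (alice is listed as an owner)
#   MAIL FROM:<bob@example.com>      rejected (no entry lists alice as owner)
#   MAIL FROM:<promo@other.example>  rejected (address not owned by alice)
```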