How to block emails that FROM doesn't belongs to server domain list

Jason Ede J.Ede at birchenallhowden.co.uk
Mon Aug 20 09:57:36 IST 2012


We started using the reject_sender_login_mismatch, but it creates its own headache… If, on Exchange for example, as it's quite common, you set up a forward for a mailbox to an external address, then the email is forwarded as from the original sender and not from the user on a domain that should be sending through you, and that setting triggers and the email is blocked when it shouldn’t be.

From: mailscanner-bounces at lists.mailscanner.info On Behalf Of Joolee
Sent: 17 August 2012 08:18
To: MailScanner discussion
Subject: Re: How to block emails that FROM doesn't belongs to server domain list

With Postfix, you could do this by enforcing client restrictions:
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch

On 17 August 2012 06:19, Sergio <secmas at gmail.com> wrote:
Thank you, Dave.

Actually my server is secure in a lot of aspects, but there is nothing you can do for a weak password.

Right now my server blocks any IP that is trying to send more than 200 emails in an hour, and the blocked IP can be freed only after we talk to the customer. If we find that the account was compromised, we change the password.

But what I am looking for is to not let even 200 emails leave the server when they are sent from a compromised account; we want to go one step ahead.

By now I have created some MCP rules that delete the emails whose body and/or subject has been used in a compromised account, but I am still looking for something more automatic.

Regards,

Sergio

On Thu, Aug 16, 2012 at 3:08 PM, Dave Helton <dave at kd0yu.com> wrote:
Patching the symptoms will not fix the cause.

You might call the user if you're a small provider and provide a way for them to change their password.
Disable the account login/email and wait for the user to call if there are too many.
Chances are their email accounts are not the only thing compromised... I'd want to know.

While this may seem like a drastic measure, do what you have to do before your IPs make it to the blacklists.

If you have a spammer using an email account, chances are their spam messages are all the same.
Learn SpamAssassin rules, start writing a few of them.

I could go on... but, the bottom line is you are responsible for these servers. Don't be afraid to pull some strings to protect what's yours.

--Dave Helton, KD0YU

From: mailscanner-bounces at lists.mailscanner.info On Behalf Of Sergio
Sent: Thursday, August 16, 2012 3:20 PM
To: MailScanner discussion
Subject: Re: How to block emails that FROM doesn't belongs to server domain list

Thanks all for your input.

What happens is this:
My server is not an open relay and it has SPF and DOMAINKEYS in it, and that is working great. The problem is when a hacker has obtained the password for an account, so he can send emails authenticating with the account that has been compromised. When a hacker has access to an account (I am almost sure that anyone on the list has seen this), he sends emails but the FROM is changed to something that is not a domain on the server; that is what I am looking to stop.

Maybe a rule that could check that the FROM is not the same as the authenticated domain.

Could this be done?

Best Regards,

Sergio

___________________________________________________________________
This message has been scanned for viruses and dangerous content by MailScanner<http://www.mailscanner.info/>
running on mail server KD0YU.COM<http://www.kd0yu.com/>, and is believed to be clean.

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
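
The check Sergio asks about and the forwarding case Jason describes, as an added example that is not part of the thread and not Postfix's own code: decision logic for a Postfix policy-delegation service, which receives the authenticated login as `sasl_username` and the envelope sender as `sender`. The hosted domains, the relay-login exemption (`RELAY_LOGINS`), and all addresses are assumptions constructed for illustration; a real service would wrap each returned action as `action=...` followed by an empty line.

```python
# Added example, not from the thread. Domains, logins and requests are constructed.
HOSTED_DOMAINS = {"example.com", "example.org"}   # assumption: domains hosted here
RELAY_LOGINS = {"exchange-relay@example.com"}     # assumption: logins that forward third-party mail


def parse_policy_request(text):
    """Parse the name=value lines Postfix sends to a policy service."""
    attrs = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def decide(attrs):
    """Return the policy action for one authenticated-submission request."""
    login = attrs.get("sasl_username", "").lower()
    sender = attrs.get("sender", "")
    if not login or not sender:
        return "DUNNO"        # unauthenticated client or null sender: not our check
    if login in RELAY_LOGINS:
        return "DUNNO"        # forwarding host keeps the original external sender
    # Prefer the login's own domain; a bare login falls back to the hosted list.
    allowed = {domain_of(login)} if domain_of(login) else HOSTED_DOMAINS
    if domain_of(sender) in allowed:
        return "DUNNO"
    return "REJECT sender domain not permitted for this login"


# Constructed requests: normal user, hijacked account, Exchange forward.
NORMAL = "request=smtpd_access_policy\nsasl_username=bob@example.com\nsender=bob@example.com\n"
HIJACKED = "request=smtpd_access_policy\nsasl_username=bob@example.com\nsender=promo@unrelated.example\n"
FORWARD = "request=smtpd_access_policy\nsasl_username=exchange-relay@example.com\nsender=alice@outside.example\n"

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("hijacked", HIJACKED), ("forward", FORWARD)):
        print(name, "->", decide(parse_policy_request(req)))
```

This checks the envelope sender only; the `From:` header inside the message is not visible to a policy service and would need a content-level rule.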

