How to reject/detect emails claiming to be from my own domain?

Dave Jones dave at jonesol.com
Tue Dec 27 22:21:02 UTC 2016


Which From address are you trying to protect from spoofing?  Emails have an
envelope-from and a From: header.  The From: header is what is visible in
most mail clients.  From my experience (someone please correct me if I am
wrong), the "header From" rule does not examine the envelope-from.  This
needs to be done at the MTA level before SA.
There was a recent thread on the SA mailing list about how tough it is to
protect the visible From: header from spoofing.  Spammers are getting very
sophisticated with their spear phishing by using a visible display name of
the CEO with an incorrect email address.  People still fall for it without
looking closely at the From email address.

More important is to set up proper RBLs at the MTA level that block these
low reputation sending IPs that tend to be the source of these spoofs.  I
use Postfix postscreen with about two dozen RBLs and DBLs weighted based on
their reliability which works very well.  It takes some time to set up and
adjust but it has been worth it.  I used to have to spend hours each day on
tweaking SA rules always behind the latest spam campaigns from botnets all
over the world.  I did have to set up whitelisting with postwhite to
whitelist the major mail providers based on their SPF record since some of
them allow their outbound mail server IPs to become listed on RBLs.  Now my
MailScanner blocks more than 90% of the junk at the MTA level including
spoofed email of all kinds.

Now I only have to deal with the occasional sender that gets listed on RBLs
from its own compromised accounts.  At least the Postfix bounce message is
very clear as to why it was rejected and usually the sending mail admins
can figure out what the problem is before contacting our support.

I still have to tweak SA rules and scores based on new spam campaigns but
it's only a few hours a week now instead of a few hours a day.  We filter
for about 30,000 mailboxes and do outbound relaying for millions of emails
each week.

MTA level checks:
- RBLs
- DBLs
- DNS PTR exists (not if it is correct/matches which is done in SA)
- SPF (header added for SA)
- number of recipients (header added since BCC can't be seen in SA)
- rate limiting
- greylisting

Dave

On Tue, Dec 27, 2016 at 9:17 AM, Philip Parsons <pparsons at techeez.com>
wrote:

> Can you explain number 1 more ?
>
>
> On Sat, 2016-12-24 at 09:29 +0200, Valentin Laskov wrote:
> > At 20:00 +0000 on 23.12.2016 (Fri), Philip Parsons wrote:
> > >
> > > I use Mailscanner and Send mail.
> > Hi all,
> >
> > I would suggest one of (or both)
> > 1. setting and relay only after authentication in sendmail
> > 2. these letters usually contain files that MailScanner denies.
> > MailScanner then sends reports to sender/recipient/postmaster about
> > quarantined attachment file. I changed in filename.rules.conf and in
> > archive.filename.rules.conf not to deny these files but to forward to
> > other email address like me at example.com . You must clean this box
> > regularly :)
> >
> > Regards and Happy Holidays
> >
> > Valentin
> >
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >
> --
>
> Thank You
> Philip Parsons
> Techeez on the go
> please excuse the spelling.
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
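The following Postfix main.cf fragment is an added illustration of the MTA-level layering Dave describes above (weighted postscreen RBLs, a postwhite SPF whitelist, PTR existence, rate limiting, an envelope-from check for your own domain, DBLs, SPF and greylisting). It is not from the original thread or from any poster's configuration. It assumes postscreen is already enabled in master.cf, that postwhite writes its CIDR file to /etc/postfix/postscreen_spf_whitelist.cidr, that postgrey listens on 127.0.0.1:10023 and policyd-spf on unix:private/policyd-spf, and that the protected domain is example.com; the DNSBL choices and weights are placeholders to show the syntax, not a recommendation.

```ini
# Added example main.cf fragment (assumptions: postscreen enabled in master.cf,
# postwhite -> /etc/postfix/postscreen_spf_whitelist.cidr, postgrey on
# 127.0.0.1:10023, policyd-spf on unix:private/policyd-spf, own domain example.com).
# DNSBL names and weights are illustrative only.

# --- postscreen: pre-greeting tests against weighted RBLs ---
# Hosts in mynetworks and in the postwhite SPF whitelist skip postscreen entirely,
# which covers big providers whose outbound IPs sometimes land on a list.
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_greet_action = enforce
# Each hit adds its weight; a negative weight (dnswl) subtracts.
postscreen_dnsbl_sites =
    zen.spamhaus.org*3,
    b.barracudacentral.org*2,
    bl.spamcop.net*2,
    dnsbl.sorbs.net*1,
    list.dnswl.org=127.0.[0..255].[1..3]*-2
# Reject only when the combined score reaches the threshold, so a single
# less reliable list cannot block on its own.
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce

# --- client stage: PTR must exist (whether it matches is left to SA), rate limits ---
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname
anvil_rate_time_unit = 60s
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100

# --- envelope-from stage: our own domain is only acceptable from authenticated
# clients or our own networks; everything else claiming it is rejected here,
# before SpamAssassin ever sees the message.  Then domain-based lists (DBLs).
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/protected_senders,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org

# --- recipient stage: SPF policy daemon (adds a Received-SPF: header that SA
# can score) and greylisting as the last step for unknown senders.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    check_policy_service inet:127.0.0.1:10023
```

The hash map /etc/postfix/protected_senders holds a single entry, `example.com REJECT envelope sender forged`, and is compiled with `postmap /etc/postfix/protected_senders`. Note that this only covers the envelope-from; the visible From: header with a forged display name is a separate problem, which is why Dave leaves that part to SpamAssassin rules, and a blanket header_checks rule on your own domain would also hit your legitimate outbound mail unless submission is handled on a separate port.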