How to reject/detect emails claiming to be from my own domain?

Philip Parsons pparsons at techeez.com
Thu Dec 29 17:50:03 UTC 2016


I am trying to get one that does the envelope-from header so at the MTA side of things.  I am hoping someone has done this with sendmail as changing the MTA is not possible at the moment.  The rule set from Thom van der Boon works great on the From header.




From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Dave Jones
Sent: December 27, 2016 2:21 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: How to reject/detect emails claiming to be from my own domain?

Which From address are you trying to protect from spoofing?  Emails have an envelope-from and a From: header.  The From: header is what is visible in most mail clients.  From my experience (someone please correct me if I am wrong), the "header From" rule does not examine the envelope-from.  This needs to be done at the MTA level before SA.
There was a recent thread on the SA mailing list about how tough it is to protect the visible From: header from spoofing.  Spammers are getting very sophisticated with their spear phishing by using a visible display name of the CEO with an incorrect email address.  People still fall for it without looking closely at the From email address.

More importantly is to set up proper RBLs at the MTA level that block these low reputation sending IPs that tend to be the source of these spoofs.  I use Postfix postscreen with about two dozen RBLs and DBLs weighted based on their reliability which works very well.  It takes some time to set up and adjust but it has been worth it.  I used to have to spend hours each day on tweaking SA rules always behind the latest spam campaigns from botnets all over the world.  I did have to set up whitelisting with postwhite to whitelist the major mail providers based on their SPF record since some of them allow their outbound mail server IPs to become listed on RBLs.  Now my MailScanner blocks more than 90% of the junk at the MTA level including spoofed email of all kinds.

Now I only have to deal with the occasional sender that gets listed on RBLs from its own compromised accounts.  At least the Postfix bounce message is very clear as to why it was rejected and usually the sending mail admins can figure out what the problem is before contacting our support.

I still have to tweak SA rules and scores based on new spam campaigns but it's only a few hours a week now instead of a few hours a day.  We filter for about 30,000 mailboxes and do outbound relaying for millions of emails each week.

MTA level checks:
- RBLs
- DBLs
- DNS PTR exists (not if it is correct/matches which is done in SA)
- SPF (header added for SA)
- number of recipients (header added since BCC can't be seen in SA)
- rate limiting
- greylisting

Dave

On Tue, Dec 27, 2016 at 9:17 AM, Philip Parsons <pparsons at techeez.com> wrote:
Can you explain number 1 more?


On Sat, 2016-12-24 at 09:29 +0200, Valentin Laskov wrote:
> At 20:00 +0000 on 23.12.2016 (Fri), Philip Parsons wrote:
> >
> > I use MailScanner and Sendmail.
> Hi all,
>
> I would suggest one of (or both)
> 1. setting and relay only after authentication in sendmail
> 2. these letters usually contain files that MailScanner denies.
> MailScanner then sends reports to sender/recipient/postmaster about
> quarantined attachment file. I changed in filename.rules.conf and in
> archive.filename.rules.conf not to deny these files but to forward to
> other email address like me at example.com . You must clean this box
> regularly :)
>
> Regards and Happy Holidays
>
> Valentin
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
--

Thank You
Philip Parsons
Techeez on the go
please excuse the spelling.

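Dave's point above is that the envelope-from is only ever seen by the MTA, while the display-name trick needs a look at the parsed From: header. The following is an added illustration, not code from this thread, from MailScanner or from sendmail: a Python decision function of the kind a milter or policy hook would call, given what the MTA already knows (envelope sender, whether the client did SMTP AUTH, the SPF result) plus the From: header. The domain example.com, the protected display name and the sample message are constructed.

```python
import email
from email.utils import parseaddr


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoof_findings(own_domain, envelope_from, raw_message,
                   authenticated, spf_result, protected_names):
    """Return the reasons a message claiming own_domain looks spoofed.

    own_domain      - the domain being protected (constructed: example.com)
    envelope_from   - SMTP MAIL FROM address; only the MTA sees this
    raw_message     - the message bytes as received
    authenticated   - True if the client completed SMTP AUTH (own users)
    spf_result      - 'pass', 'fail', 'none', ... as computed by the MTA
    protected_names - display names (e.g. the CEO) to watch for impersonation
    """
    findings = []
    own_domain = own_domain.lower()
    # Our own users (AUTH) or a host our SPF record authorises may claim our domain.
    trusted_source = authenticated or spf_result == "pass"

    # 1. Envelope-from claims our domain from an untrusted source (MTA-level check).
    if domain_of(envelope_from) == own_domain and not trusted_source:
        findings.append(f"envelope-from claims {own_domain} from untrusted source")

    msg = email.message_from_bytes(raw_message)
    display_name, header_addr = parseaddr(msg.get("From", ""))

    # 2. The visible From: header claims our domain from an untrusted source.
    if domain_of(header_addr) == own_domain and not trusted_source:
        findings.append(f"From: header claims {own_domain} from untrusted source")

    # 3. A protected person's display name paired with an address outside our domain.
    watched = {n.lower() for n in protected_names}
    if display_name.strip().lower() in watched and domain_of(header_addr) != own_domain:
        findings.append(f"display-name impersonation: {display_name!r} with address {header_addr}")

    return findings


# Constructed sample: external, unauthenticated client, SPF fail, CEO display name.
SAMPLE = (b"From: CEO Name <ceo.name@freemail.example>\r\n"
          b"To: staff@example.com\r\nSubject: urgent wire\r\n\r\nPlease pay today.\r\n")

if __name__ == "__main__":
    for reason in spoof_findings("example.com", "ceo.name@example.com", SAMPLE,
                                 False, "fail", ["CEO Name"]):
        print(reason)
```

Which of the three findings leads to a reject and which only to a header for SpamAssassin is a local policy decision; the point is that finding 1 can only be made before the message reaches SA.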

