<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";
        mso-fareast-language:EN-GB;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We started using the reject_sender_login_mismatch, but it creates its own headache… If, on exchange for example as its quite common, you set up a forward for
a mailbox to an external address then the email is forwarded as from the original sender and not from the user on a domain that should be sending through you and that setting triggers and the email is blocked when it shouldn’t be.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info]
<b>On Behalf Of </b>Joolee<br>
<b>Sent:</b> 17 August 2012 08:18<br>
<b>To:</b> MailScanner discussion<br>
<b>Subject:</b> Re: How to block emails that FROM doesn't belongs to server domain list<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">With Postfix, you could do this by enforcing client restrictions:<br>
<a href="http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch" target="_blank">http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch</a><o:p></o:p></p>
<div>
<p class="MsoNormal">On 17 August 2012 06:19, Sergio <<a href="mailto:secmas@gmail.com" target="_blank">secmas@gmail.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Thank you, Dave.<br>
<br>
Actually my server is secure in a lot of aspects, but there is nothing you can do for a weak password.<br>
<br>
Right now my server blocks any IP that is trying to send more than 200 emails in an hour and the IP blocked can be free only after we talk to the customer. If we found that the account was compromised we change the password.<br>
<br>
But what I am looking is to not even left 200 emails leave the server when they are sent from a compromised account, we want to go one step ahead.<br>
<br>
By now I have created some MCP rules that delete the emails that the body and/or subject has been used in a compromised account, but I am still looking for something more automatic.<br>
<br>
Regards,<br>
<br>
Sergio<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On Thu, Aug 16, 2012 at 3:08 PM, Dave Helton <<a href="mailto:dave@kd0yu.com" target="_blank">dave@kd0yu.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Patching the symptoms will not fix the cause.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You might call the user if you're a small provider and provide a way for them to change
their password.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Disable the account login/email and wait for the user to call if there are too many.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Chances are their email accounts are not the only thing compromised... I'd want to know.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">While this may seem like a drastic measure, do what you have to do before your IP's
make it to the blacklists.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If you have a spammer using an email account, chances are their spam messages are all
the same.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Learn SpamAssassin rules, start writing a few of them.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I could go on... but, the bottom line is you are responsible for these servers. Don't
be afraid to pull some</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">strings to protect what's yours.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">--Dave Helton, KD0YU</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a> [mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>]
<b>On Behalf Of </b>Sergio<br>
<b>Sent:</b> Thursday, August 16, 2012 3:20 PM<br>
<b>To:</b> MailScanner discussion<br>
<b>Subject:</b> Re: How to block emails that FROM doesn't belongs to server domain list</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span lang="EN-US">Thank all for your inputs.<br>
<br>
What happens is this:<br>
My server is not Open Relayed and it has SPF and DOMAINKEYS in it and that is working great. The problem is when a hacker has obtained the password from an account, so, it can send emails authenticating with the account that has been compromised. When a hacker
has access to an account (I am almost sure that any one on the list has seen this), he sends emails but the FROM is changed to something that is not a domain on the server, that is what I am looking to stop.<br>
<br>
Maybe a rule that could check that the FROM is not the same as the authenticated domain.<br>
<br>
Could this be done?<br>
<br>
Best Regards,<br>
<br>
Sergio<o:p></o:p></span></p>
</div>
</div>
<p><span lang="EN-US" style="color:darkblue">___________________________________________________________________
<br>
</span><span lang="EN-US" style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:darkblue">This message has been scanned for viruses and dangerous content by
<a href="http://www.mailscanner.info/" target="_blank"><b>MailScanner</b></a> <br>
running on mail server <a href="http://www.kd0yu.com/" target="_blank"><b>KD0YU.COM</b></a>, and is believed to be clean.</span><span lang="EN-US" style="color:darkblue">
</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p><span lang="EN-US" style="color:darkblue">___________________________________________________________________
<br>
</span><span lang="EN-US" style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:darkblue">This message has been scanned for viruses and dangerous content by
<a href="http://www.mailscanner.info/" target="_blank"><b>MailScanner</b></a> <br>
running on mail server <a href="http://www.kd0yu.com/%22" target="_blank"><b>KD0YU.COM</b></a>, and is believed to be clean.</span><span lang="EN-US" style="color:darkblue">
<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">
http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">
http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>