<div dir="ltr">Which From address are you trying to protect from spoofing? Emails have an envelope-from and a From: header. The From: header is what is visible in most mail clients. From my experience (someone please correct me if I am wrong), the "header From" rule does not examine the envelope-from. This needs to be done at the MTA level before SA.<div>There was a recent thread on the SA mailing list about how tough it is to protect the visible From: header from spoofing. Spammers are getting very sophisticated with their spear phishing by using a visible display name of the CEO with an incorrect email address. People still fall for it without looking closely at the From email address.</div><div><br></div><div>More important is to set up proper RBLs at the MTA level that block these low reputation sending IPs that tend to be the source of these spoofs. I use Postfix postscreen with about two dozen RBLs and DBLs weighted based on their reliability which works very well. It takes some time to set up and adjust but it has been worth it. I used to have to spend hours each day on tweaking SA rules always behind the latest spam campaigns from botnets all over the world. I did have to set up whitelisting with postwhite to whitelist the major mail providers based on their SPF record since some of them allow their outbound mail server IPs to become listed on RBLs. Now my MailScanner blocks more than 90% of the junk at the MTA level including spoofed email of all kinds.</div><div><br></div><div>Now I only have to deal with the occasional sender that gets listed on RBLs from its own compromised accounts. At least the Postfix bounce message is very clear as to why it was rejected and usually the sending mail admins can figure out what the problem is before contacting our support.</div><div><br></div><div>I still have to tweak SA rules and scores based on new spam campaigns but it's only a few hours a week now instead of a few hours a day. 
We filter for about 30,000 mailboxes and do outbound relaying for millions of emails each week.</div><div><br></div><div>MTA level checks:</div><div>- RBLs</div><div>- DBLs</div><div>- DNS PTR exists (not if it is correct/matches which is done in SA)</div><div>- SPF (header added for SA)</div><div>- number of recipients (header added since BCC can't be seen in SA)</div><div>- rate limiting</div><div>- greylisting</div><div><br></div><div>Dave</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 27, 2016 at 9:17 AM, Philip Parsons <span dir="ltr"><<a href="mailto:pparsons@techeez.com" target="_blank">pparsons@techeez.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Can you explain number 1 more?<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Sat, 2016-12-24 at 09:29 +0200, Valentin Laskov wrote:<br>
> At 20:00 +0000 on 23.12.2016 (Fri), Philip Parsons wrote:<br>
> ><br>
> > I use MailScanner and Sendmail.<br>
> Hi all,<br>
><br>
> I would suggest one of (or both)<br>
> 1. setting and relay only after authentication in sendmail<br>
> 2. these letters usually contain files that MailScanner denies.<br>
> MailScanner then sends reports to sender/recipient/postmaster about<br>
> quarantined attachment file. I changed in filename.rules.conf and in<br>
> archive.filename.rules.conf not to deny these files but to forward to<br>
> other email address like <a href="mailto:me@example.com">me@example.com</a> . You must clean this box<br>
> regularly :)<br>
><br>
> Regards and Happy Holidays<br>
><br>
> Valentin<br>
><br>
><br>
> -- <br>
> MailScanner mailing list<br>
> <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.<wbr>info</a><br>
> <a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" rel="noreferrer" target="_blank">http://lists.mailscanner.info/<wbr>mailman/listinfo/mailscanner</a><br>
><br>
><br>
</div></div><span class="im HOEnZb">--<br>
<br>
Thank You<br>
Philip Parsons<br>
Techeez on the go<br>
please excuse the spelling.<br>
<br>
<br>
</span><div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>
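<div>The difference between the envelope-from and the visible From: header discussed in this thread, as an added example that is not part of the original e-mails. It flags a guarded display name used with an outside address, and an in-house From: header arriving with an outside envelope sender. ORG_DOMAIN, PROTECTED_NAMES, check_from and the sample messages are constructed for illustration.</div>

```python
from email import message_from_string, policy

# Assumed values for illustration (not from the thread).
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}  # display names worth guarding, lower case

def check_from(envelope_from, raw_message):
    """Compare the SMTP envelope sender with the visible From: header."""
    # policy.default parses address headers and decodes RFC 2047 encoded names
    msg = message_from_string(raw_message, policy=policy.default)
    headers = msg.get_all("From", [])
    if len(headers) != 1 or len(headers[0].addresses) != 1:
        return ["malformed-from"]  # missing, repeated or multi-address From:
    visible = headers[0].addresses[0]
    name = " ".join(visible.display_name.lower().split())
    hdr_domain = visible.domain.lower()
    # "<>" is the null sender used by bounces; its domain comes out empty
    env_domain = envelope_from.strip("<>").rpartition("@")[2].lower()
    findings = []
    if name in PROTECTED_NAMES and hdr_domain != ORG_DOMAIN:
        findings.append("display-name-spoof")
    if hdr_domain == ORG_DOMAIN and env_domain != ORG_DOMAIN:
        findings.append("org-header-foreign-envelope")
    return findings

# Constructed sample input: (envelope-from, raw message)
SAMPLES = [
    ("bounce@mailer.example.net",
     'From: "Jane Doe" <jane.doe@freemail.example.net>\nSubject: Wire\n\nhi\n'),
    ("jane.doe@example.com",
     "From: Jane Doe <jane.doe@example.com>\nSubject: Minutes\n\nhi\n"),
    ("x@bulk.example.org",
     "From: =?utf-8?q?Jane_Doe?= <ceo@mail.example.org>\nSubject: Urgent\n\nhi\n"),
    ("relay@bulk.example.org",
     "From: accounts@example.com\nSubject: Invoice\n\nhi\n"),
]

if __name__ == "__main__":
    for envelope, raw in SAMPLES:
        print(envelope, check_from(envelope, raw))
```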