Forwarders (again)

LawsHosting

LawsHosting

Verified User
Joined
Sep 13, 2008
Messages
2,372
Location
London UK
Ok, a lot of my clients forward their mail from their domains to their hotmail/gmail/etc addresses (they do not use catch-all by the way)..... However, recently I'm seeing a lot of emails being blocked by the addresses they forward to (hotmail/gmail/etc), even when emails are generated within their accounts by scripts....

I know there's a lot of talk about forwarders being dangerous. However, has anyone else encountered similar issues? Do (forward) emails bypass any checks, eg. DKIM, Spam Assassin, etc, because it's outgoing email?

On another note, recently Microsoft blocked our MTA IP due to spam being sent to non-existing addresses due to, what I guess, automated sign-ups from Wordpress. Which is a pain.

Edit: Here's the message from GMail:
Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked
Click to expand...
 
Last edited:
Peter Laws said:
[..]Do (forward) emails bypass any checks, eg. DKIM, Spam Assassin, etc, because it's outgoing email?
Click to expand...

I wonder about the same thing, and would also like to know a answer to this.

Peter Laws said:
[..]Edit: Here's the message from GMail:
Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked
Click to expand...

Yes, I see the same thing in mail queue from Gmail on my customers that have email forwarders.
 
SPF "breaks" email forwarding. SRS is a way to fix it.
Click to expand...
So, why isn't this SRS implemented by default?

If I had my way, I'd ban external forwarders - as forwarding to an external addresses is just lazy - but I'd have a lot of unhappy clients.
 
Be interesting to hear views from John & Jeff
Here we have the same problem with clients forwarding to external accounts...
Click to expand...

Do you ignore them?

Of course, the blocked mails are probably spam, but if it is spam, you'd think it'll be blocked at SMTP time by SA or blocklists listed in SB4.1's exim.conf.
 
I've just this moment begun a discussion with John on this issue. Please don't bump after only a day; it takes time to get discussions going.

Perhaps this will end up a feature request.

Jeff
 
Hello,

I googled around, and SRS is a whole new can of worms.
There are a few different implementations.. one being an srsd deamon (entirely new service) just to rewrite the headers.. I'm not a fan.

The other is with Exim, as it does have EXPERIMENTAL_SRS which can be compiled in, but needs all of the srs libraries.. again, get's messy quickly.
It's also experimental meaning it's new, with limited testing, and it's implementation may change in the future, breaking the setup.

On a side-note, SRS will do nothing to prevent spam from leaving your server to remote servers (eg, gmail).
It merely rewrites the headers is the email is "from" your server, instead of the original external sender, solely to satisfy any SPF checks that may be going on.

At the end of the day, if you have forwarders pointing to external places like gmail, it only takes a difference in opinions between SpamAssassin and gmail as to what is spam, for the spam to get through S.A., and be flagged on gmail's end and then you're blocked.

Although we'll never be able to convince all clients to stop using forwarders, one option that most of the major mail providers offer is a remote pop/imap pull.
Basically, your client logs into their gmail account, and adds their DA email account, IP and password, as a new imap account within gmail.
Gmail will then grab any email from the DA box via imap.. and you won't be flagged a spammer if there is spam sitting in there.
Of course, convince Users to do this will likely be difficult, but is an option I encourage people to use when at all possible.

John
 
If we manage to "convince" clients to change, is there, or will there, be any way to restrict the ability to block forwards to external addresses?
 
You can set "email forwarders" to 0 in the packages.
However, this will also prevent the users to make forwards to local email adresses.
 
???? Duh! What strange conclusions are they making? They totally don't understand what you mean. Very odd.

According to me you are typing quite clear English there and I understood your question on their forums the first time I read it.
So either we both think in a foreign language, or they can't read propper English. I think it's the latter one.

I can't find anything wrong or anything "not-understandable" to your question there. It's quite clear what you mean as far as I'm concerned.
 
Got some sort of an answer elsewhere, saying it checks POP/etc accounts hourly (some say you can configure the check), if that's true, we'll be okay as Fail2Ban checks 20 fail logins within 4 minutes for Dovecot..
 
You must log in or register to reply here.
Back
Top