Blocking spam that seems to come from yourself...

[albatroz]

One of my customers is receiving a lot of spam messages
that have his email address as the originator (From
and destination (To, as a result, spam assassin can't block them.


Any ideas on how can this be solved and filter those messages?

 

[tillo]

Sure: use SPF.

 

[nobaloney]

Sure: use SPF.

Maybe, maybe not.

The problem is that once we use SPF to validate our email origination, then we're stuck with those origination points.

For example, we can't use our laptops with other mailservers when we travel.

I've considered (as recently as today, when I responded to two clients with the same problem) putting some code into exim.conf to check for mail from and to the same address, but don't know yet how to resolve the same issue.

Jeff

 

[verruckt]

Any word on this? I'm getting hit hard on this type of spam.

 

[jlounds]

I don't know how to fix it (yet), but I did figure out that SMTP authentication is not needed if the message is "from" and "to" the same user.

What am I not understanding? It seems that all mail (except for bounces) should only be accepted if the user is authenticated.

 

[nobaloney]

If that were true, then no one could send you mail without first authenticating on your server.

Authentication can never be required for mail destined to a user on the server. If it were, then I couldn't write you unless I had an account on your server.

Jeff

 

[jlounds]

*blush*

I knew that! :-/

So, back to square one on these types of spam messages then? I researched SPF more, but that opens up a whole new can of worms.

Jeremy

 

[nobaloney]

The problem I see is that if I implement a solution I can never send myself an email.

I do send myself emails from time to time.

Don't you?

Ever?

How about creating a SpamAssassin rule that assigns a point value to emails from you to you?

Jeff

 

[jlounds]

Yeah, I send myself e-mails all the time.

Could you combine your idea (however it works) and also check to see if the message was sent via an authenticated SMTP connection? The only potential problem I see there is sending yourself a message from a different SMTP server.

Or how about this: a high point value if from me and to me, *unless* the "helo" is from one of several hostnames of my PCs?

 

[nobaloney]

Yeah, I send myself e-mails all the time.

I didn't think I was alone in this .

Could you combine your idea (however it works) and also check to see if the message was sent via an authenticated SMTP connection? The only potential problem I see there is sending yourself a message from a different SMTP server.

But many of us do that to...for example, first to see if we can send to hotmail, and then check to see if we can send back from hotmail. Or am I the only one who does that?

Or how about this: a high point value if from me and to me, *unless* the "helo" is from one of several hostnames of my PCs?

I don't have anything to do with SpamAssassin rulesets. My understanding is that DirectAdmin just uses standard rulesets. Is anyone else creating custom rulesets for SpamAssassin? If so, would you be willing to share?

Jeff

 

[andyreed]

check to see if the message was sent via an authenticated SMTP connection? The only potential problem I see there is sending yourself a message from a different SMTP server.

Or how about this: a high point value if from me and to me, *unless* the "helo" is from one of several hostnames of my PCs?

These tools might help:

• Spam Relay Checker at: http://www.3dmail.com/spam/
• Writing and Testing New SpamAssassin Rules http://wiki.apache.org/spamassassin/WritingRules
• SpamAssassin rules: http://www.rulesemporium.com/rules.htm

 

[jlounds]

Here is the rule I came up with -- I am not sure if I want to implement this server-wide, since it would have to be tweaked by hand! But it is nice to know I can set it up for someone who is getting hammered by these. If anyone has ideas on making this more compact, and/or how to better implement something this, I am very interested.

Use at your own risk!

If you plan to put these in "user_prefs", you have to enable "allow_user_rules" in /etc/mail/spamassassin/local.cf

However, spamassassin strongly discourages turning on this feature for security and efficiency purposes. Read more at: http://spamassassin.apache.org/full...html#rule_definitions_and_privileged_settings

header __DY_TEST_FROM From =~ /myaddress\@mydomain\.com/i
header __DY_TEST_TO To =~ /myaddress\@mydomain\.com/i 
header __DY_TEST_CC_1 CC =~ /myaddress\@mydomain\.com/i 
header __DY_TEST_CC_2 CC =~ /undisclosed/i 
header __DY_TEST_CC_3 CC exists:To 
header __DY_HELO_GOOD_1 Received =~ /helo=sendinghostname\.with\.dots\.escaped/i
header __DY_HELO_GOOD_2 Received =~ /helo=webmail\.hostname\.mydomain\.com/i
meta DY_FORGED_FROM  (__DY_TEST_FROM && (__DY_TEST_TO || __DY_TEST_CC_1 || __DY_TEST_CC_2 || !__DY_TEST_CC_3) && !__DY_HELO_GOOD_1 && !__DY_HELO_GOOD_2)
score DY_FORGED_FROM 20
describe DY_FORGED_FROM From myself, but HELO is bad host

 

[elbarto]

Hi guys... i'm facing the same problem that started this thread... I have a customer who is receiving lot's of spam from its email addresses and other non-existent addresses within its domain.

My priority here is to come up with a solution that helps all my clients in the same server.
As I understand, if I activate SPF check (BTW, how do I do that?), everytime an email is received the MTA will check that the source IP address matches the one defined for that domain on the DNS' zone.

This would affect clients who may want to send emails with their addresses from other servers. This does not worry me, because they are supposed to use my mailserver and no other. I can assume that in order to reduce spam on their accounts.

But would there be any other drawbacks? I mean, it's an important decision that will affect an important share of my clients, and I want to be sure what I'm doing.

Thanks in advance.

 

[jnet]

I am looking around but can't find any tutorial on how to enable spf
in Direct admin so that all new domains created have that in DNS entry

 

[elbarto]

If you want to add the SPF record on your DNS zones I think the right way to do it is editing the file /usr/local/directadmin/data/templates/dns_txt.conf

What I have there (which I think it's default, because I haven't touched anything there) is:

|DOMAIN|.="v=spf1 a mx ip4:|SERVER_IP| ~all"

What I want to know is how to configure exim (it is exim who is in charge of this, right?) so that it checks the SPF record of incoming emails. And, of course, what I asked before regarding the impact that that configuration might have on my clients.

 

[jnet]

I do not know what impact it has on clients but one thing I do know is that even Google aps suggest you have that record there , so It is important and seems to be better to have it!
Any body knows what impact it has?

 

[floyd]

Any body knows what impact it has?

Yes. It depends on how you have it set up. Search this forum for SPF and read this http://help.directadmin.com/item.php?id=207

 

[jlounds]

Another problem with SPF is with any servers that send a message on your behalf and use your address in the "from" header. For example, many web site "contact us" forms do this. Also, I know that PayPal sends my automatic subscription payment receipts with my address as the "from"

 

[elbarto]

@jlounds: Mmm and how does that work when you have a gmail address?
All the paypal emails I receive usually come from [email protected]

@floyd: thanks for the link, it was useful to understand further how to configure my DNS

The thing I haven't found yet is how to configure my mailserver to check the SPF record of the incoming emails.

 

[jnet]

Thanks I read it and made some changes but

"v=spf1 a mx ip4:1.2.3.4 -all"

shouldn't be

"v=spf1 a mx ip4:1.2.3.4 ~all"

the sign - or ~?