Email Spams On My own Email Address

Hello cripperz, I resolved this problem by activating SMTP authentication for my virtual domain.

In my exim.conf I add this:

Code:
deny
  ! authenticated = *
  condition = ${if match_domain{${domain:${address:$h_from:}}}{+local_domains}}
  message = authentication required

At the end of deny.

And modify this:

Code:
accept hosts = +relay_hosts

with this:

Code:
accept hosts = +relay_hosts
  endpass
  message = authentication required
  authenticated = *

Now every user who wants to send mail to my users' mailboxes (or to the same mailbox that sends it) or to external addresses needs to activate SMTP authentication and needs a valid login and password.
 
I believe it also means that no one can send email to their own domain using any other mailserver, with a from address at their domain. This is very limiting (it's been discussed before on these forums); for example if you're at a coffee shop you can't send a copy of an email to yourself.

So it will probably never be a part of a standard implementation. When working on a standard implementation, to be used by everyone under every possible condition, one cannot just tighten up the conditions under which the server is expected to work. Great for your own server, but not something I'd want to see implemented as a default on a shared hosting system.

Jeff
 
dkim support issue:
I've asked John at DirectAdmin to verify that no recompile is required any longer to use DKIM support in Exim on DirectAdmin. Once he verifies that we can consider DKIM support to be added.

Jeff
 
Generally when you send mail from a coffee shop, you use the webmail of your account, so it works perfectly ;)
But yes, if you send mail to my user with a "from" address at one of my users' domains and use another mail server, you receive a warning message that says "authentication required".

Personally I think a lot of users don't try to send mail with another mail server (no sense for me), and a lot only use webmail.

So yes, it's not a solution that works for everybody, but I think for me and certainly for a lot of people, it's perfect ;)
 
Quick note regarding BATV. This won't work with the way Exim is configured.
Code:
# IN TRANSPORTS
# This transport is used for delivering messages over SMTP connections.
remote_smtp:
  driver = smtp
  return_path = ${prvs {$return_path}{BATVKEY}}
because Exim sends bounce messages too and they have an empty return path.
 
Quick note regarding BATV. This won't work with the way Exim is configured.

because Exim sends bounce messages too and they have an empty return path

You are correct. Use this return_path instead:

Code:
return_path = ${if match_address{$return_path}{*@*} {${prvs {$return_path} {BATVKEY}}} fail }
 
I believe it also means that no one can send email to their own domain using any other mailserver, with a from address at their domain...for example if you're at a coffee shop you can't send a copy of an email to yourself.

I must be missing something. If I'm in the coffee shop running Outlook, and my mail servers are mail.mydomain.com, my mail is going out 587 to exim on mail.mydomain.com, ssl or not. So why can't I send and receive the same as if I'm anywhere else? If I'm on a public computer, I would need to use webmail in any case because I don't have my Outlook, and one can force SSL at the server.

1. If we're sending mail from a protected address such as
[email protected], it rewrites the return-path to some magically
generated address instead:
Return-Path: [email protected]
2. If we receive a bounce (empty reverse-path) addressed to one of
those magically-generated addresses, it rewrites the destination back to
the original [email protected] using a router. (batv_redirect)

So from what I read from this, the return path that the recipient sees is no longer the same as the from path. I can see how that could work but it seems like that would raise scores on the recipient end. Assuming that it uses different return paths each time, I would THINK that once anybody has any one of your Return-Paths, they could use it forever.

I think that implementing DKIM (Exim 4.7) in your SpamBlocker like you did with SpamAssassin would be great and is more important than BATV. Greetz

DKIM only works if SpamAssassin scans spoofed messages. Currently, the spoofed messages don't get scanned at all while the non-spoofed messages do. I'm guessing that implicates exim.conf where the rules define what gets scanned.

Code:
# Spam Assassin
spamcheck_director:
  driver = accept
  condition = "${if and { \
			{!def:h_X-Spam-Flag:} \
			{!eq {$received_protocol}{spam-scanned}} \
			{!eq {$received_protocol}{local}} \
			{exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
			{<{$message_size}{100k}} \
		} {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify

Here is an example of the same To and From, except one has a spoofed address.

Spoofed Message:
Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 19 Apr 2010 12:41:20 -0400
Received: from [158.170.168.134] (helo=BTSPXZO)
	by server1.domainstop.com with esmtp (Exim 4.71)
	(envelope-from <[email protected]>)
	id 1O3u28-0003bW-21; Mon, 19 Apr 2010 12:41:20 -0400
Received: from 158.170.168.134 by smtp1.loreal.com; Mon, 19 Apr 2010
	12:41:14 -0400
Message-ID: <000d01cadfdf$20292970$6400a8c0@conceivingm2>
From: "leadingedgeita.com support" <[email protected]>
To: <[email protected]>
Subject: leadingedgeita.com account notification
Date: Mon, 19 Apr 2010 12:41:14 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0006_01CADFDF.20292970"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Antivirus-Scanner: Scanned with ClamAV
X-Text-Classification: other

Normal message:
Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 19 Apr 2010 19:14:19 -0400
Received: from mail by server1.domainstop.com with spam-scanned (Exim 4.71)
	(envelope-from <[email protected]>)
	id 1O40AQ-000DkL-31
	for [email protected]; Mon, 19 Apr 2010 19:14:19 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	server1.domainstop.com
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,HTML_MESSAGE
	autolearn=ham version=3.3.1
X-Spam-Relay-Country: 
Received: from c-71-205-43-123.hsd1.mi.comcast.net ([71.205.43.123] helo=DELL9400)
	by server1.domainstop.com with esmtpsa (TLSv1:RC4-MD5:128)
	(Exim 4.71)
	(envelope-from <[email protected]>)
	id 1O40AP-000DkE-PY
	for [email protected]; Mon, 19 Apr 2010 19:14:14 -0400
From: <[email protected]>
To: <[email protected]>
Subject: Test
Date: Mon, 19 Apr 2010 19:14:09 -0400
Organization: Leading Edge IT Architects
Message-ID: <8FEF1CD023E44657AD8C7CDB7541E498@DELL9400>
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_00AE_01CADFF4.7DFB0EA0"
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcrgFgI8drqlnu2BRN6tt25rIg0vqw==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-Antivirus-Scanner: Scanned with ClamAV
X-Text-Classification: other

Thanks!
 
So from what I read from this, the return path that the recipient sees is no longer the same as the from path. I can see how that could work but it seems like that would raise scores on the recipient end. Assuming that it uses different return paths each time, I would THINK that once anybody has any one of your Return-Paths, they could use it forever.
The return-path expires and you only check for a valid signature for bounces. That means that legitimate emails can be sent to you whenever, but a bounce must happen quickly, which is the expected behaviour.
You can also implement it differently and try with a header.
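The prvs-style return path that the `${prvs ...}` transport option produces, and the expiry that answers the "use it forever" concern above, as an added example that is not Exim's code: a simplified signer and bounce-recipient checker. The tag layout (prvs=KDDDSSSSSS=original) follows the BATV draft; the HMAC-SHA256 signature, the 7-day validity and the secret are this example's own assumptions and are not byte-compatible with Exim's implementation.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed demo secret; in the exim.conf above this is the BATVKEY macro
SECRET = b"constructed-demo-secret"
KEY_NUM = "0"        # one-digit key selector, so the secret can be rotated
VALID_DAYS = 7       # assumption: how long a signed return path stays valid


def _day_number(d):
    # days since the Unix epoch, reduced mod 1000 as the prvs layout requires
    return (d - date(1970, 1, 1)).days % 1000


def _sig(key_num, ddd, address):
    # assumed signature: first 6 hex chars of HMAC-SHA256(key, expiry day, address)
    msg = f"{key_num}{ddd}{address}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:6]


def sign_return_path(address, today):
    """Rewrite user@example.org into prvs=KDDDSSSSSS=user@example.org."""
    local, domain = address.rsplit("@", 1)
    ddd = f"{_day_number(today + timedelta(days=VALID_DAYS)):03d}"
    return f"prvs={KEY_NUM}{ddd}{_sig(KEY_NUM, ddd, address)}={local}@{domain}"


def check_bounce_recipient(rcpt, today):
    """For a bounce (empty MAIL FROM), return the original address if the
    tag verifies and has not expired, else None (the bounce is rejected)."""
    if not rcpt.startswith("prvs="):
        return None                      # untagged: not something we sent
    tag, _, original = rcpt[5:].partition("=")
    if len(tag) != 10 or "@" not in original:
        return None
    key_num, ddd, sig = tag[0], tag[1:4], tag[4:]
    if not hmac.compare_digest(sig, _sig(key_num, ddd, original)):
        return None                      # forged or tampered tag
    # age > 0 means today is past the expiry day (within the 1000-day window)
    age = (_day_number(today) - int(ddd)) % 1000
    if 0 < age < 500:
        return None                      # a captured return path cannot be replayed forever
    return original
```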
 
I believe it also means that no one can send email to their own domain using any other mailserver, with a from address at their domain. This is very limiting (it's been discussed before on these forums); for example if you're at a coffee shop you can't send a copy of an email to yourself.
Jeff
I'm also confused by this statement.
If I'm in a coffee shop or using a public wifi with my laptop, I'll connect directly to my server via a VPN. I'll be authenticated and will have no problem sending emails to myself.
If I'm using the computers provided by the place, then I'll use the webmail which will be connected to the mail system via Apache.
What is the use case these days for sending mail from the SMTP server of a 3rd party? I'm guessing you'll want to do that if your DA server is overloaded? But then mail checking wouldn't be fun either.
 
The return-path expires and you only check for a valid signature for bounces. That means that legitimate emails can be sent to you whenever, but a bounce must happen quickly, which is the expected behaviour. You can also implement it differently and try with a header.
I'm going to have to re-read about the product to understand it a little better.

What is the use case these days for sending mail from the SMTP server of a 3rd party?
The only thing I can think of is a few years ago, when ISPs shutdown port 25, some ISPs, such as sbcglobal.net, required their customers to use their servers to send e-mail. Thus your smtp mail server had to be for example sbcglobal.net, and of course you needed to fill in the reply-to with your real domain. That made anybody with a laptop furious because they needed to have a different profile every place they went. 25 will, and should, forever remain closed for dynamic IPs, but I don't know of any ISP that would dare to filter 587 anymore.

Thanks for your enlightening replies.
 
Please do; I don't have time yet to study it well enough to decide to use it. And I don't want to keep delaying the next SpamBlocker Powered exim.conf release.

And I still don't see what makes one message spoofed and the other not. What specific lines are being spoofed?

Jeff
 
I believe it also means that no one can send email to their own domain using any other mailserver, with a from address at their domain
The problem won't be the coffee shop, but I did think of a common situation where this is a problem. Monitoring software only wants to know where to send the message. In that case, the sender and receiver are always the same, it's always unauthenticated, and it's seldom from an IP listed in the spf or from a server listed in the mx records. We must conclude from this that not all "spoofed" messages are spam. To make it a little more challenging, alerts are not always from static IPs. I do believe it is reasonable to require the submitting hosts be resolvable. (DynDNS etc.) SpamAssassin has SHORTCIRCUIT, which may be able to be used. However, unless SpamAssassin actually gets a chance to scan these messages, discussing options available within SpamAssassin to address the problem is simply an "exercise".

Thanks!
 
...I still don't see what makes one message spoofed and the other not. What specific lines are being spoofed?
Jeff
This says it better than I will. http://en.wikipedia.org/wiki/E-mail_spoofing However, any e-mail sent from ?@<mydomain.tld> that does not originate from one of the domain's e-mail servers gives the appearance of a spoof. I just checked the messages originating from our Windows SBS servers at our clients, and they are not scanned by SpamAssassin either. As I recall from way back, there was some problem with doing that, that has to do with learning.
Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 20 Apr 2010 00:00:01 -0400
Received: from 171-159-53-15-michigan.hfc.comcastbusiness.net ([171.159.53.15] helo=aimsv-server100)
	by server1.domainstop.com with esmtpa (Exim 4.71)
	(envelope-from <[email protected]>)
	id 1O44cy-000Iwp-Cu
	for [email protected]; Tue, 20 Apr 2010 00:00:01 -0400
Message-ID: <2496078.1271736000241.JavaMail.SYSTEM@aimsv-server100>
Date: Mon, 19 Apr 2010 23:59:59 -0400 (EDT)
From: [email protected]
To: [email protected]
Subject: Dell UPS Management Software
Mime-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_9_30393391.1271735999553"
X-Antivirus-Scanner: Scanned with ClamAV
X-Text-Classification: other
I believe the problem is cleanly resolvable, but I also respect the code in the current exim.conf in the SpamAssassin area as well thought out, and that a well thought out solution for this will not necessarily be the most obvious one. I did send a message to support@directadmin concerning this issue.

Thanks!
 
I think I understand you now; the "From" doesn't match the helo or envelope sender. This construct is acceptable. It happens, for example, whenever I get mail from a mailing list, or whenever I get mail from a forwarder which forwards across servers.

Why doesn't this email get sent through SpamAssassin? I can't see why. Can you?

Jeff
 
Why doesn't this email get sent through SpamAssassin? I can't see why. Can you?
Jeff
No. I'm working with DA support. Up until now, every time I've been sure that the fix has been identified, something happens to prove it hasn't. Increasing this: {<{$message_size}{100k}} in the exim.conf caused the spoofed messages from our Customers' SBSs to be scanned, but not the phishing e-mails thus far, nor does ClamAV catch the trojans they send feigning themselves as zip files, although the message header indicates they have been scanned.
 
(Are you running ClamAV 0.96? It's supposed to be better at identifying hidden malware)
Yes. Sanity is my challenge at the moment. A lot has happened between this post and the last. SpySweeper went through an update and it will no longer take the messages in. The freshclam update ran between my last message and now, and the servers show they took in new signature files. Unlike before, when I try to send an e-mail containing a trojan, it bounces and says it has a trojan, even though it has been handing me the trojans for a few days now. I received a notification from one of our customer's servers earlier that is running TrendMicro Worry Free Network AV that it detected the trojans, triggered scans at 3 AM, and came up with 3 PCs that it said it cleaned it from. I just got an e-mail along with a screen shot from the same customer that one of their PCs has a trojan. Thus, Trend also must have gotten the word earlier today as well. This is not a small problem. It's good that clamd and the AV programs seem to be getting it now, but exim should be routing it through spamd, in which case it would have never made landfall. I may not have the chance to see why that happened now because the trojans will probably not get that far.

Thanks!
 
I've been working with DirectAdmin support. These are the results of the testing.
1. Taking this line
{!eq {$received_protocol}{local}} \
out made no difference
2. This line
{<{$message_size}{100k}}
needs to be about ~100K larger than the size Outlook reports if you want SpamAssassin to scan it. Changing it from 100k to 200k would still skip the phishing messages that Outlook reports at 113k, 146k, 172k, 173k while it would start to scan the SBS messages that show 108k-115k. If I make it 300k, it scans the phishing messages as well. I don't understand why, but it was very repeatable.
3. DA ClamAV procedures and SpamAssassin procedures don't appear to interfere with each other. This was previously unknown, and testing for that was part of the troubleshooting exercise.
4. ClamAV updates need to be performed quite frequently. At 9 PM yesterday I ran FreshClam, and by 1:05 AM, I had my first updated trojans in the mailbox. FreshClam in daemon mode checks every two hours by default. I decided to use it rather than cron for maintenance reasons.
5. On the client end, I changed SpySweeper from updating daily to hourly, the only two options available, and will change Trend Micro Worry Free to 2 hours on the SBSs.

We'll see how it goes.
 
2. This line
{<{$message_size}{100k}}
needs to be about ~100K larger than the size Outlook reports if you want SpamAssassin to scan it. Changing it from 100k to 200k would still skip the phishing messages that Outlook reports at 113k, 146k, 172k, 173k while it would start to scan the SBS messages that show 108k-115k. If I make it 300k, it scans the phishing messages as well. I don't understand why, but it was very repeatable.
I do understand why; perhaps I should have thought of this earlier. Email is designed as a 7-bit protocol. So attachments are not just attached; they're converted, generally to the MIME standard, so they'll work with 7-bit systems (generally the ASCII character set). That makes them much larger. There's a good explanation here.
4. ClamAV updates need to be performed quite frequently. At 9 PM yesterday I ran FreshClam, and by 1:05 AM, I had my first updated trojans in the mailbox. FreshClam in daemon mode checks every two hours by default. I decided to use it rather than cron for maintenance reasons.
We've always started freshclam as a daemon, with this line in rc.local:
Code:
/usr/local/bin/freshclam -d -c 24
It starts freshclam as a daemon and tells it to check 24 times in 24 hours, or in other words, hourly.

Jeff
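Jeff's point about 7-bit transfer encoding, measured in code: an added example (not from this thread or DirectAdmin) that base64-encodes a constructed binary attachment the way a mailer does and compares the on-the-wire size against the 100k (100 * 1024 bytes) limit in the spamcheck_director condition quoted earlier. The addresses and file name are made up.

```python
import math
from email.message import EmailMessage

SCAN_LIMIT = 100 * 1024   # Exim's "100k" in {<{$message_size}{100k}}


def base64_size(raw_len, line_len=76):
    """Bytes a raw_len-byte body occupies after base64 encoding:
    4 output chars per 3 input bytes, plus one newline per 76-char line."""
    encoded = 4 * math.ceil(raw_len / 3)
    return encoded + math.ceil(encoded / line_len)


def build_message_with_attachment(raw_len):
    """Constructed test message carrying a raw_len-byte binary attachment."""
    msg = EmailMessage()
    msg["From"] = "user@example.org"        # made-up addresses
    msg["To"] = "user@example.org"
    msg["Subject"] = "size test"
    msg.set_content("see attachment")
    # Arbitrary non-text bytes; a real attachment (zip, image) behaves the same
    payload = bytes(range(256)) * (raw_len // 256) + bytes(raw_len % 256)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="report.zip")
    return msg


def wire_size(raw_len):
    """What $message_size would see for that attachment: the MIME-encoded message."""
    return len(build_message_with_attachment(raw_len).as_bytes())


def skipped_by_size_condition(raw_len, limit=SCAN_LIMIT):
    """True when the director's size condition would exclude the message from
    SpamAssassin even though the raw attachment is below the limit."""
    return wire_size(raw_len) >= limit
```

A 75 KB raw attachment already produces a message over 100k on the wire, which is why the limit had to be raised well above the size the mail client displays.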
 