Blocking spammers who spoof From: addresses from my domain

Blocking spammers who spoof From: addresses from my domain

Stuart Longland-2
Hi all,

A silly question, I did have a look around but I'm just struggling to
find the appropriate keywords to get a definitive answer.

We have a problem where some smart-arse spammers/phishers are spoofing
the From address, specifying our domain as their from address.  In one
case, the person in question uses my personal address in the From, To
and Return-Path.  In others, they pretend to be a scanner sending a
supposedly "scanned document".

I realise this is a symptom of SMTP's design: it was invented when the
Internet was a little village.

As an example, this is one such email (just the headers, I'll spare you
the body) of the form I'm trying to block (I have substituted some
addresses):

> Return-Path: <[hidden email]>
> Delivered-To: [hidden email]
> Received: from borderrouter (unknown […])
> by mailserver (Postfix) with ESMTPS id AEB171728BF
> for <[hidden email]>; Sun, 12 Aug 2018 06:28:34 +1000 (AEST)
> Received: from borderrouter (localhost […])
> by borderrouter (Postfix) with ESMTP id A2A4829EBFAC
> for <[hidden email]>; Sun, 12 Aug 2018 06:28:34 +1000 (AEST)
> Received: by borderrouter (Postfix, from userid 8)
> id 8750029EBFAB; Sun, 12 Aug 2018 06:28:34 +1000 (AEST)
> Received: from thespammer (unknown […])
> by borderrouter (Postfix) with ESMTP id BAF2B29EBFA7
> for <[hidden email]>; Sun, 12 Aug 2018 06:28:28 +1000 (AEST)
> Message-ID: <[hidden email]>
> From: <[hidden email]>
> To: <[hidden email]>
> Subject: Let's have fun?
> Date: 11 Aug 2018 11:19:25 -0500
> MIME-Version: 1.0
> Content-Type: text/plain; charset="cp-850"
> Content-Transfer-Encoding: 8bit
> X-Mailer: Qjvgvfhb xhhkhl 9.2
> X-Virus-Scanned: ClamAV using ClamSMTP

The set-up here is two mail servers, both Postfix on Ubuntu.  One is the
"border router" and is the primary MX for the domain.  It does spam
filtering, then relays to the internal mail server.  Legitimate users
can send email on an alternate port which is NAT-ed to the internal
server, has TLS set up, and authenticates users.

I believe this to be low-hanging fruit to try and deal with.
*Legitimate* email, should either:
(1) have a From/Return-Path with a domain *other* than ours
(2) arrive from one of our private network subnets
OR
(3) not arrive on port 25 (if it goes via the other port, the border
router will never "see" it)

There's other spam as well, and I believe I have this reasonably handled
already.

I understand header_checks; this is applied to all incoming mail,
regardless of the source.  I wish to apply a header check for these
shenanigans that does *NOT* arrive from the internal network.  i.e.

if client_ip not in 192.168.0.0/16:
    header_checks = regexp:/etc/postfix/incoming_header_checks

then in that incoming_header_checks I can block it with:
    /^(Return-Path|From): .*@longlandclan\.id\.au>$/ REJECT

The alternative of course is to do something with SpamAssassin or some
custom script, but I'm looking for options.
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
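The three conditions above written out as a source-aware check, as an added example that is not part of the original post. The domain example.net, the 192.168.0.0/16 subnet and the sample headers are constructed placeholders; the helper names are mine. It goes one step beyond the post by also running the mailing-list case that comes up later in the thread, where the rule fires on legitimate mail.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for the example: the protected domain and the
# internal subnets from which legitimate submissions reach the border MX.
OUR_DOMAINS = {"example.net"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def addr_domain(header_value):
    """Lower-cased domain of the address in a From:/Return-Path: value.

    parseaddr() handles display names and angle brackets, so a display
    name that merely mentions our domain does not match; only the real
    address domain counts.
    """
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def spoofs_our_domain(raw_headers, client_ip):
    """True when the message claims one of OUR_DOMAINS in From: or
    Return-Path: while arriving from outside INTERNAL_NETS.

    This mirrors the post's rule: mail is left alone if it uses another
    domain or arrives from an internal subnet. Mail that came in on the
    submission port never reaches the border router, so it is not
    modelled here.

    Caveat raised later in the thread: a mailing list redistributing a
    post from one of our users legitimately carries our address in From:
    while arriving from the list's server, so this rule rejects it too.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return False
    msg = message_from_string(raw_headers)
    return any(addr_domain(msg.get(name)) in OUR_DOMAINS
               for name in ("From", "Return-Path"))


# Constructed samples in the shape of the headers quoted in the post.
SPOOFED = """Return-Path: <someone@example.net>
From: <someone@example.net>
To: <someone@example.net>
Subject: Let's have fun?

"""

LEGIT_EXTERNAL = """Return-Path: <alice@example.org>
From: "Alice of example.net" <alice@example.org>
To: <someone@example.net>
Subject: hello

"""

LIST_RELAY = """Return-Path: <users-bounces@lists.example.org>
From: Someone <someone@example.net>
To: <users@lists.example.org>
Subject: Re: a list post

"""

if __name__ == "__main__":
    print(spoofs_our_domain(SPOOFED, "203.0.113.5"))         # True
    print(spoofs_our_domain(SPOOFED, "192.168.1.20"))        # False: internal
    print(spoofs_our_domain(LEGIT_EXTERNAL, "203.0.113.5"))  # False: other domain
    print(spoofs_our_domain(LIST_RELAY, "203.0.113.5"))      # True: list false positive
```

The last case is the one to decide on before deploying anything like this: a plain From:/Return-Path: domain match cannot tell a spoofer from a mailing list relaying your own post, so either the list servers need an allow-list ahead of the check or the decision has to come from an authenticated signal such as DKIM/DMARC instead.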

Re: Blocking spammers who spoof From: addresses from my domain

Matthias Fechner
Am 13.08.2018 um 01:29 schrieb Stuart Longland:
> We have a problem where some smart-arse spammers/phishers are spoofing
> the From address, specifying our domain as their from address.  In one
> case, the person in question uses my personal address in the From, To
> and Return-Path.  In others, they pretend to be a scanner sending a
> supposedly "scanned document".

setup SPF, there you can define which host is allowed to send emails
from your domain.
The check will be done on the mailserver receiving the "faked" emails.

Gruß
Matthias

--

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook


Re: Blocking spammers who spoof From: addresses from my domain

Dominic Raferd


On Mon, 13 Aug 2018 at 06:52, Matthias Fechner <[hidden email]> wrote:
> Am 13.08.2018 um 01:29 schrieb Stuart Longland:
> > We have a problem where some smart-arse spammers/phishers are spoofing
> > the From address, specifying our domain as their from address.  In one
> > case, the person in question uses my personal address in the From, To
> > and Return-Path.  In others, they pretend to be a scanner sending a
> > supposedly "scanned document".
>
> setup SPF, there you can define which host is allowed to send emails
> from your domain.
> The check will be done on the mailserver receiving the "faked" emails.

SPF used on its own as a blocking mechanism works on the envelope sender not the header.from. To block fake senders which use your domain as header.from you should use DMARC, specifying DKIM (and SPF) and using p=reject. Not only will this stop people sending emails purporting to be from you to *your* server but it will largely prevent them from sending them to *anyone else*. This depends on your server and others testing incoming mail for DMARC compliance - but all the major email providers do this. It will also block emails that fake your domain as the envelope sender (Return-Address). The only disadvantages are that it takes a little setting up, and that you can't then use such a domain for posts to mailing lists.

As for the text part of the header.from, once you have DMARC covering the other bases you can tackle it with header_checks even though all emails go through it, even those from your legitimate domain senders. The example below is an extract from a header_checks file which attempts to block not only attempts to fake your email address but also your name; it uses pcre syntax not regex, note that the 'if' clauses are nested but unfortunately indenting for the purpose of clarity is not (I think) permitted in pcre files:

if /^From:/
# emails with the mail name part of header.from set to your domain(s) will pass here skipping the rest of the tests
# faked instances of such can be blocked by opendmarc if your domain has DMARC with p=reject, but not here
/(yourdomain1\.tld|yourdomain2\.tld)>?$/ DUNNO
# block emails which use your domain as the last part of the text in header.from e.g. "From: [hidden email] <[hidden email]>"
/^.*(yourdomain1\.tld|yourdomain2\.tld)"? <.*$/ REJECT message content impersonation
# inspect emails that use your real name in the text - expand this to work with other names as required:
if /^From: ?(S(tuart)? Longland)/
# allow other legitimate email addresses that you use, also from apple and (ubuntu) launchpad
if !/(yourexternaladdress@anotherdomain\.tld|@bugs\.launchpad\.net|noreply@email\.apple\.com)>?$/
# and allow if 'via ' e.g. via Dropbox - otherwise block mails 
!/via / REJECT message content impersonation
endif
endif
endif

If you are absolutely set against using DMARC then there is probably a way of blocking faked header.from addresses with a SpamAssassin multi-header test.
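The alignment step that separates DMARC from a bare SPF check, as an added example that is not from the thread. Domains, the tiny public-suffix table and the four scenarios are constructed; a real evaluator loads the full public suffix list and the domain's DMARC record, which this leaves out. It also runs the mailing-list case from the reply above, where SPF passes for the list's bounce address but DMARC still fails.

```python
from email.utils import parseaddr

# Constructed stand-in for the public suffix list (https://publicsuffix.org/),
# which relaxed alignment needs to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "id.au", "co.uk"}


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not from_domain or not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def dmarc_evaluate(header_from, mail_from, spf_result, dkim_d=None,
                   dkim_result=None, aspf="r", adkim="r"):
    """Return (passed, detail) for one message.

    header_from  raw From: header value (the RFC 5322 author)
    mail_from    envelope sender (RFC 5321 MAIL FROM) the SPF check ran on
    spf_result   'pass', 'fail', ... as reported by the SPF check
    dkim_d       d= of a DKIM signature, or None
    dkim_result  'pass', 'fail', ... for that signature
    aspf, adkim  alignment modes from the DMARC record ('r' or 's')

    Policy lookup, pct= sampling and subdomain policy are omitted; the
    point is the alignment step that a plain SPF check does not perform.
    """
    from_domain = domain_of(parseaddr(header_from)[1])
    spf_pass = spf_result == "pass"
    spf_aligned = spf_pass and aligned(from_domain, domain_of(mail_from), aspf)
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_d or "", adkim)
    detail = {
        "header_from": from_domain,
        "spf_pass": spf_pass,          # what SPF on its own reports
        "spf_aligned": spf_aligned,    # what DMARC actually credits
        "dkim_aligned": dkim_aligned,
    }
    return (spf_aligned or dkim_aligned), detail


# Constructed scenarios; example.net stands in for the protected domain.
SPOOF = dict(header_from="<someone@example.net>",
             mail_from="bulk@attacker.org", spf_result="pass")
LEGIT = dict(header_from="Someone <someone@example.net>",
             mail_from="someone@example.net", spf_result="pass",
             dkim_d="example.net", dkim_result="pass")
LIST = dict(header_from="Someone <someone@example.net>",
            mail_from="users-bounces@lists.example.org", spf_result="pass",
            dkim_d="example.net", dkim_result="fail")  # list rewrote the message
SUBDOMAIN = dict(header_from="<noreply@mail.example.net>",
                 mail_from="bounce@mail.example.net", spf_result="fail",
                 dkim_d="example.net", dkim_result="pass")

if __name__ == "__main__":
    for name, case in (("spoof", SPOOF), ("legit", LEGIT),
                       ("list", LIST), ("subdomain", SUBDOMAIN)):
        passed, detail = dmarc_evaluate(**case)
        print(f"{name:10} dmarc={'pass' if passed else 'fail'} {detail}")
```

The spoof scenario is the one the reply describes: the spammer's own domain has a valid SPF record, so SPF passes on the envelope sender, and only the alignment check against the header From: catches it. The list scenario shows the cost: a list that rewrites the message breaks the DKIM signature and substitutes its own envelope sender, so a p=reject domain loses that mail.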

Re: Blocking spammers who spoof From: addresses from my domain

@lbutlr
In reply to this post by Stuart Longland-2
On 12 Aug 2018, at 17:29, Stuart Longland <[hidden email]> wrote:
> We have a problem where some smart-arse spammers/phishers are spoofing
> the From address, specifying our domain as their from address.  In one
> case, the person in question uses my personal address in the From, To
> and Return-Path.  In others, they pretend to be a scanner sending a
> supposedly "scanned document".

Don’t accept mail from local users coming from a foreign server?

That’s what I do.

--
99 percent of lawyers give the rest a bad name.


Re: Blocking spammers who spoof From: addresses from my domain

Bastian Blank-3
On Mon, Aug 13, 2018 at 05:19:18AM -0600, @lbutlr wrote:
> On 12 Aug 2018, at 17:29, Stuart Longland <[hidden email]> wrote:
> > We have a problem where some smart-arse spammers/phishers are spoofing
> > the From address, specifying our domain as their from address.  In one
> > case, the person in question uses my personal address in the From, To
> > and Return-Path.  In others, they pretend to be a scanner sending a
> > supposedly "scanned document".
>
> Don’t accept mail from local users coming from a foreign server?
> That’s what I do.

Header vs. envelope.  You should know that.

A mail with your e-mail in the From header comes from the mailing list.

Bastian

--
All your people must learn before you can reach for the stars.
                -- Kirk, "The Gamesters of Triskelion", stardate 3259.2

Re: Blocking spammers who spoof From: addresses from my domain

Dominic Raferd
In reply to this post by @lbutlr


On Mon, 13 Aug 2018 at 12:20, @lbutlr <[hidden email]> wrote:
> On 12 Aug 2018, at 17:29, Stuart Longland <[hidden email]> wrote:
> > We have a problem where some smart-arse spammers/phishers are spoofing
> > the From address, specifying our domain as their from address.  In one
> > case, the person in question uses my personal address in the From, To
> > and Return-Path.  In others, they pretend to be a scanner sending a
> > supposedly "scanned document".
>
> Don’t accept mail from local users coming from a foreign server?
>
> That’s what I do.

Can that work for the mail address in the header.from? Is it possible to have different header_checks depending on whether or not the mail is authenticated/local or not (I know this is possible for smtpd_restrictions_lists) e.g. like this - assuming all 'outgoing' mail is either authenticated or local:

/etc/postfix/master.cf:
# header_checks is a cleanup(8) parameter, not an smtpd(8) one, so the
# port-25 listener hands its mail to a dedicated cleanup service instead:
smtp       inet  n       -       y       -       -       smtpd
  -o cleanup_service_name=cleanup_wild
cleanup_wild unix n      -       y       -       0       cleanup
  -o header_checks=$header_checks_wild

/etc/postfix/main.cf:
# default for emails coming in on ports other than 25, or via pickup:
header_checks =
# but for emails arriving via port 25:
header_checks_wild = pcre:/etc/postfix/check_headers_wild.pcre

Re: Blocking spammers who spoof From: addresses from my domain

Benny Pedersen-2
In reply to this post by Bastian Blank-3
Bastian Blank skrev den 2018-08-13 14:28:

> Header vs. envelope.  You should know that.

SPF breaks mailing lists :=)

Sender-ID breaks, but is deprecated with DKIM

> A mail with your e-mail in the From header comes from the mailing list.

I wish it was correct, mailing lists that take ownership do more harm
than good

OpenARC is basically just there so that it is valid to break DKIM :(


sadly

Re: Blocking spammers who spoof From: addresses from my domain

Richard Damon
On 8/13/18 9:31 AM, Benny Pedersen wrote:
> Bastian Blank skrev den 2018-08-13 14:28:
>
>> Header vs. envelope.  You should know that.
>
> spf breaks maillinglists :=)
Wrong, basic SPF checks the ENVELOPE From, which a good mailing list will
point to itself. It is only DMARC-SPF that forces it to use the Header From:

--
Richard Damon


Re: Blocking spammers who spoof From: addresses from my domain

@lbutlr
In reply to this post by Bastian Blank-3


> On 13 Aug 2018, at 06:28, Bastian Blank <bastian+postfix-users=[hidden email]> wrote:
>
> On Mon, Aug 13, 2018 at 05:19:18AM -0600, @lbutlr wrote:
>> On 12 Aug 2018, at 17:29, Stuart Longland <[hidden email]> wrote:
>>> We have a problem where some smart-arse spammers/phishers are spoofing
>>> the From address, specifying our domain as their from address.  In one
>>> case, the person in question uses my personal address in the From, To
>>> and Return-Path.  In others, they pretend to be a scanner sending a
>>> supposedly "scanned document".
>>
>> Don’t accept mail from local users coming from a foreign server?
>> That’s what I do.
>
> Header vs. envelope.  You should know that.

What in my post gives you the impression that I don’t know that?

> A mail with your e-mail in the From header comes from the mailing list.

That doesn’t describe the OP, where which from is being spoofed was not specified.

--
In other news, Gandalf died. -- Secret Diary of Boromir


Re: Blocking spammers who spoof From: addresses from my domain

Stuart Longland-2
In reply to this post by @lbutlr
On 13/08/18 21:19, @lbutlr wrote:
> On 12 Aug 2018, at 17:29, Stuart Longland <[hidden email]> wrote:
>> We have a problem where some smart-arse spammers/phishers are spoofing
>> the From address, specifying our domain as their from address.  In one
>> case, the person in question uses my personal address in the From, To
>> and Return-Path.  In others, they pretend to be a scanner sending a
>> supposedly "scanned document".
>
> Don’t accept mail from local users coming from a foreign server?

The thing is, define "local".  From the border router's perspective (the
host that *actually* receives the email from outside), all users are
remote as all it does is some spam filtering, then forwards it to the
internal server.

The only accounts that are actually local there are aliases for Mailman.

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

Re: Blocking spammers who spoof From: addresses from my domain

Stuart Longland-2
In reply to this post by @lbutlr
On 20/08/18 01:59, @lbutlr wrote:
>> A mail with your e-mail in the From header comes from the mailing list.
> That doesn’t describe the OP, where which from is being spoofed was not specified.

I gave an example email in which the From: header was spoofed.  I
changed addresses of course, but the form of the headers was in the
original post.

That said, some have brought up the issue of mailing lists: which is a
legitimate case where the From: header in the message *will* be my
actual address.

So I might need to ponder my requirements a little more as I think this
is beyond the capabilities of what I was initially thinking of.
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.