spam from own email address


Re: spam from own email address

BlackIce_
I have had a significant backscatter issue in the past. Lately I have been
seeing the same issue you all are. I have SpamAssassin and a Postfix
server set up and it works most of the time. Likely I need additional
filter lines.

I saw the KAM.cf mentioned, but do not see a place to obtain it.

Anyone know where it is now after transitioning to not-for-profit?

Thanks,

Rick


Re: spam from own email address

Bill Cole-3
On 23 Apr 2019, at 17:16, BlackIce_ wrote:

> I have had a significant backscatter issue in the past. lately I have
> been seeing the same issue you all are. I have Spamassassin and a
> postfix server setup and it works most of the time. Likely I need
> additional filter lines.
>
> I saw the KAM.cf mentioned, but do not see a place to obtain it.
>
> Anyone know where it is now after transitioning to not for profit?

http://www.mcgrail.com/downloads/KAM.cf is the newish canonical
location, but the current version is still where it has always been at
https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: spam from own email address

Dominic Raferd
In reply to this post by Bill Cole-3


On Tue, 23 Apr 2019 at 18:35, Bill Cole <[hidden email]> wrote:
> On 23 Apr 2019, at 11:46, John Peach wrote:
>
>> On 4/23/19 11:39 AM, Paul wrote:
>>> Yes I agree with Kevin here, the best solution to this problem is an
>>> spf record set to reject mail from any ip that's not in your
>>> allowed list of ips for your domain. Forging a from address is very
>>> easy and is one of the main purposes of why spf was created.
>>
>> There is no need to go to those lengths - assuming that all your own
>> email is being submitted over port 587, include -o
>> receive_override_options=no_header_body_checks in the master.cf entry
>> for submission and use a PCRE header checks file for port 25.
>>
>> /^From:.*\@example\.com/    REJECT
>>
>
> So you don't want to accept messages you or anyone else in your domain
> posts to a mailing list such as this one?

I'm quite happy with this in principle (though my actual regex is a little more complicated), but I am only maintaining a few domains for use within our organisation, and I am the only person using mailing lists. Most mailing lists (but not this one, alas, AFAIK) offer a setting to turn off resending of one's own postings back to oneself.

Re: spam from own email address

MickTW8
In reply to this post by Bill Cole-3
On 23/04/2019 18:34, Bill Cole wrote:

> On 23 Apr 2019, at 11:46, John Peach wrote:
>
>> On 4/23/19 11:39 AM, Paul wrote:
>>> Yes I agree with Kevin here, the best solution to this problem is an
>>> spf record set to reject mail from any ip that’s not in your allowed
>>> list of ips for your domain. Forging a from address is very easy and
>>> is one of the main purposes of why spf was created.
>>
>> There is no need to go to those lengths - assuming that all your own
>> email is being submitted over port 587, include -o
>> receive_override_options=no_header_body_checks in the master.cf entry
>> for submission and use a PCRE header checks file for port 25.
>>
>> /^From:.*\@example\.com/    REJECT
>>
>
> So you don't want to accept messages you or anyone else in your domain
> posts to a mailing list such as this one?
>
> Seems risky...
>

I hadn't thought of that, so thanks Bill for pointing it out.

To the top of my pcre header_checks file, I have added:
/^List-ID:.*Postfix users <[hidden email]>/    OK
I think this is destined to fail though???

header_checks(5) states:
     'Each message header or message body line is compared against a
list of patterns.'
Because "From:" will come before "List-Id:" in the message body, a
"From:" containing my domain should match a REJECT line before an OK
from List-ID.

However, further down header_checks(5) under 'Table search order' it says:
    'When a pattern is found that matches the input line, the
corresponding action is executed and then the next input line is
inspected.'

So if the action is executed, goodbye message, but if header checks
continues to check the following lines it will find an OK by List-Id.
I suspect that I will not receive a copy of this message, but don't know
for sure. One way to find out {SEND}.


Best wishes,
Mick.

Re: spam from own email address

MickTW8
In reply to this post by Bill Cole-3
On 23/04/2019 18:34, Bill Cole wrote:

> On 23 Apr 2019, at 11:46, John Peach wrote:
>
>> On 4/23/19 11:39 AM, Paul wrote:
>>> Yes I agree with Kevin here, the best solution to this problem is an
>>> spf record set to reject mail from any ip that’s not in your allowed
>>> list of ips for your domain. Forging a from address is very easy and
>>> is one of the main purposes of why spf was created.
>>
>> There is no need to go to those lengths - assuming that all your own
>> email is being submitted over port 587, include -o
>> receive_override_options=no_header_body_checks in the master.cf entry
>> for submission and use a PCRE header checks file for port 25.
>>
>> /^From:.*\@example\.com/    REJECT
>>
>
> So you don't want to accept messages you or anyone else in your domain
> posts to a mailing list such as this one?
>
> Seems risky...
>

As per B. Reino's suggestion of a header check white list, is there any
reason the following main.cf config should not be used?
header_checks =
    pcre:/etc/postfix/header_checks_pass
    pcre:/etc/postfix/header_checks_fail

Best wishes,
Mick.


Re: spam from own email address

Bill Cole-3
On 24 Apr 2019, at 16:04, Mick wrote:

> On 23/04/2019 18:34, Bill Cole wrote:
>> On 23 Apr 2019, at 11:46, John Peach wrote:
>>
>>> On 4/23/19 11:39 AM, Paul wrote:
>>>> Yes I agree with Kevin here, the best solution to this problem is
>>>> an spf record set to reject mail from any ip that’s not in your
>>>> allowed list of ips for your domain. Forging a from address is very
>>>> easy and is one of the main purposes of why spf was created.
>>>
>>> There is no need to go to those lengths - assuming that all your own
>>> email is being submitted over port 587, include -o
>>> receive_override_options=no_header_body_checks in the master.cf
>>> entry for submission and use a PCRE header checks file for port 25.
>>>
>>> /^From:.*\@example\.com/    REJECT
>>>
>>
>> So you don't want to accept messages you or anyone else in your
>> domain posts to a mailing list such as this one?
>>
>> Seems risky...
>>
>
> As per B. Reino's suggestion of header check white list, is there any
> reason the following main.cf config should not be used ?
> header_checks =
>    pcre:/etc/postfix/header_checks_pass
>    pcre:/etc/postfix/header_checks_fail

Yes: it is a generally bad idea to use header_checks to whitelist
anything.

For the details on why, see the documentation in the header_checks man
page and BUILTIN_FILTER_README. If you want *GOOD* filtering, use a
milter or SMTP proxy filter.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: spam from own email address

MickTW8
On 24/04/2019 21:51, Bill Cole wrote:

> On 24 Apr 2019, at 16:04, Mick wrote:
>
>> On 23/04/2019 18:34, Bill Cole wrote:
>>> On 23 Apr 2019, at 11:46, John Peach wrote:
>>>
>>>> On 4/23/19 11:39 AM, Paul wrote:
>>>>> Yes I agree with Kevin here, the best solution to this problem is
>>>>> an spf record set to reject mail from any ip that’s not in your
>>>>> allowed list of ips for your domain. Forging a from address is
>>>>> very easy and is one of the main purposes of why spf was created.
>>>>
>>>> There is no need to go to those lengths - assuming that all your
>>>> own email is being submitted over port 587, include -o
>>>> receive_override_options=no_header_body_checks in the master.cf
>>>> entry for submission and use a PCRE header checks file for port 25.
>>>>
>>>> /^From:.*\@example\.com/    REJECT
>>>>
>>>
>>> So you don't want to accept messages you or anyone else in your
>>> domain posts to a mailing list such as this one?
>>>
>>> Seems risky...
>>>
>>
>> As per B. Reino's suggestion of header check white list, is there any
>> reason the following main.cf config should not be used ?
>> header_checks =
>>    pcre:/etc/postfix/header_checks_pass
>>    pcre:/etc/postfix/header_checks_fail
>
> Yes: it is a generally bad idea to use header_checks to whitelist
> anything.

Thanks Bill.


>
> For the details on why, see the documentation in the header_checks man
> page and BUILTIN_FILTER_README. If you want *GOOD* filtering, use a
> milter or SMTP proxy filter.
>

I thought header checks were carried out after all the other smtp
restrictions had passed, therefore I didn't see the harm in an 'OK' for a
message header at this stage. That's why it's good to ask. I will then
remove the white list and have a thorough read to weigh up the cons and
pros before deciding what to do next. The purpose of my white list was
to avoid Postfix-users List-Id: (and other lists) being kicked out due
to the sender using my domain in the from field, but it failed and my
last message was rejected in any case.

If there is a simple pre-queue filter to be had that could block forged
message header From:, but allow when selected list IDs come knocking,
I'd give it a try. I did try Amavis and Spamassassin, but they brought
my limited resource VPS to its knees with 98% memory usage.

Thanks again,
Mick.


Re: spam from own email address

Wietse Venema
Mick:
> I thought header checks were carried out after all the other smtp
> restrictions had passed therefore I didn't see the harm in an 'OK' for a
> message header at this stage.

Correct, but the OK action applies only to that header, not the
message. The Postfix 3.2 PASS action applies to the message,
but remains unused when a REJECT pattern is matched earlier.

        Wietse

Re: spam from own email address

MickTW8
On 25/04/2019 00:21, Wietse Venema wrote:
> Mick:
>> I thought header checks were carried out after all the other smtp
>> restrictions had passed therefore I didn't see the harm in an 'OK' for a
>> message header at this stage.
> Correct, but the OK action applies only to that header, not the
> message.

Thanks Wietse, that makes sense now. I think you're saying: regardless
of whether the first file (white list) matched an OK from List-Id:, the
second file (black list) would still be checked. As the 'OK' only
applied to the List-Id: header, if the second header checks file matches a
reject pattern other than List-ID, the message will be rejected.

>   The Postfix 3.2 PASS action applies to the message,
> but remains unused when a REJECT pattern is matched earlier.

PASS is something I shall look forward to in the next couple of years.
For now I'm on 3.1.9 (Debian stable).
I don't suppose there's a way to read the status of List-Id (possibly
matched and OK'd in the first pass - white list) while reading the From
in the second pass (black list)? I think not, but asking just to rule it
out.

Thanks for your explanation as to how it works.


Best wishes,
Mick.


>
> Wietse
>


Re: spam from own email address

Wietse Venema
man 5 header_checks

       DUNNO  Pretend that the input line  did  not  match  any  pattern,  and
              inspect  the next input line. This action can be used to shorten
              the table search.

              For backwards compatibility reasons, Postfix also accepts OK but
              it is (and always has been) treated as DUNNO.
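The header_checks search order Wietse describes above (OK is treated as DUNNO and only ends the search for that one line; PASS in Postfix 3.2 applies to the whole message but never fires if an earlier header already hit REJECT), modelled as an added Python simulation. This is not code from the thread or from Postfix; the table contents, header lines and list address are constructed for illustration.

```python
import re

REJECT, OK, DUNNO, PASS = "REJECT", "OK", "DUNNO", "PASS"

def load_table(rules):
    """Model a pcre: header_checks table as (pattern, action) pairs in file
    order. pcre tables match case-insensitively by default, so List-ID == List-Id."""
    return [(re.compile(pattern, re.IGNORECASE), action) for pattern, action in rules]

def lookup(tables, line):
    """header_checks = t1 t2 ...: tables are searched in order, first match wins."""
    for table in tables:
        for regex, action in table:
            if regex.search(line):
                return action
    return None

def header_checks(tables, headers):
    """Walk the header lines in order. REJECT decides the message; PASS (3.2+)
    stops inspection and lets it through; OK is DUNNO, i.e. 'inspect the next
    line', so it cannot whitelist the message."""
    for line in headers:
        action = lookup(tables, line)
        if action == REJECT:
            return REJECT
        if action == PASS:
            return PASS
    return "ACCEPT"

# Constructed tables standing in for header_checks_pass / header_checks_fail.
WHITELIST_OK = load_table([(r"^List-Id:.*Postfix users <[^>]+>", OK)])
WHITELIST_PASS = load_table([(r"^List-Id:.*Postfix users <[^>]+>", PASS)])
BLACKLIST = load_table([(r"^From:.*\@example\.com", REJECT)])

# Constructed headers: a list copy of one's own post (From: precedes List-Id:)
# and a direct message forging the same address; the list address is a placeholder.
LIST_COPY = ["From: mick@example.com", "To: list-placeholder@example.org",
             "Subject: Re: spam from own email address",
             "List-Id: Postfix users <list-placeholder@example.org>"]
FORGED = ["From: mick@example.com", "To: mick@example.com", "Subject: Invoice"]

def scenarios():
    """Outcome of each combination; the last one only passes because List-Id:
    was moved ahead of From:, showing that header order decides."""
    return {
        "ok_whitelist_list_copy": header_checks([WHITELIST_OK, BLACKLIST], LIST_COPY),
        "ok_whitelist_forged": header_checks([WHITELIST_OK, BLACKLIST], FORGED),
        "pass_but_from_first": header_checks([WHITELIST_PASS, BLACKLIST], LIST_COPY),
        "pass_listid_first": header_checks([WHITELIST_PASS, BLACKLIST], LIST_COPY[::-1]),
    }
```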
