spam uses my email address as sender in "header from"

spam uses my email address as sender in "header from"

Fourhundred Thecat
Hello,

I am receiving spam where the "header from" is my actual email (i.e., the
email that this spam is delivered to).

The "envelope from" that I see in postfix logs is some random email.

What mechanisms are there to reject such messages, which use my email
address as sender?

Can I reject messages that have different envelope from and header from?

Or what would be the best approach ?

thanks,
Re: spam uses my email address as sender in "header from"

Durga Prasad Malyala
Hi 
You can try implementing dmarc for your domain and use dmarc check while receiving mail. 

Cheers/DP

On Mon, Sep 14, 2020, 16:06 Fourhundred Thecat <[hidden email]> wrote:
Hello,

I am receiving spam, where the "header from" is my actual email (ie, the
email that this spam is delivered to)

The "envelope from" that I see in postfix logs is some random email.

What mechanisms are there to reject such messages, which use my email
address as sender ?

Can I reject messages that have different envelope from and header from?

Or what would be the best approach ?

thanks,
Re: spam uses my email address as sender in "header from"

allenc
In reply to this post by Fourhundred Thecat
It has been suggested in the past that if the "From" header does not contain
both the email address AND the name of its owner (see my address above) then it
may be rejected - or at least flagged as suspect.

Allen C

On 14/09/2020 11:35, Fourhundred Thecat wrote:

> Hello,
>
> I am receiving spam, where the "header from" is my actual email (ie, the
> email that this spam is delivered to)
>
> The "envelope from" that I see in postfix logs is some random email.
>
> What mechanisms are there to reject such messages, which use my email
> address as sender ?
>
> Can I reject messages that have different envelope from and header from?
>
> Or what would be the best approach ?
>
> thanks,
Re: [External] spam uses my email address as sender in "header from"

Kevin A. McGrail
In reply to this post by Fourhundred Thecat
On 9/14/2020 6:35 AM, Fourhundred Thecat wrote:
> Can I reject messages that have different envelope from and header from?
>
> Or what would be the best approach ?


Are you publishing an SPF record?  Are you using DKIM?  Are you
publishing a DMARC policy (even one with policies of none)?  Are you
using Apache SpamAssassin?

Regards,
KAM

Re: spam uses my email address as sender in "header from"

Dominic Raferd
In reply to this post by Fourhundred Thecat
On 14/09/2020 11:35, Fourhundred Thecat wrote:

> I am receiving spam, where the "header from" is my actual email (ie, the
> email that this spam is delivered to)
>
> The "envelope from" that I see in postfix logs is some random email.
>
> What mechanisms are there to reject such messages, which use my email
> address as sender ?
>
> Can I reject messages that have different envelope from and header from?
>
> Or what would be the best approach ?

If you are accepting authenticated senders on a different port of your
server from unauthenticated (e.g. 587 versus 25), you can simply block
(with header_checks) any emails sent to your port 25 that have your own
email address in the 'From' header. As you will be sending through your
server using authentication (typically port 587), your own emails will
still pass through.

Re: spam uses my email address as sender in "header from"

Benny Pedersen-2
In reply to this post by Durga Prasad Malyala
Durga Prasad Malyala skrev den 2020-09-14 13:10:

>> Can I reject messages that have different envelope from and header
>> from?

if you do this you will reject your own postings to the mailing list here

>> Or what would be the best approach ?

add ADSP to the From domain in DNS; that way SpamAssassin can track it, but
you have to do DKIM then as well

https://tools.ietf.org/html/rfc5617

https://www.zytrax.com/books//dns/ch9/dkim.html sorry for the failing SSL
here, but the content is still useful



Re: spam uses my email address as sender in "header from"

Bill Cole-3
In reply to this post by Fourhundred Thecat
On 14 Sep 2020, at 6:35, Fourhundred Thecat wrote:

> Hello,
>
> I am receiving spam, where the "header from" is my actual email (ie,
> the
> email that this spam is delivered to)
>
> The "envelope from" that I see in postfix logs is some random email.
>
> What mechanisms are there to reject such messages, which use my email
> address as sender ?

SPF helps against forged envelope senders. DMARC helps against From:
header forgery.

>
> Can I reject messages that have different envelope from and header
> from?
>
> Or what would be the best approach ?

Examine this message. Is it spam?

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: spam uses my email address as sender in "header from"

Fourhundred Thecat
In reply to this post by Dominic Raferd
On 2020-09-14 14:54, Dominic Raferd wrote:

> On 14/09/2020 11:35, Fourhundred Thecat wrote:
>> I am receiving spam, where the "header from" is my actual email (ie, the
>> email that this spam is delivered to)
>>
>> The "envelope from" that I see in postfix logs is some random email.
>>
>> What mechanisms are there to reject such messages, which use my email
>> address as sender ?
>>
>> Can I reject messages that have different envelope from and header from?
>>
>> Or what would be the best approach ?
>
> If you are accepting authenticated senders on a different port of your
> server from unauthenticated (e.g. 587 versus 25), you can simply block
> (with header_checks) any emails sent to your port 25 that have your own
> email address in the 'From' header. As you will be sending through your
> server using authentication (typically port 587), your own emails will
> still pass through.

yes, I am accepting authenticated senders on port 465, and port 25 is
only for unauthenticated.

But how do I ensure that header_checks only apply to port 25 ?

I have blocked my email address in header_checks, but now I cannot send
emails because they are also blocked.


Re: spam uses my email address as sender in "header from"

Nick-5
On 2020-09-15 08:53 BST, Fourhundred Thecat wrote:
> yes, I am accepting authenticated senders on port 465, and port 25 is
> only for unauthenticated.
>
> But how do I ensure that header_checks only apply to port 25 ?

<http://www.postfix.org/BUILTIN_FILTER_README.html#mx_submission>
HTH
--
Nick
Re: spam uses my email address as sender in "header from"

Fourhundred Thecat
On 2020-09-15 10:18, Nick wrote:
> On 2020-09-15 08:53 BST, Fourhundred Thecat wrote:
>> yes, I am accepting authenticated senders on port 465, and port 25 is
>> only for unauthenticated.
>>
>> But how do I ensure that header_checks only apply to port 25 ?
>
> <http://www.postfix.org/BUILTIN_FILTER_README.html#mx_submission>

thank you, but somehow I cannot make it work.

My header checks work fine when I have it in main.cf (globally)

   header_checks = regexp:/var/local/postfix/maps/header_checks

But when I remove it from main.cf and add last line to master.cf:

smtp      inet      n       -       n       -        -       smtpd
   -o smtpd_tls_security_level=may
   -o smtpd_sasl_auth_enable=no
   -o syslog_name=postfix:25
   -o header_checks=regexp:/var/local/postfix/maps/header_checks

then it does not work.

Re: spam uses my email address as sender in "header from"

Nick-5
On 2020-09-15 19:39 BST, Fourhundred Thecat wrote:
> > On 2020-09-15 10:18, Nick wrote:
> > <http://www.postfix.org/BUILTIN_FILTER_README.html#mx_submission>

> But when I remove it from main.cf and add last line to master.cf:
>
> smtp      inet      n       -       n       -        -       smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=no
>   -o syslog_name=postfix:25
>   -o header_checks=regexp:/var/local/postfix/maps/header_checks
>
> then it does not work.

You're close but your '-o header_checks' is in the wrong place.  It
needs to go into a cleanup service, not smtpd.  The cleanup service is
reserved for your port 25 smtpd service by giving the former a
distinctive name and giving the latter a '-o cleanup_service_name'.
Take another look at the README (in there it's applied to submission but
the principle is the same).

HTH
--
Nick
Re: spam uses my email address as sender in "header from"

Bill Cole-3
In reply to this post by Fourhundred Thecat
On 15 Sep 2020, at 14:39, Fourhundred Thecat wrote:

>> On 2020-09-15 10:18, Nick wrote:
>> On 2020-09-15 08:53 BST, Fourhundred Thecat wrote:
>>> yes, I am accepting authenticated senders on port 465, and port 25
>>> is
>>> only for unauthenticated.
>>>
>>> But how do I ensure that header_checks only apply to port 25 ?
>>
>> <http://www.postfix.org/BUILTIN_FILTER_README.html#mx_submission>
>
> thank you, but somehow I cannot make it work.
>
> My header checks work fine when I have it in main.cf (globally)
>
>   header_checks = regexp:/var/local/postfix/maps/header_checks
>
> But when I remove it from main.cf and add last line to master.cf:
>
> smtp      inet      n       -       n       -        -       smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=no
>   -o syslog_name=postfix:25
>   -o header_checks=regexp:/var/local/postfix/maps/header_checks
>
> then it does not work.

That is NOT what the cited example in BUILTIN_FILTER_README says to do.
The above provides a header_checks directive to the smtp service, which
runs the "smtpd" component of Postfix and does not use that directive.

The header_checks directive is used by the "cleanup" component of
Postfix, so if you need to use different header_checks for message
submission than for inbound transport, you need to define an alternative
cleanup service and use the cleanup_service_name directive to tell the
smtpd services (typically named smtp, smtps, and submission) which one
to use. The example in BUILTIN_FILTER_README names that msa_cleanup and
uses that for the smtps and submission services, leaving the standard
cleanup & its header_checks for the port 25 smtp service.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
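
A concrete form of the split that Nick and Bill describe, written here as an added example for the poster's setup; it is not copied from BUILTIN_FILTER_README or from anyone in the thread. It assumes the poster's smtps service on port 465, the map path quoted above, and the placeholder address me@example.com. It inverts the README's naming as Bill summarises it: the dedicated cleanup here belongs to the MX side, so the default cleanup used by authenticated submission (and by pickup(8) for local sendmail(1) submissions) never sees the check, and main.cf no longer sets header_checks at all.

```text
# /etc/postfix/master.cf  (constructed example; paths and the smtps entry
# are assumptions about the poster's setup)
#
# service     type  private unpriv  chroot  wakeup  maxproc command + args
#
# Port 25: unauthenticated MX traffic. The only change from the poster's
# entry is cleanup_service_name, which points this smtpd at a cleanup that
# carries the header_checks. header_checks itself on smtpd does nothing.
smtp          inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=no
    -o syslog_name=postfix:25
    -o cleanup_service_name=mx_cleanup
mx_cleanup    unix  n       -       n       -       0       cleanup
    -o header_checks=regexp:/var/local/postfix/maps/mx_header_checks
#
# Port 465: authenticated submission. No cleanup_service_name, so it uses
# the default "cleanup" service, which has no header_checks because main.cf
# does not set any.
smtps         inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o syslog_name=postfix/smtps

# /var/local/postfix/maps/mx_header_checks  (regexp table; matching is
# case-insensitive by default, so the pattern needs no flag)
/^From:.*me@example\.com/   REJECT This From: address is not accepted from outside
```

After `postfix reload`, `postconf -Mf smtp/inet` prints the port-25 entry with its `-o` overrides, which is the quickest way to confirm that cleanup_service_name landed on the smtpd service and header_checks on the cleanup service; rejections are then logged by the cleanup process with the REJECT text as the 5.7.1 reply. One caveat a practitioner should weigh before turning this on: mail you post to a mailing list and receive back, or mail forwarded to you from another of your own accounts, arrives on port 25 with your address in From: and is rejected by this rule. That is the same trap Benny points out above for an envelope-versus-header mismatch rule, and the reason DMARC alignment is the more precise tool.
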
Re: spam uses my email address as sender in "header from"

Benny Pedersen-2
In reply to this post by Bill Cole-3
Bill Cole skrev den 2020-09-14 21:50:

> SPF helps against forged envelope senders. DMARC helps against From:
> header forgery.

half correct

dmarc can be spf only

you should not say dmarc when it's dkim
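
What the SPF/DKIM/DMARC discussion in Bill's and Benny's messages looks like as published records, added here as an example; it is not from the thread, and example.com, the selector name and the report address are placeholders. It shows why DMARC, rather than SPF alone, addresses the poster's forged From:, and Benny's point that a DMARC policy can be backed by SPF only, DKIM only, or both.

```text
; Zone fragment for example.com (constructed example, not from the thread).

; SPF authorises the *envelope* sender (MAIL FROM) domain only. Here just
; the domain's MX hosts may send as example.com; anything else fails hard.
example.com.                    IN TXT "v=spf1 mx -all"

; DKIM public key for selector "s1". The p= value is a placeholder; the
; matching private key signs outgoing mail (for example via a DKIM milter).
; Omit this record if the domain relies on SPF alone for DMARC.
s1._domainkey.example.com.      IN TXT "v=DKIM1; k=rsa; p=<PUBLIC-KEY-PLACEHOLDER>"

; DMARC is keyed on the *header* From: domain, the identity this spam forges.
; A message passes only if SPF or DKIM passes AND the domain that passed
; aligns with the From: domain. adkim/aspf=s demand exact-domain alignment;
; drop them for the relaxed default if subdomains send mail.
; Publish p=none first and read the rua= aggregate reports before p=reject.
_dmarc.example.com.             IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@example.com"
```

On the receiving side Postfix evaluates none of these itself; a DMARC-aware milter such as OpenDMARC, or SpamAssassin with its SPF and DKIM plugins as Kevin hints, does the check using the policy the From: domain publishes. For the poster's spam the random envelope domain may well pass SPF for that domain, but it does not align with example.com, and the message carries no valid example.com DKIM signature, so DMARC fails and p=reject applies. The known cost: with p=reject, your posts to a list that does not rewrite From: fail DMARC at other subscribers' receivers, which is why many list managers now rewrite From: for such domains.
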
Re: spam uses my email address as sender in "header from"

Benny Pedersen-2
In reply to this post by Fourhundred Thecat
Fourhundred Thecat skrev den 2020-09-15 20:39:

> My header checks work fine when I have it in main.cf (globally)
>
>   header_checks = regexp:/var/local/postfix/maps/header_checks

header_checks is incoming mails

smtp_header_checks is outgoing mails
Re: spam uses my email address as sender in "header from"

Viktor Dukhovni
> On Sep 15, 2020, at 7:33 PM, Benny Pedersen <[hidden email]> wrote:
>
> header_checks is incoming mails
>
> smtp_header_checks is outgoing mails

Not exactly.  All mail comes in, and then it goes out.

  * header_checks is before transport resolution and delivery scheduling
  * smtp_header_checks is during delivery via SMTP

To the extent that SMTP delivery is *outbound* (rather than inbound
relaying at an edge gateway) your point stands.

As for *outbound* email (going to outside parties), it goes through *both*
header_checks and smtp_header_checks.

--
        Viktor.