Mailing List Archive: SpamAssassin: users

How to delete emails with FROM that is not in the server?



secmas at gmail

Aug 15, 2012, 9:40 PM

Post #1 of 8 (364 views)
How to delete emails with FROM that is not in the server?

Hello all,
I am wondering if there could be a rule where the FROM of an email that is
delivered from the server could be checked to verify that its domain exists on
the server. Is it possible?

What I am looking for is to block any email that is sent from my server that is
not using any of the domain accounts that belong to that server.

Thank you in advance.

Best Regards,

Sergio Cabrera


jhardin at impsec

Aug 15, 2012, 10:09 PM

Post #2 of 8 (336 views)
Re: How to delete emails with FROM that is not in the server?

On Wed, 15 Aug 2012, Sergio wrote:

> Hello all,
> I am wondering if there could be a rule where the FROM of an email that is
> delivered from the server could be checked to verify that its domain exists on
> the server. Is it possible?
>
> What I am looking for is to block any email that is sent from my server that is
> not using any of the domain accounts that belong to that server.

That's not what SA is for.

Read up how to configure whatever your MTA is to prevent "open relay".

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun Control enables genocide while doing little to reduce crime.
-----------------------------------------------------------------------
Today: the 67th anniversary of the end of World War II


dbfunk at engineering

Aug 15, 2012, 10:12 PM

Post #3 of 8 (337 views)
Re: How to delete emails with FROM that is not in the server?

On Wed, 15 Aug 2012, Sergio wrote:

> Hello all,
> I am wondering if there could be a rule where the FROM of an email that is delivered from the server could be checked to verify that its domain exists on the server. Is it possible?
>
> What I am looking for is to block any email that is sent from my server that is not using any of the domain accounts that belong to that server.
>
> Thank you in advance.
>
> Best Regards,
>
> Sergio Cabrera

That sort of check is best done at the SMTP-server (MTA) level. How is SA
to know who the valid users on your system are (including aliases,
forwards, etc.)?

Your SMTP server must know who your valid recipients are so it can reject
unknown users and deliver the valid ones. So just apply the same kind of
check to the From address (i.e. if domain === us, check to make sure user ==
ours, else SMTP-REJECT). Details are MTA specific, but most have some kind
of built-in check for doing this sort of thing.

The thing which SA can be used for is to hit forgery spam, i.e. if the
'From' domain is ours, and the sending host isn't one we bless, hit it.
(If you have valid SPF records this is trivially easy to do.)

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


secmas at gmail

Aug 16, 2012, 1:13 PM

Post #4 of 8 (332 views)
Re: How to delete emails with FROM that is not in the server?

Thank you all for your inputs.

What happens is this:
My server is not Open Relayed and it has SPF and DOMAINKEYS in it and that
is working great. The problem is when a hacker has obtained the password
from an account, so, it can send emails authenticating with the account
that has been compromised. When a hacker has access to an account (I am
almost sure that any one on the list has seen this), he sends emails but
the FROM is changed to something that is not a domain on the server, that
is what I am looking to stop.

Maybe a rule that could check that the FROM is not the same as the
authenticated domain.

Could this be done?

Best Regards,

Sergio

On Wed, Aug 15, 2012 at 11:12 PM, David B Funk <dbfunk [at] engineering
> wrote:

> On Wed, 15 Aug 2012, Sergio wrote:
>
> Hello all,
>> I am wondering if there could be a rule where the FROM of an email that is
>> delivered from the server could be checked to verify that its domain exists on
>> the server. Is it possible?
>>
>> What I am looking for is to block any email that is sent from my server that
>> is not using any of the domain accounts that belong to that server.
>>
>> Thank you in advance.
>>
>> Best Regards,
>>
>> Sergio Cabrera
>>
>
> That sort of check is best done at the SMTP-server (MTA) level. How is SA
> to know who the valid users on your system are (including aliases,
> forwards, etc.)?
>
> Your SMTP server must know who your valid recipients are so it can reject
> unknown users and deliver the valid ones. So just apply the same kind of
> check to the From address (i.e. if domain === us, check to make sure user ==
> ours, else SMTP-REJECT). Details are MTA specific, but most have some kind
> of built-in check for doing this sort of thing.
>
> The thing which SA can be used for is to hit forgery spam, i.e. if the
> 'From' domain is ours, and the sending host isn't one we bless, hit it.
> (If you have valid SPF records this is trivially easy to do.)
>
> --
> Dave Funk University of Iowa
> <dbfunk (at) engineering.uiowa.edu> College of Engineering
> 319/335-5751 FAX: 319/384-0549 1256 Seamans Center
> Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{
>


jhardin at impsec

Aug 16, 2012, 1:22 PM

Post #5 of 8 (330 views)
Re: How to delete emails with FROM that is not in the server?

On Thu, 16 Aug 2012, Sergio wrote:

> My server is not Open Relayed and it has SPF and DOMAINKEYS in it and
> that is working great. The problem is when a hacker has obtained the
> password from an account, so, it can send emails authenticating with the
> account that has been compromised. When a hacker has access to an
> account (I am almost sure that any one on the list has seen this), he
> sends emails but the FROM is changed to something that is not a domain
> on the server, that is what I am looking to stop.

That is indeed considered a subcase of open relay. There should be a list
of domains that control whether mail is accepted by an MTA, such that
({domain in list} -> {any}) is accepted, and ({any} -> {domain in list})
is accepted, and anything else is rejected.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
An operating system design that requires a system reboot in order to
install a document viewing utility does not earn my respect.
-----------------------------------------------------------------------
8 days until the 1933rd anniversary of the destruction of Pompeii
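The MTA-level check Dave Funk describes in Post #3 (an authenticated account may only send as addresses that are ours) and the relay rule John Hardin states in Post #5 (accept local -> any and any -> local, reject the rest), modelled together as a policy function. This is an added example, not code from the list, from SpamAssassin or from any MTA; the hosted domains, the login map (which From addresses each login owns), and the sample envelopes are constructed, and the verdict strings merely imitate what an SMTP restriction list would return. It checks the header From as well as the envelope MAIL FROM, which is the form of the check Sergio's compromised-account case needs.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: the domains this server hosts, and a login map
# saying which sender addresses each SASL-authenticated account may use.
LOCAL_DOMAINS = {"example.com", "example.org"}
SENDER_LOGIN_MAP = {
    "sergio": {"sergio@example.com", "sales@example.com"},
    "alice": {"alice@example.org"},
}

ADDR_RE = re.compile(r"<([^<>]+)>\s*$")


def extract_address(header_value: str) -> str:
    """Return the bare address from 'Display Name <user@dom>' or 'user@dom'."""
    m = ADDR_RE.search(header_value)
    return (m.group(1) if m else header_value).strip().lower()


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; '' for the null sender."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


@dataclass
class Envelope:
    mail_from: str                  # SMTP MAIL FROM (envelope sender)
    rcpt_to: str                    # SMTP RCPT TO
    header_from: str                # RFC 5322 From: header value
    auth_user: Optional[str] = None  # SASL login name, None if not authenticated


def relay_allowed(env: Envelope, local_domains=LOCAL_DOMAINS) -> bool:
    """John Hardin's rule: (local -> any) and (any -> local) are accepted;
    anything else is an open-relay attempt."""
    return (domain_of(env.mail_from) in local_domains
            or domain_of(env.rcpt_to) in local_domains)


def sender_login_ok(env: Envelope, login_map=SENDER_LOGIN_MAP,
                    local_domains=LOCAL_DOMAINS) -> bool:
    """Dave Funk's check applied to an authenticated session: the login may
    only use sender addresses in our domains that the login map assigns to
    it, in the envelope and in the From: header alike."""
    if env.auth_user is None:
        return True  # nothing to compare; the relay rule still applies
    allowed = login_map.get(env.auth_user, set())
    for addr in (env.mail_from.lower(), extract_address(env.header_from)):
        if domain_of(addr) not in local_domains or addr not in allowed:
            return False
    return True


def policy(env: Envelope) -> Tuple[str, str]:
    """Combined verdict in the order an MTA restriction list would apply it."""
    if not relay_allowed(env):
        return "REJECT", "relay access denied"
    if not sender_login_ok(env):
        return "REJECT", "sender not owned by login %s" % env.auth_user
    return "ACCEPT", "ok"


# Constructed sample sessions covering the cases raised in the thread.
SAMPLE_CASES = [
    # legitimate authenticated user sending as their own address
    Envelope("sergio@example.com", "friend@remote.example",
             "Sergio <sergio@example.com>", "sergio"),
    # compromised account, foreign envelope sender, external recipient
    Envelope("ceo@bank.example", "victim@remote.example",
             "CEO <ceo@bank.example>", "sergio"),
    # compromised account, our envelope sender but forged From: header
    Envelope("sergio@example.com", "victim@remote.example",
             "CEO <ceo@bank.example>", "sergio"),
    # authenticated user borrowing another local user's address
    Envelope("alice@example.org", "bob@example.com",
             "alice@example.org", "sergio"),
    # ordinary unauthenticated inbound mail to a local recipient
    Envelope("someone@remote.example", "bob@example.com",
             "Someone <someone@remote.example>"),
    # unauthenticated foreign-to-foreign: classic open relay
    Envelope("someone@remote.example", "other@remote.example",
             "Someone <someone@remote.example>"),
]

if __name__ == "__main__":
    for env in SAMPLE_CASES:
        verdict, reason = policy(env)
        print("%-6s %-40s %s" % (verdict, env.mail_from, reason))
```

The relay rule alone catches the attacker who also forges the envelope sender, while the login check is what catches the case Sergio describes: our envelope sender, our authenticated account, but a From: header in someone else's domain. In Postfix the envelope half of this is the built-in `smtpd_sender_login_maps` lookup enforced by `reject_authenticated_sender_login_mismatch`; checking the header From requires a milter, which is why KAM points at MIMEDefang.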


KMcGrail at PCCC

Aug 16, 2012, 1:22 PM

Post #6 of 8 (332 views)
Re: How to delete emails with FROM that is not in the server?

On 8/16/2012 4:13 PM, Sergio wrote:
> , he sends emails but the FROM is changed to something that is not a
> domain on the server, that is what I am looking to stop.
>
> Maybe a rule that could check that the FROM is not the same as the
> authenticated domain.
I think SA is the wrong tool for the issue.

You might be able to do this with a trust_auth rule if you know m4, etc.
However, I would likely look at using MIMEDefang and use it with sendmail
auth macros.

http://etutorials.org/Server+Administration/Sendmail/Part+III+The+Configuration+File/Chapter+21.+The+D+Define+a+Macro+Configuration+Command/auth_authen/

Here's another page with some pointers on macros and mimedefang:

http://www.novosial.org/mimedefang/macro-pass/index.html

Regards,
KAM


secmas at gmail

Aug 16, 2012, 2:58 PM

Post #7 of 8 (329 views)
Re: How to delete emails with FROM that is not in the server?

Thank you, KAM.

I will take a look at those URLs, appreciated.

John, that is what I am looking to do and that is why I thought that SA
could have a rule for this. I will read the info that KAM sent.

Best Regards,

Sergio

On Thu, Aug 16, 2012 at 2:22 PM, John Hardin <jhardin [at] impsec> wrote:

> On Thu, 16 Aug 2012, Sergio wrote:
>
> My server is not Open Relayed and it has SPF and DOMAINKEYS in it and
>> that is working great. The problem is when a hacker has obtained the
>> password from an account, so, it can send emails authenticating with the
>> account that has been compromised. When a hacker has access to an account
>> (I am almost sure that any one on the list has seen this), he sends emails
>> but the FROM is changed to something that is not a domain on the server,
>> that is what I am looking to stop.
>>
>
> That is indeed considered a subcase of open relay. There should be a list
> of domains that control whether mail is accepted by an MTA, such that
> ({domain in list} -> {any}) is accepted, and ({any} -> {domain in list}) is
> accepted, and anything else is rejected.
>
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> An operating system design that requires a system reboot in order to
> install a document viewing utility does not earn my respect.
> -----------------------------------------------------------------------
> 8 days until the 1933rd anniversary of the destruction of Pompeii
>


jhardin at impsec

Aug 16, 2012, 3:11 PM

Post #8 of 8 (331 views)
Re: How to delete emails with FROM that is not in the server?

On Thu, 16 Aug 2012, Sergio wrote:

> John, that is what I am looking to do and that is why I thought that SA
> could have a rule for this. I will read the info that KAM sent.

No, that sort of thing is the responsibility of the MTA.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The real opiate of the masses isn't religion; it's the belief that
somewhere there is a benefit that can be delivered without a
corresponding cost. -- Tom of "Radio Free NJ"
-----------------------------------------------------------------------
8 days until the 1933rd anniversary of the destruction of Pompeii
