Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Tom Hendrikx (tomwhyscream.net)
Date: Tue May 07 2013 - 10:59:56 CDT
you might be interested in DMARC, a relatively new technique that tries
to do what you want: attach validation rules based on the From header.
See dmarc.org for details.
On 05/07/2013 05:06 PM, Abhijeet Rastogi wrote:
> Hi Noel,
> Thanks for your reply. I already have spamhous and clamav in my setup.
> But, still mails are being passed through it.
> I completely understand that it's a very legit way of sending mail.
> It's done *everywhere*.
> But, really want to restrict all this as ignorant people are getting
> mails from email address like "admindomain.com" and they get fooled.
> It passed through both RBL and clamav. The user's domain is also
> "domain.com". I'm just trying to find a way to make these thing very
> strict for a certain set of users.
> If I could just *tag* these kind of mails (for ex, adding POSSIBLE
> SPAM in subject etc), that would be awesome too. I'm trying to not
> write a milter for this though.
> On Tue, May 7, 2013 at 7:57 PM, Noel Jones <njonesmegan.vbhcs.org> wrote:
>> On 5/7/2013 8:54 AM, Abhijeet Rastogi wrote:
>>> Hi all,
>>> So, I've a condition where people send mails to my domain with with
>>> fake "From:" header in the body of mail (which Thunderbird or any MUA
>>> shows while reading the mail).
>>> This is actually an authentic way of sending mail if the user that's
>>> sending mail has proper authority over the email that's mentioned in
>>> body part. (which is not the case here)
>> Mismatched From: and envelope sender is not a reliable spam
>> indicator. Look at the headers of this message, look at just about
>> every legit marketing message, look at every mail list you're signed
>> up for, look at PayPal mail, look at mail from your bank.
>>> To make my point clear enough, the spammer is authenticating with a
>>> certain mailfrom and then it adds a "From: " part in the body which
>>> Thunderbird picks up while showing the mail. This way people can get
>>> fooled that mail is actually coming from that user.
>> Now you confuse the issue by mentioning authentication.
>> If you have trouble with compromised local user accounts, use rate
>> limits to detect and limit the damage. http://postfwd.org/
>>> What are some possible and standard ways of filtering/rejecting those
>>> kinds of mails? It would a plus to have a "hash" kind of thing that'll
>>> make sure what all possible "mailfrom" and "from" combinations are.
>> Use standard anti-spam controls to reject unwanted mail.
>> The easy stuff, safe for (almost) everyone: reject_rbl_client
>> zen.spamhaus.org, reject_unknown_reverse_client_hostname,
>> More powerful, more flexible, more complicated: amavisd-new with
>> clamav, Sanesecurity antispam signatures, and SpamAssassin.
>> -- Noel Jones
- application/pgp-signature attachment: OpenPGP digital signature