[Mimedefang] Blocking messages spoofed with my own e-mailladdress

Jon R. Kibler Jon.Kibler at aset.com
Mon Nov 17 09:33:04 EST 2003 

Stefano McGhee wrote:
> 
> Hello Jeff,
> 
> >
> > I have been seeing a lot of spam come in where the sender faked my own
> > e-mail address as the sender's address.  I should never be receiving a
> > message from outside my network from my domain, so I would think it
> > would be easy to make a MIMEDefang filter to block these.  My Perl
> > skills are woefully lacking, and I am sure others must have had this
> > problem.  Anybody care to share their filter rules to block
> > this kind of
> > spam?
> 
> Don't like Perl?  Put this in your Sendmail access DB file and you won't
> need Perl.
> 
> From:yourdomain.com                 ERROR:"550 No local relay"
> 
> You'll need to make sure your sendmail.mc/cf has the option to allow
> blacklists.  This prevents people from outside trying to send you mail with
> your domain.  HOWEVER, beware that some "legitimate" websites like to send
> you confirmation messages or news messages from your own account, so they
> will be blocked.  I'm OK with it because I think it's wrong, but that's
> just me.
> 
> Write back if you need more clarafication...
> 
> Cheers,
> 
> Stefano

Good timing on this discussion. I was poised to ask a similar question. However, mine is slightly more complex.

We manage several virtual domains. Users of those domains have also been getting forged envelope "From: == To:" addresses, where even an attempted bounce (for example, based on originating from an open proxy server) results in the user still getting the spam. 
For example, assume the following headers:
>              Received: from mail.xyc.com (z.y.x.w.rev-ip.cable-modem.com [w.x.y.z]) by mail.ourserver.net (/) with ESMTP id
>                        hAHDpbmp000551 for <Joe.Smith at xyc.com>; Mon, 17 Nov 2003 08:51:38 -0500 (EST)
>     X-Envelope-Sender: "Susie Hotpants" <Joe.Smith at xyc.com>
>  X-Envelope-Recipient: Joe.Smith at xyc.com

and the following access.db rule:
> rev-ip.cable-modem.com  ERROR:"5.7.1:550 Sorry, we don't accept mail from systems without a real hostname."

Now, when the mail bounces, it still goes to Joe.Smith at xyc.com. (Usually, in reality the trickery is somewhat more complex...  but the basic idea is as shown.)

Stefano, your suggestion works great for a local domain whose incoming mail server does not do internal relay, but it falls apart here, because:
   1)   xyc.com has legit need to send to ourserver.net, and
   2)   all the virtual domains communicate amongst themselves through these same mail servers.

We were looking into setting up a database in sendmail that would filter domains that are in /etc/mail/virtuser-domains based upon the connecting system's netblock, but a brief examination showed that was not practical because too many users connect from remote locations, or have multiple ISPs around the world and use their mail servers, but use their local domain as the From: address.

Any suggestions on the best way to handle this?

TIA for all thoughts!

Sincerely,
Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

More information about the MIMEDefang mailing list