On 5/7/2013 8:54 AM, Abhijeet Rastogi wrote:
> Hi all,
> 
> So, I've a condition where people send mails to my domain with
> fake "From:" header in the body of mail (which Thunderbird or any MUA
> shows while reading the mail).
> 
> This is actually an authentic way of sending mail if the user that's
> sending mail has proper authority over the email that's mentioned in
> body part. (which is not the case here)

Mismatched From: and envelope sender is not a reliable spam
indicator.  Look at the headers of this message, look at just about
every legit marketing message, look at every mail list you're signed
up for, look at PayPal mail, look at mail from your bank.

> 
> To make my point clear enough, the spammer is authenticating with a
> certain mailfrom and then it adds a "From: " part in the body which
> Thunderbird picks up while showing the mail. This way people can get
> fooled that mail is actually coming from that user.

Now you confuse the issue by mentioning authentication.

If you have trouble with compromised local user accounts, use rate
limits to detect and limit the damage. http://postfwd.org/

> 
> What are some possible and standard ways of filtering/rejecting those
> kinds of mails? It would be a plus to have a "hash" kind of thing that'll
> make sure what all possible "mailfrom" and "from" combinations are.
> 

Use standard anti-spam controls to reject unwanted mail.

The easy stuff, safe for (almost) everyone: reject_rbl_client
zen.spamhaus.org, reject_unknown_reverse_client_hostname,
http://www.hardwarefreak.com/fqrdns.pcre;

More powerful, more flexible, more complicated:  amavisd-new with
clamav, Sanesecurity antispam signatures, and SpamAssassin.



  -- Noel Jones
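
The point made in the reply above, that a mismatch between the envelope sender and the From: header does not separate spam from wanted mail, shown as an added example (not part of the original message). The sample messages, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def domain(addr):
    """Lower-cased domain of an address; '' for an empty or null sender."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def mismatch(envelope_sender, raw_message):
    """True when the MAIL FROM domain differs from the From: header domain."""
    msg = message_from_string(raw_message)
    return domain(envelope_sender) != domain(msg.get("From", ""))


# Constructed samples: (label, envelope sender, raw message, wanted by recipient)
SAMPLES = [
    ("mailing list post", "users-bounces@lists.example.org",
     "From: Alice <alice@example.com>\nList-Id: <users.lists.example.org>\n"
     "Subject: Re: question\n\nbody\n", True),
    ("marketing via ESP", "bounce-1234@mail.esp.example",
     "From: Shop <news@shop.example>\nSubject: Sale\n\nbody\n", True),
    ("direct mail", "bob@example.net",
     "From: Bob <bob@example.net>\nSubject: hi\n\nbody\n", True),
    ("forged From: header", "x@spam.example",
     "From: Boss <boss@example.com>\nSubject: urgent\n\nbody\n", False),
    ("spam with matching sender", "promo@spam.example",
     "From: Promo <promo@spam.example>\nSubject: offer\n\nbody\n", False),
]


def evaluate(samples=SAMPLES):
    """Apply the naive 'reject on mismatch' rule and list where it goes wrong."""
    false_positives, false_negatives = [], []
    for label, sender, raw, wanted in samples:
        flagged = mismatch(sender, raw)
        if flagged and wanted:
            false_positives.append(label)      # wanted mail the rule would reject
        elif not flagged and not wanted:
            false_negatives.append(label)      # unwanted mail the rule lets through
    return false_positives, false_negatives


if __name__ == "__main__":
    fp, fn = evaluate()
    print("wanted mail rejected:", fp)
    print("unwanted mail accepted:", fn)
```
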
