Hi Noel,

Thanks for your reply. I already have Spamhaus and clamav in my setup. But, still mails are being passed through it.

I completely understand that it's a very legit way of sending mail. It's done *everywhere*. But, I really want to restrict all this as ignorant people are getting mails from email addresses like "ad...@domain.com" and they get fooled. It passed through both RBL and clamav. The user's domain is also "domain.com". I'm just trying to find a way to make these things very strict for a certain set of users. If I could just *tag* these kinds of mails (for ex, adding POSSIBLE SPAM in subject etc), that would be awesome too. I'm trying to not write a milter for this though.

On Tue, May 7, 2013 at 7:57 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 5/7/2013 8:54 AM, Abhijeet Rastogi wrote:
>> Hi all,
>>
>> So, I've a condition where people send mails to my domain with
>> fake "From:" header in the body of mail (which Thunderbird or any MUA
>> shows while reading the mail).
>>
>> This is actually an authentic way of sending mail if the user that's
>> sending mail has proper authority over the email that's mentioned in
>> body part. (which is not the case here)
>
> Mismatched From: and envelope sender is not a reliable spam
> indicator. Look at the headers of this message, look at just about
> every legit marketing message, look at every mail list you're signed
> up for, look at PayPal mail, look at mail from your bank.
>
>>
>> To make my point clear enough, the spammer is authenticating with a
>> certain mailfrom and then it adds a "From: " part in the body which
>> Thunderbird picks up while showing the mail. This way people can get
>> fooled that mail is actually coming from that user.
>
> Now you confuse the issue by mentioning authentication.
>
> If you have trouble with compromised local user accounts, use rate
> limits to detect and limit the damage. http://postfwd.org/
>
>>
>> What are some possible and standard ways of filtering/rejecting those
>> kinds of mails? It would be a plus to have a "hash" kind of thing that'll
>> make sure what all possible "mailfrom" and "from" combinations are.
>>
>
> Use standard anti-spam controls to reject unwanted mail.
>
> The easy stuff, safe for (almost) everyone: reject_rbl_client
> zen.spamhaus.org, reject_unknown_reverse_client_hostname,
> http://www.hardwarefreak.com/fqrdns.pcre;
>
> More powerful, more flexible, more complicated: amavisd-new with
> clamav, Sanesecurity antispam signatures, and SpamAssassin.
>
>
>
> -- Noel Jones

--
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com
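
An added example, not part of the original thread and not Postfix or amavisd-new code: one way to tag only the narrow case described above, where the header From: claims a protected local domain while the envelope sender (MAIL FROM) belongs to a different domain, so ordinary list and marketing mail with mismatched senders is left alone. The names `tag_if_spoofed`, `domain_of`, `SAMPLE` and the `.example` addresses are assumptions made for illustration; how the envelope sender is passed in from the MTA is not shown.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

TAG = "POSSIBLE SPAM"  # subject tag wording from the post

# Constructed sample: header From: claims domain.com, envelope sender does not.
SAMPLE = (
    "From: Admin <someone@domain.com>\n"
    "To: user@domain.com\n"
    "Subject: Password expiry\n"
    "\n"
    "Please log in.\n"
)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def tag_if_spoofed(raw, envelope_sender, protected_domains):
    """Tag Subject when From: claims a protected domain but MAIL FROM does not.

    envelope_sender is the SMTP MAIL FROM value handed over by the MTA
    (an assumption of this example). Returns (message, tagged).
    """
    msg = message_from_string(raw, policy=policy.default)
    env_domain = domain_of(parseaddr(envelope_sender)[1])
    # Check every From: header and every address in it; the MUA may show any.
    from_values = [str(v) for v in msg.get_all("From", [])]
    claimed = {domain_of(a) for _, a in getaddresses(from_values)}
    claimed &= set(protected_domains)
    # The null sender "<>" has no domain and is therefore tagged as well.
    spoofed = bool(claimed) and env_domain not in claimed
    if spoofed:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):
            del msg["Subject"]  # policy.default allows only one Subject
            msg["Subject"] = f"{TAG}: {subject}"
    return msg, spoofed

if __name__ == "__main__":
    tagged_msg, hit = tag_if_spoofed(SAMPLE, "<bulk@mailer.example>", {"domain.com"})
    print(hit, tagged_msg["Subject"])
```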