Hi Abhijeet, you might be interested in DMARC, a relatively new technique that tries to do what you want: attach validation rules based on the From header.
See dmarc.org for details.

Tom

On 05/07/2013 05:06 PM, Abhijeet Rastogi wrote:
> Hi Noel,
>
> Thanks for your reply. I already have spamhaus and clamav in my setup.
> But, still mails are being passed through it.
>
> I completely understand that it's a very legit way of sending mail.
> It's done *everywhere*.
>
> But I really want to restrict all this as ignorant people are getting
> mails from email addresses like "ad...@domain.com" and they get fooled.
> It passed through both RBL and clamav. The user's domain is also
> "domain.com". I'm just trying to find a way to make these things very
> strict for a certain set of users.
>
> If I could just *tag* these kinds of mails (for ex, adding POSSIBLE
> SPAM in subject etc), that would be awesome too. I'm trying to not
> write a milter for this though.
>
>
> On Tue, May 7, 2013 at 7:57 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>> On 5/7/2013 8:54 AM, Abhijeet Rastogi wrote:
>>> Hi all,
>>>
>>> So, I've a condition where people send mails to my domain with
>>> fake "From:" header in the body of mail (which Thunderbird or any MUA
>>> shows while reading the mail).
>>>
>>> This is actually an authentic way of sending mail if the user that's
>>> sending mail has proper authority over the email that's mentioned in
>>> body part. (which is not the case here)
>>
>> Mismatched From: and envelope sender is not a reliable spam
>> indicator. Look at the headers of this message, look at just about
>> every legit marketing message, look at every mail list you're signed
>> up for, look at PayPal mail, look at mail from your bank.
>>
>>>
>>> To make my point clear enough, the spammer is authenticating with a
>>> certain mailfrom and then it adds a "From: " part in the body which
>>> Thunderbird picks up while showing the mail. This way people can get
>>> fooled that mail is actually coming from that user.
>>
>> Now you confuse the issue by mentioning authentication.
>>
>> If you have trouble with compromised local user accounts, use rate
>> limits to detect and limit the damage. http://postfwd.org/
>>
>>>
>>> What are some possible and standard ways of filtering/rejecting those
>>> kinds of mails? It would be a plus to have a "hash" kind of thing that'll
>>> make sure what all possible "mailfrom" and "from" combinations are.
>>>
>>
>> Use standard anti-spam controls to reject unwanted mail.
>>
>> The easy stuff, safe for (almost) everyone: reject_rbl_client
>> zen.spamhaus.org, reject_unknown_reverse_client_hostname,
>> http://www.hardwarefreak.com/fqrdns.pcre;
>>
>> More powerful, more flexible, more complicated: amavisd-new with
>> clamav, Sanesecurity antispam signatures, and SpamAssassin.
>>
>>
>>
>> --  Noel Jones
>
>
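The From-header check that DMARC builds on, sketched as an added example (not code from this thread or from any DMARC implementation): it tests whether the visible From domain aligns with a domain that passed SPF or DKIM, and tags the subject when it does not. The function names, sample messages, Authentication-Results parsing and the two-label organizational-domain shortcut are assumptions; a real evaluator also looks up the From domain's published DMARC policy in DNS.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # A real DMARC evaluator consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def authenticated_domains(msg):
    # Only trust Authentication-Results written by your own MTA; copies that
    # arrive from outside must be stripped before this check runs.
    found = []
    for value in msg.get_all("Authentication-Results", []):
        found += re.findall(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", value)
        found += re.findall(r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", value)
    return found

def tag_if_unaligned(raw, strict=False, tag="POSSIBLE SPAM"):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    ok = bool(from_domain) and any(
        aligned(from_domain, d, strict) for d in authenticated_domains(msg))
    if not ok:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"[{tag}] {subject}"
    return ok, msg

# Constructed sample messages (not taken from the thread).
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@mailer.example.net; dkim=none\n"
    "From: Helpdesk <helpdesk@example.com>\n"
    "Subject: Password expiry\n\nbody\n")
LEGIT = (
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces@mail.example.org;\n"
    " dkim=pass header.d=example.org\n"
    "From: News <news@example.org>\n"
    "Subject: Weekly digest\n\nbody\n")

if __name__ == "__main__":
    for raw in (SPOOFED, LEGIT):
        ok, msg = tag_if_unaligned(raw)
        print(ok, msg["Subject"])
```

The legitimate sample passes even though its envelope sender differs from the From address, because the DKIM signing domain matches the From domain; that is the difference from a plain mailfrom-versus-From comparison.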