Hi all,

A silly question: I did have a look around, but I'm just struggling to
find the appropriate keywords to get a definitive answer.

We have a problem where some smart-arse spammers/phishers are spoofing
the From address, specifying our domain as their from address.  In one
case, the person in question uses my personal address in the From, To
and Return-Path.  In others, they pretend to be a scanner sending a
supposedly "scanned document".

I realise this is a symptom of SMTP's design: it was invented when the
Internet was a little village.

As an example, this is one such email (just the headers, I'll spare you
the body) of the form I'm trying to block (I have substituted some
addresses):
> Return-Path: <stua...@longlandclan.id.au>
> Delivered-To: stua...@longlandclan.id.au
> Received: from borderrouter (unknown […])
>       by mailserver (Postfix) with ESMTPS id AEB171728BF
>       for <stua...@longlandclan.id.au>; Sun, 12 Aug 2018 06:28:34 +1000 (AEST)
> Received: from borderrouter (localhost […])
>       by borderrouter (Postfix) with ESMTP id A2A4829EBFAC
>       for <stua...@longlandclan.id.au>; Sun, 12 Aug 2018 06:28:34 +1000 (AEST)
> Received: by borderrouter (Postfix, from userid 8)
>       id 8750029EBFAB; Sun, 12 Aug 2018 06:28:34 +1000 (AEST)
> Received: from thespammer (unknown […])
>       by borderrouter (Postfix) with ESMTP id BAF2B29EBFA7
>       for <stua...@longlandclan.id.au>; Sun, 12 Aug 2018 06:28:28 +1000 (AEST)
> Message-ID: <504cccc27cd042726eeee05ef2605...@longlandclan.id.au>
> From: <stua...@longlandclan.id.au>
> To: <stua...@longlandclan.id.au>
> Subject: Let's have fun?
> Date: 11 Aug 2018 11:19:25 -0500
> MIME-Version: 1.0
> Content-Type: text/plain; charset="cp-850"
> Content-Transfer-Encoding: 8bit
> X-Mailer: Qjvgvfhb xhhkhl 9.2
> X-Virus-Scanned: ClamAV using ClamSMTP

The set-up here is two mail servers, both Postfix on Ubuntu.  One is the
"border router" and is the primary MX for the domain.  It does spam
filtering, then relays to the internal mail server.  Legitimate users
can send email on an alternate port which is NAT-ed to the internal
server, has TLS set up, and authenticates users.

I believe this to be low-hanging fruit to try and deal with.
*Legitimate* email should either:
(1) have a From/Return-Path with a domain *other* than ours
(2) arrive from one of our private network subnets
OR
(3) not arrive on port 25 (if it goes via the other port, the border
router will never "see" it)

There's other spam as well, and I believe I have this reasonably handled
already.

I understand header_checks; these are applied to all incoming mail,
regardless of the source.  I wish to apply a header check for these
shenanigans that do *NOT* arrive from the internal network, i.e.

if client_ip not in 192.168.0.0/16:
    header_checks = regexp:/etc/postfix/incoming_header_checks

then in that incoming_header_checks I can block it with (dots escaped so
they match literally):
    /^(Return-Path|From): .*@longlandclan\.id\.au>$/ REJECT

The alternative of course is to do something with SpamAssassin or some
custom script, but I'm looking for options.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
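One way to get the per-listener behaviour described in the post using Postfix's own configuration, as an added example and not anything from the original post: header_checks are applied by the cleanup(8) service rather than by smtpd, so they cannot be made conditional on the client address directly, but each smtpd listener can be pointed at its own cleanup service through the cleanup_service_name parameter. The envelope sender (what the local delivery agent later writes into Return-Path) is better handled in smtpd_sender_restrictions, which is evaluated per client. The service name cleanup_inbound, the file paths, the mynetworks value and the listener layout are assumptions.

```conf
# /etc/postfix/master.cf on the border router (added example, not the poster's config)
#
# Port 25 gets its own cleanup service, so the spoof header_checks apply only
# to mail that arrives there.  Any other listener (e.g. a submission port for
# authenticated users) keeps the default cleanup service and the main.cf
# header_checks.
smtp            inet  n  -  y  -  -  smtpd
  -o cleanup_service_name=cleanup_inbound
cleanup_inbound unix  n  -  y  -  0  cleanup
  -o header_checks=regexp:/etc/postfix/incoming_header_checks
  -o syslog_name=postfix/inbound

# /etc/postfix/incoming_header_checks
# Postfix regexp tables match case-insensitively by default.  Dots are escaped
# so that "longlandclanXid.au" does not match, and the optional ">" covers both
# the bare and the angle-bracketed address form.
/^From:.*@longlandclan\.id\.au>?$/   REJECT Message-header From spoofs our domain

# /etc/postfix/main.cf
# The envelope sender (MAIL FROM, which becomes Return-Path at final delivery)
# is checked here.  permit_mynetworks exempts the private subnets, so this
# part is already conditional on the client address.  mynetworks is an
# assumed value; use whatever the border router already has.
mynetworks = 127.0.0.0/8 192.168.0.0/16
smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access hash:/etc/postfix/sender_access

# /etc/postfix/sender_access  (build with: postmap hash:/etc/postfix/sender_access)
# A bare domain key matches any envelope sender in that domain.
longlandclan.id.au   REJECT Envelope sender spoofs our domain
```

One caveat: header_checks know nothing about the client, so mail that a private-subnet host relays outbound through the border router's port 25 would also hit the From check. If that path exists, give the internal server its own listener (a second smtpd entry bound to the internal interface, without the cleanup_service_name override) or have it submit on the authenticated port. After editing, run `postfix reload`, and try the pattern with `postmap -q "From: <x@longlandclan.id.au>" regexp:/etc/postfix/incoming_header_checks` before relying on it.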
