On Mon, 13 Aug 2018 at 06:52, Matthias Fechner <ide...@fechner.net> wrote:
> On 13.08.2018 at 01:29, Stuart Longland wrote:
> > We have a problem where some smart-arse spammers/phishers are spoofing
> > the From address, specifying our domain as their from address. In one
> > case, the person in question uses my personal address in the From, To
> > and Return-Path. In others, they pretend to be a scanner sending a
> > supposedly "scanned document".
>
> Set up SPF; there you can define which host is allowed to send emails
> from your domain.
> The check will be done on the mailserver receiving the "faked" emails.
>

SPF used on its own as a blocking mechanism works on the envelope sender, not the header.from. To block fake senders which use your domain as header.from you should use DMARC, specifying DKIM (and SPF) and using p=reject. Not only will this stop people sending emails purporting to be from you to *your* server, but it will largely prevent them from sending them to *anyone else*. This depends on your server and others testing incoming mail for DMARC compliance - but all the major email providers do this. It will also block emails that fake your domain as the envelope sender (Return-Address).

The only disadvantages are that it takes a little setting up, and that you can't then use such a domain for posts to mailing lists.

As for the text part of the header.from, once you have DMARC covering the other bases you can tackle it with header_checks, even though all emails go through it, even those from your legitimate domain senders.
The example below is an extract from a header_checks file which attempts to block not only attempts to fake your email address but also your name; it uses pcre syntax, not regex. Note that the 'if' clauses are nested, but unfortunately indenting for the purpose of clarity is not (I think) permitted in pcre files:

if /^From:/
# emails with the mail name part of header.from set to your domain(s) will pass here, skipping the rest of the tests
# faked instances of such can be blocked by opendmarc if your domain has DMARC with p=reject, but not here
/(yourdomain1\.tld|yourdomain2\.tld)>?$/ DUNNO
# block emails which use your domain as the last part of the text in header.from, e.g. "From: y...@yourdomain.tld <impersona...@elsewhere.com>"
/^(.*(yourdomain1\.tld|yourdomain2\.tld)"? <.*)$/ REJECT message content impersonation
# inspect emails that use your real name in the text - expand this to work with other names as required:
if /^From: ?(S(tuart)? Longland)/
# allow other legitimate email addresses that you use, also from apple and (ubuntu) launchpad
if !/(yourexternaladdress@anotherdomain\.tld|@bugs\.launchpad\.net|noreply@email\.apple\.com)>?$/
# and allow if 'via ', e.g. via Dropbox - otherwise block mails
!/via / REJECT message content impersonation
endif
endif
endif

If you are absolutely set against using DMARC then there is probably a way of blocking faked header.from addresses with a SpamAssassin multi-header test.