[exim] Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 at 23:45:22 UTC, Victor Ustugov via Exim-users wrote:

> But more than one address in a From header is rare. And if there are
> several such incorrect addresses in the From header of the attacker's
> email, then it's good that at least one of them can be extracted using a
> simple regular expression.

I do not manipulate From: nor any other (address) header in that way on incoming mails, neither from the wild nor from users.

But I use the ${address:...} expansion to extract the address from the Sender: and From: headers (forced to one address) on the MSA to check that users use only allowed addresses, to prevent spoofing. I do that test(s) after syntax verifying, but now I see that it is not reliable, just because the MUA (expected) & exim can do it wrong...

I did extensive testing of those checks, but the case of invalid syntax which passes syntax verifying was not included...

regards

-- 
Slavko
https://www.slavino.sk/

-- 
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
[exim] Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 27.05.2023 02:44:
> On 26 May 2023 at 22:31:56 UTC, Victor Ustugov via Exim-users wrote:
>
>> ${if eq{${address:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>\s*\N}{\$1}}}{${address:$rh_From:}}}
>>
>
> Thanks, but do you know that is not perfect too? E.g. try to
> add "(comment)" after the address and it will match an invalid
> address...

Oh... I really missed the "comment". Maybe because in real life I met it a very long time ago.

> Some time ago I searched for an email address regex
> on the Internet, and what I found as full RFC compliant
> was horribly complicated, with questionable performance,
> not manageable (I got lost in it) and for ASCII only...

I think that in this case it is not necessary to use a very "horribly complicated" full RFC compliant regexp. It may be sufficient to ignore all parenthesized text after the last ">". Or even ignore all text in parentheses after the last ">".

${if eq{${addresses:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>[^>]*$\N}{\$1}}}{${addresses:$rh_From:}}}

>> But he can't do it either:
>>
>> From: postmas...@your-domain.tld
>
> That is IMO OK, as this will not pass the header_syntax check,
> thus one can consider it expected that it doesn't parse...

-- 
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
[exim] Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 27.05.2023 10:54:
> On 26 May 2023 at 23:45:22 UTC, Victor Ustugov via Exim-users wrote:
>
>> But more than one address in a From header is rare. And if there are
>> several such incorrect addresses in the From header of the attacker's
>> email, then it's good that at least one of them can be extracted using a
>> simple regular expression.
>
> I do not manipulate From: nor any other (address) header in
> that way on incoming mails, neither from the wild nor from users.

Me neither. But this is exactly what the author of the topic needs.

> But I use the ${address:...} expansion to extract the address from
> the Sender: and From: headers (forced to one address) on the MSA
> to check that users use only allowed addresses, to prevent
> spoofing. I do that test(s) after syntax verifying, but now I
> see that it is not reliable, just because the MUA (expected) &
> exim can do it wrong...

I think checking the headers of emails sent by your users could be more strict, because if ${address:...} returns an empty result then the header is not RFC compliant.

To my mind, when checking the headers of messages received from outside, we should get addresses even from an incorrectly composed header, at least if we need to check these addresses. The headers of outgoing emails from our users must always be RFC compliant.

> I did extensive testing of those checks, but the case of
> invalid syntax which passes syntax verifying was not
> included...

-- 
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
[exim] Re: Completely remove any name in From: header for inbound email?
Hi,

On Sat, 27 May 2023 13:20:48 +0300 Victor Ustugov via Exim-users wrote:

> I think that in this case it is not necessary to use a very "horribly
> complicated" full RFC compliant regexp. It may be sufficient to ignore
> all parenthesized text after the last ">". Or even ignore all text in
> parentheses after the last ">".
>
> ${if eq{${addresses:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>[^>]*$\N}{\$1}}}{${addresses:$rh_From:}}}
>

And then you get something like this:

From: "postmas...@your-domain.tld"
 ()

:-)))

My point was that the regex can be unreliable too. I consider the ${address:} expansion as a way to avoid anyone having to develop their own parser, which can end in an ugly or even wrong way, as not all (including me) are regex experts...

I do not expect that ${address:} will parse any wrong syntax. I can accept that it can fail in some corner cases of valid syntax. But I expect that when a header passes the header_syntax check, then that expansion will be able to parse it, otherwise something is wrong.

regards

-- 
Slavko
https://www.slavino.sk
[exim] Re: Completely remove any name in From: header for inbound email?
Hi,

On Sat, 27 May 2023 13:37:29 +0300 Victor Ustugov via Exim-users wrote:

> I think checking the headers of emails sent by your users could be
> more strict. Because if ${address:...} returns an empty result then
> the header is not RFC compliant.

Yes, but I am not sure if my ACLs are prepared for the case when ${address:} returns nothing, as I rely on the header_syntax check for that... I have to recheck the whole concept, and I am not sure when I will have time for it.

Anyway, it has worked for months without false positives, my users are not desperate, it is just prevention in case of compromise, and that hasn't happened yet...

regards

-- 
Slavko
https://www.slavino.sk
[exim] Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 27.05.2023 14:00:
> Hi,
>
> On Sat, 27 May 2023 13:20:48 +0300 Victor Ustugov via Exim-users wrote:
>
>> I think that in this case it is not necessary to use a very "horribly
>> complicated" full RFC compliant regexp. It may be sufficient to ignore
>> all parenthesized text after the last ">". Or even ignore all text in
>> parentheses after the last ">".
>>
>> ${if eq{${addresses:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>[^>]*$\N}{\$1}}}{${addresses:$rh_From:}}}
>>
>
> And then you get something like this:
>
> From: "postmas...@your-domain.tld"
>  ()
>
> :-)))

In this case everything will be fine, because the address will be returned by ${addresses:...}

But there will be problems with such a header:

From: postmas...@your-domain.tld ()

> My point was that the regex can be unreliable too.

Regex is only a workaround. It is needed only because ${address:...} and ${addresses:...} cannot always extract the addresses from the headers.

> I consider the ${address:} expansion as a way to avoid anyone having
> to develop their own parser, which can end in an ugly or even wrong
> way, as not all (including me) are regex experts...
> I do not expect that ${address:} will parse any wrong syntax. I can
> accept that it can fail in some corner cases of valid syntax. But
> I expect that when a header passes the header_syntax check, then that
> expansion will be able to parse it, otherwise something is wrong.

-- 
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
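As an added illustration, not code from the thread or from Exim: the From: values discussed above run through Python's RFC 5322 parser (email.policy.default) next to a Python transcription of the regex proposed above, plus the kind of allow-list check Slavko describes on the MSA. The header values and the allow-list are constructed for this example, and Exim's own ${address:} behaviour is not reproduced here.

```python
import re
from email import message_from_string, policy

# Python transcription of the ${sg{...}} regex proposed in the thread:
# skip to the last '<', capture the addr-spec, then allow no further '>'.
THREAD_REGEX = re.compile(r"^.*<(\S+?@\S+?)>[^>]*$")


def regex_addr(header_value):
    """Address as the thread's regex extracts it, or None when it cannot."""
    m = THREAD_REGEX.match(header_value)
    return m.group(1) if m else None


def parsed_addr(header_value):
    """Single addr-spec via the stdlib RFC 5322 parser (email.policy.default),
    or None if the value is defective or does not hold exactly one mailbox."""
    msg = message_from_string(f"From: {header_value}\n\nbody\n",
                              policy=policy.default)
    hdr = msg["From"]
    if hdr.defects or len(hdr.addresses) != 1:
        return None
    addr = hdr.addresses[0]
    if not addr.domain:  # e.g. a quoted local-part with no domain at all
        return None
    return addr.addr_spec.lower()


def allowed_sender(header_value, allowed):
    """MSA-style anti-spoofing check as described in the thread: the From:
    value must parse cleanly and its address must be on the user's allow-list
    (a constructed set here, not Exim's own lookup)."""
    addr = parsed_addr(header_value)
    return addr is not None and addr in allowed


# Constructed From: values mirroring the cases discussed in the thread.
CASES = (
    "alice@example.org",                        # bare addr-spec
    '"Alice" <alice@example.org> (comment)',    # comment after the angle-addr
    "alice@example.org ()",                     # bare addr-spec plus comment
    '"alice@example.org" ()',                   # quoted string, no real domain
    "<alice@example.org>, <bob@example.org>",   # two mailboxes
)


def compare():
    """Map each constructed From: value to (regex result, parser result)."""
    return {v: (regex_addr(v), parsed_addr(v)) for v in CASES}


if __name__ == "__main__":
    for value, (rx, parsed) in compare().items():
        print(f"{value!r:45} regex={rx!r:22} parser={parsed!r}")
```

The regex silently picks the last mailbox of a two-address header and gives up on a bare address, while the strict parser returns None for anything defective, which is the behaviour the MSA check wants.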
[exim] Re: Completely remove any name in From: header for inbound email?
On 26/05/2023 13:43, Markus Reschke via Exim-users wrote:
> Hello Sebastian!
>
> On Fri, 26 May 2023, Sebastian Arcus via Exim-users wrote:
>
>> Hello. As so many scams around are based on impersonating someone inside
>> the company, I am wondering if anyone here has considered the more extreme
>> solution of completely removing any name in the From: header for incoming
>> emails? I already have SPF/DKIM/DMARC in place, so the scammers can't
>> actually impersonate the sending email address, but they keep on using the
>> names of people with positions high up in the company. The risks of falling
>> for such emails are much reduced at this stage, but now I'm wondering if the
>> next step would be to just strip all names in the From: field altogether and
>> just leave the email address? Can Exim do that, and has anyone considered it?
>
> Have you heard of IDNs (domain names with unicode characters)? For example,
> your domain is company.com and the bad guy registers
> c<unicode character looking like an o>mpany.com. Then he sets up
> SPF/DKIM/DMARC for that domain and sends you an email. Could you tell just
> from the email address if it's from your CEO or a scammer?
>
> Removing the names to force users to look at the email address can help to
> lower the risk of falling for less sophisticated scams, but it wouldn't work
> for more professional frauds.

That is an interesting point - thank you for flagging it. I haven't seen such a case yet in my setups, but I can see it being perfectly possible. At the moment we are bombarded with emails of the type

From: Director Name

Hence why I was considering stripping the name from all incoming From: headers. In general things are holding out quite well so far, as the users are constantly reminded to be vigilant and the real domain can't be spoofed because of DKIM/DMARC/SPF - but I am constantly looking into ways to strengthen the security.

> ciao
> Markus
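An added example, not from the thread: a small Python check a gateway could apply to the From: domain to catch the IDN look-alike Markus describes, by showing the punycode form the domain has on the wire, the Unicode scripts used in the name, and a confusable-folded comparison against the organisation's real domain. The confusables table is a tiny constructed sample rather than the full Unicode data, and company.com stands in for the real domain.

```python
import unicodedata

# Tiny constructed sample of Cyrillic letters that render like Latin ones;
# a real deployment would use the full Unicode confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x"}


def to_ascii(domain):
    """Punycode (IDNA) form of the domain, i.e. what SPF/DKIM/DMARC see."""
    return domain.encode("idna").decode("ascii")


def label_scripts(domain):
    """Unicode scripts of the letters in the domain, e.g. {'LATIN', 'CYRILLIC'};
    derived from the first word of each character's Unicode name."""
    scripts = set()
    for ch in domain:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def skeleton(domain):
    """Fold confusable characters so look-alike domains compare equal."""
    folded = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def homograph_findings(from_domain, trusted_domains):
    """Reasons to flag a From: domain; an empty list means nothing suspicious."""
    findings = []
    ascii_form = to_ascii(from_domain)
    if ascii_form != from_domain:
        findings.append(f"IDN domain, on the wire as {ascii_form}")
    scripts = label_scripts(from_domain)
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    for trusted in trusted_domains:
        if (from_domain.lower() != trusted.lower()
                and skeleton(from_domain) == skeleton(trusted)):
            findings.append(f"looks like trusted domain {trusted}")
    return findings


if __name__ == "__main__":
    # "c\u043empany.com" uses a Cyrillic small o in place of the Latin one.
    for d in ("company.com", "c\u043empany.com"):
        print(d, "->", homograph_findings(d, ["company.com"]))
```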
[exim] Rejecting connections that have only IP as sender_helo
I was searching through the lists and reading the documentation but I'm coming up short on blocking IP-only senders. I've seen ACLs checking sender_helo_name using isip{} but that doesn't seem to do anything for the case of a literal IP:

H=([185.17.76.25])

What's the proper way to check for the above condition and reject it?