I'm sure there's a straightforward way of doing this, but after several hours of searching, I can't find it.
The problem is spam with a faked 'From:' field. Spammers are sending e-mails to our domain with the 'From:' field set to a valid e-mail address from our domain. Here's an edited example:

---------------------------------------------------------------------------->
Received: from localhost (localhost.localdomain [127.0.0.1])
    by ourmailserver.ourDomain.ac.uk (Postfix) with ESMTP id 571FB198ACDE
    for <validinternalmailaddr...@ourdomain.ac.uk>; Tue, 12 Jan 2010 15:46:07 +0000 (GMT)
X-Virus-Scanned: amavisd-new at swarthmore.org.uk
X-Spam-Flag: NO
X-Spam-Score: 2.162
X-Spam-Level: **
X-Spam-Status: No, score=2.162 required=4.7 tests=[AWL=-6.560, BAYES_50=0.001,
    HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5,
    RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905,
    URIBL_AB_SURBL=1.86, URIBL_BLACK=1.955]
Received: from ourmailserver.ourDomain.ac.uk ([127.0.0.1])
    by localhost (ourmailserver.ourDomain.ac.uk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id GwJCdn5Rq7xr
    for <validinternalmailaddr...@ourdomain.ac.uk>; Tue, 12 Jan 2010 15:45:37 +0000 (GMT)
Received-SPF: none (mass-business.com: No applicable sender policy available)
    receiver=dns2.swarthmore.org.uk; identity=mfrom;
    envelope-from="toweringtub...@mass-business.com";
    helo=hbrn-5d84dddf.pool.mediaWays.net; client-ip=293.132.208.201
Received: from hbrn-5d84dddf.pool.mediaWays.net (hbrn-5d84d014.pool.mediaWays.net [293.132.208.201])
    by ourmailserver.ourDomain.ac.uk (Postfix) with ESMTP id 5F4DC198ACDB
    for <validinternalmailaddr...@ourdomain.ac.uk>; Tue, 12 Jan 2010 15:45:37 +0000 (GMT)
Received: from 293.132.208.201 by mass-business.com.s6a2.psmtp.com; Tue, 12 Jan 2010 16:45:35 +0100
Message-ID: <000d01ca939e$4805b590$6400a...@toweringtub507>
From: <validinternalmailaddr...@ourdomain.ac.uk>
To: <validinternalmailaddr...@ourdomain.ac.uk>
Subject: Hi, I'm from Russia - a dream to live abroad, my name is Mary, can we get started? "I'm on this dating site - come in to me.
Date: Tue, 12 Jan 2010 16:45:35 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01CA939E.4805B590"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Return-Path: toweringtub...@mass-business.com
X-PMWin-Version: 3.0.2.0, Antivirus-Engine: 3.3.1, Antivirus-Data: 4.49G
X-PureMessage: [Scanned]

From: validinternalmailaddr...@ourdomain.ac.uk
Sent: 12 January 2010 15:46
To: Valid User
Subject: Hi, I'm from Russia - a dream to live abroad, my name is Mary, can we get started? "I'm on this dating site - come in to me. Want to know what the real Russian girls love and warmth? Just a small click
<----------------------------------------------------------------------------

Whilst Postfix drops fake HELOs claiming to be from our domain, this has a valid HELO but a faked 'From:'. The problems with this are twofold:

1. It shows up as internal mail, so gets -6 points or so from the auto-whitelist, thus giving it a decent chance of getting through.
2. Because it has a valid 'From:' field, users are likely to open it as they think it's from another member of staff, or, if they're being dim, that they sent it to themselves.

Could anyone point me in the right direction to deal with this? Currently it's fine if we just drop them, as there's no situation where mail originating from external networks should have a 'From:' field with our domain in it. This may change in the future if we implement external mail access and the like, so it would be useful if I knew how to drop the messages from the AWL when the 'Received: from' field or similar doesn't match the 'From:' field domain, and then give it a score as appropriate.
I'm sure it's possible, as Spamassassin has yet to let me down: it always cheers me up when I watch our costly alternative, Sophos' anti-spam, stare dumbly at the task in hand before seeming to turn its back and let the world of spam go about its business unmolested. Having seen Sophos' attempts, I've always had Spamassassin in place before Sophos and the rest get so much as a sniff of external mail.

Any pointers would be very gratefully received, as my brain has sat down and given up on this, and with these Adobe zero-days about, I'm getting the fear.

Many thanks,

Calum
IT Donkey
Swarthmore Centre UK

NB. One further point is that Spamassassin is called, and hence partially configured, by Amavisd-new.

Details:
Fedora Core 9. Kernel 2.6.27.25-78.2.56.fc9.i686
postfix-2.5.6-1.fc9.i386
spamassassin-3.2.5-1.fc9.i386
amavisd-new-2.5.2-2.fc8.noarch
(All software installed from RPMs.)
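One way to express the check the post asks for, as an added example rather than anything from the original poster: SpamAssassin local.cf rules that add score when the header From: claims the local domain but the message did not travel only through trusted hosts. The domain, the network range and the score are placeholders to adjust.

```conf
# Added example for local.cf (SpamAssassin 3.2.x). Placeholders: ourdomain.ac.uk
# and 192.0.2.0/24 stand for the real domain and the real internal network.

# Hosts whose Received: hops SpamAssassin may believe. 127.0.0.1 covers the
# Postfix <-> amavisd-new loopback hops seen in the headers above; add the
# gateway's public address and any internal MTA ranges here.
trusted_networks  127.0.0.1 192.0.2.0/24
internal_networks 127.0.0.1 192.0.2.0/24

# Sub-rule (leading __ means it scores nothing on its own): the header From:
# address is in our domain. The :addr modifier matches only the address part.
header   __FROM_OUR_DOMAIN  From:addr =~ /\@ourdomain\.ac\.uk$/i

# ALL_TRUSTED is a stock rule that fires only when every Received: hop is
# inside trusted_networks. A From: in our domain that did NOT arrive purely
# via trusted hosts is exactly the forged case described in the post.
meta     FORGED_OUR_FROM    (__FROM_OUR_DOMAIN && !ALL_TRUSTED)
describe FORGED_OUR_FROM    From: claims our domain but mail came from an untrusted relay
score    FORGED_OUR_FROM    5.0

# The AWL (-6.560 in the example) still applies its own correction on top.
# If that keeps pulling such mail under the threshold, the plugin can be
# switched off entirely with the line below, at the cost of losing it for
# all mail, not just forged internal senders.
# use_auto_whitelist 0
```

If roaming users later submit mail from outside, their authenticated submissions will hit this rule too unless they enter through a host listed in trusted_networks or bypass this scan.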