I'm feeling popular for once; 14 replies! Never in all my life ... .. . Anyhow, thanks once again to all who've offered suggestions.
Just to clarify a couple of points:

1) Kai, yes external mail as in mail (sending or receiving) originating external to our network in terms of IP, not physically. When I think on it though, I'll just insist we use RDP or VPN for access when I set it up. We've got the bandwidth and it makes things easier so I won't have to worry about 'Froms' and the like mismatching with HELOs, etc. Blocking all mail from an external address with claims to be from *...@mynetwork.com is fine.

2) Benny, I know Kai's solution doesn't use SPF. As I understand it SPF deals only with envelope security, not the body, which is where the 'From' field is. If there are any extensions to the standard SPF - or I've just got it wrong - which allow you to check the envelope, I'd like to hear more. I'll check the Postfwd daemon when I've the chance, though I'd rather do it with Spamassassin if possible as that's in place already.

3) Kai, your Postfix restrictions, am I right in thinking that they only apply to the 'Mail From' part of an SMTP transaction? A variation on this spam problem is people cramming a lot of valid addresses into the CC, BCC, etc. fields so as to make it look like not only did another staff member send it, but lots of other members of staff got the message too, so that's a good reason to open it, isn't it? Or so the thinking goes.

4) Ted, those domains are there as we check outgoing as much as incoming mail: too many people bringing their own laptops in and plugging them in wherever. I could move the records to an internal view mind so cheers for the pointer.

If I'm right in thinking the check_sender_access only deals with the initial SMTP transaction and not the envelope, I can use it to block bad 'Mail From' commands but would need another filter to catch the faked envelope fields.
So I think a working filter would do the following: If the originating IP is outside of predetermined IP addresses/domains and has a from, cc, bcc, any other I don't know about, address consisting of *...@mynet.com it gets ideally a spamassassin score or if not, just ditched.

Once again, thanks for all the responses.

Calum.

--
View this message in context: http://old.nabble.com/Faked-_From_-field-using-our-domain---how-to-filter-score--tp27132211p27160797.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
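
The filter logic proposed in the message above, sketched in Python as an added example; it is not part of the original post and is not SpamAssassin or Postfix code. It scores only sender-side headers (From, Sender) that claim the local domain when the connecting IP is untrusted, and treats local addresses in Cc/Bcc as supporting evidence only, since external mail can legitimately copy staff. Assumptions: the trusted networks, score values, function names and the constructed sample message are placeholders, and the client IP is supplied by the MTA rather than read from headers.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Placeholder values (assumptions): adjust to the real network and policy.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]
OUR_DOMAIN = "mynet.com"            # domain as written in the post
SENDER_HEADERS = ("From", "Sender")
COPY_HEADERS = ("Cc", "Bcc")
SCORE_FORGED = 5.0                  # hypothetical score for a forged sender
SCORE_COPIES = 1.0                  # extra when local staff are also copied

# Constructed sample: external sender posing as staff and copying colleagues.
SAMPLE = ('From: "The Boss" <boss@MYNET.com>\n'
          "To: staff@mynet.com\n"
          "Cc: alice@mynet.com, bob@mynet.com\n"
          "Subject: please read\n\nbody\n")

def is_trusted(client_ip):
    """True when the connecting IP lies inside a trusted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)

def local_addresses(msg, headers):
    """Return (header, address) pairs whose domain part is OUR_DOMAIN."""
    found = []
    for name in headers:
        for _display, addr in getaddresses(msg.get_all(name, [])):
            _local, at, domain = addr.lower().rpartition("@")
            if at and domain == OUR_DOMAIN:
                found.append((name, addr.lower()))
    return found

def evaluate(raw_message, client_ip):
    """Return (score, forged_senders, local_copies) for one message."""
    if is_trusted(client_ip):
        return 0.0, [], []          # internal, RDP or VPN users are not scored
    msg = message_from_string(raw_message)
    forged = local_addresses(msg, SENDER_HEADERS)
    copies = local_addresses(msg, COPY_HEADERS)
    score = SCORE_FORGED if forged else 0.0
    if forged and copies:
        score += SCORE_COPIES
    return score, forged, copies

if __name__ == "__main__":
    print(evaluate(SAMPLE, "203.0.113.9"))
```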