Without using the MTA, I just want to mark them high enough.

Looking to block emails from @secnap.net to @secnap.net where it's an external email and SPF doesn't match.

Was thinking of some header rules that look for EnvelopeFrom and From:addr, and ALL_TRUSTED.

(Internal senders might not have their rfc1918 addresses listed in the SPF records :-).

I would think this is a common enough thing that maybe a plugin could be written (yes, it's all open source!) (yes, most of these emails score high enough, and, yes, if you send an email to yourself from several mis-configured travel sites, they forge your email address).

Something similar to blacklist_from, but it's blacklist_from_not_spf.
(I think we can do some blacklist_from_not_dkim easily enough... with the optional auth and domain signing stuff.)

The problem with a
blacklist_from *...@secnap.net
whitelist_from_spf *...@secnap.net
is that the blacklist_from would always trigger, and the whitelist_from_spf would only trigger on emails where ! ALL_TRUSTED.

The other problem is if you use an SPF check && ! ALL_TRUSTED, and a spammer sends the email from a real email address. That email address has a valid SPF, and he forged the (only user-visible) email address, the header. Since SPF doesn't look at the header From, and SpamAssassin isn't using SENDER_ID (I assume due to patent issues?), it really becomes difficult to score an email from your domain, to your domain.

I am thinking of something like:

ifplugin Mail::SpamAssassin::Plugin::SPF
# default whitelist: USER_IN_DEF_SPF_WL fires when the sender passes SPF for secnap.net
def_whitelist_from_spf *...@secnap.net
# either the visible From: or the envelope sender claims to be local
header __LOCAL_SPOOFED From:addr =~ /\...@secnap\.net/
header __LOCAL_SPOOFED2 EnvelopeFrom =~ /\...@secnap\.net/
# mail that left the trusted network, claims to be local, and did not pass SPF
meta LOCAL_SPOOFED ((!SPF_PASS && !ALL_TRUSTED) && (__LOCAL_SPOOFED || __LOCAL_SPOOFED2))
tflags LOCAL_SPOOFED net
endif

(If it's ALL_TRUSTED, you won't get the SPF checks, so you don't check anything. If it's USER_IN_DEF_SPF_WL (which covers SPF_PASS; don't know why one vs. the other, but I used the long one), you don't check anything.)

Does this just about cover all cases? Except the status emails from travel web sites, and 'email me this link' type emails? (Which are FORGED emails in fact!)

(Still think a 'blacklist_from_not_spf *...@secnap.net' would be cool.)
Something similar to what firewalls and routers can now do for which WAN interface an IP comes from.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best in Email Security,2010: Network Products Guide
   * King of Spam Filters, SC Magazine 2008

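A small model of the check discussed in the message above, written here as an added example (not code from the post or from SpamAssassin), assuming each message is reduced to the four facts the meta rule consults; the `Msg` type, the `local_spoofed_aligned` variant that also requires the SPF-passing envelope domain to match the visible From domain, and all sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

LOCAL_DOMAIN = "secnap.net"   # the domain being protected (from the post)


@dataclass
class Msg:
    header_from: str    # From:addr, the only address the user sees
    envelope_from: str  # EnvelopeFrom / Return-Path, what SPF actually checks
    spf_pass: bool      # would SPF_PASS fire for envelope_from?
    all_trusted: bool   # would ALL_TRUSTED fire (mail never left trusted relays)?


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def local_spoofed(m: Msg) -> bool:
    """Same boolean as the LOCAL_SPOOFED meta rule in the post."""
    claims_local = LOCAL_DOMAIN in (domain(m.header_from), domain(m.envelope_from))
    return (not m.spf_pass and not m.all_trusted) and claims_local


def local_spoofed_aligned(m: Msg) -> bool:
    """Hypothetical stricter variant: an SPF pass only clears the message when
    the envelope domain that passed is the domain shown in the header From."""
    if m.all_trusted or domain(m.header_from) != LOCAL_DOMAIN:
        return False
    return not (m.spf_pass and domain(m.envelope_from) == LOCAL_DOMAIN)


# Constructed sample messages covering the cases raised in the post.
SAMPLES = {
    # internal sender on an RFC1918 host not listed in SPF: trusted path, fine
    "internal": Msg("bob@secnap.net", "bob@secnap.net", False, True),
    # external host, both addresses forged, SPF fails: caught by both checks
    "forged_spf_fail": Msg("ceo@secnap.net", "ceo@secnap.net", False, False),
    # sender's own domain passes SPF, only the header From is forged:
    # the meta rule misses it, the aligned variant catches it
    "forged_spf_pass": Msg("ceo@secnap.net", "bounce@spammer.example", True, False),
    # 'email me this link' from a travel site: technically forged as well
    "travel_site": Msg("bob@secnap.net", "noreply@travel.example", True, False),
    # unrelated external mail: never a hit
    "unrelated": Msg("x@other.example", "x@other.example", True, False),
}


def evaluate() -> dict:
    """Return {name: (meta_rule_hit, aligned_variant_hit)} for every sample."""
    return {k: (local_spoofed(m), local_spoofed_aligned(m)) for k, m in SAMPLES.items()}
```

The `travel_site` row shows the cost of the stricter variant: the legitimate but forged-From status mail the post mentions is flagged alongside the spoof.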
