Without using the MTA, I just want to mark them high enough.
Looking to block emails from @secnap.net to @secnap.net where it's an
external email and SPF doesn't match.
Was thinking of some header rules that look for EnvelopeFrom and
From:addr, and ALL_TRUSTED.
(Internal senders might not have their rfc1918 addresses listed in the
SPF records :-).
I would think this is a common enough thing that maybe a plugin could be
written (yes, it's all open source!).
(Yes, most of these emails score high enough, and, yes, if you send an
email to yourself from several misconfigured travel sites, they forge
your email address.)
Something similar to blacklist_from, but it's blacklist_from_not_spf.
(I think we can do some blacklist_from_not_dkim easily enough... with the
optional auth and domain signing stuff.)
Problem with a
  blacklist_from *...@secnap.net
  whitelist_from_spf *...@secnap.net
The blacklist_from would always trigger, and the whitelist_from_spf would
only trigger on emails where !ALL_TRUSTED.
Other problem is if you use an SPF check && !ALL_TRUSTED, and a spammer
sends the email from a real email address. That email address has a
valid SPF, and he forged the (only user-visible email address, the
header From). Since SPF doesn't look at the header From, and SpamAssassin isn't
using SENDER_ID (I assume due to patent issues?),
it really becomes difficult to score an email from your domain, to your
domain.
I am thinking of something like:
ifplugin Mail::SpamAssassin::Plugin::SPF
def_whitelist_from_spf *...@secnap.net
# sub-rules: header From or envelope sender claims the local domain
header __LOCAL_SPOOFED From:addr =~ /\...@secnap\.net/
header __LOCAL_SPOOFED2 EnvelopeFrom =~ /\...@secnap\.net/
# fire only for untrusted mail that did not pass SPF (meta must be one line)
meta LOCAL_SPOOFED ((!SPF_PASS && !ALL_TRUSTED) && (__LOCAL_SPOOFED || __LOCAL_SPOOFED2))
tflags LOCAL_SPOOFED net
endif
(If it's ALL_TRUSTED, you won't get the SPF checks, so you don't check
anything.
If it's user_in_def_spf_wl (which covers SPF_PASS; don't know why one vs.
the other, but I used the long one) you don't check anything.)
Does this just about cover all cases? Except the status emails from travel
web sites, and 'email me this link' type emails? (Which are FORGED
emails in fact!)
(Still think a 'blacklist_from_not_spf *...@secnap.net' would be cool.)
Something similar to what firewalls and routers can now do for what WAN
interface an IP comes from.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
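A standalone model of the LOCAL_SPOOFED meta rule from the post, run over constructed headers; this is added example code, not from the post or from SpamAssassin, and the SPF_PASS / ALL_TRUSTED results are passed in as inputs rather than computed. It also adds a hypothetical header_from_not_spf() that models the blacklist_from_not_spf idea (assumed to mean: header From claims the local domain but the envelope sender is not an SPF-passing local address), which is what catches the real-envelope/forged-header case the post describes.

```python
import email
from email.utils import parseaddr

LOCAL_DOMAIN = "secnap.net"  # the domain used in the post


def addr_domain(value):
    """Lowercase domain of an address header value ('' if absent)."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()


def local_spoofed(raw_message, spf_pass, all_trusted):
    """Model of the post's meta rule:
    LOCAL_SPOOFED = (!SPF_PASS && !ALL_TRUSTED) && (From:addr or EnvelopeFrom is local).
    spf_pass / all_trusted stand in for SpamAssassin's SPF_PASS / ALL_TRUSTED."""
    msg = email.message_from_string(raw_message)
    from_local = addr_domain(msg.get("From")) == LOCAL_DOMAIN         # __LOCAL_SPOOFED
    env_local = addr_domain(msg.get("Return-Path")) == LOCAL_DOMAIN   # __LOCAL_SPOOFED2
    return (not spf_pass and not all_trusted) and (from_local or env_local)


def header_from_not_spf(raw_message, spf_pass, all_trusted):
    """Hypothetical blacklist_from_not_spf: header From claims the local domain,
    mail is untrusted, and the envelope sender is not an SPF-passing local address.
    Unlike local_spoofed(), this also flags a valid-SPF envelope from another domain."""
    msg = email.message_from_string(raw_message)
    from_local = addr_domain(msg.get("From")) == LOCAL_DOMAIN
    env_local = addr_domain(msg.get("Return-Path")) == LOCAL_DOMAIN
    return (not all_trusted) and from_local and (not spf_pass or not env_local)


# Constructed sample messages (not real traffic).
INTERNAL = ("Return-Path: <alice@secnap.net>\nFrom: Alice <alice@secnap.net>\n"
            "To: bob@secnap.net\nSubject: lunch\n\nhi\n")
# envelope from another domain that passes SPF, header From forged to local domain
FORGED_HEADER = ("Return-Path: <promo@example.com>\nFrom: Bob <bob@secnap.net>\n"
                 "To: bob@secnap.net\nSubject: invoice\n\nclick\n")
# envelope and header both forged to the local domain, sent from outside
FORGED_ENVELOPE = ("Return-Path: <bob@secnap.net>\nFrom: Bob <bob@secnap.net>\n"
                   "To: bob@secnap.net\nSubject: hi\n\nx\n")

if __name__ == "__main__":
    print("internal, ALL_TRUSTED:", local_spoofed(INTERNAL, False, True))
    print("forged envelope, no SPF:", local_spoofed(FORGED_ENVELOPE, False, False))
    print("forged header, SPF pass:", local_spoofed(FORGED_HEADER, True, False))
    print("forged header via not_spf:", header_from_not_spf(FORGED_HEADER, True, False))
```

The third case prints False: the meta rule does not fire when the envelope domain has valid SPF, which is the gap the post describes, while the alignment-style check does flag it.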