On 10/15/16 20:56, David Jones wrote:
>
> >What I was hoping for was, that as someone who does bother checking, to
> >find out a solution that would help me prevent receiving spoofed
> >e-mails, because as I mentioned multiple times SPF, DKIM, and DMARC are
> >not able to do that. I am looking for a way to detect that an e-mail is
> >spoofed. Any way.
>
> >Now, for sure users who do not want to bother to check will always
> >receive spoofed e-mails easily, so how about users who do want to check?
> >What solution that works is out there? What can you actually do to
> >prevent receiving spoofed e-mails?
>
> >One of the solutions that I proposed is an optional SA plugin that would
> >treat the email found in the "From:" header as envelope sender and check
> >against that, raising the score or doing something if it failed.
>
> >That would obviously work and block hackers from spoofing, but as you
> >said, it would also break some other stuff, like mailing lists for
> >instance, so you deemed this solution evil and something that should
> >never be done on any mail server, even if that mail server was used only
> >by people who don't care about mailing lists at all.
>
> >So is there actually any other solution? That is what I am looking for,
> >and that is why I started this thread.
>
> The best thing you can do is set up postfix postscreen with as many
> RBLs properly weighted to block the majority of spoofing senders.
> This has been documented on this list so search the archives.
>
> Second is set up an extensive list of whitelist_auth domains that are
> commonly spoofed (ups.com, fedex.com, dhl.com, etc. -- ebay.com
> and paypal.com are already in the default rules) then train your Bayes
> and adjust scoring on existing rules to block the spoofed spam.
>
> Depending on your user base and where you're located, you can use
> language detection and country codes to add points to your SA score
> with ok_languages and the RelayCountry plugin.
>
> There is no hard and fast way to detect spoofing so just try to block
> it in SA just like any other spam. Try to reject as much as you can at
> the MTA level so SA only has to check a very small percentage of the
> mail connection attempts.
>
> Dave

Hi,

Thanks for that, I will do that. Another thing that comes to my mind: if my mail server signs every single e-mail with DKIM, that e-mail should be signed whether it's redistributed by a mailing list daemon or not? I see that my own e-mails here, and e-mails of some other people on this list, are DKIM signed.

So isn't there a way to get either postfix or SA to reject or flag emails that are sent specifically "from my domain" but aren't signed with DKIM? I even think that it's possible to set a DMARC policy to require emails from a domain to be signed. This would block forged e-mails but would not block e-mails from mailing lists.

Isn't it somehow possible to tell SA to score up these mails if they fail this DMARC policy?
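
One way to express the check asked about above in SpamAssassin rules, as an added example that is not part of the original thread. It assumes the stock DKIM plugin (Mail::SpamAssassin::Plugin::DKIM) is loaded with network tests enabled; `example.com`, the rule names and the score are placeholders chosen for illustration.

```conf
# local.cf fragment (constructed example; example.com stands in for your own domain)

# Sub-rule: the author address in the From: header is in our domain.
# The leading "__" keeps it from scoring on its own.
header   __FROM_MYDOM      From:addr =~ /\@example\.com$/i

# DKIM_VALID_AU is set by the DKIM plugin only when a signature verifies
# and it was made by the author's (From:) domain. A sender who merely writes
# our domain into From: cannot produce that without our signing key.
meta     MYDOM_NO_DKIM_AU  (__FROM_MYDOM && !DKIM_VALID_AU)
describe MYDOM_NO_DKIM_AU  From: is our domain but no valid author-domain DKIM signature

# Assumed value: set it relative to your own required_score.
score    MYDOM_NO_DKIM_AU  5.0
```

A list that rewrites the subject or appends a footer invalidates the original signature, so such copies of your own posts will match this rule as well. The same applies to mail from your own users if SpamAssassin scans it before the outbound signer has run.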
