Re: Preventing email spoofing
Quoting Oded Arbel, from the post of Mon, 19 Jun:
> You might want to read up on SPF.

There's also Yahoo's initiative of DomainKeys, which is pretty neat, if your SMTP server can implement it.

http://antispam.yahoo.com/domainkeys
http://ietf.org/html.charters/dkim-charter.html

--
Take with a grain of salt
Ira Abramov
http://ira.abramov.org/email/

= To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: Preventing email spoofing
Ilya Konstantinov wrote:
> Elazar Leibovich wrote:
>> Thanks! That's about the tool I've needed. But do you have experience with it? Does it have many (any) false positives? Will it reject many valid clients?
>
> SPF is not about guesswork and false positives. For one, it requires the active participation of every domain you wish to be safe about. Since that's probably less than 1% of the domains in today's Internet, you cannot just refuse mail from domains which don't participate in the SPF game. The only thing sensible to do right now is to refuse messages which fail the SPF test for the domain they *claim* to come from; everything else should be considered neutral.
>
> The result? You'd still be left with as many scams coming from random info domains, but when it comes to some high-profile domains which already deployed SPF (microsoft.com, ebay.com, gmail.com, hotmail.com...), you'd filter out all scams pretending to be them.
>
> Note that SPF is not something reserved for high-profile domains. Every Nigerian scam domain can deploy SPF and then it'll be verifiable fair and square. So, no easy way of killing off all those Nigerian scams? You betcha there isn't.

I am not sure SPF will solve this problem.

However - there is a simpler approach (at least in concept) - that is to drop (and not bounce) every mail that arrives with a RCPTTO user that doesn't exist in your mail domain(s).

All of this kind of scam are generating random usernames like [EMAIL PROTECTED]

FWIW - there is a patch for qmail that does precisely this.

Danny
www.software.co.il
Re: Preventing email spoofing
On Mon, 19 Jun 2006 04:44:25 -0700 (PDT), E Leibovich wrote:
> Is there any automated tool to bounce email not from the original server? That is, is there a tool that bounces back emails claiming they're from hostA (their from:[EMAIL PROTECTED]) however they're really from hostB (that is, received: from hostB...).
> This seems a good way to prevent many spam messages that claim to originate from your server.
> Is it a good idea? Is there any written script that does so?

This is NOT a good way. Many mailing lists and other sources (e.g. small offices sending their mail through their ISP) will bounce. Even your email - from: [EMAIL PROTECTED] - had come from [EMAIL PROTECTED]

Remember - all the headers (except the last Received:, created by your computer) may be forged.

Ehud.

--
Ehud Karni            Tel: +972-3-7966-561   /\
Mivtach - Simon       Fax: +972-3-7966-667   \ /  ASCII Ribbon Campaign
Insurance agencies    (USA) voice mail and    X   Against HTML Mail
http://www.mvs.co.il  FAX: 1-815-5509341     / \
GnuPG: 98EA398D       http://www.keyserver.net/   Better Safe Than Sorry
RE: Preventing email spoofing
This shouldn't be that easy. For example, I send my mails through my ISP outgoing mail server while my From: field is always set to my gmail account.

Regards,
Gregory.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of E Leibovich
Sent: Monday, June 19, 2006 2:44 PM
To: linux-il
Subject: Preventing email spoofing

Is there any automated tool to bounce email not from the original server? That is, is there a tool that bounces back emails claiming they're from hostA (their from:[EMAIL PROTECTED]) however they're really from hostB (that is, received: from hostB...).
This seems a good way to prevent many spam messages that claim to originate from your server.
Is it a good idea? Is there any written script that does so?
Re: Preventing email spoofing
On Mon, 2006-06-19 at 04:44 -0700, E Leibovich wrote:
> Is there any automated tool to bounce email not from the original server? That is, is there a tool that bounces back emails claiming they're from hostA (their from:[EMAIL PROTECTED]) however they're really from hostB (that is, received: from hostB...).
> This seems a good way to prevent many spam messages that claim to originate from your server.
> Is it a good idea?

You might want to read up on SPF.

--
Oded ::..
"If you're in a war, instead of throwing a hand grenade at the enemy, throw one of those small pumpkins. Maybe it'll make everyone think how stupid war is, and while they are thinking, you can throw a real grenade at them."
    -- Deep Thoughts by Jack Handey
Re: Preventing email spoofing
That's very true, I haven't thought of that. Thanks.

Any smarter idea? Maybe I can filter emails coming from my host email address and then make sure they're not received: from unknown source (spammers have the habit of including your hostname in the from: field, so that you'll whitelist them).

On 6/19/06, Ehud Karni [EMAIL PROTECTED] wrote:
> On Mon, 19 Jun 2006 04:44:25 -0700 (PDT), E Leibovich wrote:
>> Is there any automated tool to bounce email not from the original server? That is, is there a tool that bounces back emails claiming they're from hostA (their from:[EMAIL PROTECTED]) however they're really from hostB (that is, received: from hostB...).
>> This seems a good way to prevent many spam messages that claim to originate from your server.
>> Is it a good idea? Is there any written script that does so?
>
> This is NOT a good way. Many mailing lists and other sources (e.g. small offices sending their mail through their ISP) will bounce. Even your email - from: [EMAIL PROTECTED] - had come from [EMAIL PROTECTED]
>
> Remember - all the headers (except the last Received:, created by your computer) may be forged.
>
> Ehud.
Re: Preventing email spoofing
The thought-work was already done for you. As Oded said, read about Sender Policy Framework (SPF). Using a mail server with SPF is about all you can do; it ain't good news, but trust the smart people who thought SPF up, there isn't a better option.

Elazar Leibovich wrote:
> That's very true, I haven't thought of that. Thanks.
>
> Any smarter idea? Maybe I can filter emails coming from my host email address and then make sure they're not received: from unknown source (spammers have the habit of including your hostname in the from: field, so that you'll whitelist them).
>
> On 6/19/06, Ehud Karni [EMAIL PROTECTED] wrote:
>> On Mon, 19 Jun 2006 04:44:25 -0700 (PDT), E Leibovich wrote:
>>> Is there any automated tool to bounce email not from the original server? That is, is there a tool that bounces back emails claiming they're from hostA (their from:[EMAIL PROTECTED]) however they're really from hostB (that is, received: from hostB...).
>>> This seems a good way to prevent many spam messages that claim to originate from your server.
>>> Is it a good idea? Is there any written script that does so?
>>
>> This is NOT a good way. Many mailing lists and other sources (e.g. small offices sending their mail through their ISP) will bounce. Even your email - from: [EMAIL PROTECTED] - had come from [EMAIL PROTECTED]
>>
>> Remember - all the headers (except the last Received:, created by your computer) may be forged.
>>
>> Ehud.
Re: Preventing email spoofing
Thanks! That's about the tool I've needed. But do you have experience with it? Does it have many (any) false positives? Will it reject many valid clients?

On 6/19/06, Ilya Konstantinov [EMAIL PROTECTED] wrote:
> The thought-work was already done for you. As Oded said, read about Sender Policy Framework (SPF). Using a mail server with SPF is about all you can do; it ain't good news, but trust the smart people who thought SPF up, there isn't a better option.
>
> Elazar Leibovich wrote:
>> That's very true, I haven't thought of that. Thanks.
>>
>> Any smarter idea? Maybe I can filter emails coming from my host email address and then make sure they're not received: from unknown source (spammers have the habit of including your hostname in the from: field, so that you'll whitelist them).
>>
>> On 6/19/06, Ehud Karni [EMAIL PROTECTED] wrote:
>>> On Mon, 19 Jun 2006 04:44:25 -0700 (PDT), E Leibovich wrote:
>>>> Is there any automated tool to bounce email not from the original server? That is, is there a tool that bounces back emails claiming they're from hostA (their from:[EMAIL PROTECTED]) however they're really from hostB (that is, received: from hostB...).
>>>> This seems a good way to prevent many spam messages that claim to originate from your server.
>>>> Is it a good idea? Is there any written script that does so?
>>>
>>> This is NOT a good way. Many mailing lists and other sources (e.g. small offices sending their mail through their ISP) will bounce. Even your email - from: [EMAIL PROTECTED] - had come from [EMAIL PROTECTED]
>>>
>>> Remember - all the headers (except the last Received:, created by your computer) may be forged.
>>>
>>> Ehud.
Re: Preventing email spoofing
Elazar Leibovich wrote:
> Thanks! That's about the tool I've needed. But do you have experience with it? Does it have many (any) false positives? Will it reject many valid clients?

SPF is not about guesswork and false positives. For one, it requires the active participation of every domain you wish to be safe about. Since that's probably less than 1% of the domains in today's Internet, you cannot just refuse mail from domains which don't participate in the SPF game. The only thing sensible to do right now is to refuse messages which fail the SPF test for the domain they *claim* to come from; everything else should be considered neutral.

The result? You'd still be left with as many scams coming from random info domains, but when it comes to some high-profile domains which already deployed SPF (microsoft.com, ebay.com, gmail.com, hotmail.com...), you'd filter out all scams pretending to be them.

Note that SPF is not something reserved for high-profile domains. Every Nigerian scam domain can deploy SPF and then it'll be verifiable fair and square. So, no easy way of killing off all those Nigerian scams? You betcha there isn't.
Re: Preventing email spoofing
On 6/19/06, Ilya Konstantinov [EMAIL PROTECTED] wrote:
> Note that SPF is not something reserved for high-profile domains. Every Nigerian scam domain can deploy SPF and then it'll be verifiable fair and square. So, no easy way of killing off all those Nigerian scams? You betcha there isn't.

That's because SPF is not intended to solve the spam problem, it's intended to solve the domain masquerading problem.

It's basically an authentication method where you trust a trusted 3rd party (the DNS server) to tell you which hosts are allowed to send mail on behalf of the domain that you're querying about. For example, my SPF record is:

    arik.baratz.org. 43200 IN TXT v=spf1 include:aspmx.googlemail.com ~all

This means that I trust aspmx.googlemail.com to tell which hosts are allowed to send email on my behalf. Google's SPF record is:

    aspmx.googlemail.com. 7200 IN TXT v=spf1 redirect=_spf.google.com

and

    _spf.google.com. 274 IN TXT v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all

so these are the addresses that can send email for my domain.

The immediate benefit from SPF is that it prevents joe-jobs, some spammer using your domain to send spam from. The future benefit when it is widely deployed would be a black-list of domains that have sent spam. Since you can't forge your domain, you'd have to send spam from a domain you own, therefore you'd have to keep on buying domains as the existing ones get into the blacklist.

-- Arik
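The record chain Arik walks through, and the refuse-only-on-fail policy Ilya describes earlier in the thread, as an added example that is not code from any poster here. DNS answers are held in a dict so it runs offline; `bank.example`, `check_host` and `smtp_decision` are names made up for illustration, and only the `ip4`, `include`, `all` and `redirect` terms are handled.

```python
import ipaddress

# DNS TXT answers held in a dict so the example runs offline. The first three
# records are the ones quoted in the post above (2006 values); bank.example is
# a constructed domain with a hard-fail policy.
TXT = {
    "arik.baratz.org": "v=spf1 include:aspmx.googlemail.com ~all",
    "aspmx.googlemail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 "
                       "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all",
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Return the SPF result for a connecting IP and the claimed sender domain."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    if depth > 10:
        return "permerror"                 # include/redirect loop guard
    addr, redirect = ipaddress.ip_address(ip), None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIER[qual]
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:]):
                return QUALIFIER[qual]
        elif mech.startswith("include:"):
            inner = check_host(ip, mech[8:], depth + 1)
            if inner == "pass":            # only a pass inside an include matches
                return QUALIFIER[qual]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"             # mechanism outside this example's subset
    if redirect:                           # consulted only when no mechanism matched
        result = check_host(ip, redirect, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"

def smtp_decision(ip, domain):
    """Policy from the thread: refuse only an explicit fail, accept the rest."""
    return "reject" if check_host(ip, domain) == "fail" else "accept"
```

With `~all`, mail claiming arik.baratz.org from an unlisted address evaluates to softfail and is still accepted under this policy; only a domain publishing `-all` gets forged mail refused outright.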