Tim,

Well, to be honest, I really don't understand SPF all that well and I don't have time to experiment with it right now.
Here's what I was experiencing: The qmail SPF checker seems to be using the HELO address to do SPF lookups. The spam in question has a legitimate HELO address; it is just spoofing our domain on the envelope FROM. The SPF checker finds that the sender does not have an SPF record, and without any evidence that there is a problem, lets the message through. Presumably it would not be useful to reject mail from a sender without an SPF record, since there are probably legitimate senders without one. Perhaps someday this can work, just like senders are much more conscious now about rDNS issues than they used to be.

I'm sure I am missing something, and I would welcome any guidance in this area. In the meantime, I have a Spamdyke solution (which I will post separately) that seems to work for now.

Thanks for your help.

Regards,
Joe

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tim Mancour
Sent: Monday, February 09, 2009 18:00
To: 'spamdyke users'
Subject: Re: [spamdyke-users] Spammers spoofing internal FROM addresses

If you don't mind me asking, what problem are you having with SPF? I've been using SPF for several years now and it does stop the sort of spoofing that you described.

Regards,
Tim

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joe Canner
Sent: Monday, February 09, 2009 11:48 AM
To: 'spamdyke users'
Subject: Re: [spamdyke-users] Spammers spoofing internal FROM addresses

Sam,

Having given up on SPF, I am about to try a couple of things related to what you are suggesting:

1. Change filter-level to require-auth. However, I don't know what that will do to legitimate incoming mail from other domains.
2. Change filter-level to require-auth just for senders with my domain (using a _sender_ config-dir).
3. Remove my domain from sender-whitelists if necessary.
4. Remove the IP of my mail server from IP-whitelist if necessary.

Is this more or less what you had in mind?
I'll let you know how it goes.

Joe

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Sam Clippinger
Sent: Monday, February 09, 2009 16:38
To: spamdyke users
Subject: Re: [spamdyke-users] Spammers spoofing internal FROM addresses

No, I was thinking that you could configure spamdyke to require authentication whenever a message is delivered _from_ an address at one of your domains. That should prevent remote clients from spoofing your addresses, right?

Just after I sent that last message, I decided it was a stupid idea and it obviously wouldn't work, but now I can't remember why I thought that. So I'm either completely wrong or I'm losing my mind; please let me know which one so I can plan accordingly. :)

-- Sam Clippinger

Joe Canner wrote:
> Sam,
>
> Thanks for your response. I'm trying SPF at the moment to see if that will work.
>
> I'm not sure I understand what you mean about requiring authentication. I have smtp-auth-level set to "ondemand-encrypted". Do I need to set it to something else? Or do you mean I need to take my domain out of rcpthosts/tcp.smtp so that it treats it as external and requires authentication for relaying? Or something else?
>
> Thanks for your help.
>
> Joe
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Sam Clippinger
> Sent: Friday, February 06, 2009 18:58
> To: spamdyke users
> Subject: Re: [spamdyke-users] Spammers spoofing internal FROM addresses
>
> I'm still not excited about this idea because I believe it will cause more problems than it will solve. Personally, I use a lot of automated tools that send me reports/etc. using my address, and this kind of filter would block all of those. Determining whether an rDNS/IP is authorized to send email is tricky (SPF was designed for this purpose). I'm open to debate, however.
>
> In the short term, could you stop this kind of spam by configuring spamdyke to require authentication for all of your local domains?
>
> -- Sam Clippinger
>
> Joe Canner wrote:
>
>> Dear Spamdyke community,
>>
>> A month or two ago there was a thread about spam where the FROM address is the same as the TO address (both referring to the recipient of the spam). At the time, this issue was dismissed without much discussion. This has, within the last month, become a very serious problem for us. Because the FROM address is local, it bypasses graylisting, which up until now had been a very effective method of protection.
>>
>> Can anyone suggest a solution to this? Please don't suggest SpamAssassin or blacklists, I am not interested in those right now (too many false positives for one thing, too many unsophisticated users for another).
>>
>> Surely there must be a way in Spamdyke to block mail with a FROM address that is different from the RDNS address. Or, alternatively, to block mail where the TO and FROM addresses are the same and the RDNS address is not local.
>>
>> Thank you all for your assistance.
>>
>> Best Regards,
>>
>> Joe Canner
>>
>> Casablanca, MOROCCO
>>
>> _______________________________________________
>> spamdyke-users mailing list
>> [email protected]
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
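Editor's note, added after the thread and not part of any message above nor of spamdyke's own code: the exchange turns on one point that is easy to miss, namely that the greylisting exemption in Joe's setup is keyed on the envelope sender domain, which is unauthenticated input chosen by the client, while the SPF check is keyed on HELO, which the spammer chooses to be a domain whose record it satisfies. The toy policy model below makes that concrete. It evaluates constructed SMTP sessions against the original policy (sender-domain whitelist plus SPF on HELO) and against Sam's proposal (a local-domain MAIL FROM is only accepted from an authenticated client or from the site's own MTA, SPF evaluated on MAIL FROM, and the greylisting exemption keyed on AUTH or source IP rather than on the sender address). Every domain, IP address and SPF entry is made up for illustration; keeping the local MTA's IP exempt is an assumption that addresses Sam's concern about unauthenticated report jobs, and it differs from Joe's step 4 above.

```python
# Added example (not spamdyke code): a toy model of the two policies argued over
# in this thread. It shows why a sender-domain whitelist is bypassable and why
# "require AUTH for local-domain senders" closes the hole without touching
# ordinary inbound mail. All domains, IPs and SPF data below are constructed.
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}   # assumed: the site's own mail domain
LOCAL_MTA_IPS = {"192.0.2.10"}    # assumed: the site's own server (cron jobs, reports)

# Constructed stand-in for DNS: domain -> IPs its SPF record authorizes.
# A missing key means "no SPF record", which evaluates to "none", not "fail".
SPF_TABLE = {
    "example.com": {"192.0.2.10"},
    "bulkmailer.example.net": {"198.51.100.5"},
}


@dataclass(frozen=True)
class Session:
    client_ip: str
    helo: str                    # domain offered in HELO/EHLO
    mail_from: str               # envelope sender (MAIL FROM)
    rcpt_to: str
    authenticated: bool = False  # did the client complete SMTP AUTH?


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def spf_check(domain: str, ip: str) -> str:
    """Minimal SPF outcome: 'pass', 'fail', or 'none' (no record published)."""
    allowed = SPF_TABLE.get(domain.lower())
    if allowed is None:
        return "none"
    return "pass" if ip in allowed else "fail"


def policy_original(s: Session) -> str:
    """What Joe describes: SPF evaluated against HELO, and any local-domain
    sender exempt from greylisting. The sender domain is attacker-controlled."""
    if spf_check(s.helo, s.client_ip) == "fail":
        return "reject: SPF fail on HELO"
    if sender_domain(s.mail_from) in LOCAL_DOMAINS or s.client_ip in LOCAL_MTA_IPS:
        return "accept: whitelisted"   # a spoofed MAIL FROM lands here
    return "greylist"


def policy_hardened(s: Session) -> str:
    """Sam's suggestion: a local-domain MAIL FROM must come from an AUTH'd
    client or from the site's own MTA. SPF is evaluated on MAIL FROM, and the
    greylisting exemption is keyed on AUTH or source IP, never on the address."""
    dom = sender_domain(s.mail_from)
    trusted = s.authenticated or s.client_ip in LOCAL_MTA_IPS
    if dom in LOCAL_DOMAINS and not trusted:
        return "reject: local sender must authenticate"
    if trusted:
        return "accept: trusted"       # authenticated submission is not subject to SPF
    if spf_check(dom, s.client_ip) == "fail":
        return "reject: SPF fail on MAIL FROM"
    return "greylist"


# Constructed sessions covering the cases raised in the thread.
SPOOFED = Session("198.51.100.5", "bulkmailer.example.net",   # legit HELO, SPF passes
                  "joe@example.com", "joe@example.com")         # but envelope FROM is ours
EXTERNAL_NO_SPF = Session("203.0.113.7", "mx.other.example",
                          "alice@other.example", "joe@example.com")
ROAMING_USER = Session("203.0.113.50", "laptop", "joe@example.com",
                       "bob@other.example", authenticated=True)
LOCAL_CRON = Session("192.0.2.10", "example.com", "joe@example.com", "joe@example.com")
FORGED_SPF_DOMAIN = Session("203.0.113.7", "mx.other.example",
                            "news@bulkmailer.example.net", "joe@example.com")

CASES = {"SPOOFED": SPOOFED, "EXTERNAL_NO_SPF": EXTERNAL_NO_SPF,
         "ROAMING_USER": ROAMING_USER, "LOCAL_CRON": LOCAL_CRON,
         "FORGED_SPF_DOMAIN": FORGED_SPF_DOMAIN}


def compare(sessions=CASES):
    """Return {name: (original verdict, hardened verdict)} for each session."""
    return {name: (policy_original(s), policy_hardened(s)) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:18} original={old:32} hardened={new}")
```

Running it shows the two verdicts side by side: the spoofed message with the recipient's own address as sender is accepted outright by the original policy (its HELO passes SPF, so nothing fires) and rejected by the hardened one, while mail from an external domain with no SPF record is greylisted under both, which is the answer to Joe's worry in step 1 that require-auth would hurt legitimate inbound mail.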
