This is exactly what I had in mind. Has it made a difference?

-- Sam Clippinger

Joe Canner wrote:
> Sam et al.,
>
> In case anyone is interested, here are the details of what I did. Time will
> tell whether it is effective, but I don't have any reason to believe it
> won't be (for this type of spam anyway):
>
> 1. Set up a config-dir using the "_sender_/tld/mydomain" directory structure
> as outlined in the spamdyke documentation.
> 2. Create a config file at the bottom of the directory that says
> filter-level=require-auth
> 3. Remove mydomain.tld from sender-whitelist
> 4. Change POP clients to provide SMTP authentication information
> 5. If using webmail and web server is different from mail server, may need
> to add IP address of web server to IP-whitelist. (I am using Squirrelmail
> and I couldn't figure out a way to get SM to do SMTP authentication.
> However, since presumably SM users are already authenticated when they log
> in, whitelisting shouldn't be a problem)
> 6. If necessary, also whitelist any other servers or programs that send you
> status updates using your domain name.
>
> Sorry if this is elementary for most of you. This is my first time digging
> this far into spamdyke. Any comments or improvements are most welcome.
>
> Cheers,
> Joe
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Sam Clippinger
> Sent: Monday, February 09, 2009 16:38
> To: spamdyke users
> Subject: Re: [spamdyke-users] Spammers spoofing internal FROM addresses
>
> No, I was thinking that you could configure spamdyke to require
> authentication whenever a message is delivered _from_ an address at one
> of your domains. That should prevent remote clients from spoofing your
> addresses, right? Just after I sent that last message, I decided it was
> a stupid idea and it obviously wouldn't work but now I can't remember
> why I thought that. So I'm either completely wrong or I'm losing my
> mind, please let me know which one so I can plan accordingly. :)
>
> -- Sam Clippinger
>
> Joe Canner wrote:
>> Sam,
>>
>> Thanks for your response. I'm trying SPF at the moment to see if that
>> will work.
>>
>> I'm not sure I understand what you mean about requiring authentication. I
>> have smtp-auth-level set to "ondemand-encrypted". Do I need to set it to
>> something else? Or do you mean I need to take my domain out of
>> rcpthosts/tcp.smtp so that it treats it as external and required
>> authentication for relaying? Or something else?
>>
>> Thanks for your help.
>>
>> Joe
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Sam Clippinger
>> Sent: Friday, February 06, 2009 18:58
>> To: spamdyke users
>> Subject: Re: [spamdyke-users] Spammers spoofing internal FROM addresses
>>
>> I'm still not excited about this idea because I believe it will cause
>> more problems than it will solve. Personally, I use a lot of automated
>> tools that send me reports/etc using my address and this kind of filter
>> would block all of those. Determining whether an rDNS/IP is authorized
>> to send email is tricky (SPF was designed for this purpose). I'm open to
>> debate, however.
>>
>> In the short term, could you stop this kind of spam by configuring
>> spamdyke to require authentication for all of your local domains?
>>
>> -- Sam Clippinger
>>
>> Joe Canner wrote:
>>> Dear Spamdyke community,
>>>
>>> A month or two ago there was a thread about spam where the FROM
>>> address is the same as the TO address (both referring to the recipient
>>> of the spam). At the time, this issue was dismissed without much
>>> discussion. This has, within the last month, become a very serious
>>> problem for us. Because the FROM address is local, it bypasses
>>> graylisting, which up until now had been a very effective method of
>>> protection.
>>>
>>> Can anyone suggest a solution to this? Please don't suggest
>>> SpamAssassin or blacklists, I am not interested in those right now
>>> (too many false positives for one thing, too many unsophisticated
>>> users for another).
>>>
>>> Surely there must be a way in Spamdyke to block mail with a FROM
>>> address that is different from the RDNS address. Or, alternatively, to
>>> block mail where the TO and FROM addresses are the same and the RDNS
>>> address is not local.
>>>
>>> Thank you all for your assistance.
>>>
>>> Best Regards,
>>>
>>> Joe Canner
>>>
>>> Casablanca, MOROCCO
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> spamdyke-users mailing list
>>> [email protected]
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
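
The policy worked out in the thread above (require SMTP authentication whenever the envelope sender claims a local domain, with IP-whitelist exceptions), modelled as an added example that is not part of the original messages and is not spamdyke's own code. The order of checks, the function names and the addresses are assumptions, and the sessions are constructed; the model compares the old sender-whitelist setup with the setup after steps 1-6.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Session:
    remote_ip: str
    authenticated: bool   # client completed SMTP AUTH
    mail_from: str        # envelope sender as given in MAIL FROM

def sender_domain(mail_from):
    """Lower-cased domain of an envelope sender; '' for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def decide(s, local_domains, ip_whitelist, sender_whitelist=()):
    """Model of the policy (assumed check order, not spamdyke's own logic).
    Returns 'accept', 'filter' (normal filters, e.g. graylisting) or
    'reject-auth-required'."""
    ip = ipaddress.ip_address(s.remote_ip)
    if s.authenticated or any(ip in ipaddress.ip_network(n) for n in ip_whitelist):
        return "accept"
    dom = sender_domain(s.mail_from)
    if dom in sender_whitelist:
        return "accept"                  # claimed sender alone skips the filters
    if dom in local_domains:
        return "reject-auth-required"    # steps 1-2: local sender must authenticate
    return "filter"

LOCAL = {"mydomain.tld"}
WEBMAIL = ["192.0.2.10/32"]              # step 5: web server running webmail
# Constructed sessions (documentation address ranges, not real traffic).
SESSIONS = {
    "spoofed":  Session("203.0.113.50", False, "<Joe@MyDomain.TLD>"),
    "pop_user": Session("198.51.100.7", True,  "joe@mydomain.tld"),
    "webmail":  Session("192.0.2.10",   False, "joe@mydomain.tld"),
    "external": Session("203.0.113.9",  False, "alice@example.org"),
    "bounce":   Session("203.0.113.9",  False, "<>"),
}

def before():
    """Old setup: the local domain sits in the sender whitelist."""
    return {k: decide(s, LOCAL, [], LOCAL) for k, s in SESSIONS.items()}

def after():
    """Steps 1-6: whitelist entry removed, auth required, webmail IP whitelisted."""
    return {k: decide(s, LOCAL, WEBMAIL) for k, s in SESSIONS.items()}

if __name__ == "__main__":
    for name in SESSIONS:
        print(f"{name:9} before={before()[name]:7} after={after()[name]}")
```

Only the spoofed session changes outcome between the two setups; the null-sender bounce and ordinary external mail still go through the normal filters.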
