OK. We are getting sick of this spamming issue. We have a domain that is continually being used by spammers to send out mail as being from them and to them. Is there any way with Qmail/Vpopmail to always require mail from a specific email address or domain to have to use SMTP-auth even if it is to someone in the same domain?
I.e., mail coming from [EMAIL PROTECTED] going to [EMAIL PROTECTED] would always go through as far as I know.
This won't work. How would legitimate mail get to your machine? You'd have to get all the remote servers to agree to patch their systems to require smtp auth when sending to your domain. That's impossible.
If you want to get aggressive about forgery, there appear to be 2 leading concepts to prevent it:
1. Greylisting
2. SPF
Greylisting is really effective, and does not require remote MTAs to be compliant. However, it will cause all new mail to bounce (temporary failure) at least once before becoming "Greylisted". This is how it starts tracking legitimate header/IP combinations. To learn more about Greylisting, see:
http://projects.puremagic.com/greylisting/
You'll also find my Greylisting patches on http://www.shupp.org
SPF is something like a DNS-based "reverse MX" system to designate permitted senders for mails depending on the domain name. I have not personally experimented with it, but it looks interesting. The upside is that legitimate mail should not bounce. The downside is that the sender's domain must have an SPF DNS entry. I don't know how widespread SPF DNS deployment is. Because of this, you'll have to default to allow non-SPF-reporting domains, otherwise you'll risk losing a LOT of legitimate mail and pissing off your customers. Here's the SPF link:
http://spf.pobox.com/
And here's a qmail patch to implement SPF:
http://www.saout.de/misc/spf/
If you decide to implement either, please share your experiences here.
Regards,
Bill Shupp
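
The greylisting behaviour described in the reply above, as an added example that is not part of the original thread and is not taken from the linked patches: a new (client network, envelope sender, envelope recipient) triplet gets a temporary failure, and a retry after a minimum delay is accepted and remembered. The class name, the timing constants, the /24 and /64 grouping and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumed timings (not from the thread); real deployments tune these.
MIN_DELAY = 300              # seconds before a retry of a new triplet is accepted
RETRY_WINDOW = 4 * 3600      # an unconfirmed triplet is forgotten after this long
PASS_LIFETIME = 36 * 86400   # a confirmed triplet expires this long after last use


class Greylist:
    def __init__(self):
        self.db = {}  # triplet key -> [first_seen, last_seen, confirmed]

    @staticmethod
    def key(client_ip, mail_from, rcpt_to):
        # Assumption: group by network so retries from a sender's pool still match.
        prefix = 24 if ipaddress.ip_address(client_ip).version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code for RCPT TO: 250 accept, 451 try again later."""
        k = self.key(client_ip, mail_from, rcpt_to)
        rec = self.db.get(k)
        if rec:
            first, last, confirmed = rec
            limit, since = (PASS_LIFETIME, last) if confirmed else (RETRY_WINDOW, first)
            if now - since > limit:
                rec = None  # stale record: treat the triplet as new again
        if rec is None:
            self.db[k] = [now, now, False]
            return 451  # first sighting: temporary failure, a real MTA will retry
        if rec[2] or now - rec[0] >= MIN_DELAY:
            rec[1], rec[2] = now, True
            return 250  # retried after the delay, or already known: accept
        return 451      # retried too quickly: keep deferring


if __name__ == "__main__":
    gl = Greylist()
    msg = ("192.0.2.10", "alice@example.org", "bob@example.com")  # constructed sample
    for t in (0, 60, 400, 500):
        print(t, gl.check(*msg, now=t))
```

Because the decision is made from the connecting IP and the envelope addresses only, it needs no cooperation from the remote MTA beyond normal retry behaviour, which is the property the reply points out.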
