>What I was hoping for was, that as someone who does bother checking, to
>find out a solution that would help me prevent from receiving spoofed
>e-mails, because as I mentioned multiple times SPF, DKIM, and DMARC is
>not able to do that. I am looking for a way how to detect that e-mail is
>spoofed. Any way.
>Now, for sure users who do not want to bother to check will always
>receive spoofed e-mails easily, so how about users who do want to check?
>What solution that works is out there? What can you actually do to
>prevent receiving spoofed e-mails?
>One of solutions that I proposed is an optional SA plugin that would
>treat the email found in "From:" header as envelope sender and check
>against that, raising the score or doing something if it failed.
>That would obviously work and blocked hackers from spoofing, but as you
>said, it would also break some other stuff, like mailing lists for
>instance, so you deemed this solution evil and something what should
>never be done on any mail server, even if that mail server was used only
>by people who don't care about mailing lists at all.
>So is there actually any other solution? That is what I am looking for,
>and that is why I started this thread.
The best thing you can do is setup postfix postscreen with as many
RBLs properly weighted to block the marjority of spoofing senders.
This has been documented on this list so search the archives.
Second is setup an extensive list of whitelist_auth domains that are
commonly spoofed (ups.com, fedex.com, dhl.com, etc. -- ebay.com
and paypal.com are already in the default rules) then train your Bayes
and adjust scoring on existing rules to block the spoofed spam.
Depending on your user base and where your located, you can use
language detection and country codes to add points to your SA score
with ok_languages and the RelayCountry plugin.
There is no hard and fast way to detect spoofing so just try to block
it in SA just like any other spam. Try to reject as much as you can at
the MTA level so SA only has to check a very small percentage of the
mail connection attempts.