Re: Sudden surge in spam appearing to come from my email address
> I am suddenly getting hammered by a BUNCH of spam that appears to be from me. It scores low, and even though I keep feeding it to Bayes, it's still not hitting the threshold to be marked as spam.
>
> When I check the headers, it's coming from multiple random email servers, but many appear to originate from hotmail/outlook.com. So from outlook.com, through some unsecured email server, then to my server.

SA can't block this trash by itself, but if something post the SA invocation can look at the headers you might be able to block it. You can certainly mark it as spam. For instance:

#
# Ok, catch 'from me' when it isn't
header __FROM_ME_1 From =~ //i
header __FROM_ME_2 From =~ /\"First Last\" /
header __FROM_ME_3 From =~ /First Last /
meta NOT_FROM_ME __FROM_ME_1 && !(__FROM_ME_2 || __FROM_ME_3)
score NOT_FROM_ME 10
describe NOT_FROM_ME Spammer faking the mail from me!

Mind the backslash on the quotes and at sign. Depending on versions of things these are necessary, and don't hurt if they are not necessary.
Re: Sudden surge in spam appearing to come from my email address
On 7/14/23 6:06 PM, Thomas Cameron wrote:
> I'm trying to figure out how to block this stuff. Something like "if it appears to come from me, but it's not actually coming from my email server," block it.

SPF with hard fail in your own domain /and/ filtering that respects SPF hard fail will almost certainly stop this like a switch.

On 7/14/23 7:28 PM, Thomas Cameron wrote:
> But because I use several mailing lists, I do not have a hard fail set up. I get SO many notices when I send email to lists that I'm really worried about defining hard failures/rejections.

I consider that to be a failure on the mailing list's part. Mailing lists can't successfully operate like they did 25+ years ago.

> But I'll play around with what you suggested.

+10 for SPF.

+1 for encouraging mailing list operators to get with the times.

You can also do as Robert suggests and use a separate (sub)domain for mailing lists with different SPF settings thereon.

Grant. . . .
Re: Sudden surge in spam appearing to come from my email address
I've set up a subdomain lists.mydomain.de (and with regex expressions as local part, to have unique email address per list, forgot to do that here...) with soft spf and dmarc policies and that I only use for mailing lists. Then I can use hard failure spf and dkim policies for the domain mydomain.de itself.

Robert

On Friday, 14.07.2023 at 19:28 -0500, Thomas Cameron wrote:
> This kinda raises an important issue. I already have SPF/DMARC/DKIM set up. But because I use several mailing lists, I do not have a hard fail set up. I get SO many notices when I send email to lists that I'm really worried about defining hard failures/rejections.
>
> But I'll play around with what you suggested.
>
> Thomas
>
> On 7/14/23 18:58, David B Funk wrote:
> > Assuming you own/manage your infrastructure it should be straight-forward.
> >
> > Create SPF records for your domain & SMTP server, set them to either soft or hard fail mode.
> > If you can, also set up DKIM signing of your outgoing mail.
> >
> > Then create rules that look for your from address in a message and a meta which says "if from me & DKIM-fail/SPF-fail hit it hard"
> >
> > If you can work with the SPF hard fail you will also help to improve your net reputation as spammers will have a harder time trying to "Joe Job" you.
> >
> > On Fri, 14 Jul 2023, Thomas Cameron wrote:
> > > All -
> > >
> > > I am suddenly getting hammered by a BUNCH of spam that appears to be from me. It scores low, and even though I keep feeding it to Bayes, it's still not hitting the threshold to be marked as spam.
> > >
> > > When I check the headers, it's coming from multiple random email servers, but many appear to originate from hotmail/outlook.com. So from outlook.com, through some unsecured email server, then to my server.
> > >
> > > I'm trying to figure out how to block this stuff. Something like "if it appears to come from me, but it's not actually coming from my email server," block it. I don't necessarily think this is a job for SA, but if there's a rule I can tweak or a setting I can change, I'm all ears.
> > >
> > > Thanks,
> > > Thomas

--
Robert Senger
Re: Sudden surge in spam appearing to come from my email address
This kinda raises an important issue. I already have SPF/DMARC/DKIM set up. But because I use several mailing lists, I do not have a hard fail set up. I get SO many notices when I send email to lists that I'm really worried about defining hard failures/rejections.

But I'll play around with what you suggested.

Thomas

On 7/14/23 18:58, David B Funk wrote:
> Assuming you own/manage your infrastructure it should be straight-forward.
>
> Create SPF records for your domain & SMTP server, set them to either soft or hard fail mode.
> If you can, also set up DKIM signing of your outgoing mail.
>
> Then create rules that look for your from address in a message and a meta which says "if from me & DKIM-fail/SPF-fail hit it hard"
>
> If you can work with the SPF hard fail you will also help to improve your net reputation as spammers will have a harder time trying to "Joe Job" you.
>
> On Fri, 14 Jul 2023, Thomas Cameron wrote:
> > All -
> >
> > I am suddenly getting hammered by a BUNCH of spam that appears to be from me. It scores low, and even though I keep feeding it to Bayes, it's still not hitting the threshold to be marked as spam.
> >
> > When I check the headers, it's coming from multiple random email servers, but many appear to originate from hotmail/outlook.com. So from outlook.com, through some unsecured email server, then to my server.
> >
> > I'm trying to figure out how to block this stuff. Something like "if it appears to come from me, but it's not actually coming from my email server," block it. I don't necessarily think this is a job for SA, but if there's a rule I can tweak or a setting I can change, I'm all ears.
> >
> > Thanks,
> > Thomas
Re: Sudden surge in spam appearing to come from my email address
Assuming you own/manage your infrastructure it should be straight-forward.

Create SPF records for your domain & SMTP server, set them to either soft or hard fail mode.
If you can, also set up DKIM signing of your outgoing mail.

Then create rules that look for your from address in a message and a meta which says "if from me & DKIM-fail/SPF-fail hit it hard"

If you can work with the SPF hard fail you will also help to improve your net reputation as spammers will have a harder time trying to "Joe Job" you.

On Fri, 14 Jul 2023, Thomas Cameron wrote:
> All -
>
> I am suddenly getting hammered by a BUNCH of spam that appears to be from me. It scores low, and even though I keep feeding it to Bayes, it's still not hitting the threshold to be marked as spam.
>
> When I check the headers, it's coming from multiple random email servers, but many appear to originate from hotmail/outlook.com. So from outlook.com, through some unsecured email server, then to my server.
>
> I'm trying to figure out how to block this stuff. Something like "if it appears to come from me, but it's not actually coming from my email server," block it. I don't necessarily think this is a job for SA, but if there's a rule I can tweak or a setting I can change, I'm all ears.
>
> Thanks,
> Thomas

--
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
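
Added example, not part of any post in this thread: a header check of the kind suggested above ("if from me & DKIM-fail/SPF-fail hit it hard"), written as a small post-filter that flags mail whose From: is your own address unless an SPF or DKIM pass aligned with that domain backs it. It assumes your receiving MTA stamps an Authentication-Results header; `me@example.com`, `mx.example.com` and all function names are placeholders, and the alignment test is a simplification of DMARC relaxed alignment.

```python
import email
import re
from email import policy
from email.utils import parseaddr

MY_ADDRESSES = {"me@example.com"}      # assumption: the address being forged
TRUSTED_AUTHSERV = "mx.example.com"    # assumption: authserv-id stamped by our own MTA
IDENTITY_PROP = {"dkim": "header.d", "spf": "smtp.mailfrom"}

def _domain(value):
    return value.rsplit("@", 1)[-1].strip().lower()

def _aligned(auth_domain, from_domain):
    # Simplified relaxed alignment: the From domain itself or a subdomain of it.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def _auth_results(msg):
    """Yield (method, result, props) from headers added by our own MTA only."""
    for raw in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in re.sub(r"\([^)]*\)", "", str(raw)).split(";")]
        if not parts[0] or parts[0].split()[0].lower() != TRUSTED_AUTHSERV:
            continue  # stamped upstream or supplied by the sender: never trust it
        for part in parts[1:]:
            tokens = part.split()
            if tokens and "=" in tokens[0]:
                method, result = tokens[0].lower().split("=", 1)
                yield method, result, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def forged_from_me(raw_message):
    """True if From: is one of MY_ADDRESSES and no aligned SPF/DKIM pass backs it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    if from_addr not in MY_ADDRESSES:
        return False
    for method, result, props in _auth_results(msg):
        ident = props.get(IDENTITY_PROP.get(method, ""), "")
        if result == "pass" and _aligned(_domain(ident), _domain(from_addr)):
            return False
    return True

# Constructed samples: SPOOFED passes SPF only for an unrelated envelope domain.
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=b@relay.invalid; dkim=none\n"
    "Authentication-Results: relay.invalid; dkim=pass header.d=example.com\n"
    'From: "First Last" <me@example.com>\nSubject: sample\n\nbody\n'
)
GENUINE = (
    "Authentication-Results: mx.example.com; dkim=pass (ok) header.d=example.com\n"
    'From: "First Last" <me@example.com>\nSubject: sample\n\nbody\n'
)
```

SPF is evaluated against the envelope sender, not the From: header, which is why an SPF pass for an unrelated domain does not clear the message here. Your own posts coming back from a mailing list that breaks the DKIM signature will also be flagged, so scoring is safer than rejecting.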
Sudden surge in spam appearing to come from my email address
All -

I am suddenly getting hammered by a BUNCH of spam that appears to be from me. It scores low, and even though I keep feeding it to Bayes, it's still not hitting the threshold to be marked as spam.

When I check the headers, it's coming from multiple random email servers, but many appear to originate from hotmail/outlook.com. So from outlook.com, through some unsecured email server, then to my server.

I'm trying to figure out how to block this stuff. Something like "if it appears to come from me, but it's not actually coming from my email server," block it. I don't necessarily think this is a job for SA, but if there's a rule I can tweak or a setting I can change, I'm all ears.

Thanks,
Thomas