Re: catching fake usernames?
>> Rick Roe wrote:
>> > I get a lot of spam whose From addresses are users that don't exist on
>> > my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).
>> > I recently set up a scheme to manually blacklist all From addresses on
>> > my domains and un-blacklist the fifty or so "real" addresses mail can
>> > legitimately come from (the system aliases like postmaster, daemon,
>> > and so forth, and a small handful of real users each with a handful of
>> > aliases), using blacklist_from and unblacklist_from in the local
>> > config file.

Hi,

if a sender is your domain but the mail comes from outside, it should be authenticated whether it goes to a local or remote address.
I know that MS lookback tries to be extra smart and refuses to auth in that case, but there are other mail clients ...

Wolfgang Hamann
Re: catching fake usernames?
John Andersen wrote:
> On Wednesday 30 August 2006 21:25, Benny Pedersen wrote:
>> On Thu, August 31, 2006 05:41, Rick Roe wrote:
>>> like there should be a simpler, more automatic way to do this. Am I
>>> missing something?
>>
>> in postfix main.cf
>>
>> smtpd_reject_unlisted_sender = yes
>
> Won't work if ONE of the recipients is real...

OP is talking about _sender_. So Benny's rule works if OP means envelope sender (in contrast to From header).
Re: catching fake usernames?
Rick Roe wrote:
> I get a lot of spam whose From addresses are users that don't exist on
> my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).
> I recently set up a scheme to manually blacklist all From addresses on
> my domains and un-blacklist the fifty or so "real" addresses mail can
> legitimately come from (the system aliases like postmaster, daemon,
> and so forth, and a small handful of real users each with a handful of
> aliases), using blacklist_from and unblacklist_from in the local
> config file.

when you say "From addresses", do you mean envelope senders or From headers?

- if envelope senders, configure your MTA to reject such mail. In postfix,

    smtpd_recipient_restrictions = ... reject_unlisted_sender ...

  will do. similar checks are available in other open source MTAs.

- if From headers, then whether to reject at MTA time or not is your choice. purists don't like rejecting based on headers unless they break smtp rules, which is not the case here. with postfix, you'd need a policy_service (or a milter) or a proxy_filter (header checks won't help as you can't list all invalid addresses).

> This is a rather fragile system, though -- anytime I go to add any new
> users or aliases, I'll have to edit my local.cf files to match. My
> user population is rather static, so it's not a big deal, but it seems
> like there should be a simpler, more automatic way to do this. Am I
> missing something?

write a script to update the rule file, and make it called by your user creation tool.
Re: catching fake usernames?
> On Thu, August 31, 2006 05:41, Rick Roe wrote:
>> like there should be a simpler, more automatic way to do this. Am I
>> missing something?
>
> in postfix main.cf
>
> smtpd_reject_unlisted_sender = yes

In exim.conf, somewhere in acl_check_rcpt:

    require verify = sender
Re: catching fake usernames?
On Thu, 31 Aug 2006, Matt Kettler wrote:

> milter-greylist, while designed for greylisting, has
> grown to have a quite flexible ACL system. Using it you could
> "whitelist" all your local IPs that legitimately generate mail with your
> domain, then follow it up by blacklisting anything else that claims to
> be from the local domain.

I use milter-regex for that and have been quite satisfied with it.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 It may be possible to start a programme of weapon registration as a
 first step towards the physical collection phase. ... Assurances must
 be provided, and met, that the process of registration will not lead
 to immediate weapons seizures by security forces.
 -- the UN, who "doesn't want to confiscate guns"
---
 19 days until Talk Like a Pirate day
Re: catching fake usernames?
On Thu, August 31, 2006 07:24, John Andersen wrote:

> Won't work if ONE of the recipients is real...

still better than nothing, spf or sender access can take the rest, but since i still not using spf in mta its needed to be done as a restriction class in postfix could be a sender class that reject if client ip is not auth problem is just not as big here to make it needed spamassassin have an accessdb plugin btw, just wish it handled other db also

--
"This message was sent using 100% recycled spam mails."
Re: catching fake usernames?
On Wednesday 30 August 2006 21:25, Benny Pedersen wrote:
> On Thu, August 31, 2006 05:41, Rick Roe wrote:
> > like there should be a simpler, more automatic way to do this. Am I
> > missing something?
>
> in postfix main.cf
>
> smtpd_reject_unlisted_sender = yes

Won't work if ONE of the recipients is real...

--
John Andersen
Re: catching fake usernames?
On Wednesday 30 August 2006 19:56, Theo Van Dinter wrote:
> On Wed, Aug 30, 2006 at 08:41:37PM -0700, Rick Roe wrote:
> > I get a lot of spam whose From addresses are users that don't exist on
> > my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).
>
> [...]
>
> > Am I missing something?
>
> Typically it's easiest (and standard) to simply not accept mail for
> non-existent users in the first place. Is there a reason you've set up your
> system that way?

The problem is that if ONE of the names is a real user, the mail has to be passed thru, and the MTA will do so.

However, any mail with a totally bogus user as a CC name or just ONE of the recipients is a strong candidate for spam. The more recipients, the stronger the candidacy.

--
John Andersen
Re: catching fake usernames?
On Thu, August 31, 2006 05:41, Rick Roe wrote:

> like there should be a simpler, more automatic way to do this. Am I
> missing something?

in postfix main.cf

    smtpd_reject_unlisted_sender = yes

--
"This message was sent using 100% recycled spam mails."
Re: catching fake usernames?
Theo Van Dinter wrote:
> On Wed, Aug 30, 2006 at 08:41:37PM -0700, Rick Roe wrote:
>
>> I get a lot of spam whose From addresses are users that don't exist on
>> my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).
>
> [...]
>
>> Am I missing something?
>
> Typically it's easiest (and standard) to simply not accept mail for
> non-existent users in the first place. Is there a reason you've set up your
> system that way?

Erm, Theo, he said *From* users that don't exist, not To users that don't exist.. (ie: forged From: [EMAIL PROTECTED] To: [EMAIL PROTECTED])

There are two solutions I can think of.

One is to publish a SPF record for your own domain, and use a SPF milter.

The other is to use a tool that does really good in-order access control lists to your MTA. milter-greylist, while designed for greylisting, has grown to have a quite flexible ACL system. Using it you could "whitelist" all your local IPs that legitimately generate mail with your domain, then follow it up by blacklisting anything else that claims to be from the local domain.
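Added example, not part of any post in this thread and not Postfix or milter-greylist code: a small Python model of the in-order checks discussed here, showing that an envelope-sender check (the condition `reject_unlisted_sender` tests) and a From-header check catch different forgeries. The domain, networks, user list and sample messages are constructed assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Every value below is constructed for illustration (assumptions, not thread data).
LOCAL_DOMAINS = {"example.org"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
VALID_LOCALPARTS = {"postmaster", "daemon", "alice", "bob"}

def split_addr(addr):
    """Return (localpart, domain) lower-cased, or ('', '') for <> or junk."""
    _, email_addr = parseaddr(addr)
    local, sep, domain = email_addr.rpartition("@")
    return (local.lower(), domain.lower()) if sep else ("", "")

def decide(client_ip, mail_from, raw_message):
    """Evaluate the rules in order; the first one that matches wins."""
    ip = ipaddress.ip_address(client_ip)
    # 1. "Whitelist" hosts that legitimately send mail as the local domain.
    if any(ip in net for net in LOCAL_NETS):
        return "accept: local client"
    # 2. Envelope sender (MAIL FROM) is in a local domain but is not a real
    #    user or alias: the condition reject_unlisted_sender tests.
    local, domain = split_addr(mail_from)
    if domain in LOCAL_DOMAINS and local not in VALID_LOCALPARTS:
        return "reject: unlisted envelope sender"
    # 3. From: header claims a local domain although the client is outside.
    #    The envelope check above never looks at this header.
    header_from = message_from_string(raw_message).get("From", "")
    if split_addr(header_from)[1] in LOCAL_DOMAINS:
        return "reject: local From header from outside client"
    return "accept"

SAMPLES = [  # (client IP, MAIL FROM, message), all constructed
    ("192.0.2.10", "alice@example.org", "From: Alice <alice@example.org>\n\nhi\n"),
    ("203.0.113.5", "xqzt@example.org", "From: xqzt@example.org\n\nspam\n"),
    ("203.0.113.5", "x@mailer.example.net", 'From: "Bob" <bob@example.org>\n\nspam\n'),
    ("203.0.113.5", "<>", "From: MAILER-DAEMON@example.net\n\nbounce\n"),
    ("203.0.113.5", "carol@example.net", "From: carol@example.net\n\nhello\n"),
]

def run_samples():
    return [decide(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], sample[1], "->", verdict)
```

The third sample is the case the envelope check alone lets through: a foreign MAIL FROM with a forged local From header.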
Re: catching fake usernames?
On 30-Aug-06, at 11:41 PM, Rick Roe wrote:

> I get a lot of spam whose From addresses are users that don't exist on
> my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).
> I recently set up a scheme to manually blacklist all From addresses on
> my domains and un-blacklist the fifty or so "real" addresses mail can
> legitimately come from (the system aliases like postmaster, daemon,
> and so forth, and a small handful of real users each with a handful of
> aliases), using blacklist_from and unblacklist_from in the local
> config file.
>
> This is a rather fragile system, though -- anytime I go to add any new
> users or aliases, I'll have to edit my local.cf files to match. My
> user population is rather static, so it's not a big deal, but it seems
> like there should be a simpler, more automatic way to do this. Am I
> missing something?

SPF will address this at the MTA.

Depending on your MTA you may be able to address this by checking against the user database but I wouldn't do it in SpamAssassin. It's a content filter, it shouldn't be verifying user accounts for this purpose.

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740
Re: catching fake usernames?
On Wed, Aug 30, 2006 at 08:41:37PM -0700, Rick Roe wrote:
> I get a lot of spam whose From addresses are users that don't exist on
> my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).
[...]
> Am I missing something?

Typically it's easiest (and standard) to simply not accept mail for non-existent users in the first place. Is there a reason you've set up your system that way?

--
Randomly Generated Tagline:
The descent to Hades is the same from every place.
 -- Anaxagoras
Re: catching fake usernames?
Your MTA should be doing this job and not SA IMHO.

----- Original Message -----
From: "Rick Roe" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, August 30, 2006 9:41 PM
Subject: catching fake usernames?

| I get a lot of spam whose From addresses are users that don't exist on
| my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).
| I recently set up a scheme to manually blacklist all From addresses on
| my domains and un-blacklist the fifty or so "real" addresses mail can
| legitimately come from (the system aliases like postmaster, daemon,
| and so forth, and a small handful of real users each with a handful of
| aliases), using blacklist_from and unblacklist_from in the local
| config file.
|
| This is a rather fragile system, though -- anytime I go to add any new
| users or aliases, I'll have to edit my local.cf files to match. My
| user population is rather static, so it's not a big deal, but it seems
| like there should be a simpler, more automatic way to do this. Am I
| missing something?
catching fake usernames?
I get a lot of spam whose From addresses are users that don't exist on my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc). I recently set up a scheme to manually blacklist all From addresses on my domains and un-blacklist the fifty or so "real" addresses mail can legitimately come from (the system aliases like postmaster, daemon, and so forth, and a small handful of real users each with a handful of aliases), using blacklist_from and unblacklist_from in the local config file.

This is a rather fragile system, though -- anytime I go to add any new users or aliases, I'll have to edit my local.cf files to match. My user population is rather static, so it's not a big deal, but it seems like there should be a simpler, more automatic way to do this. Am I missing something?