From: Sahil Tandon on
On Sun, 2010-08-08 at 13:48:04 -0400, donovan jeffrey j wrote:

> this weekend I have been hit with a ton of forged spam messages.
> here is a sample header
>
> To: realuser(a)beth.k12.pa.us
> Return-Path: <realuser(a)beth.k12.pa.us>

Based on the above and some of the sample Received: headers, we can
infer that MAIL FROM == RCPT TO.

> Received: from 21-182-134-95.pool.ukrtel.net [ .. ]

Consider blocking these generic-looking HELOs with a pcre:

/\d+([-\.]\d+){3}/ REJECT Generic hostname.

> I do have header checks that should thwart this I thought;
>
> # HEADER_CHECKS(5)
> /^Received:.*by beth.k12.pa.us/ REJECT Forged hostname in Received header
> if /^Received:/
> /^Received: +from +(beth\.k12\.pa\.us) +/ reject forged client name in Received: header: $1
> /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)/ reject forged client name in Received: header: $1
> /^Received:.* +by +(beth\.k12\.pa\.us)[[:>:]]/ reject forged mail server name in Received: header: $1
> endif
>
> did I miss something ?

None of these header checks address your problem. Use an access(5) map
to reject email from unauthenticated external clients when the domain
part of the email address matches one of your domains. You could also
use a policy server (this is what I do) to reject email from external
clients when sender is equal to recipient.

--
Sahil Tandon <sahil(a)FreeBSD.org>

From: Xavier Gillard on
On Sun, 8 Aug 2010 13:48:04 -0400,
donovan jeffrey j <donovan(a)beth.k12.pa.us> wrote:

> greetings
>
> this weekend I have been hit with a ton of forged spam messages.
> here is a sample header
>
>
> From: realuser(a)beth.k12.pa.us
> Subject: realuser(a)beth.k12.pa.us 62% OFF on Pfizer!
> Date: August 8, 2010 9:41:57 AM EDT
> To: realuser(a)beth.k12.pa.us
> Return-Path: <realuser(a)beth.k12.pa.us>

You may authenticate your users and use reject_sender_login_mismatch

Xavier
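Added example (not from the thread and not Postfix's own code): a minimal decision function in the shape of a Postfix check_policy_service, covering the two policy-side suggestions above. It parses the "name=value" attribute block Postfix sends to a policy service and rejects when an unauthenticated client outside the trusted networks sends with MAIL FROM equal to RCPT TO (Sahil's policy-server approach), when the HELO name matches the generic-hostname pcre from Sahil's reply, and when a SASL-authenticated login uses an envelope sender it does not own (the check reject_sender_login_mismatch performs natively, as Xavier suggests). The trusted networks (`MY_NETWORKS`), the login-to-sender table (`SENDER_LOGIN_MAP`), the client IP and the sample request are constructed for the example; the socket handling a real policy daemon needs is left out.

```python
"""Minimal Postfix SMTPD policy decision (example only, not a full daemon)."""
import ipaddress
import re

# Constructed: networks treated like $mynetworks (trusted, skip the checks).
MY_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),  # hypothetical LAN
]

# Constructed: SASL login -> envelope senders it may use
# (the role smtpd_sender_login_maps plays for reject_sender_login_mismatch).
SENDER_LOGIN_MAP = {
    "realuser": {"realuser@beth.k12.pa.us"},
}

# Same expression as the pcre suggested in the thread for generic-looking HELOs.
GENERIC_HELO = re.compile(r"\d+([-.]\d+){3}")

# Constructed policy request modelled on the forged message in the thread.
# Postfix sends one "name=value" line per attribute, terminated by an empty line.
SAMPLE_FORGED = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.7\n"  # constructed (TEST-NET), not the real client
    "client_name=21-182-134-95.pool.ukrtel.net\n"
    "helo_name=21-182-134-95.pool.ukrtel.net\n"
    "sender=realuser@beth.k12.pa.us\n"
    "recipient=realuser@beth.k12.pa.us\n"
    "sasl_username=\n"
    "\n"
)


def parse_policy_request(raw: str) -> dict:
    """Parse the attribute block of the Postfix policy protocol into a dict."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:  # empty line ends the request
            break
        if "=" not in line:
            raise ValueError(f"malformed attribute line: {line!r}")
        name, value = line.split("=", 1)
        attrs[name] = value
    return attrs


def is_internal(client_address: str) -> bool:
    """True when the client IP falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    return any(addr in net for net in MY_NETWORKS)


def generic_helo(helo_name: str) -> bool:
    """True when the HELO looks like a dotted or dashed address, e.g. 21-182-134-95.pool..."""
    return GENERIC_HELO.search(helo_name) is not None


def decide(attrs: dict) -> str:
    """Return a Postfix policy action: 'DUNNO' or 'REJECT <reason>'."""
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    login = attrs.get("sasl_username", "")
    client = attrs.get("client_address", "")
    helo = attrs.get("helo_name", "")

    # Authenticated submission: the login must own the envelope sender.
    if login:
        if sender not in SENDER_LOGIN_MAP.get(login, set()):
            return f"REJECT Sender address not owned by login {login}"
        return "DUNNO"

    # Trusted networks are exempt from the external-client checks.
    if is_internal(client):
        return "DUNNO"

    # Unauthenticated external client forging one of our users to themselves.
    if sender and sender == recipient:
        return "REJECT Sender equals recipient from unauthenticated external client"

    if generic_helo(helo):
        return "REJECT Generic hostname"

    return "DUNNO"


def policy_response(raw: str) -> str:
    """Full response line as the policy protocol expects: action=..., blank line."""
    return f"action={decide(parse_policy_request(raw))}\n\n"
```

Before wiring something like this into smtpd_recipient_restrictions, run the generic-HELO expression against a sample of legitimate mail logs: bracketed address literals such as `[203.0.113.7]` also match it, and a rejection at HELO time cannot be undone later in the restriction list.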