[Dovecot] Emails from invalid local accounts
Hi,
I'm using dovecot 1.2.9 in a postfix/dovecot setup and I'm having issues with receiving spam where the "from" header contains an address like accounting@mydomain.com. Is there some way I can filter out these emails coming from outside our network with an account associated with our network which doesn't exist? Do I just need to configure some custom process to evaluate these addresses, or is there some way either in dovecot or spamassassin to do this?
Thanks,
Steve K
On 10/18/2012 3:32 PM, Steven Kiehl wrote:
> Hi,
> I'm using dovecot 1.2.9 in a postfix/dovecot setup and I'm having issues with receiving spam where the "from" header contains an address like accounting@mydomain.com. Is there some way I can filter out these emails coming from outside our network with an account associated with our network which doesn't exist? Do I just need to configure some custom process to evaluate these addresses, or is there some way either in dovecot or spamassassin to do this?
> Thanks,
> Steve K
This should be dealt with in postfix or SpamAssassin, not dovecot, and there are likely other, better ways to detect this particular spam rather than mucking with the From: header.
Sometimes mail arrives with a header something like From: accounting and postfix appends @$myorigin to the unqualified address while passing the mail through your content_filter.
The fix for that is to set in your postfix main.cf remote_header_rewrite_domain = domain.invalid so that unqualified addresses will be rewritten with a known domain. Don't be tempted to reject such mail outright since you'll reject a significant amount of non-spam mail.
Another thing to consider setting in postfix main.cf is: smtpd_reject_unlisted_sender = yes which will reject invalid envelope senders in your domain. (Note the difference between envelope sender and the From: header.)
-- Noel Jones
This is great information on some options I should look into further, however adding the "smtpd_reject_unlisted_sender" option doesn't seem to eliminate the problem. What these spammers are doing is forging the "from" header to be a full address like "accounting@mydomain.com" and they are sending to a real address like "webmaster@mydomain.com". So even if the envelope sender is valid or coming from an outside domain, the visible originating from address is invalid and is in my own domain. And I'm absolutely positive any mail received from these forged from addresses is spam that shouldn't even be delivered.
This is also complicated further by the use of virtual domains and virtual alias mapping (all sql based) in the Postfix configuration. Some of my problem may be that Postfix might not be able to get a comprehensive list of valid mailboxes and aliases to deliver to the virtual transport. I've tried to define the virtual mailbox maps, but every time I do that the aliases stop working.
On Thu, Oct 18, 2012 at 5:00 PM, Noel <noeldude@gmail.com> wrote:
> On 10/18/2012 3:32 PM, Steven Kiehl wrote:
> > Hi,
> > I'm using dovecot 1.2.9 in a postfix/dovecot setup and I'm having issues with receiving spam where the "from" header contains an address like accounting@mydomain.com. Is there some way I can filter out these emails coming from outside our network with an account associated with our network which doesn't exist? Do I just need to configure some custom process to evaluate these addresses, or is there some way either in dovecot or spamassassin to do this?
> > Thanks,
> > Steve K
> This should be dealt with in postfix or SpamAssassin, not dovecot, and there are likely other, better ways to detect this particular spam rather than mucking with the From: header.
> Sometimes mail arrives with a header something like From: accounting and postfix appends @$myorigin to the unqualified address while passing the mail through your content_filter.
> The fix for that is to set in your postfix main.cf remote_header_rewrite_domain = domain.invalid so that unqualified addresses will be rewritten with a known domain. Don't be tempted to reject such mail outright since you'll reject a significant amount of non-spam mail.
> Another thing to consider setting in postfix main.cf is: smtpd_reject_unlisted_sender = yes which will reject invalid envelope senders in your domain. (Note the difference between envelope sender and the From: header.)
> -- Noel Jones
On 10/18/2012 8:59 PM, Steven Kiehl wrote:
> This is great information on some options I should look into further, however adding the "smtpd_reject_unlisted_sender" option doesn't seem to eliminate the problem.
[This is OT for the dovecot list, and my last post in this thread. Please send all followups to the appropriate postfix, amavisd-new, or spamassassin list in consideration of other list members. Thank you.]
smtpd_reject_unlisted_sender works with the envelope address; this option has no effect on headers.
> What these spammers are doing is forging the "from" header to be a full address like "accounting@mydomain.com"
Possible, but I doubt it. The only way you'll ever see the more likely original "From: accounting" header is by running postfix in debug mode (which is not recommended) or by using a tcp sniffer in front of postfix. That's why I recommend setting "remote_header_rewrite_domain = domain.invalid". Also, this setting requires a non-ancient postfix, but I don't remember which version; if it shows up in "postconf -n" output, you're OK.
> and they are sending to a real address like "webmaster@mydomain.com". So even if the envelope sender is valid or coming from an outside domain, the visible originating from address is invalid and is in my own domain. And I'm absolutely positive any mail received from these forged from addresses is spam that shouldn't even be delivered.
If there are a few frequently-abused addresses, you can add them to a header_checks rule. But don't get too tied up in whack-a-mole header_checks; that's a great time waster for limited benefit.
> This is also complicated further by the use of virtual domains and virtual alias mapping (all sql based) in the Postfix configuration. Some of my problem may be that Postfix might not be able to get a comprehensive list of valid mailboxes and aliases to deliver to the virtual transport. I've tried to define the virtual mailbox maps, but every time I do that the aliases stop working.
If your postfix is not able to properly validate recipients, you should ask about that on the postfix list. That is a serious problem. http://www.postfix.org/DEBUG_README.html#mail
The point you're missing is that there is no way to validate the From: header. Look at other features of the unwanted mail for ways to reject it.
-- Noel Jones
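The envelope-versus-header distinction discussed in the messages above, as an added illustration that is not part of any post in this thread. It is a simplified model, not Postfix code: the function names, the mailbox list, the example.net sender and the three sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "mydomain.com"             # domain named in the thread
VALID_LOCAL = {"webmaster@mydomain.com"}  # constructed list of real mailboxes

def qualify(addr, rewrite_domain):
    """Append @rewrite_domain to a bare local part; leave full addresses alone."""
    return f"{addr}@{rewrite_domain}" if addr and "@" not in addr else addr

def unlisted_local(addr):
    """True when addr claims LOCAL_DOMAIN but is not a known mailbox."""
    addr = addr.lower()
    return addr.endswith("@" + LOCAL_DOMAIN) and addr not in VALID_LOCAL

def classify(mail_from, raw_message, rewrite_domain):
    """Return (envelope_unlisted, from_header_as_delivered, header_unlisted).

    envelope_unlisted is the only condition an envelope-sender check such as
    smtpd_reject_unlisted_sender can act on; the header result is computed
    purely to show what that check never looks at.
    """
    msg = message_from_string(raw_message)
    _, header_addr = parseaddr(msg.get("From", ""))
    header_addr = qualify(header_addr, rewrite_domain)
    return unlisted_local(mail_from), header_addr, unlisted_local(header_addr)

# Constructed samples: (MAIL FROM address, message as received)
BARE = ("bulk@example.net",
        "From: accounting\nTo: webmaster@mydomain.com\n\nhi\n")
FULL = ("bulk@example.net",
        "From: accounting@mydomain.com\nTo: webmaster@mydomain.com\n\nhi\n")
ENVELOPE = ("accounting@mydomain.com",
            "From: Someone <someone@example.net>\nTo: webmaster@mydomain.com\n\nhi\n")

if __name__ == "__main__":
    samples = [("bare", BARE), ("full", FULL), ("envelope", ENVELOPE)]
    for name, (mail_from, raw) in samples:
        # First domain models the @$myorigin outcome, second the suggested setting.
        for domain in (LOCAL_DOMAIN, "domain.invalid"):
            print(name, domain, classify(mail_from, raw, domain))
```

The bare "From: accounting" case only looks like a local account when the appended domain is the site's own; the fully forged header looks local either way and never trips the envelope check.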
At 4PM -0400 on 18/10/12 you (Steven Kiehl) wrote:
> I'm using dovecot 1.2.9 in a postfix/dovecot setup and I'm having issues with receiving spam where the "from" header contains an address like accounting@mydomain.com. Is there some way I can filter out these emails coming from outside our network with an account associated with our network which doesn't exist? Do I just need to configure some custom process to evaluate these addresses, or is there some way either in dovecot or spamassassin to do this?
You want to do this in Postfix, with either the smtpd_reject_unlisted_sender parameter or the reject_unlisted_sender policy in smtpd_sender_restrictions. You will need to make sure Postfix has access to the list of valid mailboxes at your domain, which it should have already for recipient checking.
Ben
participants (3): Ben Morrow, Noel, Steven Kiehl