“From:” e-mail header spoofing – how to verify such mail

Tags: email, postfix, smtp-headers, spoofing

I'm facing a problem of verifying the "From:" message field in e-mail messages, in terms of e-mail spoofing. I am currently using SPF and DKIM to verify the origin and integrity of messages, but as far as I can work out, SPF only validates the "Return-Path" header, which is not displayed to the end user in any way (via Roundcube or Thunderbird), and DKIM only allows for digitally signing the message and assuring that the sender is really the one he claims to be. I also tried to dig into DMARC, but this one apparently only allows forcing not-signed mails originating from our domain to be treated as spam (which is good) and is currently used only by big mail providers (Gmail, Yahoo).

Neither of these protects you from the situation where someone (for example, the owner of some free shared hosting) decides to run this simple PHP script:

<?php
// Forged headers: the From: and Reply-To: claim a domain the sending host
// does not own; the Return-Path (envelope sender) stays the hosting account's.
$headers = "From: someone@serverfault.com".PHP_EOL."Reply-To: someone@serverfault.com".PHP_EOL."Content-type: text/plain; charset=iso-8859-2";

if(mail('yourmail@gmail.com', 'Hello', 'Test spam function', $headers))
{
   echo 'Message sent';
}

In Gmail you at least see a header (not a warning) saying "someone@serverfault.com via ", but if you use, for example, Thunderbird to connect via IMAP/POP3 you don't see any such thing – the only way to detect the scam is to view the raw message headers directly. This means there is no protection against such simple spoofing, even in Gmail.

IMO this could be easily avoided if, for example, SPF also verified the "From:" field, in addition to "Return-Path".

I am therefore wondering whether there is any plugin for Postfix/Amavisd that would allow such spoof-filtering? Or maybe I am misunderstanding some of these technologies (SPF/DKIM/DMARC) and one of them can protect from such spoofing?

Best Answer

There can be quite legitimate reasons for the From:-header to not match the Return-Path:-header. One example is mailing lists - the return path should be to the list server (which will manage bounces, to the point of possibly removing bad addresses from the list), while the From:-header should be from the person actually sending the mail. So you probably do not want to drop all mails where the two headers don't agree.

In answer to your questions about a plugin, I would recommend SpamAssassin which can be combined with Postfix/Amavisd. It will perform a number of tests and add together the test scores to determine whether an email is spam or not.
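As an added example, not code from the question or the answer above, here is the DMARC-style identifier alignment check that closes the gap the question describes (SPF vouches for Return-Path, DKIM for the d= domain, and DMARC asks whether either of those aligns with the visible From:), while still letting the answer's mailing-list case through when the author's DKIM signature survives. It assumes the SPF and DKIM verdicts come from an upstream verifier (no DNS lookups here), and it approximates the organizational domain with the last two labels instead of the Public Suffix List.

```python
import email
from email import policy
from email.utils import parseaddr

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Real DMARC consults the Public Suffix List (assumption here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, other, strict=False):
    """DMARC identifier alignment: strict requires an exact match,
    relaxed only requires the same organizational domain."""
    if strict:
        return from_dom.lower() == other.lower()
    return org_domain(from_dom) == org_domain(other)

def dkim_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, if any."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    for tag in str(sig).split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "d":
            return value.strip()
    return None

def check_alignment(raw, spf_pass, dkim_pass, strict=False):
    """spf_pass/dkim_pass are the verdicts an upstream verifier (e.g. a
    Postfix milter) produced for Return-Path and the DKIM signature."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    d = dkim_domain(msg)
    spf_ok = spf_pass and bool(rp_dom) and aligned(from_dom, rp_dom, strict)
    dkim_ok = dkim_pass and bool(d) and aligned(from_dom, d, strict)
    # DMARC passes when at least one authenticated identifier aligns with From:
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample 1: the PHP mail() case, relayed by a shared host whose
# own SPF record passes but which cannot sign for serverfault.com.
SPOOFED = ("Return-Path: <www-data@shared-host.example>\n"
           "From: someone@serverfault.com\nSubject: Hello\n\nTest spam function\n")
# Constructed sample 2: a mailing list; Return-Path goes to the list server,
# but the author's DKIM signature (d=example.org) survived relaying.
LISTMAIL = ("Return-Path: <list-bounces@lists.example.net>\n"
            "From: Alice <alice@example.org>\n"
            "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; bh=x; b=y\n"
            "Subject: hi\n\nhello\n")
```

The spoofed sample fails DMARC because neither SPF nor DKIM aligns with serverfault.com, while the list mail passes on DKIM alone despite the Return-Path mismatch, which is exactly why dropping on From:/Return-Path disagreement alone is too blunt.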