How to reject/detect emails claiming to be from our own domain

Tags: sendmail, spamassassin, spf

We have the following e-mail topology:

Exchange server --------- Sendmail server ---------------Internet

On the sendmail server there is no user mailbox, and messages with the sender address user@my.domain.com can arrive only from the Exchange server and never from the Internet.
Based on this fact, I want to limit the amount of received spam by rejecting all emails incoming from the Internet and claiming to be from my own domain (anyuser@my.domain.com).

I have configured an SPF record for my domain and installed the spfmilter, spamassassin and spamass-milter packages on the sendmail server. It works well, but there are two issues:

  1. If during the SMTP conversation the sender specifies a bad address in the "MAIL FROM:" command, it will be rejected, but the sender can still issue another "MAIL FROM:" command, and if this second address is accepted, the whole message will be accepted too. I would prefer that the sender has no second chance: if he specifies at least one address rejected by spfmilter, the whole message should be unconditionally rejected.

  2. If the sender has specified valid addresses (accepted by spfmilter), it can issue the DATA command and then put a line (as message body) like "From: <me@my.domain.com>". This line is not part of the SMTP conversation, but it becomes part of the message header (my Outlook displays this address as the sender address). So I want to configure a spamassassin filter test/rule which will mark the message as spam (after the DATA command it is already too late to reject the message) if the sender addresses given in the message header don't match the addresses specified as part of the SMTP conversation, but I don't know how to do this.

Any suggestions?
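The header check described in issue 2, written out in Python as an added example (not part of the question and not a sendmail or spamassassin component): it takes the raw message plus the envelope sender that was given in MAIL FROM, and reports every From or Sender header address that claims the local domain while the envelope sender does not. The domain my.domain.com is the one from the question; the sample messages and all other addresses are constructed for this example.

```python
"""Header-vs-envelope sender check (added example, not from the question)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domain from the question. Mail for it only ever originates
# on the Exchange side, so a local sender arriving from the Internet is forged.
LOCAL_DOMAIN = "my.domain.com"


def address_domain(value):
    """Return the lower-cased domain part of an address or header value."""
    _, addr = parseaddr(value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_local_domain(domain):
    """True for the local domain itself and for any subdomain of it."""
    return domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN)


def spoofed_local_senders(raw_message, envelope_from):
    """Return the header sender addresses that claim the local domain while
    the SMTP envelope sender (the address given in MAIL FROM) does not.

    A local envelope sender is left alone here because spfmilter already
    decides that case before DATA. Every From and Sender header is examined,
    so an injected second From header is caught even if the first one is
    harmless.
    """
    if is_local_domain(address_domain(envelope_from)):
        return []
    msg = message_from_string(raw_message)
    offenders = []
    for header in ("From", "Sender"):
        for value in msg.get_all(header, []):
            _, addr = parseaddr(value)
            if is_local_domain(address_domain(addr)):
                offenders.append(addr.lower())
    return offenders


# Constructed sample messages; every address below is invented for the example.
SPOOFED = """From: "Me" <me@my.domain.com>
To: you@my.domain.com
Subject: constructed spoof

body
"""

LEGIT_EXTERNAL = """From: friend@other.example
To: you@my.domain.com
Subject: constructed legitimate mail

body
"""

DOUBLE_FROM = """From: friend@other.example
From: boss@my.domain.com
To: you@my.domain.com
Subject: constructed header injection

body
"""

if __name__ == "__main__":
    cases = (("spoofed", SPOOFED, "bulk@spammer.example"),
             ("legit", LEGIT_EXTERNAL, "friend@other.example"),
             ("double", DOUBLE_FROM, "friend@other.example"))
    for name, raw, envelope in cases:
        print(name, spoofed_local_senders(raw, envelope))
```

A non-empty result is the condition under which a post-DATA filter would add spam score; the check deliberately looks at the address part only, so a display name that merely contains the local domain is not treated as a match.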

Best Answer

I use Exim configured with mysql to filter my email. I find the configuration easier to do. Sendmail configuration has always seemed quite cryptic to me.

  1. To prevent a sender from changing the mail_from identity and retrying you will need to add their IP address to a blacklist and enforce the blacklist. If you can get the filter to drop the connection rather than reject the mail_from, then they will need to reconnect to change the mail_from address. I don't think many senders will do so. I'll check my database and update later.

  2. The following rule will check to see if the From address is within the 'example.com' domain. Add these lines to your local.cf file and restart spamassassin. Increase the score when you are confident that it is working correctly. This presumes you are not using spamassassin for outgoing email.

# The dot is escaped and the match is word-bounded so that e.g. "example-com"
# or "example.community" do not match; a positive score pushes matches towards spam.
header   LOCAL_FROM_HERE        From =~ /[.@]example\.com\b/i
score    LOCAL_FROM_HERE        0.75
describe LOCAL_FROM_HERE        From header is local address

EDIT: I ran some queries on my database of email data. Of 2500 connections that used a local address in the MAIL FROM command, only 28 retried with a non-local address. This is about a 1% fail rate on just rejecting the use of local addresses in the MAIL FROM command. I found no cases where a server reconnected and tried a non-local address.

Assuming the Envelope_from header is added before spamassassin filters the message both conditions can be combined in a single blacklist entry in local.cf. Again this assumes you do not run spamassassin on outgoing email.

blacklist_from   *@example.com

EDIT2: I use an ACL in Exim to reject the Mail From command if a local domain is used in the address. This applies if the connecting host is not one I consider local. Local hosts include servers on the local network, approved relays, and hosts using an authenticated connection on the submission port (587).
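The EDIT2 ACL logic combined with the "no second chance" behaviour from point 1 of the question, as an added Python example (this is not the answerer's Exim configuration nor a sendmail milter): a MAIL FROM carrying the local domain is refused unless the client is on the local network, is an approved relay, or is authenticated on port 587, and once a connection has been refused in this way every later MAIL FROM on the same connection is refused as well. The networks, relay address and client addresses are placeholders chosen for this example; my.domain.com is the domain from the question.

```python
"""MAIL FROM policy with sticky rejection (added example, not Exim or sendmail config)."""
import ipaddress
from email.utils import parseaddr

LOCAL_DOMAIN = "my.domain.com"  # the domain from the question
# Assumptions: placeholder values chosen for this example.
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # LAN holding the Exchange server
APPROVED_RELAYS = {ipaddress.ip_address("198.51.100.10")}  # a trusted external relay
SUBMISSION_PORT = 587


def sender_is_local(sender):
    """True if the MAIL FROM address uses the local domain or a subdomain of it."""
    _, addr = parseaddr(sender)
    if "@" not in addr:
        return False  # the null sender <> used by bounces is never local
    domain = addr.rsplit("@", 1)[1].lower()
    return domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN)


def host_is_local(client_ip, local_port, authenticated):
    """The three exceptions from the answer: local network, approved relay,
    or an authenticated session on the submission port."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in LOCAL_NETWORKS):
        return True
    if ip in APPROVED_RELAYS:
        return True
    return local_port == SUBMISSION_PORT and authenticated


class SmtpSession:
    """State for one TCP connection. Once a forged local sender has been
    refused, every later MAIL FROM on the same connection is refused too,
    so retrying with a different address gives no second chance."""

    def __init__(self, client_ip, local_port=25, authenticated=False):
        self.trusted = host_is_local(client_ip, local_port, authenticated)
        self.tainted = False

    def mail_from(self, sender):
        """Return the SMTP reply (code, text) for one MAIL FROM command."""
        if self.tainted:
            return 550, "5.7.1 Sender rejected earlier in this connection"
        if sender_is_local(sender) and not self.trusted:
            self.tainted = True
            return 550, "5.7.1 Local domain sender not accepted from this host"
        return 250, "2.1.0 Sender ok"


if __name__ == "__main__":
    # Constructed walk-through: an Internet host forges a local sender, then retries.
    session = SmtpSession("203.0.113.5")
    print(session.mail_from("<me@my.domain.com>"))
    print(session.mail_from("<other@elsewhere.example>"))
    # The Exchange server on the LAN is allowed to use the local domain.
    print(SmtpSession("192.0.2.7").mail_from("<me@my.domain.com>"))
```

The `tainted` flag is what turns a per-command rejection into a per-connection one; dropping the connection outright, as the answer suggests, has the same effect because the client must reconnect to try another address.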