> We run exim on-premises with spamassassin (all external email comes
> in this way and routes to Exchange online). We also use a number
> of 3rd party email service providers (for things such as marketing
> campaigns) used by various departments at our institution. External
> providers use valid From: addresses pertaining to come from our own
> domain, but generally use their own domain for Return-Path. This
> gives us a headache to identify genuine email arriving from external
> providers (using our From: @domain address) from spam (using forged
> From: addresses).
>
> The two approaches we have been considering are to develop a list of
> valid email providers, which will be a task in itself, and either
> (1) allow only these external IPs (whitelist) to route through our
> exim servers (if sending address is from our domain) or (2) enforce
> external providers to authenticate to our on-premises servers (block
> un-auth connections using our domain).
>
> Departments do have a habit of going out and employing external
> providers without notice. We are leaning towards option(1) but
> overhead in maintaining an up-to-date list and possibility of
> omissions and external IPs changing is a concern. Do others find
> this? There is SPF, but still require valid server list, and worries
> of breaking something.
This is an obvious note, but:
You are also going to have problems for people who are on mailing
lists and send email to those lists. Your message here to exim-users
undoubtedly arrived back at your mail host with your original
in-institution From: address and the mailing list's envelope sender, for
example.
Given that academic environments run mailing lists with all sorts of ad
hoc software and arrangements, I don't think you'll ever be able to find
a set of indicators that are there for legitimate mailing lists and not
there for spammers.
- cks
