Author: Chad Leigh Shire.Net LLC Date: To: exim-users Subject: Re: [exim] stopping spam with forged from:
> On May 25, 2022, at 9:45 AM, Cyborg via Exim-users <exim-users@???> wrote:
>
> Am 25.05.22 um 17:20 schrieb Evgeniy Berdnikov via Exim-users:
>> On Wed, May 25, 2022 at 08:38:32AM -0600, Chad Leigh Shire.Net LLC via Exim-users wrote:
>>> What is the best strategy to combat and right out reject mail that
>>> has the from: and the recipient address the same? Or alternately to
>>> force things like SPF checking against the from: in addition to the
>>> envelope-sender? (Not sure if that is a good idea — will it mess up
>>> legit email from mail processors etc )
>> Such a mail may be a test message that user sent to its own address.
>> So blind comparison of From: and To: is not a good idea, especially taking
>> into account that To: can contain several destination addresses and
>> may be used as Cc: field to keep own copy of outgoing mail.
>>
>> Take a look at DMARC.
> but, a valid user would use SMTP-Auth which the spammer won't use.
>
> so the test: ( From == To || From in To || From in CC ) && SMTP-AUTH==FALSE would be a valid method IMHO.
>
> It of course requires the use of smtp-auth, but that should be enabled anyway or the server will become or is an open relay for anyone.
>
Yes, we do not allow relaying except from authenticated servers. We are not an ISP, just a mail and web service provider, so we do not have “local networks” to rely on.
I need to see about the mail list that doesn’t re-write the from and see if we get much of that and what to do about that.
We have actually already decided to investigate DMARC but have not yet implemented anything. I am working with one of my important customers who are big in internet security/mail security in some way and are interested in exploring it for their own domain (which I handle), though they have reservations so we are working through learning about it and seeing best how to implement. We talked about it last week so have just started. (I did look at it myself but never finished last Fall and do get reports from other services).
But in the meantime I was hoping to put some sort of simple exim based restriction in to get the most obvious violators.
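As an added example, written for this page and not taken from the thread or from Exim's own documentation, here is the `( From == recipient ) && SMTP-AUTH==FALSE` test expressed as a DATA-time Exim ACL rule. It assumes the names used by the stock Exim configuration (`acl_check_data` as the `acl_smtp_data` ACL, the `+local_domains` domain list and the `+relay_from_hosts` host list); anything else is built only from standard Exim expansion items.

```exim
# Constructed example: reject a message when it was NOT submitted over
# SMTP AUTH, it did not come from a trusted relay host, its From: header
# is in one of our own domains, and that From: address is also one of
# the envelope recipients. Assumes acl_check_data, +local_domains and
# +relay_from_hosts from the stock Exim configuration.

acl_check_data:

  deny
    # Authenticated submissions are our own users; leave them alone.
    !authenticated = *
    # Hosts allowed to inject mail for our users without AUTH, e.g. an
    # internal list server that keeps the original From: header.
    !hosts = +relay_from_hosts
    # Only act when the From: domain is one we host; a forged "you sent
    # this to yourself" message necessarily claims one of our domains.
    condition = ${if match_domain{${domain:$h_From:}}{+local_domains}}
    # $recipients is a comma-and-space separated list of envelope
    # recipients, so the list separator is switched to "," and each
    # item is compared case-insensitively with the From: address.
    condition = ${if forany{<, $recipients}\
                     {eq{${lc:$item}}{${lc:${address:$h_From:}}}}}
    message     = Unauthenticated mail claiming to come from the recipient is not accepted
    log_message = unauthenticated From: ${address:$h_From:} matches an envelope recipient

  # ... existing content checks and the final accept follow here.
  accept
```

Run it as `warn` with only the `log_message` for a while before switching to `deny`: external forwarders and mailing lists that preserve the user's From: (the case raised in the thread) will show up in the log as the false positives that need an exemption.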