
I'm facing a problem of verifying the "From:" message field in e-mail messages, in terms of e-mail spoofing. I am currently using SPF and DKIM to verify the origin and integrity of messages, but as far as I can work out, SPF only validates the "Return-Path" header, which is not displayed to the end user in any way (via Roundcube or Thunderbird), and DKIM only allows for digitally signing the message and assuring the sender is really the one he claims to be. I also tried to dig into DMARC, but this one apparently only allows forcing not-signed mails originating from our domain to be treated as spam (which is good) and is currently used only by big mail providers (Gmail, Yahoo).

Neither of these protects you from a situation where someone (for example the owner of some free shared hosting) decides to run this simple PHP script:

<?php
// The headers are built by hand, so the From: and Reply-To: values are
// whatever the caller chooses; this is the spoofing the question is about.
$headers = "From: someone@serverfault.com" . PHP_EOL
         . "Reply-To: someone@serverfault.com" . PHP_EOL
         . "Content-type: text/plain; charset=iso-8859-2";

if (mail('yourmail@gmail.com', 'Hello', 'Test spam function', $headers))
{
   echo 'Message sent';
}

In Gmail you at least see a header (not a warning) saying "someone@serverfault.com via ", but if you use e.g. Thunderbird to connect via IMAP/POP3 you don't see any such thing - the only way to detect the scam is to view the raw message headers directly. This means there is no protection against such simple spoofing, even in Gmail.

IMO this could be easily avoided if, for example, SPF would also verify the "From:" field, in addition to "Return-Path".

I am therefore wondering whether there is any plugin for Postfix/Amavisd that would allow such spoof-filtering? Or maybe I am misunderstanding some of these technologies (SPF/DKIM/DMARC) and one of them can protect from such spoofing?

gds.jerry
  • Please think about this at least twice. There are some valid reasons to spoof the `From:` header. If you check this it could be that some emails will not receive the correct user anymore. (I had this problem before as a programmer). – Uwe Plonus Jun 20 '13 at 09:51
  • I agree, but that is why I suggested the use of an SPF-like tool (if it exists) - with a valid range of IP addresses that are allowed to send mail for a particular domain in the "From:" field. Or maybe this would be too difficult/complex to implement, yet I can't really think of a scenario that would cause that – gds.jerry Jun 20 '13 at 10:00

1 Answer

There can be quite legitimate reasons for the From:-header to not match the Return-Path:-header. One example is mailing lists - the return path should be to the list server (which will manage bounces, to the point of possibly removing bad addresses from the list), while the From:-header should be from the person actually sending the mail. So you probably do not want to drop all mails where the two headers don't agree.

In answer to your questions about a plugin, I would recommend SpamAssassin which can be combined with Postfix/Amavisd. It will perform a number of tests and add together the test scores to determine whether an email is spam or not.

Jenny D
  • It doesn't need to be the same and I agree that in some situations it even cannot be the same, but at least it should be verified whether the domain in the "From:" header matches the IP address of the server sending the message, or matches one of the IPs included in the SPF record. Anyway, will check out SpamAssassin, hopefully there are some algorithms in it for that kind of lookups, thanks :) – gds.jerry Jun 21 '13 at 07:55
  • The link I included shows all the tests it does, it does have at least some From:-tests for domains that are often forged. – Jenny D Jun 21 '13 at 10:15
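As an added example (my code, not from the question, the answer or SpamAssassin), here is the check the asker describes, applied to a message's headers: it tests whether the domain authenticated by SPF (via Return-Path) or by DKIM aligns with the visible From: domain, which is the identifier alignment that DMARC standardizes on top of SPF and DKIM. The Authentication-Results header, the domains and the two sample messages are constructed for the example, and the organisational-domain rule is a simplification.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

def org_domain(domain):
    """Simplified organisational domain: last two labels (no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """DMARC-style alignment: exact match if strict, else same organisational domain."""
    if not from_domain or not auth_domain:
        return False
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def check_alignment(raw, strict=False):
    """Does the SPF- or DKIM-authenticated domain align with the visible From: domain?"""
    msg = message_from_string(raw, policy=default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Return-Path is the envelope sender, i.e. the identity SPF actually validated.
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    # SPF/DKIM verdicts come from an Authentication-Results header assumed to be
    # written by a trusted inbound filter; this code does not evaluate them itself.
    ar = msg.get("Authentication-Results", "")
    spf_pass = re.search(r"\bspf=pass\b", ar) is not None
    dkim = re.search(r"\bdkim=pass\b[^;]*header\.d=([\w.-]+)", ar)
    dkim_domain = dkim.group(1) if dkim else ""
    spf_ok = spf_pass and aligned(from_domain, rp_domain, strict)
    dkim_ok = aligned(from_domain, dkim_domain, strict)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: the shared-host script from the question. SPF passes for
# the host's own envelope domain, but that domain is unrelated to From:.
SPOOFED = """Return-Path: <www-data@shared-host.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=shared-host.example; dkim=none
From: someone@serverfault.com
"""

# Constructed sample: the mailing-list case from the answer. Return-Path is the
# list server, but a DKIM signature from the author's domain still aligns.
LISTMAIL = """Return-Path: <bounces@lists.example.org>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=lists.example.org; dkim=pass header.d=serverfault.com
From: Someone <someone@serverfault.com>
"""
```

The spoofed message fails both alignments even though SPF passed, while the mailing-list message is rescued by the aligned DKIM signature, which is why a filter should not act on a Return-Path/From: mismatch alone.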