how to cope with SA spoofed from addresses?

on 03.07.2007 16:54:58 by olafilink

Hello,

We have SA set up so it whitelists mail from our own domain. Sometimes
I see mail coming in that has a spoofed from-address that is set to
our own domain and to an existing email address on our domain (i.e.
from=to, both: myuser@mydomain.com). These emails are then seen as
whitelisted and thus don't score as spam. How can we set up SA to cope
with this?

Olaf

Re: how to cope with SA spoofed from addresses?

on 03.07.2007 19:24:36 by Garen Erdoisa

olafmol wrote:
> Hello,
>
> We have SA set up so it whitelists mail from our own domain. Sometimes
> I see mail coming in that has a spoofed from-address that is set to
> our own domain and to an existing email address on our domain (i.e.
> from=to, both: myuser@mydomain.com). These emails are then seen as
> whitelisted and thus don't score as spam. How can we set up SA to cope
> with this?
>

This is what SPF (Sender Permitted From) is designed to help prevent.

See: http://www.openspf.org/

for more information on SPF.

In a nutshell, you publish, via a special DNS record, which machines are
allowed to originate email with your domain in the return path. Other
sites, including your own, check incoming mail headers against the published
SPF policy, and can reject or tag suspect email that fails the SPF test.
There are other issues this raises, however, mostly with email forwarding
through your domain of mail that originated on other domains. The above
website has links to tools that will help solve the forwarding issues.

--
Garen

Re: how to cope with SA spoofed from addresses?

on 03.07.2007 22:54:14 by Alan Clifford

On Tue, 3 Jul 2007, olafmol wrote:

o> Hello,
o>
o> We have SA set up so it whitelists mail from our own domain. Sometimes
o> I see mail coming in that has a spoofed from-address that is set to
o> our own domain and to an existing email address on our domain (i.e.
o> from=to, both: myuser@mydomain.com). These emails are then seen as
o> whitelisted and thus don't score as spam. How can we set up SA to cope
o> with this?
o>
o> Olaf
o>
o>

Don't whitelist your own domain and certainly not your own domain in the
from: header. Spam Assassin checks for spam, whether it comes from your
domain or outside, so your own domain might actually be a valid spam
indicator if you are receiving lots of spoof mail. So you have broken
Spam Assassin!

Just leave it alone and let it do its stuff without adding, if I might
be a tad critical, badly thought out extra rules.

--
Alan

( If replying by mail, please note that all "sardines" are canned.
However, unless this is a very old message, a "tuna" will swim right
through. )