Extended FROM header field check

Extended FROM header field check

Postby Jodrik » Thu Jan 24, 2013 9:04 am

My suggestions are the following;

- A check or means of checking wether the FROM being given in the actual email header is equal to the from given in the MAIL FROM when the email was send.
- A check using SPF to see if the FROM being given in the actual email header is SPF qualified.
- A check to block external mailservers (except a whitelist) from setting a FROM in the header which is local on the mailserver. :!: most important

All these option should give a block or SPAM Flag option if possible.

Adding these features will fastly reduce the amount of SPAM we get on a daily basis on our servers. Could you please take the time to implement these changes in the next update?
Jodrik
 
Posts: 40
Joined: Wed Sep 19, 2007 8:39 am
Location: Netherlands

Re: Extended FROM header field check

Postby Code Crafters » Tue Jan 29, 2013 8:25 pm

We used to have a SPAM filter that checked the From header against the SMTP sender but it didn't work very well as it had a lot of false positives. As for SPF and the Sender Domain Check (from AMS local email addresses) that you mentioned, obviously these are already available on the SMTP sender but not on the mail header From. You can of course use content filtering to build up complex rules against header fields which is the main reason SPAM filters focus on the SMTP sender / recipients which is the addresses actually used for delivery of the email. However, I'll forward your suggestions.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Extended FROM header field check

Postby Jodrik » Wed Jan 30, 2013 9:27 am

Hello Chris,

Problem is the following; If a mail gets delivered using a MAIL FROM which is a valid SPF record (or none in most spammers cases) and then the FROM itself is set differently during mail transaction this creates alot of "issues" with our end users who don't understand the deeper workings of mail. Blocking this option to be changed would possibly cause some false positives but these would only be caused to domains that we locally use so we should be able to make exceptions for that. I will attempt to make a CONTENT filter rule for this aswell.
Jodrik
 
Posts: 40
Joined: Wed Sep 19, 2007 8:39 am
Location: Netherlands

Re: Extended FROM header field check

Postby Code Crafters » Sat Feb 02, 2013 8:25 pm

Like I said there are SPAM filters to help but content filters can do more custom filters that you need. SPF only allows users sending from a domain if the sending IP is on the SPF record which means that generally only mail servers for that domain and not any SPAMers can send from that domain if you enable SPF SPAM filters. Sender domain check is also good for your local domains. If you need advice with setting up content filters let me know as these are powerful but sometimes tricky to configure.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Extended FROM header field check

Postby Jodrik » Wed Feb 13, 2013 12:00 pm

I have already both SPF and Sender Domain Check enabled and fully configured.

I tried adding a rule which is

1 - NOT SMTP sender matches "####HEADERFROMADDRESS####" > Set SPAM Flag

This may have been a bit to "hardcore" as it created -alot- of false positives. I'm thinking this may have to do with the fact that stuff like: MAIL FROM: user@example.com and then giving a header which lists: User Fubar <user@example.com" may cause this to fail. Can you confirm this? Perhaps a 'contains' instead of 'matches' could proof more acurate?
Jodrik
 
Posts: 40
Joined: Wed Sep 19, 2007 8:39 am
Location: Netherlands

Re: Extended FROM header field check

Postby Code Crafters » Wed Feb 13, 2013 5:28 pm

The trouble with that as you say is that the header field will never generally exactly match the SMTP sender as they'll be something like:

SMTP Sender:
user@domain.com

From Header:
Some User <user@domain.com>

Try this instead:

1 - From <Header Line Matches> with String Does Not Contain "####FROMADDRESS####" (Case sensitive not ticked) > Set SPAM Flag
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm


Return to Suggestions

Who is online

Users browsing this forum: No registered users and 1 guest

cron