Koozali.org: home of the SME Server

Blocking emails address' that don't match names.

Offline brainamess

Blocking emails address' that don't match names.
« on: October 25, 2019, 08:02:18 PM »
I am not sure if there is a simple way to do this but if I can do this on the server side it may be cool.

I have two employees getting a lot of spam between them, from their own names but obviously not their email addresses.

Example:

User1 has the proper email of user1@mydomain.com

I get emails from totally bogus emails using user1's name.

Can I make some kind of filter that would say if user1's email is not user1@mydomain.com it's a fake email and drop it?

It's very difficult for me to find a pattern to use to block them because they are so similar to the real emails they would get with invoices and such. So blocking by pattern blocks valid emails.

I am sure I am not thinking big enough here. Any input is great input!

Happy Friday!

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Blocking emails address' that don't match names.
« Reply #1 on: October 25, 2019, 10:01:02 PM »
Example of bogus email?

Qmail is designed to be able to receive variations around a main email to the user mailbox.

One way is by using the pseudonyms. Easy to remove the unnecessary ones.

Another is by interpreting special characters inside the email like +.
If those emails are of this kind, this will be harder to refuse them at connection.
However, there will still be the solution to filter them to trash or junk using maildrop or procmail.

Offline brainamess

Re: Blocking emails address' that don't match names.
« Reply #2 on: October 25, 2019, 10:03:36 PM »
The emails are as simple as this. With the siewhui@mpartnerspl.com always changing.


-------- Original message --------
From: Andrew Disarro <siewhui@mpartnerspl.com>
Date: 2019-10-25 2:31 p.m. (GMT-05:00)
To: sandra.england@everypointhudson.com
Subject: Your invoice and reports are available for  account for viewing

Good Morning,


Need to know where to charge this invoice.


THX,



Andrew Disarro
EMAIL:andrew.disarro@everypoint.ca|


Offline Fumetto

Re: Blocking emails address' that don't match names.
« Reply #3 on: October 25, 2019, 10:16:32 PM »
From here: "For your information, pseudonyms of "firstname.lastname" and "firstname_lastname" are automatically created for each account".

If you have username "jonbonjovi" with firstname "jon" and lastname "jovi" you have 3 emails/pseudonyms:
jonbonjovi@
jon.jovi@
jon_jovi@

Can this be the case?

Offline brainamess

Re: Blocking emails address' that don't match names.
« Reply #4 on: October 25, 2019, 10:29:16 PM »
From here: "For your information, pseudonyms of "firstname.lastname" and "firstname_lastname" are automatically created for each account".

If you have username "jonbonjovi" with firstname "jon" and lastname "jovi" you have 3 emails/pseudonyms:
jonbonjovi@
jon.jovi@
jon_jovi@

Can this be the case?

Let's work with Andrew:

Andrew's actual email is andrew.disarro; adisarro; andrew_disarro @mydomain (we have 4 domains here)

So yes there are pseudonyms... I am just not seeing how this could be where my issue is.

But we only have 4 domains, so if a spoof email is just using our man's name (Andrew Disarro) but showing a totally different domain sending it, can I do anything about it?

Offline mmccarn

Re: Blocking emails address' that don't match names.
« Reply #5 on: October 26, 2019, 03:02:45 AM »
We get (some) emails like this at work -

To: CEO
From: VP Finance (fake-email@gmail.com)
...

"fake-email@gmail.com" is a *real* email address from a *real* email service provider -- so spam filters can't help.

Unless you have hired the only Andrew Disarro on the planet, you are asking your mail server to realize based on the content of the email that someone is pretending to be Andrew but is using a different email address.  Tricky.

An increasing number of the orgs we communicate with at work insert an unmistakable warning at the top of the email body.  Here are two examples I saw today - both appear just below the Subject and above the original email.

This message originated from OUTSIDE the XXXX network. Stop and think before clicking a link or opening attachments.



[Caution External E-Mail] (highlighted in yellow)

(Sadly, I don't know how they are doing this...)

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Blocking emails address' that don't match names.
« Reply #6 on: October 26, 2019, 02:13:11 PM »
Let's work with Andrew:

Andrew's actual email is andrew.disarro; adisarro; andrew_disarro @mydomain (we have 4 domains here)

So yes there are pseudonyms... I am just not seeing how this could be where my issue is.

But we only have 4 domains, so if a spoof email is just using our man's name (Andrew Disarro) but showing a totally different domain sending it, can I do anything about it?

OK, the issue is with spoofing in the From email address.

Misunderstanding there.

Unfortunately you can not do anything directly on the sender.
Let me explain. You have user adisarro@mydomain.com
Yes, the most probable is that adisarro@yopmail.com is a phishing attempt. But it is probable that your user could have someone with the same name, unless having a very very unique name, in another legitimate company, and if you filter them out you might miss legitimate mail.

What you can do: enforce more spam filters, uribl, dnsbl, rhbl, clamav filtering, use of unofficial clamav db, check of dkim, check of early talker, geoip filter on really improbable countries you are not working with....
And finally manual spam learning using bayes, by moving known spam to a learn folder with the spamlearn contrib.

Greylisting could also help unless they spoof a legitimate server to send their junk.


Offline mmccarn

Re: Blocking emails address' that don't match names.
« Reply #7 on: October 26, 2019, 04:15:01 PM »
What you can do: enforce more spam filters, uribl, dnsbl, rhbl, clamav filtering, use of unofficial clamav db, check of dkim, check of early talker, geoip filter on really improbable countries you are not working with....
And finally manual spam learning using bayes, by moving known spam to a learn folder with the spamlearn contrib.

Greylisting could also help unless they spoof a legitimate server to send their junk.

We get quite a bit of what SANS calls "CEO Fraud", but which more generally I would call "fake coworker" email that will not be blocked by any of these.

*Some* of the "fake coworker" emails we receive come from compromised mail servers - an attacker relays an email through a 3rd party mail server that is poorly configured, or where they have obtained a user's credentials.  These mail servers will eventually appear on a block list (probably)  -- but greylisting won't help since they are all "real" mail servers.

More of the "fake coworker" email that I see is coming from real gmail, outlook.com or yahoo.com email addresses - an attacker creates a real account, then configures an email client to use that service for SMTP relay using the name of one of your coworkers.  Or they may create a specific email account intended to spoof a specific coworker using the coworker's account name on a different mail server - for example, my coworker "beth lovely" has a personal email "beth@yahoo.com"; an attacker creates "beth@gmail.com" for "beth lovely".  I'm not aware of any spam filter technique that is going to catch these other than end-user training.

We became hyper-aware of this when a staffperson in our accounting department *almost* wired £25000 to an attacker.  The attack consisted of:
- an email from a real gmail account using the name of our President
- followed by a real-time email conversation between our staffperson and the "fake" gmail account
- followed (if I recall correctly) by an actual telephone conversation between the staffperson and the attacker.

Luckily, our staffperson followed procedure requiring further verification before doing any fund transfers...

Offline brainamess

Re: Blocking emails address' that don't match names.
« Reply #8 on: October 28, 2019, 05:32:54 PM »
I appreciate all the input for this!

For one thing, at least I know I am not alone on this!

This has inspired me to write a document about good email etiquette for all the employees here. Hopefully they will read it when I am done!

Thank you everyone for the help.

Offline ReetP

Re: Blocking emails address' that don't match names.
« Reply #9 on: October 29, 2019, 02:08:27 AM »
And as a result of all the issues with email... eg server to server security, end to end encryption (PGP anyone???), junk, etc etc etc... companies are moving to things like chat based systems... see Slack, Teams, Mattermost, Rocket.Chat etc.

Internally = no junk (because you have controlled access)

Good encryption, easy to handle attachments, mobile apps, can be federated to other systems, hooks/APIs to external systems like CRMs etc, web chat (+bots) clients etc etc.

I can see a future not so far away when email is as dead as fax.

Interesting times ahead.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Blocking emails address' that don't match names.
« Reply #10 on: October 29, 2019, 04:38:11 PM »
An approach from my university: adding a header to all mails coming from outside.

Could be a tag in the subject.

Offline ReetP

Re: Blocking emails address' that don't match names.
« Reply #11 on: October 30, 2019, 11:52:15 AM »
We have a situation ourselves.
A number of our suppliers belong to a group. The group offers them a mailing system, via mailgun.

The problem is the mailgun emails pass the filter headers we use to reject junk cleanly.

Of course the smart arses know this don't they..... grrrrrr.

Where it falls down is you can't filter with the headers that actually give the game away so it passes this lot:

dispatching EHLO do159-142.mailgun.net
(ehlo) helo: pass
(mail) resolvable_fromhost: pass, designmediaservice.com has MX at mx2.smak4www.com
sender_permitted_from: pass, designmediaservice.com: Sender is authorized

envelope-from="bounce+c3f563.7fcf54-user=ourdomain.co.uk@designmediaservice.com";


But here are the headers that tell us what we want to know - we want to block ones from printinggood:

Sender: no-reply=printinggood.co.uk@designmediaservice.com
Return-Path: no-reply@printinggood.co.uk
To: user@ourdomain.co.uk
From: PrintingGood <no-reply@printinggood.co.uk>
Reply-To: PrintingGood <help@printinggood.co.uk>



One answer may be another plugin.

I was having a look at this

https://github.com/smtpd/qpsmtpd/blob/master/plugins/badmailfromto

Quote
=head1 DESCRIPTION
Much like the similar badmailfrom, this plugin references both the
FROM: and TO: lines, and if they both are present in the badmailfromto
config file (a whitespace-delimited list of FROM/TO pairs), then the message is
blocked as if the recipient (TO) didn't exist.  This is specifically designed
to not give the impression that the sender is blocked (good for cases of
harassment).

I'll give it a test.
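As an added illustration (not ReetP's code and not the qpsmtpd badmailfromto plugin itself) of the FROM/TO pair check the plugin's description gives, and of why the check has to look at the headers ReetP lists rather than the envelope: a Python version that loads a constructed whitespace-delimited pair file, checks the envelope sender and recipient the way the description reads, and, as this example's own extension, also checks the From, Sender, Return-Path and Reply-To headers. The sample message and envelope addresses are constructed from the headers ReetP posted; the `@domain` wildcard and the `reject-unknown-recipient` verdict string are assumptions of this example, not documented plugin behaviour.

```python
import email
from email.utils import parseaddr

# Constructed sample modelled on the headers ReetP posted: the envelope
# sender is a mailgun bounce address that passes SPF, while the From,
# Sender, Return-Path and Reply-To headers name the real origin.
RAW_MESSAGE = """\
Sender: no-reply=printinggood.co.uk@designmediaservice.com
Return-Path: no-reply@printinggood.co.uk
To: user@ourdomain.co.uk
From: PrintingGood <no-reply@printinggood.co.uk>
Reply-To: PrintingGood <help@printinggood.co.uk>
Subject: constructed sample

body
"""
ENVELOPE_FROM = "bounce+c3f563.7fcf54-user=ourdomain.co.uk@designmediaservice.com"
ENVELOPE_TO = "user@ourdomain.co.uk"

# Constructed config in the whitespace-delimited FROM TO pair format the
# plugin description mentions. "@domain" matching every address in that
# domain is an assumption of this example.
BADMAILFROMTO_CONFIG = """\
# from                          to
@printinggood.co.uk             user@ourdomain.co.uk
sales@example.net               boss@ourdomain.co.uk
"""

def load_pairs(text):
    """Parse FROM/TO pairs, ignoring blank lines and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        frm, to = line.split()
        pairs.append((frm.lower(), to.lower()))
    return pairs

def address_matches(pattern, address):
    """Exact address match, or domain match for a pattern starting with @."""
    address = address.lower()
    if pattern.startswith("@"):
        return address.endswith(pattern)
    return address == pattern

def envelope_match(pairs, env_from, env_to):
    """The check as the plugin description reads: MAIL FROM / RCPT TO pairs."""
    return any(address_matches(f, env_from) and address_matches(t, env_to)
               for f, t in pairs)

def header_match(pairs, raw, env_to):
    """This example's extension: apply the same pairs to the sender-side
    headers, which is where ReetP's sample names printinggood."""
    msg = email.message_from_string(raw)
    candidates = set()
    for header in ("From", "Sender", "Return-Path", "Reply-To"):
        for value in msg.get_all(header, []):
            addr = parseaddr(value)[1]
            if addr:
                candidates.add(addr)
    return any(address_matches(f, c) and address_matches(t, env_to)
               for f, t in pairs for c in candidates)

def verdict(pairs, raw, env_from, env_to):
    """Mimic the documented behaviour: a matching pair is refused as if the
    recipient did not exist, so the sender learns nothing about the block."""
    if envelope_match(pairs, env_from, env_to) or header_match(pairs, raw, env_to):
        return "reject-unknown-recipient"
    return "accept"
```

On that sample the envelope check finds nothing (the MAIL FROM is the mailgun bounce address on designmediaservice.com, which is exactly why SPF passes), while the header check matches `@printinggood.co.uk` against the From and Return-Path headers. That is the distinction ReetP draws between the headers that pass the filter and the ones that give the game away: a pair check run at the envelope stage alone would let this message through.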

Offline devtay

Re: Blocking emails address' that don't match names.
« Reply #12 on: December 06, 2019, 12:30:37 AM »
I'm having this problem a lot lately as well. My issue is the emails are all valid. There is nothing wrong with it or anything to filter. The problem is when my users open the email in M$ Outlook they see a name they trust and don't bother to read the email address; spoofed display name.

Sometimes the email shows up with the Display Name of a known internal user. Sometimes the Display Name is from one of our customers. Never mind the body of the email is obviously bad and it's targeted to make the user open an attachment. The body can even include a copy of one of our emails. Somewhere someone is getting information to target us specifically.

I wonder if it's possible to modify the from in the email header for external email? Maybe run a regular expression on the from data and pull everything out but what is in the <>? This would make Outlook show the email address and not someone that a user might know. Does this sound feasible? Any potential problems with this approach?
You can't stop what's coming. It ain't all waiting on you.

Offline janet

Re: Blocking emails address' that don't match names.
« Reply #13 on: December 06, 2019, 07:23:44 AM »
devtay

Do you have RBL & SBL lists enabled in order to block email coming from mail server sources that are known spam senders? This will potentially block those "fake" senders.

Also if practical for you, I find blocking virtually ALL email attachment types especially zip (in server manager) is also a very effective way of blocking spam emails.

The above methods work best on a sme server that is in server/gateway mode, rather than server only mode.

See the email Howto for db setting details
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Blocking emails address' that don't match names.
« Reply #14 on: December 06, 2019, 07:59:01 AM »
The issue is not RBL.

The issue is an exploit of the way the mail client will print the content of the From: field to the user.


https://www.mailsploit.com/index

Offline devtay

Re: Blocking emails address' that don't match names.
« Reply #15 on: December 06, 2019, 07:39:13 PM »
Yes. We are using rbl but not sbl. The sbl lists are too aggressive and legit email gets blocked.

RBLList=zen.spamhaus.org,b.barracudacentral.org,bl.spamcop.net
RHSBL=enabled

For the particular email I'm trying to kill now, I even changed the spamcop rule weight in an effort to push it over my spam threshold of 4. Tricky little suckers just changed where they sent the email from. Here is my header info:

* -0.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*      [score: 0.0000]
*  1.4 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
* -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,
*      medium trust
*      [66.228.55.240 listed in list.dnswl.org]
*  3.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see <https://www.spamcop.net/bl.shtml?190.148.209.148>]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*       domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid

I can't block the normal type attachments (pdf, word doc, excel, etc); we use them in day to day business. I haven't had much luck with the attachment filtering anyway. I did the instructions to block .rtf .img and .iso and it doesn't work. I've also tried attachment filtering with the hash. When I run the commands to get the hash it comes out all A's for the .iso filtering. I digress though. I've spent so much time on this to no avail I tend to run on about it. Sorry.

devtay

Do you have RBL & SBL lists enabled in order to block email coming from mail server sources that are known spam senders? This will potentially block those "fake" senders.

Also if practical for you, I find blocking virtually ALL email attachment types especially zip (in server manager) is also a very effective way of blocking spam emails.

The above methods work best on a sme server that is in server/gateway mode, rather than server only mode.

See the email Howto for db setting details
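To see why changing one rule's weight did not push this message over the threshold, here is an added Python example (not devtay's code and nothing shipped with SME Server) that parses a SpamAssassin rule report of the kind pasted above, sums the scores and reports which rule is holding the total down. The report is embedded as a constructed sample copied from the post, the threshold of 4 is the one devtay mentions, and `parse_report`, `total_score` and `explain` are this example's own names.

```python
import re

# Constructed sample: the SpamAssassin rule report devtay posted, one rule per
# "* <score> <RULE> ..." line, with indented continuation lines.
SA_REPORT = """\
* -0.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*      [score: 0.0000]
*  1.4 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
* -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,
*      medium trust
*      [66.228.55.240 listed in list.dnswl.org]
*  3.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see <https://www.spamcop.net/bl.shtml?190.148.209.148>]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*       domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
"""

# A rule line starts with "*", a signed decimal score and an upper-case rule name.
RULE_LINE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s*(.*)$")

def parse_report(report):
    """Return a list of (rule, score, description) tuples. Continuation lines
    (a "*" with no score) are appended to the previous rule's description."""
    rules = []
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append([m.group(2), float(m.group(1)), m.group(3).strip()])
        elif rules and line.startswith("*"):
            rules[-1][2] += " " + line.lstrip("* ").strip()
    return [tuple(r) for r in rules]

def total_score(rules):
    """Sum of all rule scores, rounded the way SpamAssassin reports it."""
    return round(sum(score for _, score, _ in rules), 1)

def explain(rules, threshold):
    """Compare the total with the site threshold and name the rules that
    dominate the result on each side."""
    total = total_score(rules)
    negative = sorted((r for r in rules if r[1] < 0), key=lambda r: r[1])
    positive = sorted((r for r in rules if r[1] > 0), key=lambda r: -r[1])
    return {
        "total": total,
        "verdict": "spam" if total >= threshold else "ham",
        "shortfall": round(threshold - total, 1) if total < threshold else 0.0,
        "biggest_positive": positive[0][0] if positive else None,
        "biggest_negative": negative[0][0] if negative else None,
        # What the same message would score without its largest negative rule.
        "without_negative": round(total - negative[0][1], 1) if negative else total,
    }
```

Against the sample the total comes to 1.8, which is 2.2 short of the threshold. The 3.3 from bl.spamcop.net is almost entirely cancelled by the -2.3 that RCVD_IN_DNSWL_MED awards because the relay 66.228.55.240 is listed at dnswl.org; without that negative rule the same message would score 4.1. So the lever here is the trust given to the relay rather than the spamcop weight, which fits mmccarn's earlier observation that some of this mail arrives through real, well-regarded mail servers.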

Offline devtay

Re: Blocking emails address' that don't match names.
« Reply #16 on: December 06, 2019, 07:40:02 PM »
Correct. My understanding of the situation as well. That's why I was thinking if I could eliminate everything except for a proper email address in the From field, the users would be less likely to open it. Seeing adfasgasd@163.com.vn would make them less likely to open the email than seeing a name they know.

The issue is not RBL.

The issue is an exploit of the way the mail client will print the content of the From: field to the user.


https://www.mailsploit.com/index
« Last Edit: December 06, 2019, 07:42:33 PM by devtay »

Offline janet

Re: Blocking emails address' that don't match names.
« Reply #17 on: December 07, 2019, 09:18:15 AM »
Jean-Philippe Pialasse

Yeah I understand that,  but if the mail is coming from a "bad" source, then RBL etc should block it, whether a fake From is used or not.

Even you mentioned RBLs earlier in this thread.

Offline janet

Re: Blocking emails address' that don't match names.
« Reply #18 on: December 08, 2019, 03:23:08 AM »
devtay

Quote
Yes. We are using rbl but not sbl. The sbl lists are too aggressive and legit email gets blocked.

RBLList=zen.spamhaus.org,b.barracudacentral.org,bl.spamcop.net
RHSBL=enabled

I personally find the bl.spamcop.net list too aggressive, spamhaus & barracudacentral are OK.

Re SBL lists, the default install settings are way too aggressive.
I find that the conservative list in the Email Howto is OK for me (ie not aggressive)
ie
A conservative setting for the associated DNSBL SBLList is:

config setprop qpsmtpd SBLList dbl.spamhaus.org
config setprop qpsmtpd RHSBL enabled
signal-event email-update


Quote
I can't block the normal type attachments (pdf, word doc, excel, etc) we use them in day to day business.

All the zip variants should be blocked in my opinion & experience, they are used by spammers.
You can set that in server manager without any coding needed.
Get your users to pack to the rar format, seems much less used by spammers.


Quote
I haven't had much luck with the attachment filtering anyways. I did the instructions to block .rtf .img and .iso and it doesn't work. I've also tried attachment filtering with the hash. When I run the commands to get the hash it comes out all A's for the .iso filtering.

I have followed posts here about this & also investigated extensively, it is hard to find common signatures for those formats, they change so much between sources of file creation, so yes I agree it is difficult for these types of attachments.

There is also another blocking list type that can be configured:

config setprop qpsmtpd UBLList rhsbl.sorbs.net
config setprop qpsmtpd URIBL enabled
signal-event email-update


Spam rejection is really a multi factored approach, so every little bit helps.

Can I ask, is your sme server in server & gateway mode with a bridged modem in front of it, or is it in server only mode with another firewall in front of it? (The former is better for spam rejection & the various mechanisms employed by sme server.)
I quote these comments from the Email Howto:

Server Only
Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address.

Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't, it limits the SMESERVER's ability to apply some rules

« Last Edit: December 08, 2019, 03:37:32 AM by janet »

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Blocking emails address' that don't match names.
« Reply #19 on: December 09, 2019, 01:24:48 AM »
Jean-Philippe Pialasse

Yeah I understand that,  but if the mail is coming from a "bad" source, then RBL etc should block it, whether a fake From is used or not.

Even you mentioned RBLs earlier in this thread.

I do not disagree with the fact they are useful for some kind of spam.

The issue here would be that a person sending an email using e.g. @gmail.com will not get caught by RBL.

Offline ReetP

Re: Blocking emails address' that don't match names.
« Reply #20 on: December 09, 2019, 01:07:41 PM »
An increasing number of the orgs we communicate with at work insert an unmistakable warning at the top of the email body.  Here are two examples I saw today - both appear just below the Subject and above the original email.

This message originated from OUTSIDE the XXXX network. Stop and think before clicking a link or opening attachments.


(Sadly, I don't know how they are doing this...)

https://www.reddit.com/r/sysadmin/comments/8m13g5/adding_warning_message_to_emails_originating/

I presume any mail going off their server that isn't going to a LOCAL address gets the message added.

I guess there must be a way of inserting it somehow.

Equally, does it really work?

https://www.reddit.com/r/sysadmin/comments/8m13g5/adding_warning_message_to_emails_originating/

Quote
Can confirm the users ignore after the first week. At least it's due diligence and we can show them they were warned on the exact email they got phished on.

So I am not sure it is worth the effort......

Using some GeoIP and blocklists and then whitelist the ones with badly configured mail servers is the best balance we have......

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Blocking emails address' that don't match names.
« Reply #21 on: December 09, 2019, 01:26:10 PM »
Modifying the body will break the dkim signature. And you might want to check it on the client to help alert the user. I do it myself with a thunderbird plugin.

As I said, I see that practice in my university. But on the other hand they do not allow the use of their own smtp when off campus, do not use dkim signing, and thus it is easy to impersonate a user.

Adding a string in the subject seems a better approach.

Also, creating a qpsmtpd plugin to filter out the content of the From to only show the email address without any obfuscation would be great. I might need some examples of bad mail to try to do something. If you have some, send them to security at koozali org.
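Pulling together the thread's own suggestions (brainamess's original question about a display name that does not match the address, mmccarn's external-mail banner, Jean-Philippe's subject tag, devtay's idea of stripping everything but the address from From, and Jean-Philippe's warning that rewriting breaks DKIM), here is an added Python example that is not code from the thread and not SME Server's qpsmtpd. It tags external mail in the subject, flags a From display name that matches an internal user or contains one of our own addresses, optionally rewrites From to the bare address, and reports when a rewritten header is named in a DKIM-Signature `h=` tag, since the signature will then no longer verify. `LOCAL_DOMAINS`, `INTERNAL_USERS`, `tag_external` and the sample message (modelled on the one brainamess quoted, with a placeholder DKIM signature) are all constructed for the example; the DKIM part only reads the `h=` tag, it does not verify the signature.

```python
import email
from email.utils import parseaddr

# Constructed site data: our own domains and a directory of internal users
# keyed by normalised display name (the thread mentions four domains; one is
# enough to show the check).
LOCAL_DOMAINS = {"mydomain.com"}
INTERNAL_USERS = {"andrew disarro": "andrew.disarro@mydomain.com"}

# Constructed sample modelled on the message brainamess quoted: an internal
# employee's display name on an outside address, with a DKIM signature whose
# h= tag covers From and Subject (bh= and b= are placeholders, not real values).
RAW_MESSAGE = """\
From: Andrew Disarro <siewhui@mpartnerspl.com>
To: sandra.england@mydomain.com
Subject: Your invoice and reports are available for account for viewing
DKIM-Signature: v=1; a=rsa-sha256; d=mpartnerspl.com; s=sel;
 h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER

Need to know where to charge this invoice.
"""

def normalise(name):
    """Lower-case, collapse whitespace, drop commas ("Disarro, Andrew")."""
    return " ".join(name.replace(",", " ").split()).lower()

def classify_from(from_header):
    """Return (address, domain, reason). reason is None when the From header
    raises no suspicion, otherwise a short text for the subject tag."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in LOCAL_DOMAINS:
        return addr, domain, None          # internal sender, SPF/DKIM guard this path
    if normalise(name) in INTERNAL_USERS:
        return addr, domain, "display name matches internal user"
    lname = name.lower()
    if any("@" + d in lname for d in LOCAL_DOMAINS):
        return addr, domain, "display name contains a local address"
    return addr, domain, None

def dkim_covers(msg, header):
    """True if any DKIM-Signature h= tag lists the header (no verification)."""
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in sig.replace("\r", "").replace("\n", "").split(";"):
            k, _, v = tag.strip().partition("=")
            if k.strip() == "h":
                if header.lower() in [h.strip().lower() for h in v.split(":")]:
                    return True
    return False

def set_header(msg, name, value):
    del msg[name]
    msg[name] = value

def tag_external(raw, rewrite_from=True):
    """Tag and optionally rewrite an inbound message; returns (message, actions)."""
    msg = email.message_from_string(raw)
    addr, domain, reason = classify_from(msg.get("From", ""))
    actions = []
    if domain in LOCAL_DOMAINS:
        return msg, actions                # not external, leave untouched
    prefix = "[EXTERNAL]" if reason is None else "[EXTERNAL - %s]" % reason
    set_header(msg, "Subject", "%s %s" % (prefix, msg.get("Subject", "")))
    actions.append("Subject tagged")
    if reason and rewrite_from:
        # Leave only the addr-spec so the client cannot show a borrowed name.
        set_header(msg, "From", addr)
        actions.append("From rewritten")
    for h in [a.split()[0] for a in actions]:
        if dkim_covers(msg, h):
            actions.append("DKIM signature no longer verifies (%s is signed)" % h)
    return msg, actions
```

The example tags and rewrites rather than rejects, in line with Jean-Philippe's point that a same-name sender at another company may be legitimate. Because Subject and From are normally both covered by the signature, run any DKIM verification before these rewrites and record its outcome (an Authentication-Results header is the usual place) rather than expecting the client to verify afterwards.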
