Koozali.org: home of the SME Server

Blocking email addresses that don't match names.

brainamess
Blocking email addresses that don't match names.
« on: October 25, 2019, 08:02:18 PM »
I am not sure if there is a simple way to do this but if I can do this on the server side it may be cool.

I have two employees getting a lot of spam between them, from their own names but obviously not their email address.

Example:

User1 has the proper email of user1@mydomain.com

I get emails from totally bogus emails using user1's name.

Can I make some kind of filter that would say if user1's email is not user1@mydomain.com it's a fake email and drop it?

It's very difficult for me to find a pattern to use to block them because they are so similar to the real emails they would get with invoices and such. So blocking by pattern blocks valid emails.

I am sure I am not thinking big enough here. Any input is great input!

Happy Friday!

Jean-Philippe Pialasse
Re: Blocking email addresses that don't match names.
« Reply #1 on: October 25, 2019, 10:01:02 PM »
Example of bogus email?

Qmail is designed to be able to receive variations around a main email to the user mailbox.

One way is by using the pseudonyms. Easy to remove the unnecessary ones.

Another is by interpreting special characters inside the email like +.
If those emails are of this kind, this will be harder to refuse them at connection.
However there will still be the solution to filter them to trash or junk using maildrop or procmail.

brainamess
Re: Blocking email addresses that don't match names.
« Reply #2 on: October 25, 2019, 10:03:36 PM »
The emails are as simple as this, with the siewhui@mpartnerspl.com always changing.

-------- Original message --------
From: Andrew Disarro <siewhui@mpartnerspl.com>
Date: 2019-10-25 2:31 p.m. (GMT-05:00)
To: sandra.england@everypointhudson.com
Subject: Your invoice and reports are available for account for viewing

Good Morning,

Need to know where to charge this invoice.

THX,

Andrew Disarro
EMAIL:andrew.disarro@everypoint.ca


Fumetto
Re: Blocking email addresses that don't match names.
« Reply #3 on: October 25, 2019, 10:16:32 PM »
From here: "For your information, pseudonyms of "firstname.lastname" and "firstname_lastname" are automatically created for each account".

If you have username "jonbonjovi" with firstname "jon" and lastname "jovi" you have 3 email/pseudonyms:
jonbonjovi@
jon.jovi@
jon_jovi@

Could this be the case?

brainamess
Re: Blocking email addresses that don't match names.
« Reply #4 on: October 25, 2019, 10:29:16 PM »
Quote from: Fumetto on October 25, 2019, 10:16:32 PM
From here: "For your information, pseudonyms of "firstname.lastname" and "firstname_lastname" are automatically created for each account".

If you have username "jonbonjovi" with firstname "jon" and lastname "jovi" you have 3 email/pseudonyms:
jonbonjovi@
jon.jovi@
jon_jovi@

Could this be the case?

Let's work with Andrew:

Andrew's actual email is andrew.disarro; adisarro; andrew_disarro @mydomain (we have 4 domains here)

So yes there are pseudonyms... I am just not seeing how this could be where my issue is.

But we only have 4 domains, so if a spoof email is just using our man's name (Andrew Disarro) but showing a totally different domain sending it, can I do anything about it?

mmccarn
Re: Blocking email addresses that don't match names.
« Reply #5 on: October 26, 2019, 03:02:45 AM »
We get (some) emails like this at work -

To: CEO
From: VP Finance (fake-email@gmail.com)
...

"fake-email@gmail.com" is a *real* email address from a *real* email service provider -- so spam filters can't help.

Unless you have hired the only Andrew Disarro on the planet, you are asking your mail server to realize based on the content of the email that someone is pretending to be Andrew but is using a different email address.  Tricky.

An increasing number of the orgs we communicate with at work insert an unmistakable warning at the top of the email body.  Here are two examples I saw today - both appear just below the Subject and above the original email.

This message originated from OUTSIDE the XXXX network. Stop and think before clicking a link or opening attachments.

[Caution External E-Mail] (highlighted in yellow)

(Sadly, I don't know how they are doing this...)

Jean-Philippe Pialasse
Re: Blocking email addresses that don't match names.
« Reply #6 on: October 26, 2019, 02:13:11 PM »
Quote from: brainamess on October 25, 2019, 10:29:16 PM
Let's work with Andrew:

Andrew's actual email is andrew.disarro; adisarro; andrew_disarro @mydomain (we have 4 domains here)

So yes there are pseudonyms... I am just not seeing how this could be where my issue is.

But we only have 4 domains, so if a spoof email is just using our man's name (Andrew Disarro) but showing a totally different domain sending it, can I do anything about it?

Ok, the issue is with spoofing in the From email address.

Misunderstanding there.

Unfortunately you cannot do anything directly on the sender.
Let me explain. You have user adisarro@mydomain.com
Yes, most probably adisarro@yopmail.com is phishing. But it is probable that your user could have someone with the same name, unless having a very very unique name, in another legitimate company, and if you filter them out you might miss legitimate mail.

What you can do: enforce more spam filters, uribl, dnsbl, rhbl, clamav filtering, use of unofficial clamav db, check of dkim, check of early talker, geoip filter on really improbable countries you are not working with....
And finally manual spam learning using bayes, by moving known spam to a learn folder with the spamlearn contrib.

Greylisting could also help unless they spoof a legitimate server to send their junk


mmccarn
Re: Blocking email addresses that don't match names.
« Reply #7 on: October 26, 2019, 04:15:01 PM »
Quote from: Jean-Philippe Pialasse on October 26, 2019, 02:13:11 PM
What you can do: enforce more spam filters, uribl, dnsbl, rhbl, clamav filtering, use of unofficial clamav db, check of dkim, check of early talker, geoip filter on really improbable countries you are not working with....
And finally manual spam learning using bayes, by moving known spam to a learn folder with the spamlearn contrib.

Greylisting could also help unless they spoof a legitimate server to send their junk

We get quite a bit of what SANS calls "CEO Fraud", but which more generally I would call "fake coworker" email that will not be blocked by any of these.

*Some* of the "fake coworker" emails we receive come from compromised mail servers - an attacker relays an email through a 3rd party mail server that is poorly configured, or where they have obtained a user's credentials.  These mail servers will eventually appear on a block list (probably)  -- but greylisting won't help since they are all "real" mail servers.

More of the "fake coworker" email that I see is coming from real gmail, outlook.com or yahoo.com email addresses - an attacker creates a real account, then configures an email client to use that service for SMTP relay using the name of one of your coworkers.  Or they may create a specific email account intended to spoof a specific coworker using the coworker's account name on a different mail server - for example, my coworker "beth lovely" has a personal email "beth@yahoo.com"; an attacker creates "beth@gmail.com" for "beth lovely".  I'm not aware of any spam filter technique that is going to catch these other than end-user training.

We became hyper-aware of this when a staffperson in our accounting department *almost* wired £25000 to an attacker.  The attack consisted of:
- an email from a real gmail account using the name of our President
- followed by a real-time email conversation between our staffperson and the "fake" gmail account
- followed (if I recall correctly) by an actual telephone conversation between the staffperson and the attacker.

Luckily, our staffperson followed procedure requiring further verification before doing any fund transfers...

brainamess
Re: Blocking email addresses that don't match names.
« Reply #8 on: October 28, 2019, 05:32:54 PM »
I appreciate all the input for this!

For one thing, at least I know I am not alone on this!

This has inspired me to write a document about good email etiquette for all the employees here. Hopefully they will read it when I am done!

Thank you everyone for the help.

ReetP
Re: Blocking email addresses that don't match names.
« Reply #9 on: October 29, 2019, 02:08:27 AM »
And as a result of all the issues with email... eg server to server security, end to end encryption (PGP anyone???), junk, etc etc etc... companies are moving to things like chat based systems... see Slack, Teams, Mattermost, Rocket.Chat etc.

Internally = no junk (because you have controlled access)

Good encryption, easy to handle attachments, mobile apps, can be federated to other systems, hooks/APIs to external systems like CRMs etc, web chat (+bots) clients etc etc.

I can see a future not so far away when email is as dead as fax.

Interesting times ahead.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Jean-Philippe Pialasse
Re: Blocking email addresses that don't match names.
« Reply #10 on: October 29, 2019, 04:38:11 PM »
An approach from my university: adding a header to all mails coming from outside.

Could be a tag in the subject.

ReetP
Re: Blocking email addresses that don't match names.
« Reply #11 on: October 30, 2019, 11:52:15 AM »
We have a situation ourselves.
A number of our suppliers belong to a group. The group offers them a mailing system, via mailgun.

The problem is the mailgun emails pass the filter headers we use to reject junk cleanly.

Of course the smart arses know this don't they..... grrrrrr.

Where it falls down is you can't filter with the headers that actually give the game away so it passes this lot:

dispatching EHLO do159-142.mailgun.net
(ehlo) helo: pass
(mail) resolvable_fromhost: pass, designmediaservice.com has MX at mx2.smak4www.com
sender_permitted_from: pass, designmediaservice.com: Sender is authorized

envelope-from="bounce+c3f563.7fcf54-user=ourdomain.co.uk@designmediaservice.com";


But here are the headers that tell us what we want to know - we want to block ones from printinggood:

Sender: no-reply=printinggood.co.uk@designmediaservice.com
Return-Path: no-reply@printinggood.co.uk
To: user@ourdomain.co.uk
From: PrintingGood <no-reply@printinggood.co.uk>
Reply-To: PrintingGood <help@printinggood.co.uk>



One answer may be another plugin.

I was having a look at this

https://github.com/smtpd/qpsmtpd/blob/master/plugins/badmailfromto

Quote
=head1 DESCRIPTION
Much like the similar badmailfrom, this plugin references both the
FROM: and TO: lines, and if they both are present in the badmailfromto
config file (a whitespace-delimited list of FROM/TO pairs), then the message is
blocked as if the recipient (TO) didn't exist.  This is specifically designed
to not give the impression that the sender is blocked (good for cases of
harassment).

I'll give it a test.
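As an added example, not the qpsmtpd plugin's own code, here is a Python sketch of the badmailfromto check described above, run against the envelope-from shown in the log excerpt and the printinggood.co.uk From: address; the pair list is constructed and the "@domain" wildcard is an assumption of this example, not something the plugin's POD promises.

```python
# Added example (not the qpsmtpd plugin's own code): a badmailfromto-style check.
# The config is a whitespace-delimited list of FROM/TO pairs, as the plugin's POD
# describes. The decision is taken on the SMTP envelope (MAIL FROM / RCPT TO),
# which is what a mail/rcpt-phase plugin sees; From:/Sender: header lines only
# arrive later, in DATA. Pair list and addresses are constructed from the thread.
BADMAILFROMTO = """
# FROM                          TO
no-reply@printinggood.co.uk     user@ourdomain.co.uk
@spam.example                   sales@ourdomain.co.uk
"""


def load_pairs(text):
    """Parse FROM/TO pairs; '#' starts a comment, blank or short lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # malformed line: ignore it rather than block everything
        pairs.append((fields[0].lower(), fields[1].lower()))
    return pairs


def from_matches(pattern, envelope_from):
    """A bare '@domain' entry matches any sender at that domain (an assumption of
    this example; check the plugin source for its exact matching rules)."""
    if pattern.startswith("@"):
        return envelope_from.endswith(pattern)
    return envelope_from == pattern


def check_rcpt(pairs, envelope_from, rcpt_to):
    """Return ('DENY', reason) when the FROM/TO pair is listed, else ('DECLINED', '').
    The plugin rejects as if the recipient did not exist, so the reason text
    deliberately says nothing about the sender being blocked."""
    envelope_from, rcpt_to = envelope_from.lower(), rcpt_to.lower()
    for frm, to in pairs:
        if from_matches(frm, envelope_from) and to == rcpt_to:
            return "DENY", f"mail to {rcpt_to} not accepted here"
    return "DECLINED", ""


# ReetP's capture: the envelope-from is the mailgun bounce address at
# designmediaservice.com, while printinggood.co.uk appears only in the
# From:/Reply-To:/Return-Path: headers, so an envelope-based pair never fires.
ENVELOPE_FROM = "bounce+c3f563.7fcf54-user=ourdomain.co.uk@designmediaservice.com"
HEADER_FROM = "no-reply@printinggood.co.uk"
RCPT = "user@ourdomain.co.uk"

if __name__ == "__main__":
    pairs = load_pairs(BADMAILFROMTO)
    print(check_rcpt(pairs, ENVELOPE_FROM, RCPT))  # ('DECLINED', '')
    print(check_rcpt(pairs, HEADER_FROM, RCPT))    # ('DENY', 'mail to ... not accepted here')
```

The second call only fires because the header address is fed in by hand; blocking on what From:/Reply-To: say needs a plugin that runs after DATA, not a badmailfromto pair.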

devtay
Re: Blocking email addresses that don't match names.
« Reply #12 on: December 06, 2019, 12:30:37 AM »
I'm having this problem a lot lately as well. My issue is the emails are all valid. There is nothing wrong with it or anything to filter. The problem is when my users open the email in M$ Outlook they see a name they trust and don't bother to read the email address; spoofed display name.

Sometimes the email shows up with the Display Name of a known internal user. Sometimes the Display Name is from one of our customers. Never mind the body of the email is obviously bad and it's targeted to make the user open an attachment. The body can even include a copy of one of our emails. Somewhere someone is getting information to target us specifically.

I wonder if it's possible to modify the from in the email header for external email? Maybe run a regular expression on the from data and pull everything out but what is in the <>? This would make Outlook show the email address and not someone that a user might know. Does this sound feasible? Any potential problems with this approach?
You can't stop what's coming. It ain't all waiting on you.
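The three server-side ideas in this thread, devtay's From: rewrite (reply #12), Jean-Philippe's header for outside mail (reply #10) and mmccarn's warning banner (reply #5), as one added Python example that is not SME Server, qpsmtpd or any poster's code; the internal domain and staff names in it are constructed, and in practice they would come from the server's account list.

```python
# Added example (not SME Server or qpsmtpd code) combining three ideas from the
# thread: flag a From: whose display name is an internal person but whose address
# is not on one of our domains (devtay, reply #12), and mark mail from outside with
# a header and a subject tag (Jean-Philippe, reply #10; mmccarn, reply #5).
# Domains and staff names below are constructed from the thread's examples.
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.policy import default
from email.utils import formataddr, parseaddr

INTERNAL_DOMAINS = {"mydomain.com"}                    # the OP has 4; one is enough here
INTERNAL_NAMES = {"andrew disarro", "sandra england"}  # constructed staff list
TAG = "[EXTERNAL]"


def _norm(name):
    """Lower-case, letters only: 'Andrew  DISARRO' and 'andrew.disarro' compare equal."""
    return re.sub(r"[^a-z]+", " ", name.lower()).strip()


def classify_from(from_header):
    """Decode RFC 2047 words, split name/address, and say whether the address is
    external and whether its display name impersonates an internal person."""
    decoded = str(make_header(decode_header(from_header)))
    name, addr = parseaddr(decoded)
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    return {"name": name, "addr": addr, "external": external,
            "name_spoof": external and _norm(name) in INTERNAL_NAMES}


def rewrite_from(from_header):
    """devtay's idea: for external mail keep only what is inside <>, so the client
    shows the real address instead of a trusted-looking name."""
    info = classify_from(from_header)
    return from_header if not info["external"] else formataddr(("", info["addr"]))


def tag_external(raw_message):
    """Add an X-External-Mail header and a subject tag to mail from outside;
    internal mail is returned unchanged."""
    msg = message_from_string(raw_message, policy=default)
    info = classify_from(str(msg["From"] or ""))
    if not info["external"]:
        return raw_message
    msg["X-External-Mail"] = "yes"
    if info["name_spoof"]:
        msg["X-Display-Name-Spoof"] = info["name"]
    subject = str(msg["Subject"] or "")
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    return msg.as_string()
```

Hooked into a delivery filter such as procmail or maildrop, tag_external would give users the visible cue mmccarn describes, while rewrite_from is the more drastic option devtay asks about and does change what legitimate external senders look like.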

janet
Re: Blocking email addresses that don't match names.
« Reply #13 on: December 06, 2019, 07:23:44 AM »
devtay

Do you have RBL & SBL lists enabled in order to block email coming from mail server sources that are known spam senders? This will potentially block those "fake" senders.

Also, if practical for you, I find blocking virtually ALL email attachment types, especially zip (in server manager), is also a very effective way of blocking spam emails.

The above methods work best on an SME server that is in server/gateway mode, rather than server only mode.

See the email Howto for db setting details
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Jean-Philippe Pialasse
Re: Blocking email addresses that don't match names.
« Reply #14 on: December 06, 2019, 07:59:01 AM »
The issue is not RBL.

The issue is exploitation of the way the mail client will print to the user the content of the From: field.


https://www.mailsploit.com/index