Koozali.org: home of the SME Server

Blocking emails address' that don't match names.

devtay
Re: Blocking emails address' that don't match names.
« Reply #15 on: December 06, 2019, 07:39:13 PM »
Yes. We are using rbl but not sbl. The sbl lists are too aggressive and legit email gets blocked.

RBLList=zen.spamhaus.org,b.barracudacentral.org,bl.spamcop.net
RHSBL=enabled

For the particular email I'm trying to kill now, I even changed the spamcop rule weight in an effort to push it over my spam threshold of 4. Tricky little suckers just changed where they sent the email from. Here is my header info:

* -0.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*      [score: 0.0000]
*  1.4 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
* -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,
*      medium trust
*      [66.228.55.240 listed in list.dnswl.org]
*  3.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see <https://www.spamcop.net/bl.shtml?190.148.209.148>]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*       domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid

I can't block the normal type attachments (pdf, Word doc, Excel, etc.); we use them in day-to-day business. I haven't had much luck with the attachment filtering anyway. I did the instructions to block .rtf, .img and .iso and it doesn't work. I've also tried attachment filtering with the hash. When I run the commands to get the hash it comes out all A's for the .iso filtering. I digress, though. I've spent so much time on this to no avail that I tend to run on about it. Sorry.

Quote
devtay

Do you have RBL & SBL lists enabled in order to block email coming from mail server sources that are known spam senders? This will potentially block those "fake" senders.

Also, if practical for you, I find blocking virtually ALL email attachment types, especially zip (in server manager), is also a very effective way of blocking spam emails.

The above methods work best on a sme server that is in server/gateway mode, rather than server only mode.

See the email Howto for db setting details
You can't stop what's coming. It ain't all waiting on you.
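How the report in the post above adds up, as an added worked example (editor's code, not SME Server's or SpamAssassin's). REPORT is the poster's report re-wrapped one rule per line, and THRESHOLD is the 4 the post mentions. The parser copes with the wrapped continuation lines, and the what-if at the end shows why the message got through: the 3.3 spamcop hit on 190.148.209.148 is cancelled by the -2.3 dnswl.org credit earned by the other relay, 66.228.55.240. Drop that credit and the same message scores 4.1, over the threshold.

```python
"""Parse a SpamAssassin rule report and add the per-rule scores up against
the site threshold.  Added example, not SME Server / SpamAssassin code.
REPORT is the report from the post, re-wrapped; THRESHOLD is the 4.0 the
poster mentions."""
import re

REPORT = """\
* -0.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*      [score: 0.0000]
*  1.4 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
* -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,
*      medium trust
*      [66.228.55.240 listed in list.dnswl.org]
*  3.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see <https://www.spamcop.net/bl.shtml?190.148.209.148>]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*       domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
"""
THRESHOLD = 4.0

# A rule line is "*", a signed score, the rule name, then its description.
# Any other "*" line is a wrapped continuation of the previous description.
RULE_RE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


def parse_report(text):
    """Return a list of (rule, score, description) in report order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(2), float(m.group(1)), m.group(3).strip()))
        elif rules and line.startswith("*"):
            rule, score, desc = rules[-1]
            rules[-1] = (rule, score, desc + " " + line.lstrip("* ").strip())
    return rules


def total_score(rules, ignore=()):
    """Sum the scores, optionally pretending some rules had not fired."""
    return round(sum(s for r, s, _ in rules if r not in ignore), 2)


def verdict(rules, threshold=THRESHOLD, ignore=()):
    """True when the message would be tagged as spam at this threshold."""
    return total_score(rules, ignore) >= threshold


if __name__ == "__main__":
    rules = parse_report(REPORT)
    print(f"{len(rules)} rules, total {total_score(rules)} (threshold {THRESHOLD})")
    # Negative scores are trust signals; the DNSWL credit is what offsets spamcop.
    print("credits:", [(r, s) for r, s, _ in rules if s < 0])
    print("spam as delivered:", verdict(rules))
    print("spam without the DNSWL credit:", verdict(rules, ignore={"RCVD_IN_DNSWL_MED"}))
```

Raising the spamcop weight, as the post tried, only works while the whitelisted relay is not in the path; the report shows the listing and the credit are earned by two different hops.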

devtay
Re: Blocking emails address' that don't match names.
« Reply #16 on: December 06, 2019, 07:40:02 PM »
Correct. My understanding of the situation as well. That's why I was thinking if I could eliminate everything except for a proper email address in the From field, the users would be less likely to open it. Seeing adfasgasd@163.com.vn would make them less likely to open the email than seeing a name they know.

Quote
the issue is not RBL

the issue is an exploit of the way the mail client prints the content of the From: field to the user


https://www.mailsploit.com/index
« Last Edit: December 06, 2019, 07:42:33 PM by devtay »

janet
Re: Blocking emails address' that don't match names.
« Reply #17 on: December 07, 2019, 09:18:15 AM »
Jean-Philippe Pialasse

Yeah I understand that, but if the mail is coming from a "bad" source, then RBL etc should block it, whether a fake From is used or not.

Even you mentioned RBLs earlier in this thread.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

janet
Re: Blocking emails address' that don't match names.
« Reply #18 on: December 08, 2019, 03:23:08 AM »
devtay

Quote
Yes. We are using rbl but not sbl. The sbl lists are too aggressive and legit email gets blocked.

RBLList=zen.spamhaus.org,b.barracudacentral.org,bl.spamcop.net
RHSBL=enabled

I personally find the bl.spamcop.net list too aggressive, spamhaus & barracudacentral are OK.

Re SBL lists, the default install settings are way too aggressive.
I find that the conservative list in the Email Howto is OK for me (ie not aggressive)
ie
A conservative setting for the associated DNSBL SBLList is:

config setprop qpsmtpd SBLList dbl.spamhaus.org
config setprop qpsmtpd RHSBL enabled
signal-event email-update


Quote
I can't block the normal type attachments (pdf, word doc, excel, etc) we use them in day to day business.

All the zip variants should be blocked in my opinion & experience, they are used by spammers.
You can set that in server manager without any coding needed.
Get your users to pack to the rar format, seems much less used by spammers.


Quote
I haven't had much luck with the attachment filtering anyways. I did the instructions to block .rtf .img and .iso and it doesn't work. I've also tried attachment filtering with the hash. When I run the commands to get the hash it comes out all A's for the .iso filtering.

I have followed posts here about this & also investigated extensively; it is hard to find common signatures for those formats, as they change so much between sources of file creation, so yes, I agree it is difficult for these types of attachments.

There is also another blocking list type that can be configured:

config setprop qpsmtpd UBLList rhsbl.sorbs.net
config setprop qpsmtpd URIBL enabled
signal-event email-update


Spam rejection is really a multi factored approach, so every little bit helps.

Can I ask is your sme server in server & gateway mode with a bridged modem in front of it, or is it in server only mode with another firewall in front of it (the former is better for spam rejection & various mechanisms employed by sme server).
I quote these comments from the Email Howto:

Server Only
Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address.

Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't, it limits the SMESERVER's ability to apply some rules

« Last Edit: December 08, 2019, 03:37:32 AM by janet »
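The three list types in the settings above differ in what they are asked about: RBLList zones are queried with the connecting IP, SBLList with RHSBL enabled is queried with the sender's domain, and UBLList with URIBL enabled is queried with the domains of URLs in the body. That is why a spammer sending through a big webmail provider can pass the first two and still be caught by the third. The example below is added here and is editor's code, not SME Server's or qpsmtpd's: the zone names come from the thread, but which zone serves which lookup, the stub DNS answers and the two sample messages are assumptions so that it runs offline. Swap a real resolver in for stub_resolve to use it.

```python
"""Name construction and answer interpretation for the three DNS-based
lists the qpsmtpd settings refer to, with a stub resolver so the example
runs offline.  Added example, not SME Server / qpsmtpd code."""
import ipaddress
import re

# Which zone answers which kind of question is an assumption for the demo:
# RBL zones are asked about the connecting IP, RHSBL zones about the
# envelope sender's domain, URIBL zones about domains in body URLs.
RBL_ZONES = ["zen.spamhaus.org", "b.barracudacentral.org"]
RHSBL_ZONES = ["dbl.spamhaus.org"]
URIBL_ZONES = ["dbl.spamhaus.org"]

# Constructed answers.  Listings come back as 127.0.0.0/8 A records;
# Spamhaus reports query errors (typo, open resolver, volume) as 127.255.255.x.
STUB_DNS = {
    "148.209.148.190.zen.spamhaus.org": ["127.0.0.4"],
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "bad-invoice.example.dbl.spamhaus.org": ["127.0.1.2"],
}


def stub_resolve(name):
    """Stand-in for a real A-record lookup; [] plays the role of NXDOMAIN."""
    return STUB_DNS.get(name, [])


def rbl_name(ip, zone):
    """Reverse the address the way DNSBLs expect: octets for IPv4, nibbles for IPv6."""
    rp = ipaddress.ip_address(ip).reverse_pointer  # e.g. 148.209.148.190.in-addr.arpa
    return rp.rsplit(".", 2)[0] + "." + zone


def rhsbl_name(domain, zone):
    """Domain-based lists (RHSBL and URIBL) are queried with the domain itself."""
    return domain.lower().rstrip(".") + "." + zone


URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def body_hosts(body):
    """Deduplicated, lowercased hostnames of the URLs in a body."""
    return sorted({h.lower().rstrip(".") for h in URL_HOST_RE.findall(body)})


LISTING = ipaddress.ip_network("127.0.0.0/8")
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")


def listed(answers):
    """True only for a listing code; an error code must not count as a hit."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    return any(a in LISTING and a not in ERROR_CODES for a in addrs)


def check_message(client_ip, sender_domain, body, resolve=stub_resolve):
    """Return the set of (list type, zone) pairs that list some part of the message."""
    hits = set()
    for zone in RBL_ZONES:
        if listed(resolve(rbl_name(client_ip, zone))):
            hits.add(("RBL", zone))
    for zone in RHSBL_ZONES:
        if listed(resolve(rhsbl_name(sender_domain, zone))):
            hits.add(("RHSBL", zone))
    for zone in URIBL_ZONES:
        for host in body_hosts(body):
            if listed(resolve(rhsbl_name(host, zone))):
                hits.add(("URIBL", zone))
    return hits


if __name__ == "__main__":
    # Constructed messages: one from the relay in the report earlier in the
    # thread, one sent through a webmail provider whose IP and domain are on
    # no list but whose body links to a listed domain.
    print(check_message("190.148.209.148", "163.com.vn", "please see attached"))
    print(check_message("209.85.220.41", "gmail.com",
                        "Your invoice: http://bad-invoice.example/inv.pdf"))
```

The error-code check matters in production: a typo in a zone name or querying Spamhaus through a public resolver returns 127.255.255.x for every lookup, and a client that treats any 127.x answer as a listing would then reject all mail.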

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Blocking emails address' that don't match names.
« Reply #19 on: December 09, 2019, 01:24:48 AM »
Quote
Jean-Philippe Pialasse

Yeah I understand that, but if the mail is coming from a "bad" source, then RBL etc should block it, whether a fake From is used or not.

Even you mentioned RBLs earlier in this thread.

I do not disagree with the fact they are useful for some kind of spam.

The issue here would be a person sending an email using e.g. @gmail.com will not get caught by RBL.

ReetP
Re: Blocking emails address' that don't match names.
« Reply #20 on: December 09, 2019, 01:07:41 PM »
An increasing number of the orgs we communicate with at work insert an unmistakable warning at the top of the email body.  Here are two examples I saw today - both appear just below the Subject and above the original email.

This message originated from OUTSIDE the XXXX network. Stop and think before clicking a link or opening attachments.


(Sadly, I don't know how they are doing this...)

https://www.reddit.com/r/sysadmin/comments/8m13g5/adding_warning_message_to_emails_originating/

I presume any mail going off their server that isn't going to a LOCAL address gets the message added.

I guess there must be a way of inserting it somehow.

Equally, does it really work?

https://www.reddit.com/r/sysadmin/comments/8m13g5/adding_warning_message_to_emails_originating/

Quote
Can confirm the users ignore after the first week. At least it's due diligence and we can show them they were warned on the exact email they got phished on.

So I am not sure it is worth the effort......

Using some GeoIP and blocklists and then whitelist the ones with badly configured mail servers is the best balance we have......
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
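The banner insertion discussed above, and what it does to a DKIM signature, as an added example (editor's code, not SME Server's, and not a DKIM verifier). It computes only the two signature inputs a gateway edit touches, using the relaxed canonicalization of RFC 6376 section 3.4, and assumes single-instance headers; the message, banner and tag text are constructed. Prepending the banner changes the body hash bh=, so any receiver verifying the signature downstream sees a failure. Tagging the Subject instead leaves bh= alone but changes the signed header block whenever subject is in the signature's h= list, which it nearly always is, so either rewrite has to happen after the gateway has verified the signature rather than before.

```python
"""Relaxed DKIM canonicalization (RFC 6376 section 3.4) of a body and a
header block, to show which edits invalidate an existing signature.
Added example, not SME Server code and not a full verifier: it computes
the body hash and the signed header data, not the RSA step."""
import base64
import hashlib
import re

# Constructed message, banner and tag.
BANNER = ("This message originated from OUTSIDE the example.com network. "
          "Stop and think before clicking a link or opening attachments.")
HEADERS = {
    "From": "Jane Doe <jane@partner.example>",
    "To": "bob@example.com",
    "Subject": "Invoice for November",
}
BODY = "Hi Bob,\n\nPlease find the invoice attached.\n\nJane\n"


def relaxed_body(body):
    """RFC 6376 3.4.4: collapse WSP runs to one space, strip trailing WSP,
    drop trailing empty lines, end with CRLF; an empty body canonicalizes
    to nothing at all."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body):
    """The bh= value for the relaxed body with SHA-256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, no trailing WSP."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"


def signed_header_block(headers, h):
    """The header part of the data b= signs, in h= order (one instance per header assumed)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return "".join(relaxed_header(n, lookup[n]) for n in h if n in lookup)


def with_banner(body):
    """What a gateway inserting the warning at the top of the body produces."""
    return BANNER + "\n\n" + body


def with_subject_tag(headers, tag="[EXTERNAL] "):
    """The alternative: tag the Subject and leave the body alone."""
    tagged = dict(headers)
    tagged["Subject"] = tag + headers["Subject"]
    return tagged


if __name__ == "__main__":
    print("bh original :", body_hash(BODY))
    print("bh + banner :", body_hash(with_banner(BODY)))
    h = ["from", "to", "subject"]
    print("header block changes with subject tag:",
          signed_header_block(HEADERS, h) != signed_header_block(with_subject_tag(HEADERS), h))
    print("header block changes if subject not signed:",
          signed_header_block(HEADERS, h[:2]) != signed_header_block(with_subject_tag(HEADERS), h[:2]))
```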

Jean-Philippe Pialasse
Re: Blocking emails address' that don't match names.
« Reply #21 on: December 09, 2019, 01:26:10 PM »
Modifying the body will break the DKIM signature. And you might want to check it on the client to help alert the user. I do it myself with a Thunderbird plugin.

As I said, I see that practice in my university. But on the other hand they do not allow the use of their own SMTP when off campus, do not use DKIM signing, and thus it is easy to impersonate a user.

Adding a string in the subject seems a better approach.

Also, creating a qpsmtpd plugin to filter out the content of the From to only show the email address without any obfuscation would be great. I might need some examples of bad mail to try to do something. If you have any, send them to security at koozali org.
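The From: check proposed in the post above, as an added example (editor's Python, not a qpsmtpd plugin, which would be Perl). It decodes the display name without discarding control characters, so the mailsploit-style encoded word with an embedded NUL stays visible to the checks; it flags a display name that shows a different address than the real one, or that matches a known local user at the wrong address (the case that started this thread); and it rewrites a flagged header down to the bare address. LOCAL_USERS and the sample headers are constructed.

```python
"""Inspect a From: header for display-name tricks and rewrite it to the
bare address when the name is suspect.  Added example, not SME Server /
qpsmtpd code.  LOCAL_USERS and the sample headers are constructed."""
import email.header
import email.utils
import re

# Constructed directory: lowercased display name -> the address that name uses.
LOCAL_USERS = {"jane doe": "jane@example.com", "accounts payable": "ap@example.com"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_display_name(raw):
    """Decode RFC 2047 encoded words but keep control characters, so a NUL
    smuggled in through =?utf-8?Q?...=00?= remains visible to the checks."""
    parts = []
    for part, charset in email.header.decode_header(raw):
        if isinstance(part, bytes):
            try:
                part = part.decode(charset or "ascii", "replace")
            except LookupError:  # unknown charset label
                part = part.decode("latin-1")
        parts.append(part)
    return "".join(parts)


def inspect_from(header_value):
    """Return (addr_spec, decoded display name, reasons); no reasons means it looks honest."""
    raw_name, addr = email.utils.parseaddr(header_value)
    name = decode_display_name(raw_name)
    if "@" not in addr:
        return "", name, ["no parsable address"]
    reasons = []
    addr_domain = addr.rsplit("@", 1)[1].lower()

    # 1. Control characters in the display name: the mailsploit trick relies on
    #    the client cutting the string at the NUL and showing only what precedes it.
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        reasons.append("control characters in display name")
    shown = name.split("\x00", 1)[0]  # what a NUL-truncating client would render

    # 2. The visible name contains an address whose domain is not the real one.
    for fake in ADDR_RE.findall(shown):
        if fake.rsplit("@", 1)[1].lower() != addr_domain:
            reasons.append(f"display name shows {fake} but the address is {addr}")

    # 3. The visible name is one of our people but the address is not theirs
    #    (the "address does not match the name" case from the thread).
    expected = LOCAL_USERS.get(shown.strip().strip('"').strip().lower())
    if expected and expected != addr.lower():
        reasons.append(f"display name matches local user {shown.strip()} but the address is {addr}")
    return addr, name, reasons


def rewrite_from(header_value):
    """What the proposed plugin would emit: the bare address when the name is suspect."""
    addr, _, reasons = inspect_from(header_value)
    return f"<{addr}>" if reasons else header_value


SAMPLES = [  # constructed
    '"Jane Doe" <jane@example.com>',
    '"Jane Doe" <adfasgasd@163.com.vn>',
    '=?utf-8?Q?=22potus=40whitehouse=2Egov=22=00?= <adfasgasd@163.com.vn>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        addr, name, reasons = inspect_from(sample)
        print(repr(name), addr, reasons or "ok", "->", rewrite_from(sample))
```

The third sample is the shape mailsploit describes: the display name is an encoded word whose decoded value is a quoted address followed by a NUL, and a client that stops at the NUL shows the quoted address as if it were the sender. Check 3 is the one that needs site-specific data; the directory could be generated from the server's own user list.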
