Discard emails where envelope-from does not match from

adam.sage

Member
Feb 8, 2019
32
0
11
34
I'd like to discard emails that have a envelope-from that does not match the from email. It's pretty common for us to receive emails like this that pass SPF and appear to come from internal email addresses. Is there a mail filter rule that I can set up for this, or does it have to be something in a spamassassin rule? Here's an example from this morning:

...
Received-SPF: pass (geesysindia.com: 198.1.95.225 is authorized to use 'sales.apts@geesysindia.com' in 'mfrom' identity (mechanism 'a' matched)) receiver=pmg.domain.com; identity=mailfrom; envelope-from="sales.apts@geesysindia.com"; helo=198-1-95-225.webhostbox.net; client-ip=198.1.95.225
...
Received: from [148.255.135.103] (port=62794 helo=[192.3.16.44])
by 198-1-95-225.webhostbox.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <sales.apts@geesysindia.com>)
id 1gxIPv-00014C-A8
for purchasing@domain.com; Sat, 23 Feb 2019 03:01:35 +0530
Date: Fri, 22 Feb 2019 17:31:44 -0400
From: a@pmg.domain.com,
b@pmg.domain.com, c@pmg.domain.com,
d <sales.apts@geesysindia.com>
To: purchasing@domain.com
...
 
So what you're saying is the thing that I'm searching for but can't find is here somewhere? That's helpful, thanks.
 
So what you're saying is the thing that I'm searching for but can't find is here somewhere? That's helpful, thanks.

Sorry, but on questions here, I sometimes just tell, that I saw sth. similar in the forum or bring users together, which seem to share the same problem, but I won’t search for everyone as the search is integrated here. If you look for RegEx from in the search and limit to PMG forums, you will e.g. find https://forum.proxmox.com/threads/spam-getting-through.49322/#post-231882 as a good entry point. He just want to filter double froms, but his solution would be close to what you’re searching for.
 
Thanks, but I did find that link earlier and already implemented it. This will work for this specific email I posted and probably some/most others, but sometimes the spammers use just one envelope-from and just one from. The link you provided will not cover a single envelope-from and single from unless I am not understanding what it does correctly. Does anyone have an ideas on matching the 2 fields?
 
Please consider that there are quite a few legitimate use cases for the envelop-from to be different from the from-header (e.g. mailing-lists, to name just one example)! : https://serverfault.com/questions/5...-mail-from-will-not-match-from-header-in-data

Implementing this will lead to quite some falsly dropped mails.

You can try to create a custom spamassassin rule (described in the admin guide) to handle this case (but again consider the implications)
 
Thanks Stoiko, I can see your point as to why this is a tricky issue. As a edit to my original request, I guess what I am really after is a envelope-from and from domain match. Any legitimate emails should match on the domain.

Taking a simpler approach, I may be able to just create a incoming rule for who: mydomain.com and send those emails to quarantine. All our email servers are internal so nothing should be coming in from our domain. Will this work? Does the who rule use the from, or envelope-from for the check?
 
AFAIR the Who Objects in the rule-system match the envelop-from, you can match the from-header field as a What object (match field 'From')

In any case - test the new rules and keep an eye on the logs.

Hope this helps!
 
  • Like
Reactions: adam.sage
Thanks, but I did find that link earlier and already implemented it. This will work for this specific email I posted and probably some/most others, but sometimes the spammers use just one envelope-from and just one from. The link you provided will not cover a single envelope-from and single from unless I am not understanding what it does correctly. Does anyone have an ideas on matching the 2 fields?

Ok, I then misunderstood. I‘m afraid, if you don’t want to reject any newsletter, this check won’t work as any E-Mail Service Provider like Amazon SES, Mailchimp and many more use different addresses, so that’s why I added Header Checks in my setup to see the body from. Many other mails as well use a syntax like address-bounce@domain.tld to get informed on bounces. So you would reject all of these.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!