Fake mail prevention (using local domain as sender)

M-SK

Member
Oct 11, 2016
Hello,

We've been recently (and this has been an issue in the past) hit with a wave of spam using fake FROM: header which is the same as TO:, meaning the inbound mail to be relayed is seemingly from the same domain/user as the recipient.

Is there a quick/dirty setting to prevent this, or is the only way to tweak the postfix config?
Inbound mail should not be coming from local domain unless authenticated or from a trusted relay.
An increasing volume of spam is using this as a scare tactic for phishing and extortion.

Thanks,
MS
 
First - keep in mind that such configs (denying mail with a From header seemingly from your domain, coming in from the internet) can lead to false positives! (One prominent example is mailing lists, where you post a legitimate mail (with your e-mail address in the From header), which then gets sent to you as a subscriber.)

That being said - you could try to create a rule:
* Direction 'In'
* Who Object - your domain(s)
* Action Object - Quarantine/Block

This assumes that you've correctly set up your systems, so that outbound mail gets relayed only on the outbound port (defaults to 26).

If you try this - keep an eye on the logs for false positives.

I hope this helps!
 
Thanks.

The only legitimate hosts that are able to send as local senders from outside are already in the trusted networks (trusted relays). Will this override the rule you suggested or will the rule override trusted relays? Not all mail is being sent through PMG so it's possible that some mails end up being submitted on port 25 - that's why we have whitelisted trusted relays.

Anyway, you might consider implementing such a feature (I had to do it on postfix manually on Zimbra via only permitting whitelisted and permit_sasl_authenticated IIRC) because it's becoming a common tactic in phishing campaigns. I have a lot of questions from users who are scared because they see their own address in the From field, so they think their account has been hacked. Little do they know how easy it is to fake it.


Thanks again,
Marko
 
Not all mail is being sent through PMG so it's possible that some mails end up being submitted on port 25 - that's why we have whitelisted trusted relays.
* if mail is received on the external port (25) it is treated as 'incoming' mail and all rules with direction 'in' are applied.
* trusted relays are a setting for postfix (a.k.a. mail proxy) - the Rule System comes afterwards and does not use that information

* you can create one rule with higher priority - with a who object containing your trusted relays and action accept

* keep in mind that the Who objects match the SMTP envelope from address - if you want to match a From header create a 'Match Field' What Object and use that instead.

Anyway, you might consider implementing such a feature (I had to do it on postfix manually on Zimbra via only permitting whitelisted and permit_sasl_authenticated IIRC) because it's becoming a common tactic in phishing campaigns. I have a lot of questions from users who are scared because they see their own address in the From field, so they think their account has been hacked. Little do they know how easy it is to fake it.
As said above - a From header containing my own address is not a solid indicator of SPAM/phishing/malicious behaviour - mailing lists are the prime example - and such a filter would lead to many false positives in most environments (there might be specific circumstances where it works for a particular setup - but then admins can easily set it up by adapting the postfix config via the templating system [0]).


[0] https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine
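The decision logic described in the two replies above (trusted relays and authenticated clients accepted first, a local envelope sender from anywhere else rejected, a local header From alone only flagged because of the mailing-list false-positive case), written out as a small added example. This is not PMG or Postfix code; the local domain, the trusted relay network and the sample messages are constructed values.

```python
import ipaddress
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.com"}                             # constructed sample
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]     # constructed sample


def sender_domain(addr: str) -> str:
    """Domain part of 'Name <user@example.com>' (or a bare address), lowercased."""
    _, email = parseaddr(addr)
    return email.rpartition("@")[2].lower()


def is_trusted(client_ip: str) -> bool:
    """True when the connecting client sits inside a trusted relay network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_RELAYS)


def classify(client_ip: str, sasl_authenticated: bool,
             envelope_from: str, header_from: str) -> tuple[str, str]:
    """Return (action, reason) for one inbound message.

    Order mirrors the thread: the higher-priority 'accept' rule for trusted
    relays / authenticated clients runs first; a local domain in the SMTP
    envelope sender (what a PMG Who object matches) from anyone else is
    rejected; a local domain only in the header From is flagged for review,
    because mailing lists legitimately produce exactly that pattern.
    """
    if is_trusted(client_ip) or sasl_authenticated:
        return "accept", "trusted relay or authenticated client"
    if sender_domain(envelope_from) in LOCAL_DOMAINS:
        return "reject", "local envelope sender from untrusted client"
    if sender_domain(header_from) in LOCAL_DOMAINS:
        return "flag", "local header From from untrusted client (possibly list mail)"
    return "accept", "external sender"


def run_samples() -> list[str]:
    """Constructed messages covering each branch; returns the actions taken."""
    samples = [
        ("192.0.2.10", False, "user@example.com", "user@example.com"),      # trusted relay
        ("203.0.113.5", True, "user@example.com", "user@example.com"),      # authenticated
        ("203.0.113.9", False, "user@example.com", "user@example.com"),     # spoofed local sender
        ("203.0.113.9", False, "bounces@lists.example.org",
         "User <user@example.com>"),                                         # mailing-list echo
        ("203.0.113.9", False, "someone@other.example", "someone@other.example"),
    ]
    return [classify(*s)[0] for s in samples]
```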
 
All our mail servers only allow senders from local domains if they use auth or if they are on a trusted relay list, which means anyone actually using a local domain as a sender from an unknown source (no auth, not a known relay) is a spammer. We use only self-hosted mailing list servers (meaning well-known addresses), so I can see how that would be an issue for someone using cloud services (not having a fixed IP MTA list).

I'll try implementing rules as suggested, thanks.
 
Pls show us the raw email source.
 