1

Topic: How to block Self-Spam?

How can I block incoming emails where the "from" and "to" headers contain the same email address, from what I can see 99.99% of the time these emails are spam.

Thanks in advance for your help.

2

Re: How to block Self-Spam?

I have a SpamAssassin rule for this that adds a score of 1. You can make this number as high as you like. Also, the rule only works if the TO and FROM are exactly the same, for example, if the FROM is "wendy@example.com" and the TO is "Wendy Smith <wendy@example.com>" it will not match. Though, this does mark a lot of the spam. I didn't write this rule, I found it somewhere.

For RHEL & CentOS

Add to :
/etc/mail/spamassassin/local.cf

#Email messages that are TO and FROM the same address
header __TOM_TO_EQ_FRa ALL =~ m/^From:\s+?<?(.+@.+)>?(\s|$)[^\0]*^To:.*\1/m
header __TOM_TO_EQ_FRb ALL =~ m/^To:\s+?<?(.+@.+)>?(\s|$)[^\0]*^From:.*\1/m
meta TOM_TO_EQ_FR __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb
score TOM_TO_EQ_FR 1
describe TOM_TO_EQ_FR To and From are the same, could be a cc or a forgery


Then restart amavisd
service amavisd restart
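
The From/To comparison discussed in this post, done on parsed addresses instead of raw header text so that display names and letter case do not matter. This is an added example, not part of the original post and not SpamAssassin code; the function name and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def self_addressed(raw_message):
    """Return True when the From address also appears among the To recipients."""
    msg = message_from_string(raw_message)
    # parseaddr() splits 'Wendy Smith <wendy@example.com>' into (name, address).
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    if not sender:
        return False  # missing or unparsable From header: nothing to compare
    # A message may carry several To headers, each with several recipients.
    recipients = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []))
        if addr
    }
    return sender in recipients


# Constructed sample messages (not real mail).
BARE_FROM_NAMED_TO = (
    "From: wendy@example.com\n"
    "To: Wendy Smith <wendy@example.com>\n"
    "Subject: test\n\nbody\n"
)
NAMED_FROM_MIXED_TO = (
    "From: Wendy Smith <wendy@example.com>\n"
    'To: "Smith, Wendy" <WENDY@Example.com>, bob@example.org\n'
    "Subject: test\n\nbody\n"
)
DIFFERENT_PARTIES = (
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: test\n\nbody\n"
)
NO_TO_HEADER = "From: alice@example.com\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for name in ("BARE_FROM_NAMED_TO", "NAMED_FROM_MIXED_TO",
                 "DIFFERENT_PARTIES", "NO_TO_HEADER"):
        print(name, self_addressed(globals()[name]))
```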

3

Re: How to block Self-Spam?

copart wrote:

I have a SpamAssassin rule for this that adds a score of 1. You can make this number as high as you like. Also, the rule only works if the TO and FROM are exactly the same, for example, if the FROM is "wendy@example.com" and the TO is "Wendy Smith <wendy@example.com>" it will not match. Though, this does mark a lot of the spam. I didn't write this rule, I found it somewhere.

For RHEL & CentOS

Add to :
/etc/mail/spamassassin/local.cf


Thanks man, I made the change and restarted amavisd, however I'm not sure if it only applies to email coming in from the outside because I logged in to my webmail interface and sent an email from user@domain to user@domain and still received it...
I also increased the score to 5 and tried a second time and still received it, any thoughts?

4

Re: How to block Self-Spam?

Most likely your SpamAssassin is getting a -10 score because you're sending FROM a TRUSTED server. So, it will not be flagged as spam unless you have your settings different than the default. Two ways to test this: change the score to a huge number, say 25, or follow the directions below.

I made the following change to /etc/amavisd.conf

$sa_tag_level_deflt  = -9000;

This will add SpamAssassin header information to all emails, not just the ones that it thinks may be spam. After you make this change, restart amavisd again. Send yourself an email again, this time look at all the headers. You should see TOM_TO_EQ_FR mentioned in the SpamAssassin area.

5

Re: How to block Self-Spam?

Thank you, it worked! I increased the score number in /etc/mail/spamassassin/local.cf to 25 and it worked!

Thank you again.

6

Re: How to block Self-Spam?

I don't think this is such a good idea, some of your users might actually want to send mail to themselves... I think the proper way to do this is to increase the score on SPF fail (and add SPF to your domain, that is...).

7

Re: How to block Self-Spam?

I'm confused. Since iRedMail has sender login check by default, why does self-spam still exist? :(

If the sender ("From" address) is one of your virtual accounts, it should be rejected immediately because he was not authorized by SMTP. I will test it later.

8

Re: How to block Self-Spam?

ZhangHuangbin wrote:

I'm confused. Since iRedMail has sender login check by default, why does self-spam still exist? :(

If the sender ("From" address) is one of your virtual accounts, it should be rejected immediately because he was not authorized by SMTP. I will test it later.

I'm not sure about that. Maybe because you can have the same domain on more than one mail server (multiple MXs)? For example, send mail from myself@domain, connected to mx1, and the mail will be delivered to mx2? Or at least this is what postfix will think, not being sure that it has direct local delivery enabled?

9

Re: How to block Self-Spam?

maxie_ro wrote:

I'm not sure about that. Maybe because you can have the same domain on more than one mail server (multiple MXs)? For example, send mail from myself@domain, connected to mx1, and the mail will be delivered to mx2? Or at least this is what postfix will think, not being sure that it has direct local delivery enabled?

If virtual account exists on both MXs, mail won't leave localhost, because postfix will know it's a local account.

10 (edited by maxie_ro 2010-08-09 17:35:25)

Re: How to block Self-Spam?

Zhang, when you are saying that "iRedMail has sender login check by default", are you talking about reject_unauth_destination? Or which rule?

LE:

ZhangHuangbin wrote:

If virtual account exists on both MXs, mail won't leave localhost, because postfix will know it's a local account.

I get it about this part. :)

11

Re: How to block Self-Spam?

@maxie_ro, yes, I mean 'smtpd_recipient_restrictions = ..., reject_unauth_destination, ...'. And it should work as expected, rejects self-spam.

12

Re: How to block Self-Spam?

Maybe I found the problem, at least in my configuration:

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated

Shouldn't it also contain one of?:

reject_sender_login_mismatch
    Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.

reject_authenticated_sender_login_mismatch
    Enforces the reject_sender_login_mismatch restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later.

reject_unauthenticated_sender_login_mismatch
    Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.
reject_unknown_sender_domain

?

13

Re: How to block Self-Spam?

Sorry, I edited my last post.

I mean 'smtpd_recipient_restrictions = ..., reject_unauth_destination, ...'. And it should work as expected, rejects self-spam.

14 (edited by maxie_ro 2010-08-09 21:57:11)

Re: How to block Self-Spam?

Zhang, I don't think reject_unauth_destination does what we think.

According to the manual:

reject_unauth_destination
    Reject the request unless one of the following is true:
        * Postfix is mail forwarder: the resolved RCPT TO domain matches $relay_domains or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
        * Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).

Unfortunately, we are in the second case, because it matches virtual_alias_domains/virtual_mailbox_domains.

So I guess we also need to add reject_sender_login_mismatch to smtpd_sender_restrictions.

Are any of you willing to test it? I can't for a day or two...


LE:

* Added the rule with warn_if_reject to test it for some time.
* I see that I get in the maillog:

Aug  9 16:53:58 mx2 postfix/smtpd[13555]: NOQUEUE: reject: RCPT from unknown[65.211.56.xx]: 554 5.7.1 <xxx@xxx.com>: Relay access denied; from=<xxx@xxx.com> to=<xxx@xxx.com> proto=ESMTP helo=<[65.211.56.xx]>

So at least the relay rule is working (To and From are identical), but it doesn't protect entirely. I still don't get why.

15

Re: How to block Self-Spam?

Update: I think that solves most of the problems:

Aug 11 04:03:07 mx2 postfix/smtpd[25169]: NOQUEUE: reject_warning: RCPT from unknown[186.123.87.xx]: 553 5.7.1 <same@same.ro>: Sender address rejected: not logged in; from=<same@same.ro> to=<same@same.ro> proto=ESMTP helo=<[186.123.35.xx]>
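
While a restriction is being trialled with warn_if_reject, as in the posts above, the maillog can be summarized to see which self-addressed attempts were really rejected ("reject") and which were only logged ("reject_warning"). This is an added example, not part of the original posts; the first two log lines are the ones quoted in this thread (already masked there), the third is constructed, and the function names are illustrative.

```python
import re
from collections import Counter

SAMPLE_LOG = """\
Aug  9 16:53:58 mx2 postfix/smtpd[13555]: NOQUEUE: reject: RCPT from unknown[65.211.56.xx]: 554 5.7.1 <xxx@xxx.com>: Relay access denied; from=<xxx@xxx.com> to=<xxx@xxx.com> proto=ESMTP helo=<[65.211.56.xx]>
Aug 11 04:03:07 mx2 postfix/smtpd[25169]: NOQUEUE: reject_warning: RCPT from unknown[186.123.87.xx]: 553 5.7.1 <same@same.ro>: Sender address rejected: not logged in; from=<same@same.ro> to=<same@same.ro> proto=ESMTP helo=<[186.123.35.xx]>
Aug 11 04:05:12 mx2 postfix/smtpd[25170]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.net>: Recipient address rejected: User unknown in virtual mailbox table; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<mail.example.com>
"""

# Matches the smtpd "NOQUEUE: reject" / "reject_warning" lines shown above.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>reject(?:_warning)?): "
    r"RCPT from (?P<client>\S+): (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict per smtpd reject/reject_warning line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # Drop the leading '<address>: ' so identical reasons group together.
        ev["reason"] = ev["reason"].split(">: ", 1)[-1]
        sender, rcpt = ev["sender"].lower(), ev["rcpt"].lower()
        ev["self_addressed"] = bool(sender) and sender == rcpt
        # "reject_warning" means the mail was NOT refused, only logged.
        ev["enforced"] = ev["action"] == "reject"
        events.append(ev)
    return events


def summarize_self_addressed(events):
    """Count self-addressed attempts by (reason, enforced)."""
    return Counter(
        (ev["reason"], ev["enforced"]) for ev in events if ev["self_addressed"]
    )


if __name__ == "__main__":
    for (reason, enforced), n in summarize_self_addressed(parse_rejects(SAMPLE_LOG)).items():
        print(n, "enforced" if enforced else "warning only", "-", reason)
```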

16

Re: How to block Self-Spam?

Hi,

Came across an article on SPF.

http://www.thetlog.net/2009/11/26/spf-p … ving-mail/

Thought it may solve this type of spam.

17

Re: How to block Self-Spam?

maxie_ro wrote:

Update: I think that solves most of the problems:

What did you change?

18

Re: How to block Self-Spam?

ZhangHuangbin wrote:

What did you change?

I added reject_sender_login_mismatch to smtpd_sender_restrictions. I don't know if this setting is already included in iRedMail, I might have accidentally deleted it.

smtpd_sender_restrictions = [...], reject_sender_login_mismatch

ze wrote:

Hi,
Came across an article on SPF.
http://www.thetlog.net/2009/11/26/spf-p … ving-mail/
Thought it may solve this type of spam.

Unfortunately that article is using postfix-policyd-spf-perl. According to the OpenSPF software page, you are strongly recommended to use the Python version, python-postfix-policyd-spf. I've been testing it for some time, but I'm still having some problems with it.

19

Re: How to block Self-Spam?

Just wondering about the age of the topic.
It seems I have the same problem with the 0.8.3.

20

Re: How to block Self-Spam?

Hi Frankstar,

Please create a new forum topic and clearly explain what your issue/question is, and show the related log to help troubleshoot.
Don't hijack others' topics, especially an OLD topic.