Block outgoing mail with spoofed from address

Drukpa Member
edited January 2020 in Help

How do you guys block outgoing mail that uses a spoofed FROM address?

I tried the following exim acl, for acl_not_smtp:

discard
  # discard if the header From: domain is neither hosted nor local
  condition = ${if ! match_domain{${domain:${address:$h_From:}}}{+hosted_domains : +local_domains}}
  message = Sorry, you don't have permission to send email from this server with a header that states the email is from ${lc:${address:$h_From:}}.

But this one blocks both incoming and outgoing mails if the FROM address domain is not in the list of hosted_domains and local_domains. For outgoing it is ok, but for incoming, obviously the FROM address domain will not be in the list.

Comments

  • LTniger

    SPF record and DMARC should suffice.

  • Clouvider Member, Patron Provider

    @LTniger said:
    SPF record and DMARC should suffice.

    I guess the question here is how to block, say, the [email protected] account from sending emails as [email protected] using a particular Exim mail server. Neither SPF nor DMARC will help in this case.

  • Drukpa Member
    edited January 2020

    Ok, looks like I found my solution. I check for FROM address for the outgoing mail and TO address for the incoming mail. If both are not in the list of local domains, I reject the mail.

  • Falzo Member
    edited January 2020

    @Drukpa care to share your solution? esp. the places where you put your rules in. acl_not_smtp afaik is definitely applied to incoming mail, so either you do another inline check on the direction or placed your rules somewhere else?

    would be interesting to see... I use some rules on forwarded mails, which happens in the routers section not the main acls

  • edited January 2020

    Glad you found a solution. This is good to know when DNS is not helping.

  • Drukpa Member
    edited January 2020

    @Falzo said:
    @Drukpa care to share your solution? esp. the places where you put your rules in. acl_not_smtp afaik is definitely applied to incoming mail, so either you do another inline check on the direction or placed your rules somewhere else?

    would be interesting to see... I use some rules on forwarded mails, which happens in the routers section not the main acls

    Below is the condition I used. I checked for $h_to only at the beginning, but noticed that incoming mails with a CC/BCC address of a local domain were also being rejected. So, I had to change the rule so it checks all of TO/CC/BCC as well. This rule was placed in the acl_not_smtp section. Seems to be working for now.

    discard
      # discard only if neither the From: nor any To:/Cc:/Bcc: address is in a local domain
      condition = ${if and {\
        {! match_domain{${domain:${address:$h_from:}}}{+local_domains}}\
        {! match_domain{${domain:${address:$h_to:}}}{+local_domains}}\
        {! match_domain{${domain:${address:$h_cc:}}}{+local_domains}}\
        {! match_domain{${domain:${address:$h_bcc:}}}{+local_domains}}\
        }}
      message = Sorry, spoofed mail denied

    Rejecting mails based on SPF records seems like an overly strict rule. Most domains do not have correct SPF records set.

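One way to make the direction explicit instead of inferring it from To:/Cc:/Bcc:, as an added example that is not Drukpa's config and not part of Exim's or cPanel's shipped configuration: decide "outgoing" by how the message entered Exim. In Exim, acl_not_smtp runs only for messages submitted locally (command line, pipes, PHP mail()), while mail arriving over SMTP goes through the acl_smtp_* ACLs, where a submitting user is recognisable by SMTP AUTH and an unauthenticated session is inbound internet mail. Assumptions, all mine: a domainlist named local_domains as in the thread; the authenticator's server_set_id is the full login address, so $authenticated_id holds something like user@example.com; the ACL names acl_check_data and acl_check_not_smtp and the main-section settings shown in the comment are placeholders to be merged into an existing configuration, which will have other checks before the final accept.

```exim
# Assumed main-section settings (adapt to the real config):
#   domainlist local_domains = @ : example.com : example.net
#   acl_smtp_data = acl_check_data
#   acl_not_smtp  = acl_check_not_smtp
# and an authenticator with server_set_id set to the login address, so that
# $authenticated_id is e.g. user@example.com.  All of these are assumptions.

begin acl

acl_check_data:
  # Authenticated SMTP = a submitting user.  Three checks, fail-closed:
  # the envelope sender domain must be hosted here (this is what SPF sees),
  # the header From: domain must be hosted here, and the header From: must
  # be the address the client logged in as.
  deny
    authenticated   = *
    !sender_domains = +local_domains
    message         = Envelope sender domain $sender_address_domain is not hosted here
    log_message     = spoofed envelope sender $sender_address by $authenticated_id

  deny
    authenticated = *
    !condition    = ${if match_domain{${domain:${address:$h_From:}}}{+local_domains}}
    message       = Header From: domain ${domain:${address:$h_From:}} is not hosted here
    log_message   = spoofed From: ${address:$h_From:} by $authenticated_id

  deny
    authenticated = *
    !condition    = ${if eq{${lc:${address:$h_From:}}}{${lc:$authenticated_id}}}
    message       = Header From: must be your own address $authenticated_id
    log_message   = From: ${address:$h_From:} does not match $authenticated_id

  # Unauthenticated SMTP is inbound mail from the internet; its From: domain
  # is of course not local, so no From: check belongs here.  SPF/DMARC checks
  # for that direction are not shown.
  accept

acl_check_not_smtp:
  # Messages injected locally (sendmail/exim -t, PHP mail(), cron).  There is
  # no SMTP client to authenticate, so key on the From: domain only.  The def:
  # guard skips mail that carries no From: header at all; a From: that does
  # not parse yields an empty domain, which is not local and is therefore
  # still rejected.
  deny
    condition   = ${if and {{def:h_From:} \
                            {!match_domain{${domain:${address:$h_From:}}}{+local_domains}}}}
    message     = Locally submitted mail may not claim From: ${address:$h_From:}
    log_message = local spoof attempt by uid $originator_uid: From: ${address:$h_From:}
  accept
```

The envelope check is the one a header-only rule misses: SPF (and DMARC's SPF alignment) is evaluated on the MAIL FROM address, so an authenticated user who can set $sender_address to a foreign domain still gets outbound mail rejected or quarantined by the recipient, and the bounce goes to the spoofed domain. Note that ${address:} extracts a single address from a header; a From: or To: listing several addresses is only partly inspected, which is a limitation of the To:/Cc:/Bcc: approach above as well.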
  • illyhosting Member, Host Rep

    If you're using cPanel, you can use Tweak Settings to block these emails.
