Block outgoing mail with spoofed from address
How do you guys block outgoing mail that uses a spoofed FROM address?
I tried the following Exim ACL, for acl_not_smtp:
discard
  condition = ${if ! match_domain{${domain:${address:$h_From:}}}{+hosted_domains : +local_domains}}
  message = Sorry, you don't have permission to send email from this server with a header that states the email is from ${lc:${address:$h_From:}}.
But this one blocks both incoming and outgoing mail if the FROM address domain is not in the list of hosted_domains and local_domains. For outgoing that is fine, but for incoming, obviously the FROM address domain will not be in the list.
Comments
SPF records and DMARC should suffice.
I guess the question here is how to block, say, the [email protected] account from sending emails as [email protected] using a particular Exim mail server. Neither SPF nor DMARC will help in this case.
OK, looks like I found my solution. I check the FROM address for outgoing mail and the TO address for incoming mail. If neither is in the list of local domains, I reject the mail.
@Drupke care to share your solution? Especially where you put your rules. acl_not_smtp, AFAIK, is definitely applied to incoming mail, so either you do another inline check on the direction, or you placed your rules somewhere else?
It would be interesting to see... I use some rules on forwarded mail, which happen in the routers section, not the main ACLs.
Glad you found a solution. This is good to know when DNS is not helping.
Below is the condition I used. I checked $h_to only at the beginning, but noticed that incoming mail with a CC/BCC address of a local domain was also being rejected. So I had to change the rule so it checks all of TO/CC/BCC as well. This rule was placed in the acl_not_smtp section. Seems to be working for now.
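The two-direction check described in this thread, written out as an added example (this is not Drupke's rule, whose text is not in the post). It accepts a locally submitted message when the From: header domain is one the server is responsible for (outbound), or when at least one envelope recipient is local (inbound or re-injected), and rejects everything else. It deliberately tests the envelope list $recipients rather than the To:/Cc:/Bcc: headers: $recipients is available in acl_not_smtp and still contains Bcc recipients, whereas "exim -t" strips the Bcc: header before the ACL sees it. The domain list names and the example.com / hosted-example.* domains are assumptions; replace them with the lists your server already defines (cPanel ships local_domains and hosted_domains).

```exim
# Main section: run locally submitted (non-SMTP) messages, e.g. PHP
# calling /usr/sbin/sendmail, through our ACL.
acl_not_smtp = acl_check_not_smtp

# Domain lists. "@" is this host's own name, so cron and system mail from
# root@hostname is not caught. The other entries are constructed
# placeholders for the domains this server hosts.
domainlist local_domains  = @ : example.com
domainlist hosted_domains = hosted-example.net : hosted-example.org

begin acl

acl_check_not_smtp:
  # Outbound case: the From: header names a domain we host, so the
  # submission passes this test. An unparsable or missing From: yields an
  # empty domain, which matches nothing and falls through.
  accept
    condition = ${if match_domain{${domain:${address:$h_From:}}}{+hosted_domains : +local_domains}}

  # Inbound / re-injected case: at least one envelope recipient is local.
  # $recipients is comma-separated, so the list is read with a "," separator.
  accept
    condition = ${if forany{<, $recipients}{match_domain{${domain:$item}}{+local_domains}}}

  # Remaining case: a local process claims a foreign From: address and is
  # sending to foreign recipients only. deny returns an error to the calling
  # process and records the submitting uid in the log; the original post
  # used discard, which drops the message silently and hides the problem
  # from the application that sent it.
  deny
    log_message = spoofed From: <${address:$h_From:}> submitted by uid $originator_uid to $recipients
    message = Sorry, you don't have permission to send email from this server with a header that states the email is from ${lc:${address:$h_From:}}.
```

Because acl_not_smtp also sees mail from cron, monitoring scripts and other system daemons, check the main log for log_message hits after enabling this before trusting it on a production host; anything legitimate that is denied usually has a From: domain that simply needs adding to local_domains.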
Rejecting mail based on SPF records seems like an overly strict rule. Most domains do not have correct SPF records set.
If you're using cPanel, you can use Tweak Settings to block these emails.