Incoming spam with fake sender

jfitzell

I'm encountering a lot of spam destined for my domain that is managing to get past both SpamAssassin and various IP black lists.

What is common about this spam is that it is claiming to be "from" my own domain... something that will NEVER occur from an external connection that is not authenticated. In theory I could create a custom spam rule that blocks email received via unauthenticated SMTP if it claims to be from my own domain, but in practice this doesn't seem possible. Can I do this or do I need to set up a sendmail box in between Kerio and the internet?

Cheers,
J

[Updated on: Wed, 16 February 2011 12:25]

ccjwells

I dealt with this problem a while back and the problem was not SpamAssassin, but the custom whitelist in the particular user's webmail client. By default it adds anyone you send email to to your whitelist, which in turn allows all the spoofed domain email to bypass the mail filters.
jfitzell

This problem is still happening a lot. The fake sender addresses are normally not even real addresses on my server (so certainly not in any whitelists).

How can I prevent incoming emails from a sender address that is purporting to be from my own domain but it's not possible for it to be because it's come via unauthenticated SMTP.

Surely it's possible to create a mail filter that blocks incoming email that claims to be from my domain if it's not authenticated?

jfitzell

I use both to check incoming email, and I use SPF for my own domain stating that email can ONLY be accepted by the known mail servers. I assume that Kerio doesn't check SPF for a domain it thinks it owns though, so I'm continuing to get spam spoofing my OWN domain (not others).
freakinvibe

See the following threads in this forum that deal with the same problem:

http://forums.kerio.com/index.php?t=msg&goto=64936

http://forums.kerio.com/index.php?t=msg&goto=61986

SPF should work.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
jfitzell

Thanks for your suggestions freakinvibe.

Unfortunately neither of the links relate to the issue I'm having (I don't have an open relay, nor do I have a rule automatically approving a domain) and I do have SPF enabled (I assume it simply doesn't fire for email that claims to be local but maybe this is a bug).
Tomislav

I had the same problem last night.
The thing is the Return-To is ok (not spoofed); it's the From part of the header that is spoofed (not the envelope-sender that SPF checks), so the mails pass SPF.

My colleague fixed this by putting up a greylist on our external mail server.

This could however, in my opinion, be fixed in Kerio if custom rules were made with Sieve filters.
Example:
require ["fileinto"];
# The From: header claims to be in our own domain...
if allof(
    address :domain :is "From" "mydomain.com",
    # ...but the envelope sender (Return-Path) is not in our domain
    not address :domain :is "Return-Path" "mydomain.com")
{
    fileinto "Spam";
}

It's not a perfect fix, but it would stop you from getting spam from yourself by means of From header spoofing...
jfitzell

Hi Tomislav,

I agree. I could fix this 100% by putting a sendmail server between the internet and Kerio... but that defeats half of the purpose of Kerio.

I wonder if part of the problem is the newly introduced SMTP Submission port not applying SPF to those connections? (this is a total guess)

Cheers,
J
Tomislav

@jfitzell - I don't think you understood my message. SPF is working perfectly, it's just not designed to check if the Return-To address is the same as the From address, or even from the same domain. It only checks if the Return-To domain matches the domain of the mail server.

It's a simple but very smart spoof (if you ask me). The sender sets up a fake domain with no SPF and sends mails with a Return-To of the same domain. Later in the header the From attribute is set to the victim's domain. Since the sending domain has no SPF set up, SPF passes the mail by default. SPF should really be expanded to check if the Return-To and From domains match, but until it does, this sort of thing will keep happening =[
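The spoof Tomislav describes, and the check jfitzell is asking for, as an added example that is not code from the thread or from Kerio: flag a message whose From: header claims the local domain while neither the SMTP session was authenticated nor the envelope sender (Return-Path) backs that claim. The domain names, the LOCAL_DOMAIN constant and the function names are assumptions made up for the example.

```python
# Added example (not from the thread or Kerio): From/Return-Path domain
# alignment check with an exemption for authenticated submission.
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "mydomain.com"   # assumption: the domain we host mail for


def addr_domain(header_value):
    """Lowercase domain of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_spoofed_local_sender(raw_message, smtp_authenticated):
    """True when From: is in LOCAL_DOMAIN, the session was not authenticated,
    and the envelope sender (Return-Path) is not in LOCAL_DOMAIN either."""
    msg = message_from_string(raw_message)
    if addr_domain(msg.get("From")) != LOCAL_DOMAIN:
        return False            # not claiming to be us; SPF on the sender's domain applies
    if smtp_authenticated:
        return False            # our own user submitting mail over SMTP AUTH
    return addr_domain(msg.get("Return-Path")) != LOCAL_DOMAIN


# Constructed sample: the spoof from the thread. The envelope sender is a
# throwaway domain with no SPF record (so SPF passes); From: is our domain.
SPOOFED = (
    "Return-Path: <bounce@throwaway.example>\n"
    "From: Boss <boss@mydomain.com>\n"
    "To: user@mydomain.com\n"
    "Subject: urgent\n\n"
    "body\n"
)
# Constructed sample: one of our users sending via authenticated SMTP.
INTERNAL = (
    "Return-Path: <alice@mydomain.com>\n"
    "From: Alice <alice@mydomain.com>\n"
    "To: bob@mydomain.com\n"
    "Subject: hi\n\n"
    "body\n"
)

if __name__ == "__main__":
    print(is_spoofed_local_sender(SPOOFED, smtp_authenticated=False))   # True
    print(is_spoofed_local_sender(INTERNAL, smtp_authenticated=True))   # False
```

A forwarded message whose forwarder rewrote the Return-Path to its own domain while leaving our From: intact is also flagged by this rule; that is the false-positive class TorW warns about further down the thread, so such forwarders need an explicit exemption.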
Pavel Dobry (Kerio)

Tomislav wrote on Mon, 28 March 2011 08:05
@jfitzell - I don't think you understood my message. SPF is working perfectly, it's just not designed to check if the Return-To address is the same as the From address, or even from the same domain. It only checks if the Return-To domain matches the domain of the mail server.

It's a simple but very smart spoof (if you ask me). The sender sets up a fake domain with no SPF and sends mails with a Return-To of the same domain. Later in the header the From attribute is set to the victim's domain. Since the sending domain has no SPF set up, SPF passes the mail by default. SPF should really be expanded to check if the Return-To and From domains match, but until it does, this sort of thing will keep happening =[


Well, that's what Caller-ID is supposed to do - check From (or Sender) email domain in the email headers.
Tomislav

@Kerio_pdobry - no offence, but I actually thought CallerID was a dead protocol since the only info on it was written by Microsoft back in 2004...
I'm going to see if I can't get a CallerID record set up for sake of the people that use Connect and get "our" SPAM (doesn't work for POP3 download from external server, so I'm going to keep greylisting).
hbianchi

I also have this problem and think that setting up an additional SMTP server in front of Kerio is nonsense. I have some other post in which I ask not to forget the SMTP module of Kerio. During the last updates, Kerio worked mostly on user interface facilities and forgot SMTP delivery and SPAM control.
It would be very easy for Kerio to add some additional choices in the SMTP configuration and/or AntiSpam configuration to block mails that appear to come from own domains but do not come from local addresses. This is clean and easy. Kerio could also add a configuration option to choose whether Return-Path should be checked against CallerId and/or SPF even in case the From is a local domain.
TorW

hbianchi wrote on Sun, 31 July 2011 01:32
It would be very easy for Kerio to add some additional choices in the SMTP configuration and/or AntiSpam configuration to block mails that appear to come from own domains but do not come from local addresses.


It's already in there by means of SPF-checking, but you will have to carefully consider each and every scenario on how mails having an envelope sender in your own domain reaches your server. It's not as clean-cut a scenario as one might think. If e.g. a user is allowed to relay anything through an outside server (for example his home ISP's mail server via SMTP AUTH), a simple check like the above will fail.

SPF has mechanisms to allow for things like "legitimate mails will come from this particular server, BUT ALSO from this other particular server". If the SPF checks aren't blocking mail, chances are the SPF record syntax in the DNS is wrong. It happens a lot and will show up in KC's logs. On the other hand, legitimate mail will be blocked if you failed to include your user's ISP mail relay. That happens a lot too.

Then you have forwarding, autoreplies, mailing lists and whatnot. I'm not even going to get into that ...

Also, doing any type of checking on the From: field is dangerous. The field is transmitted during the SMTP DATA phase and can (and will) contain anything the sender wants it to. It is not to be trusted in any way and should be disregarded when filtering is performed.

[Updated on: Wed, 03 August 2011 13:46]

jfitzell

TorW wrote on Wed, 03 August 2011 21:42
Also, doing any type of checking on the From: field is dangerous. The field is transmitted during the SMTP DATA phase and can (and will) contain anything the sender wants it to. It is not to be trusted in any way and should be disregarded when filtering is performed.


I don't agree. The whole point is that SPF does nothing to prevent someone spoofing the from address because it can contain "anything the sender wants". Unfortunately the Kerio anti-spam rules then seem to use this From address to say "oh that's not spam, it's from me" when it clearly is not.

The spam rules should be smart enough to reject ALL email that claims to be from internal.domain unless it comes from an authenticated SMTP session. The only other way I can think of handling it is by putting a sendmail server in front of Kerio with access rules... but that kinda defeats the point of having Kerio doesn't it.