eMail Name fakers
  •  
Spacey

Hi,

For some time now we've been getting spammed by outside spammers: the emails come from external servers & accounts, but the sender names are faked to match our own employees' names. Of course the spam text itself is obvious, but it annoys many people here. The problem: we have the whole company team incl. eMails on our website, and I guess the spammers just grabbed that information and now send spam with our own names.

Is there any way to block external sender names matching our own employee names?! Some cross name database check or whatever?!

So if an eMail comes in from "Eric Price" <whatever@external-spam-domain.com> to some existing eMail recipient, where "Eric Price" for example is a real existing person in our Kerio?!

Thx!

  •  
j.a.duke

@Spacey:

You didn't list what you have enabled to combat the spam. Or what version of Connect.

Are you using any blacklists?
SpamAssassin?
Kerio Anti-Spam?
Custom rules?
What's your tag setting? Block setting?
I'm sure there's more, but those answers will be a good start.

Thanks.

Cheers,
Jon
  •  
Spacey

Hi...

General Settings: Spam-Tag: 5 / Block: 9
Kerio Anti-Spam: Enabled (Add 6 points)
SpamAssassin: Enabled
RBLs: SpamCop (add 5), SpamHaus ZEN (add 5), SORBS DNSBL (add 2.5), NiX Spam Manitu (add 5), Barracuda Networks (add 3.5), GBUdb (add 2.5), PSBL (add 2.5)
Caller ID: Enabled (add 4)
SPF: Enabled (add 4)
Spam-Repellent: Enabled (22 seconds)

Plus some allowed foreign domains of our own, which aren't involved in these cases.
  •  
Kerio/GFI Brian


Brian Carmichael
Instructional Content Architect
  •  
Spacey

Thanks Brian,

this is already enabled in general and for our main domain, but it matches only the sender eMail addresses - not the names.

The problem here is the "name" which appears in the eMail client; the direct (unknown) address is only visible when you hover over the sender name or click it.

If someone sends with a faked address, our Kerio already denies it. This is just about name fakers! :/
  •  
Kerio/GFI Brian

Ok I see now. In this case you can create Message Filter rules like this:
- All of the conditions are met
- Condition 1 = where from contains "Eric Price"
- Condition 2 = where sender does not contain "your.domain.com"
- Action = reject message

The caveat is that your users won't be able to send/receive email with anyone who happens to share the same name as them. Otherwise you should investigate these spam messages further and optimize your spam filter based on other characteristics than the from name.

Brian Carmichael
Instructional Content Architect
  •  
Spacey

OK, that's a manual solution - yes.
You mean a personal filter for every user, eh?!

I tried the following - see screenshot. But unfortunately this doesn't work... The eMail is still in the inbox.


Other spam filters: The problem is that the sender email addresses & domains follow no rule; these are hacked normal accounts or whatever. No idea where to start here.

[Updated on: Thu, 29 March 2018 11:14]

  •  
blackbox

This approach seems a bit limited in scope (configured within an individual user's account).

Would you have a recommendation for the same equivalent on a more global scale (something that could be applied at the server vs the client)?

Quick update: while diving in, it looks like server-side rules may now be possible starting with version 9.

https://manuals.gfi.com/en/kerio/connect/content/server-configuration/filtering-messages-on-the-server-1831.html

[Updated on: Tue, 28 August 2018 22:04]

  •  
freakinvibe

You would have to work somehow with variables to match your users' names. I don't know if that is possible. In addition, if you have a John Miller in your company and a John Miller wants to write to you, he can't because you block him.

I'd rather look at the headers and contents of those messages and find something in common that you could block via global rule.

If you could post the header of such a message, I could have a quick look.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
blackbox

I haven't had any success testing with the method described, as the message arrives without issue.

Quote:
Wed, 28 March 2018 11:49
Kerio/GFI Brian
Ok I see now. In this case you can create Message Filter rules like this:
- All of the conditions are met
- Condition 1 = where from contains "Eric Price"
- Condition 2 = where sender does not contain "your.domain.com"
- Action = reject message


I also tried altering condition 2 a bit, using the "From" header instead of "Sender".

- All of the conditions are met
- Condition 1 = where from contains "Display Name"
- Condition 2 = where from does not contain "domain.com"
- Action = reject message


No luck with this approach either, test message arrives without issue.
  •  
blackbox

I dove in a bit more to the suggested course of action.

My results match those of Spacey.

Passing the header information into a notification message via: perform the following action, send notification, displaying the following:

from: $from$
subject: $subject$
text: $text$


suggests the display name is not picked up within the from value, providing only the email address when output.

Example incoming message:

From: Joe User <bad@guy.com>
Subject: Trust me, I'm legit.
Body of email

Sends a notification containing the following:
from: <bad@guy.com>
subject: Trust me, I'm legit.
text: Body of email

If I alter the rule to look for a specific from:email address, the rule does work, but basing the rule on a specific from:display name value, as was the main focal point, doesn't seem to work.
  •  
blackbox

Posts http://forums.kerio.com/m/125940/7359/2bb237f42e204728b0b3289a29fb5145/?srch=sieve#msg_125940 and http://forums.kerio.com/m/130192/7359/2bb237f42e204728b0b3289a29fb5145/?srch=filter.siv#msg_130192 seem to suggest Kerio follows the Sieve specs discussed within RFC3028. https://www.ietf.org/rfc/rfc3028.txt

The suggested rule created within the admin console seems to use the "address" Sieve test and not the "header" Sieve test.

The difference being, the header Sieve test compares the complete header text contents (allowing a check for everything after From: on the header line, in this case "Display Name" <bad@guy.com>), while the address Sieve test compares only the actual address (everything inside the angle brackets < > on the header line, in this case bad@guy.com).

Web admin GUI produces something like the following:
if allof (address :all :contains "From" "Joe User", not envelope :all :contains "From" "mydomain.com") {discard; stop;}


Perhaps the rule may work as intended if altered to:
# the header test takes no address-part tag such as :all (RFC 3028)
if allof (header :contains "From" "Joe User", not envelope :all :contains "From" "mydomain.com") {discard; stop;}

[Updated on: Wed, 29 August 2018 20:11]
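
The difference between the two Sieve tests discussed in this thread, together with the "cross name database check" asked about in the first post, as an added Python example (not code from the thread and not Kerio's own). The internal domain, the employee name list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "mydomain.com"             # assumption: the protected mail domain
EMPLOYEE_NAMES = {"Joe User", "Eric Price"}  # assumption: exported from the user directory

# Constructed sample messages, modelled on the example message in the thread.
SAMPLES = {
    "spoofed":  "From: Joe User <bad@guy.com>\nSubject: Trust me, I'm legit.\n\nBody of email\n",
    "quoted":   'From: "PRICE,  eric" <x@external-spam-domain.com>\nSubject: hi\n\nBody\n',
    "internal": "From: Joe User <joe.user@mydomain.com>\nSubject: lunch\n\nBody\n",
    "stranger": "From: Ann Other <ann@example.org>\nSubject: quote\n\nBody\n",
}

def from_values(raw):
    """Return the raw value of every From header in the message."""
    return message_from_string(raw).get_all("From", [])

def normalise(name):
    """Case-fold, drop punctuation, sort the words: 'PRICE, eric' == 'Eric Price'."""
    cleaned = "".join(c if c.isalnum() else " " for c in name.casefold())
    return " ".join(sorted(cleaned.split()))

KNOWN = {normalise(n) for n in EMPLOYEE_NAMES}

def address_test(raw, needle):
    """Like Sieve 'address :all :contains "From"': sees only the address itself."""
    return any(needle.casefold() in addr.casefold()
               for _, addr in getaddresses(from_values(raw)))

def header_test(raw, needle):
    """Like Sieve 'header :contains "From"': sees the whole header value."""
    return any(needle.casefold() in value.casefold() for value in from_values(raw))

def is_name_faker(raw):
    """True if From carries an employee's display name on a non-internal address."""
    for name, addr in getaddresses(from_values(raw)):
        domain = addr.rpartition("@")[2].casefold()
        if normalise(name) in KNOWN and domain != INTERNAL_DOMAIN:
            return True
    return False

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, address_test(raw, "Joe User"),
              header_test(raw, "Joe User"), is_name_faker(raw))
```

Because namesakes outside the company also match (the caveat raised earlier in the thread), a hit is better mapped to a spam score or tag than to an outright reject.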
