How to protect from backscatter?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

How to protect from backscatter?

Post by davidkillingsworth »

I am seeing a few emails slip through the anti-spam filter that have the from email address of a legit user. The email is also addressed to the legit user.

The email server that it comes through is randomized each time, and the content is definitely SPAM.

I am trying to figure out if there is a way that Zimbra looks to see if the from address is a local user account and blocks the message if the sender has not authenticated.

Is this possible?

Thanks,
David
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: How to protect from backscatter?

Post by phoenix »

This should suit your needs: viewtopic.php?t=61702

You could also consider using rspamd instead of the ZCS inbuilt anti-spam solutions. :)
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: How to protect from backscatter?

Post by JDunphy »

Hi David,

There are a few ways of doing this, as Bill points out, including enabling the postscreen feature... If you are digitally signing your email or using anything in front of your MTA, here is a general solution that works for most cases... even for an incoming MX that does additional spam tagging, balancing, etc. Add this rule to your /opt/zimbra/data/spamassassin/localrules/sauser.cf and then zmantispamctl restart.

DKIM_VALID_AU means that it has a legal digital signature, so that could be any signed domain... but they can't sign with your domains because that would fail given they don't have your private key. This method doesn't scale to too many domains because it is a manual rule, but it works fairly well for its intended purpose for a small list of domains and doesn't require additional Postfix directives if your environment is slightly non-standard and/or you don't have control of the front-end MTA, or a few other odd edge cases that can lead to FPs.

If you want to discard/drop the forged email, just change the score to 15 or whatever you have your discard limit set to. Initially, I had this rule a little more general but more complex with SPF but that fails a few edge conditions so this simpler form works well for spam detection but did require the list of domains you control to be hard-coded.

Code:

# spoofed from
# Sub-rule (leading underscores = no score of its own): From header is one of our domains
header __SPFSENDER_FROM From =~ /\@example\.com|\@example\.net/i
# Fire when it claims to be from us but carries no valid, From-aligned DKIM signature
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
# 7 tags as spam; raise to your discard limit (e.g. 15) to drop instead
score  SPOOFED_FROM 7
describe SPOOFED_FROM Not DKIM signed

Note: if you have users at home or remote offices that don't use your Zimbra server to send outgoing email, then this rule is going to be a problem because their email will not be digitally signed by your Zimbra server, i.e. personas come to mind, for example. That is the trade-off... We score it at 7 so they can whitelist should that be a user requirement. Think Gmail users who also have Zimbra accounts, etc.
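To make the rule's decision logic and its trade-off concrete, here is a small Python emulation of SPOOFED_FROM run over constructed sample messages. This is an added example, not code from the post, Zimbra or SpamAssassin: it approximates DKIM_VALID_AU as "a passing DKIM result whose header.d= domain equals the From domain", assumes the Authentication-Results header was written by our own MTA, assumes SpamAssassin's default required_score of 5, and models the whitelist the poster mentions as a plain set of sender addresses. The domains and messages are placeholders.

```python
"""Emulation of the SPOOFED_FROM meta rule for inspection on sample mail.

Added example; the trust model (our MTA writes Authentication-Results), the
thresholds and the sample messages are assumptions, not Zimbra defaults.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Domains we control: the alternation in __SPFSENDER_FROM (placeholder values).
CONTROLLED_DOMAINS = frozenset({"example.com", "example.net"})

# Scores from the thread: 7 only tags (users can whitelist), 15 hits the discard limit.
SPOOFED_FROM_SCORE = 7
SPAM_THRESHOLD = 5        # assumed SpamAssassin required_score
DISCARD_THRESHOLD = 15    # "whatever you have your discard limit set to"

# Pulls "dkim=<result> ... header.d=<domain>" clauses out of Authentication-Results.
AUTHRES_DKIM = re.compile(
    r"dkim=(\w+)(?:[^;]*?\bheader\.d=([A-Za-z0-9.-]+))?", re.IGNORECASE)


def from_domain(msg: Message) -> str:
    """Domain part of the RFC 5322 From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def dkim_valid_au(msg: Message) -> bool:
    """Approximation of DKIM_VALID_AU: a *passing* signature whose d= domain is
    aligned with the From domain. A signature from some other domain passes
    DKIM but is not aligned, which is exactly why forgers cannot satisfy it."""
    dom = from_domain(msg)
    for hdr in msg.get_all("Authentication-Results", []):
        for result, d in AUTHRES_DKIM.findall(hdr):
            if result.lower() == "pass" and d.lower() == dom:
                return True
    return False


def spoofed_from_score(msg: Message) -> int:
    """meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)."""
    if from_domain(msg) in CONTROLLED_DOMAINS and not dkim_valid_au(msg):
        return SPOOFED_FROM_SCORE
    return 0


def verdict(msg: Message, score: int = SPOOFED_FROM_SCORE,
            whitelist: frozenset = frozenset()) -> str:
    """Outcome of running only this rule at the given score: 'ham', 'spam'
    (tagged) or 'discard'. `whitelist` models the per-user exception from the
    note above (a home user sending an @example.com persona through Gmail)."""
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() in whitelist:
        return "ham"
    hit = score if spoofed_from_score(msg) else 0
    if hit >= DISCARD_THRESHOLD:
        return "discard"
    return "spam" if hit >= SPAM_THRESHOLD else "ham"


# Constructed sample messages (not real traffic).
FORGED = message_from_string(
    "From: Alice <alice@example.com>\nTo: alice@example.com\n"
    "Authentication-Results: mta.example.com; dkim=none; spf=fail\n"
    "Subject: invoice\n\nbuy now\n")
LEGIT = message_from_string(
    "From: Alice <alice@example.com>\nTo: bob@example.net\n"
    "Authentication-Results: mta.example.com; dkim=pass header.d=example.com header.s=sel1\n"
    "Subject: lunch\n\nnoon?\n")
# Validly signed, but by a domain the sender controls rather than ours: not aligned.
THIRD_PARTY_SIGNED = message_from_string(
    "From: Alice <alice@example.com>\nTo: alice@example.com\n"
    "Authentication-Results: mta.example.com; dkim=pass header.d=bulkmail.example\n"
    "Subject: invoice\n\nbuy now\n")
FOREIGN = message_from_string(
    "From: Carol <carol@other.example>\nTo: alice@example.com\n"
    "Authentication-Results: mta.example.com; dkim=none\n\nhello\n")

if __name__ == "__main__":
    for name, m in [("forged", FORGED), ("legit", LEGIT),
                    ("third-party-signed", THIRD_PARTY_SIGNED), ("foreign", FOREIGN)]:
        print(f"{name:20s} score={spoofed_from_score(m)} "
              f"tag_mode={verdict(m)} discard_mode={verdict(m, score=15)}")
```

The third-party-signed case is the one worth staring at: it is DKIM-valid, so a rule written as `!DKIM_VALID` would let it through, while the aligned test `!DKIM_VALID_AU` still flags it. The forged case shows the two deployment choices from the post, tagging at 7 versus discarding at 15, and the whitelist path shows what the note about remote users means in practice.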