How to stop emails with fraudulent From header

wodel
Advanced member
Posts: 52
Joined: Sat Sep 13, 2014 12:24 am

How to stop emails with fraudulent From header

Post by wodel »

Hi,

Recently some of our users received emails pretending to come from the admin account: the From header was modified to look like it was sent from the admin account, but looking into the source of the email we found that the Return-Path contains the real sender, which is from a different domain.
How can we check the From and Return-Path headers to see if the domain is the same, and if so accept the mail, but if the domain is different, discard the email?
Return-Path: <tal.ros@mathazzar.com>    <-- This is the real spammer
Received: from mail.ourdomain.com (LHLO mail.ourdomain.com)
 (10.10.1.10) by mail.ourdomain.com with LMTP; Wed, 9 Nov 2022 03:29:21
 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
        by mail.ourdomain.com (Postfix) with ESMTP id EB39A81C63F83
        for <support@ourdomain.com>; Wed, 9 Nov 2022 03:29:20 +0100 (CET)
X-Virus-Scanned: amavisd-new at ourdomain.com
X-Spam-Flag: NO
X-Spam-Score: 3.272
X-Spam-Level: ***
X-Spam-Status: No, score=3.272 required=6.4 tests=[BAYES_50=0.8,
        CUSTOM_LOOKUP_17=0.5, CUSTOM_LOOKUP_18=0.5, CUSTOM_LOOKUP_2=0.5,
        HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001,
        SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TO_IN_SUBJ=0.1,
        T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001,
        URIBL_PH_SURBL=0.61] autolearn=no autolearn_force=no
Received: from mail.ourdomain.com ([127.0.0.1])
        by localhost (mail.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id W1Wo86rSak02 for <safinez.gacem@ourdomain.com>;
        Wed, 9 Nov 2022 03:29:17 +0100 (CET)
Received: from ofwaqqsj.mathazzar.com (ofwaqqsj.mathazzar.com [92.52.217.146])    <-- This is the real server
        by mail.ourdomain.com (Postfix) with ESMTPS id E75608001ECFB
        for <support@ourdomain.com>; Wed, 9 Nov 2022 03:29:16 +0100 (CET)
From: ourdomain.com <admin@ourdomain.com>    <-- This is the fraudulent and modified From header
To: support@ourdomain.com    <-- This is our targeted local user
Subject: support@ourdomain.com Pending mails Error
Date: 8 Nov 2022 18:30:37 -0800

Regards.
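The check wodel asks for, comparing the domain in the From: header with the domain in the Return-Path (envelope sender), as an added Python example that is not part of the original post. The two sample messages are constructed: the spoofed one is abridged from the headers quoted above, the legitimate one is made up for comparison, and LOCAL_DOMAINS is an assumed stand-in for the domains the server handles.

```python
import email
from email.utils import parseaddr

# Constructed sample, abridged from the headers quoted in the post above.
SPOOFED_SAMPLE = """\
Return-Path: <tal.ros@mathazzar.com>
Received: from ofwaqqsj.mathazzar.com (ofwaqqsj.mathazzar.com [92.52.217.146])
        by mail.ourdomain.com (Postfix) with ESMTPS id E75608001ECFB
        for <support@ourdomain.com>; Wed, 9 Nov 2022 03:29:16 +0100 (CET)
From: ourdomain.com <admin@ourdomain.com>
To: support@ourdomain.com
Subject: support@ourdomain.com Pending mails Error
Date: 8 Nov 2022 18:30:37 -0800

(body omitted)
"""

# Constructed legitimate message for comparison: envelope and From: agree.
LEGIT_SAMPLE = """\
Return-Path: <admin@ourdomain.com>
From: Admin <admin@ourdomain.com>
To: support@ourdomain.com
Subject: maintenance window

(body omitted)
"""

# Assumed set of domains this server is authoritative for (placeholder).
LOCAL_DOMAINS = {"ourdomain.com"}


def address_domain(header_value):
    """Lower-cased domain of the first address in a header value; None if absent.

    parseaddr() takes the address from the angle brackets, so a display name
    that merely looks like a domain (as in the spoofed From: above) is ignored.
    """
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_alignment(raw_message):
    """Compare the From: domain with the Return-Path (envelope sender) domain."""
    msg = email.message_from_string(raw_message)
    from_domain = address_domain(msg.get("From"))
    rp_domain = address_domain(msg.get("Return-Path"))
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "aligned": from_domain is not None and from_domain == rp_domain,
    }


def classify(raw_message, local_domains=LOCAL_DOMAINS):
    """Apply the rule asked for above, restricted to the server's own domains.

    'discard' when From: claims one of our domains but the envelope sender is a
    different domain; 'unknown' when no envelope sender is visible (Return-Path
    is often only added at final delivery); 'accept' otherwise.
    """
    result = check_alignment(raw_message)
    if result["from_domain"] not in local_domains:
        return "accept"  # foreign From: domains are left to their own SPF/DMARC
    if result["return_path_domain"] is None:
        return "unknown"
    return "accept" if result["aligned"] else "discard"


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_alignment(sample), "->", classify(sample))
```

Two practical points. Strict From/Return-Path equality for every message would also reject mailing lists and bulk senders that use a separate bounce domain, which is why the rule here is limited to the server's own domains and why DMARC uses "relaxed" organizational-domain alignment rather than exact equality. Inside SpamAssassin the envelope sender is available as the EnvelopeFrom pseudo-header, which is usually more reliable than Return-Path at scan time.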
Klug
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: How to stop emails with fraudulent From header

Post by Klug »

Set up SPF for your domain; such mails will be marked as spam (SPF soft fail) or discarded (SPF hard fail).

You will also protect the whole internet from such emails (coming from fraudulent senders).
wodel
Advanced member
Posts: 52
Joined: Sat Sep 13, 2014 12:24 am

Re: How to stop emails with fraudulent From header

Post by wodel »

Hi,

Thanks for your help.

For @Gabrieles, I already did those configurations.

For Klug, we have an SPF entry for our mail service in the public DNS, but I thought that it was for email delivery, not for email reception!!!?

v=spf1 mx a ip4:xx.yy.zz.ww/32 a:mail.ourdomain.com ~all

If I send a mail from my server to you, your mail server will check my SPF to verify that my server is the correct one. How can my SPF help me avoid receiving these fraudulent emails?

PS: my mail server is behind a firewall; it does not use the public DNS which contains the SPF entry, it uses a local DNS server which does not contain the SPF entry.

Regards.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: How to stop emails with fraudulent From header

Post by JDunphy »

This won't block it at reception time, but it can allow amavisd to move it to junk or discard it if you are using SA. Here are 2 SA rules to accomplish this. If you want the email gone and not in your junk folder, increase the score from 7 to something over 15. One drawback is you need to explicitly list the domains that you expect to be signed by your Zimbra servers. I have used example.com and example.net below as placeholders.

#spoofed from
header __SPFSENDER_FROM From =~ /\@example\.com|\@example\.net/i
meta SPOOFED_FROM (__SPFSENDER_FROM && (!(DKIM_VALID_AU || ALL_TRUSTED)))
score  SPOOFED_FROM 7
describe SPOOFED_FROM Our Domain in From header and not signed by us

header __RETURNPATH_FROM Return-Path =~ /\@example\.com|\@example\.net/i
meta SPOOFED_FROM_1 (__RETURNPATH_FROM && (!(DKIM_VALID_AU || ALL_TRUSTED)))
score  SPOOFED_FROM_1 7
describe SPOOFED_FROM_1 Our Domain in Return-Path and not signed by us

It works by verifying that if they claim to be your domain that they have DKIM signed it (author of that domain provided in From: or Return-Path: ). It handles both domain spoofing methods (envelope and data).

Fairly easy to test... add this to your SA rules and save an email that you know is spoofed (right mouse click, show original, then save that as a file like /tmp/spoof-email.txt).
Then run SA in debug mode... I have a script that does this or you can do it manually with spamassassin -D ...
Ref: https://raw.githubusercontent.com/JimDu ... heck_sa.sh

% check_sa.sh --lint    #(show if you introduced any syntax problems with the cut/paste of the rules)
% check_sa.sh /tmp/spoof-email.txt
% cat /tmp/spoof-email.txt.out
spoof-email.txt.out will contain the score and all the rules fired. If this looks good, you can wait for tomorrow when updated SA rules happen or restart amavisd to make the rules valid immediately.

HTH,

Jim
Klug
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: How to stop emails with fraudulent From header

Post by Klug »

wodel wrote: we have an SPF entry for our mail service in the public DNS, but I thought that it was for email delivery, not for email reception!!!?

SPF was designed to avoid email reception from fraudulent senders.
If the mail is coming from a server that is not in your SPF, it should be marked as spam or discarded by any receiving MTA (including yours).

wodel wrote: If I send a mail from my server to you, your mail server will check my SPF to verify that my server is the correct one. How can my SPF help me avoid receiving these fraudulent emails?

Exactly the same way.

wodel wrote: PS: my mail server is behind a firewall; it does not use the public DNS which contains the SPF entry, it uses a local DNS server which does not contain the SPF entry.

Then add some SPF entry in your split-DNS, because currently your own server doesn't check the full DNS records for the domain it handles.
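Klug's point about split-DNS can be shown with a small SPF evaluator. The code below is an added example, not part of the thread and not the SPF implementation of Zimbra, Postfix or amavisd; it handles only the a, mx, ip4 and all mechanisms that wodel's record uses. All DNS data is constructed: 203.0.113.10 (an RFC 5737 documentation address) stands in for the xx.yy.zz.ww placeholder, the internal view omits the TXT record as wodel describes, and the record for mathazzar.com is made up purely to reproduce the SPF_PASS result visible in the quoted headers.

```python
import ipaddress

# Constructed resolver views (not real DNS data).
PUBLIC_DNS = {
    "ourdomain.com": {
        "TXT": ["v=spf1 mx a ip4:203.0.113.10/32 a:mail.ourdomain.com ~all"],
        "MX": ["mail.ourdomain.com"],
        "A": ["203.0.113.10"],
    },
    "mail.ourdomain.com": {"A": ["203.0.113.10"]},
    # Made up to reproduce the SPF_PASS seen in the quoted headers: the spoofed
    # mail's envelope domain authorised the sending host, so envelope SPF passed.
    "mathazzar.com": {"TXT": ["v=spf1 ip4:92.52.217.146 -all"]},
}

# The internal split-DNS view from the thread: same hosts, but no SPF TXT record.
INTERNAL_DNS = {
    "ourdomain.com": {"MX": ["mail.ourdomain.com"], "A": ["10.10.1.10"]},
    "mail.ourdomain.com": {"A": ["10.10.1.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rtype):
    """Return the records of one type for a name in the constructed DNS view."""
    return dns.get(name.lower().rstrip("."), {}).get(rtype, [])


def ip_matches(client_ip, address, cidr=""):
    """True if client_ip lies in address (optionally widened by a CIDR length)."""
    network = address + ("/" + cidr if cidr else "")
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(network, strict=False)


def check_spf(dns, mail_from_domain, client_ip):
    """Evaluate the envelope-sender domain's SPF record for a connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror, like a real
    SPF checker would; only the a, mx, ip4 and all mechanisms are implemented.
    """
    records = [r for r in lookup(dns, mail_from_domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"  # the resolver sees no record, so nothing can be checked
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, _, mech_cidr = mech.partition("/")  # forms like a/24 or mx/24
        host, _, arg_cidr = arg.partition("/")    # a:host/24 and ip4:x.x.x.x/32
        cidr = arg_cidr or mech_cidr
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_matches(client_ip, host, cidr)
        elif mech == "a":
            target = host or mail_from_domain
            matched = any(ip_matches(client_ip, a, cidr) for a in lookup(dns, target, "A"))
        elif mech == "mx":
            target = host or mail_from_domain
            matched = any(ip_matches(client_ip, a, cidr)
                          for mx in lookup(dns, target, "MX")
                          for a in lookup(dns, mx, "A"))
        else:
            return "permerror"  # include, exists, ptr, redirect are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


if __name__ == "__main__":
    for view_name, view in (("public DNS", PUBLIC_DNS), ("internal split-DNS", INTERNAL_DNS)):
        for ip in ("203.0.113.10", "92.52.217.146"):
            print(f"{view_name:18} MAIL FROM ourdomain.com, client {ip:15} -> "
                  f"{check_spf(view, 'ourdomain.com', ip)}")
    print("public DNS         MAIL FROM mathazzar.com, client 92.52.217.146   ->",
          check_spf(PUBLIC_DNS, "mathazzar.com", "92.52.217.146"))
```

Run against the internal view, the check returns none for every client, which is exactly the symptom Klug describes: the receiving MTA cannot reach a verdict without the TXT record. Run against the public view, the spoofer's host gets softfail when it claims ourdomain.com in MAIL FROM, but the message in the thread did not claim that: its envelope sender was tal.ros@mathazzar.com, so envelope SPF passed (the SPF_PASS tag in the quoted headers) while only the From: header named ourdomain.com. SPF by itself authenticates the envelope domain; requiring the From: domain to align with an SPF- or DKIM-authenticated domain is what a DMARC policy adds, so publishing one and evaluating it on the receiving side is the piece that closes the gap wodel observed.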