Stopping spam forged to as sent from my domain

[PilotMike]

Spammers are smart. :/

I've implemented TMDA lately, and am giddy with the results so far...no spam has been getting through!

However, I've noticed that the spammers have changed tactics now, and have received over 1000 spam emails that now are using my domain in the headers as the "From" address. I have, up to now, whitelisted my own domain, since there has never been much spam where my domain was being used as a forged from.

I can just blacklist my domain in TMDA, but what I'd rather do is try to stop the spam during the SMTP connection phase in sendmail instead of post-processing the mail through procmail.

So, how would I do that? What I'm seeing is random characters or common names @ my domain. There are only really 5 accounts in the domain that use email. I know if the spammers manage to guess one of those 5 accounts, they could still get through, but..

Let's say for now I just want to tell sendmail to only accept email with the local domain in the From header from only a subset of email addresses (or users). Any other, like "joefredbobspammer@domain.com" would be rejected as spam. How would I do that?

Thanks!

 

[PilotMike]

Okay, it's early, that topic made no sense. What I meant was:

Stopping spam with forged headers to my domain

 

[RhythmAce]

You might want to consider using smtpauth. It is very easy to setup but since I've explained it in recent posts, I won't bother you with another version here. How it works is very simple also. The default order of things is for your mail server to handle all smtp traffic first. Then it hands the reigns over to pop3 where a username/password must be supplied. With smtp auth, anybody sending mail through your server must have a user account. This prevents spammers from simply spoofing your address. If you want to to explain step by step, I can walk you through it but you shouldn't have to look too far back for a previous post on how it's done.

 

[PilotMike]

Thanks for the response. I do use SMTP auth to prevent relaying, but that's not stopping local delivery from bogus local accounts. Here's what I'd really like to do:

HELO spammer.com
MAIL FROM:fakeaccount@mydomain.com

*STOP* server sees this is a local domain and CHECKS if the user exists HERE. If not, don't even continue!

Right now, I can connect to my server and use any user I wish and I always get back:

Sender okay

Which it isn't.

 

[PilotMike]

Someone summed up my problem very nicely:

if a message claims to be from a local address, but isn't being relayed from a machine on your network, the message should be rejected or discarded as a forgery.

This is what I'd like to do.

 

[smah]

The refinement of that being:

If a message claims to be from a legitimate local addres....
or
If a message claims to be from a fake local addresss....

If you answer the first one, then smtp auth is not set up properly because it seems that passwords are not being required (or the user password has been comprimised). If your answer is the second one, than smtp auth is not set up properly because it's not even checking the username.

Have a look at RythmAce's excellent discission from some time ago thread14-1329684

 

[PilotMike]

Thanks, smah. With my luck lately it's both. :>