
Postfix message restrictions

Hello all,

Assuming users here run PureMessage for Unix and are running Postfix as the MTA, I was wondering: does anyone here implement additional custom message restrictions on top of the stock Postfix config provided by Sophos? We are getting a lot of forged spam coming from our own domain that isn't being picked up by PureMessage and we are considering implementing message restrictions. I am aware that all these customizations will be unsupported and we are on our own with Postfix, but I'm just curious how many people here run the stock Postfix config.

Thanks



  • I haven't yet, however it's something I've considered doing. I'm also interested in hearing if anyone has done this.

    Erric

  • Hey mrdky,

    "We are getting a lot of forged spam coming from our own domain that isn't being picked up by Puremessage..."

    Does this mean that you have spam being sent from within your organization outbound, or you are receiving inbound email that is forged to appear to be from your domain?

    If PureMessage for Unix is missing samples, please send samples in to is-spam@sophos.com. If you still see these mails coming through after a day, you can engage support, who can follow up with the labs about your sample set. This could be a matter of having trusted relays or internal hosts configured improperly. You could also be seeing targeted attacks, which we would be very interested in seeing and stopping!

    Cheers,

    MarkJD

  • Hi MarkJD,

    Sorry, I wasn't being clear: we are getting a lot of messages coming inbound claiming to be a user on our domain and sending to a user on our domain. I have opened a ticket with support and they recommend upgrading from 5.5.6 to 5.5.9 and submitting more samples to is-spam. We also had our gateway config verified by Sophos. So I have pretty much reached the end of my rope and decided on making some changes to the Postfix config. We have been thinking of adding sender checks to check whether the sender of inbound messages claims to originate from our own domain, and reject those.

  • MarkJD,

    What do you think about the following policy.siv change:

      # attr NAME=Spoofed mail claiming to be us
      if envelope :comparator "i;ascii-casemap" :all :contains ["from"] ["example.com"] {
          pmx_mark1 "inbound_spoof";
          pmx_quarantine "inbound_spoof";
      }

    Planning to add this to our siv under the Inbound policy to quarantine all external messages claiming to be from our domain example.com. Would this stop spoofers from claiming to be us and attempting to relay to our users?

  • I was looking for something like this and found the following in the Admin manual:

    Example: Quarantine Messages from Fake Senders

    Some spammers falsify email addresses so that the message appears to originate from a sender within the recipient's own domain. For example, the recipient works for company "XYZ", and his own corporate email address is john@xyz.com. A spammer might then pose as frank@xyz.com in an attempt to evade detection.

    Guard against this tactic by adding a rule to the "Mail from external hosts" section of the policy that filters incoming mail from senders pretending to be a member of the same domain. The rule tests external messages for the presence of the domain in the Envelope from and Sender parts. Any messages containing the specified domain are quarantined.
    Note: This test is based on the premise that legitimate members of the domain require some form of authentication to access their email accounts externally. Therefore, it is assumed that addresses with the company's domain that originate from outside of the network are fake.

    To Quarantine Messages from Fake Senders using the PureMessage Manager:

       1. Click Create beside Backups on the Policy tab sidebar. A backup of the current policy is created; a backup entry with the current date and time is displayed in the Backups section of the sidebar.
       2. Click the Policy Rules on the Policy tab sidebar to display the current policy.
       3. Click the Mail from external hosts rule.
       4. Click add rule (beside Execute actions and rules). A new rule is created.
             1. Configure the Test:
                   1. Change the (New Rule) text to Check for fake senders.
                   2. From the Tests drop-down list, select Sender's address.
                   3. From the second drop-down list, select Matches.
                   4. In the adjacent text box, enter **@xyz.com.
                   5. Click add test.
                   6. From the drop-down list, select Envelope from.
                   7. From the second drop-down list, select Matches.
                   8. In the adjacent text box, enter **@xyz.com.
                   9. From the criteria drop-down list, select If ANY criteria are met.
             2. Configure the Action:
                   1. Click add action. This creates the action configuration template.
                   2. In the Execute actions and rules drop-down list, select Quarantine the message.
                   3. In the text box on the right (Quarantine Reason), enter Fake Sender.
                   4. Click add action.
                   5. In the second rules drop-down list, select Stop processing.
                   6. Click Save.
             3. Change the Rule Order:
                   1. Click Cut. A message is displayed at the top of the page indicating that the Check for fake senders rule has been cut.
                   2. Click to select the rule Clean mail containing viruses.
                   3. Click Paste. The Check for fake senders rule is now displayed in its new position beneath the Check mail containing viruses rule.


             4. Click the Commit link to update the live policy script. PureMessage displays a message advising that the milter is running with a stale configuration. Do not restart the milter.
       5. Test New Policy: Because the milter has not been restarted, it is still using the original policy. Therefore, the new policy can be tested without making it "live".
             1. Click Test Current Policy on the Policy tab sidebar. The Test Current Policy page is displayed.
             2. From the Select Relay Type drop-down list, select External.
             3. In the Envelope From text box, enter: frank@xyz.com.
             4. Do not edit the default text displayed in the message source text box.
             5. Click Test. The test runs and the results are displayed. Note that the Delivery Action for the test message is "quarantine: Fake_Sender". Scroll down in the Details list box to view the test results.
       6. If satisfied with the new policy, click Restart now to restart the milter and make the new policy live. To restore the original policy, click the backup link, and select OK.

    Policy Script

    To Quarantine Messages from Fake Senders by manually editing the policy script:

    # attr NAME=Mail from external hosts
    else {
        pmx_add_header "X-PMX-Version" "%%PMX_VERSION%%";
        pmx_mark "Size" "%%MESSAGE_SIZE%%";
        # attr NAME=Clean mail containing viruses
        if pmx_virus {
            pmx_file "Virus";
            pmx_virus_clean "cantclean.tmpl";
            pmx_replace_header "Subject" "[PMX:VIRUS] %%SUBJECT%%";
            pmx_replace_header "X-PerlMx-Virus-Detected" "%%VIRUS_IDS%%";
        }
        # attr NAME=Check for fake senders
        # Hit if either the From: header address or the envelope sender matches the domain.
        if anyof(address :all :matches :comparator "i;ascii-casemap" ["from"] ["**xyz.com"],
                 envelope :comparator "i;ascii-casemap" :all :matches ["from"] ["**xyz.com"])
        {
            pmx_quarantine "Fake Sender";
            stop;
        }
        # (the remaining rules of the external-hosts branch follow here)
    }

    See the Policy Script Tutorial for more information about modifying the policy script from the command line.
    Parent topic: Customizing Policies

    ------------------------------------------------------------------

    Do a search for Fake SMTP senders in the admin manual and you should find it.

    Erric

  • Hey mrdky,

    One thing to note: there is the "From:" and there is the "Envelope From:" that can be used in this test. It would be best to use both of these within your test.

    Erric has touched on this with the test:

        # attr NAME=Check for fake senders
        if anyof(address :all :matches :comparator "i;ascii-casemap" ["from"] ["**xyz.com"],
                 envelope :comparator "i;ascii-casemap" :all :matches ["from"] ["**xyz.com"])
        {
            pmx_quarantine "Fake Sender";
            stop;
        }

    One other thing to note is that if you have external users connecting via SMTP AUTH or some other mechanism, the internal/external host test may route them to the external policy, which would quarantine their mail.

    You could do a dry run where you don't quarantine but simply mark the logs. This will give you a better sense of how many of these emails are coming from outside trying to get in.

    Using the following:

    pmx_mark1 "RULEHIT";

    ... in any tests will populate the Policy Mark Hits report. This is a great way to use PureMessage for custom reporting. It is also a great way to verify your suspicions and put forward a sound and researched policy rule.

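As an added illustration (not code from this thread, the manual, or Sophos), here is the fake-sender rule from the manual excerpt together with MarkJD's two caveats, re-expressed in Python: a Sieve-style :matches check over the envelope sender and the From: header address, applied only to messages on the external relay, skipped for SMTP AUTH submissions, with a dry-run mode that only counts hits the way pmx_mark1 would. The domain pattern, the authenticated flag and the sample messages are assumptions; it also shows why "*@xyz.com" is a tighter pattern than the manual's "**xyz.com".

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Hypothetical company domain, following the manual's xyz.com example. Anchoring on "@"
# keeps unrelated domains that merely end in "xyz.com" from matching.
DOMAIN_PATTERNS = ["*@xyz.com"]


def sieve_matches(pattern: str, value: str) -> bool:
    """Sieve :matches under the i;ascii-casemap comparator: '*' matches any run of
    characters, '?' exactly one character, and the comparison is case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


@dataclass
class Message:
    relay: str            # "internal" or "external", as decided by PureMessage's host test
    authenticated: bool   # SMTP AUTH succeeded (the roaming-user case MarkJD warns about)
    envelope_from: str    # MAIL FROM address
    header_from: str      # raw From: header, e.g. 'Frank <Frank@XYZ.com>'


def fake_sender_rule(msg: Message, dry_run: bool = False, patterns=DOMAIN_PATTERNS):
    """Return None (no hit), "mark" (dry run, mark only) or "quarantine"."""
    if msg.relay != "external":
        return None       # the rule lives only in the "Mail from external hosts" branch
    if msg.authenticated:
        return None       # assumption: authenticated submissions are our own users, not spoofs
    header_addr = parseaddr(msg.header_from)[1]   # address part, like the Sieve address test
    hit = any(sieve_matches(p, msg.envelope_from) or sieve_matches(p, header_addr)
              for p in patterns)
    if not hit:
        return None
    return "mark" if dry_run else "quarantine"


# Constructed sample traffic for a dry run, standing in for the Policy Mark Hits report.
SAMPLE = [
    Message("external", False, "frank@xyz.com", "Frank <frank@xyz.com>"),         # classic spoof
    Message("external", False, "bounce@spammer.example", "John <John@XYZ.com>"),  # header-only spoof
    Message("external", True, "alice@xyz.com", "Alice <alice@xyz.com>"),          # roaming user, SMTP AUTH
    Message("internal", False, "bob@xyz.com", "Bob <bob@xyz.com>"),               # internal relay
    Message("external", False, "eve@notxyz.com", "Eve <eve@notxyz.com>"),         # unrelated domain
]


def dry_run_report(messages=SAMPLE) -> int:
    """Count how many messages the rule would have hit, quarantining none of them."""
    return sum(fake_sender_rule(m, dry_run=True) == "mark" for m in messages)
```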
    Thank you very much, Erric and MarkJD. Your answers were extremely helpful; I will take them into consideration and might not need to mess with Postfix after all.

