Koozali.org: home of the SME Server

Obviously spoofed email getting through

Elliott
Obviously spoofed email getting through
« on: November 20, 2009, 04:39:03 PM »
My users have been getting email to them with titles like "please update your user@domain.com mailbox" or "your mailbox has been deactivated" types.

Now I have a relatively small user base and have done a good job of making them know how to ferret these baddies out. But the thing that gets me about these latest ones is that the from address is a valid internal address but the Received: lines are all external SNMP servers.

I only have IMAPS turned on for external networks so unless I'm missing something does this mean they've successfully guessed a legit password?

-Elliott

CharlieBrady
Re: Obviously spoofed email getting through
« Reply #1 on: November 20, 2009, 05:22:38 PM »
Quote
My users have been getting email to them with titles like "please update your user@domain.com mailbox" or "your mailbox has been deactivated" types.

Now I have a relatively small user base and have done a good job of making them know how to ferret these baddies out. But the thing that gets me about these latest ones is that the from address is a valid internal address but the Received: lines are all external SNMP servers.

You mean SMTP, I'm sure.

Quote
I only have IMAPS turned on for external networks so unless I'm missing something does this mean they've successfully guessed a legit password?

No. Mail would have arrived via non-authenticated SMTP (just like any other mail to your local domains). You can check the logs and verify.

SME server doesn't block messages with From: address from a local domain. Many people send via external mail services (e.g. gmail) with From: address set to their "home" domain. So it is sometimes legitimate for messages to come from outside with a local domain From: address.

If you want to block such inbound messages, you'd need to make custom changes, or sponsor development of a new feature.
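As an added example (not code from this thread or from SME Server), a small Python check for the situation CharlieBrady describes: it trusts only the Received: header our own server added and flags a message whose From: domain is local but whose connecting host was not on the LAN. The local domain, the LAN range and the sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.org"}                           # assumption: our local domain
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: LAN range

# Constructed sample: local-domain From:, but handed to our server by an outside host.
SAMPLE = """Received: from mail.example.com (mail.example.com [203.0.113.7])
\tby smtp.example.org with SMTP; Fri, 20 Nov 2009 10:01:02 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example.com with ESMTP; Fri, 20 Nov 2009 10:00:55 -0500
From: helpdesk@example.org
To: user@example.org
Subject: please update your user@example.org mailbox

Your mailbox has been deactivated.
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP of the host that handed the message to our server.

    Only the topmost Received: header was written by our own MTA; every
    header below it was supplied by the sender and may be forged.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return m.group(1) if m else None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def spoofed_local_sender(raw):
    """True when From: claims a local domain but the message reached us
    from outside the LAN (the pattern described in the thread)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS:
        return False
    ip = connecting_ip(msg)
    return ip is None or not is_internal(ip)
```

Messages that legitimate users send through an outside provider with their home-domain address, the case CharlieBrady mentions, are flagged as well, so treat a hit as something to verify against the logs rather than as grounds to reject on its own.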

mmccarn
Re: Obviously spoofed email getting through
« Reply #2 on: November 21, 2009, 07:32:37 PM »
Many of the spam filtering tools included with SME server are disabled by default in order to keep new SME admins from getting complaints about missing emails.

If you haven't already done so, read through the Sonoracomm howto for configuring the spam filters on SME server.

At a minimum, I recommend enabling:
- DNSBL
- RHSBL
- Spamassassin bayesian autolearning

If you continue to have problems, configure the 'LearnAsSpam' tools (described in the Sonoracomm HowTo) to allow users to specify spam and ham for their own email.

Usually the type of bogus email you are describing should be picked up by the DNSBL plugin.