Koozali.org: home of the SME Server

Blocking spoofed emails

Brenno
Blocking spoofed emails
« on: June 05, 2014, 03:34:59 PM »
Hi folks!

We receive a lot of spoofed email and SpamAssassin is whitelisting because it appears to come from our domain.  I have looked around the Server Manager and Googled the forums, but I can't see any obvious way to block these messages.

As an example from the mail headers (note I've changed our domain name):

Return-Path: <cummerbundlse@rock-fest.com>
From: "fax" <fax@ourdomain.com>
Received: from Unknown (HELO UXNUGVNJL) (46.222.36.74) by ourdomain.com (qpsmtpd/0.83) with ESMTP; Thu, 05 Jun 2014 09:00:29 -0400
X-Spam-Status: No, hits=-97.8 required=3.0 tests=FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,RDNS_NONE,SPF_FAIL,USER_IN_WHITELIST

Am I missing some dreadfully obvious blocking technique here?  Seems like the return-path and from mismatch would be a giveaway, no?

Daniel B. (Firewall Services, la sécurité des réseaux)
Re: Blocking spoofed emails
« Reply #1 on: June 05, 2014, 03:50:38 PM »
The question is why you put your own domain in the whitelist. All your users should send either from the internal networks or authenticated through SMTPS (or both), in which case SpamAssassin will not even scan the mails. So I don't see any point in whitelisting your own domain.
It's the end of the world!!! :lol:

Brenno
Re: Blocking spoofed emails
« Reply #2 on: June 05, 2014, 04:09:47 PM »
You ask a good question.  From memory, we put ourselves into the whitelist many years ago because of some problem we had with remote users... I can't recall the specifics of it, but I suppose an easy test is to remove our own domain from the WBL and monitor to see if we have any issues.

I suppose this falls under the "dreadfully obvious", doesn't it?

Daniel B.
Re: Blocking spoofed emails
« Reply #3 on: June 05, 2014, 04:16:08 PM »
You should first try to remove your domain from the whitelist. Not sure it will be sufficient though, as in the example you gave the score was -97.9, which means it'd have been only 2.2 without the whitelist test (under your 3.0 threshold).
Have you enabled DNSBL/RHSBL (they usually give great results for a very low overhead)?

Brenno
Re: Blocking spoofed emails
« Reply #4 on: June 06, 2014, 04:48:12 PM »
Removing us from the whitelist has at least allowed SpamAssassin to score the emails accordingly.  Some are still coming through to inboxes based on scores below our threshold of 3.0.

We do have DNSBL/RHSBL enabled.
« Last Edit: June 09, 2014, 04:52:29 PM by Brenno »

Daniel B.
Re: Blocking spoofed emails
« Reply #5 on: June 06, 2014, 05:27:34 PM »
You can try to adjust the scores of some rules (see http://wiki.contribs.org/Email#Custom_Rule_Scores). Based on your example, try to increase the score for FSL_HELO_NON_FQDN_1, HELO_NO_DOMAIN, RDNS_NONE or SPF_FAIL (check their default values first by grepping in /var/lib/spamassassin/, then try to increase them a bit).
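Added example, not code from the thread or from SME Server: a Python script that reads the headers quoted in the original post, flags the Return-Path/From domain mismatch the poster noticed, recomputes the SpamAssassin verdict without USER_IN_WHITELIST (the point made in Reply #3), and recomputes it again with raised scores for the HELO/RDNS/SPF rules (the approach suggested in Reply #5). The sample headers are constructed from the post; DEFAULT_SCORES and RAISED_SCORES are assumed illustrative values chosen to reproduce the -97.8 total, not SpamAssassin's real defaults, and must be replaced with the values grepped from the rule files on the server.

```python
"""Rescore a SpamAssassin-tagged message from its X-Spam-Status header.

Added example, not from the forum thread or SME Server. The per-rule
scores below are assumptions for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, reproducing the headers quoted in the original post.
SAMPLE_HEADERS = """\
Return-Path: <cummerbundlse@rock-fest.com>
From: "fax" <fax@ourdomain.com>
Received: from Unknown (HELO UXNUGVNJL) (46.222.36.74) by ourdomain.com (qpsmtpd/0.83) with ESMTP; Thu, 05 Jun 2014 09:00:29 -0400
X-Spam-Status: No, hits=-97.8 required=3.0 tests=FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,RDNS_NONE,SPF_FAIL,USER_IN_WHITELIST

"""

# Assumed per-rule scores (illustrative; grep /var/lib/spamassassin/ for real ones).
DEFAULT_SCORES = {
    "FSL_HELO_NON_FQDN_1": 0.5,
    "HELO_NO_DOMAIN": 0.0,
    "RDNS_NONE": 0.8,
    "SPF_FAIL": 0.9,
    "USER_IN_WHITELIST": -100.0,
}

# Assumed raised scores, as a local.cf override might set them (illustrative).
RAISED_SCORES = {
    "FSL_HELO_NON_FQDN_1": 1.5,
    "HELO_NO_DOMAIN": 0.5,
    "RDNS_NONE": 1.5,
    "SPF_FAIL": 2.0,
}

SPAM_STATUS_RE = re.compile(
    r"hits=(?P<hits>-?[\d.]+)\s+required=(?P<req>[\d.]+)\s+tests=(?P<tests>\S+)"
)


def parse_spam_status(value):
    """Return (hits, required, [test names]) from an X-Spam-Status value."""
    m = SPAM_STATUS_RE.search(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    return float(m["hits"]), float(m["req"]), m["tests"].split(",")


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address header value."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def envelope_mismatch(msg):
    """True when the envelope sender domain differs from the From: domain."""
    rp = domain_of(msg.get("Return-Path", ""))
    frm = domain_of(msg.get("From", ""))
    return rp != frm, rp, frm


def rescore(tests, scores, exclude=()):
    """Sum the scores of the rules that hit, skipping any in `exclude`."""
    total = sum(scores.get(t, 0.0) for t in tests if t not in exclude)
    return round(total, 3)


def analyse(raw, scores=DEFAULT_SCORES, raised=None):
    """Recompute the verdict with the whitelist hit removed and scores overridden."""
    msg = message_from_string(raw)
    hits, required, tests = parse_spam_status(msg["X-Spam-Status"])
    mismatch, rp, frm = envelope_mismatch(msg)
    table = dict(scores, **(raised or {}))
    without_wl = rescore(tests, table, exclude={"USER_IN_WHITELIST"})
    return {
        "reported_hits": hits,
        "required": required,
        "tests": tests,
        "whitelisted": "USER_IN_WHITELIST" in tests,
        "envelope_mismatch": mismatch,
        "return_path_domain": rp,
        "from_domain": frm,
        "hits_without_whitelist": without_wl,
        "would_be_spam": without_wl >= required,
    }


if __name__ == "__main__":
    for label, raised in (("default scores", None), ("raised scores", RAISED_SCORES)):
        result = analyse(SAMPLE_HEADERS, raised=raised)
        print(label, result)
```

With the assumed defaults the message lands at 2.2 once the -100 whitelist hit is dropped, still under the 3.0 threshold, which is why removing the domain from the whitelist alone lets some of these through; with the raised scores it reaches 5.5 and would be tagged. The Return-Path/From mismatch check is reported but not scored, because forwarded mail and mailing-list traffic legitimately carry a different envelope sender, so treating the mismatch alone as spam would cause false positives.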

mmccarn
Re: Blocking spoofed emails
« Reply #6 on: June 07, 2014, 02:29:13 PM »
If you have Bayes filtering enabled, you should be able to train your server to recognize the offending messages.

There is a contrib for this that I have not used:
http://wiki.contribs.org/Learn

And there is a more manual procedure that I have used:
http://bugs.contribs.org/show_bug.cgi?id=1701#c36