Spoofed Addresses

From Roaring Penguin

A common way for spammers to trick CanIt is to spoof the address that they claim to be sending from. However, there are two different sender fields, and spammers generally only change the cosmetic one that is seen by the mail reader. This leaves a mismatch between the Header From and the Envelope Sender addresses that we can use to detect this behaviour.

 Note: If the mail has been spoofed from your own domain, we have another article discussing exactly this.

Increase score for messages spoofed from any domain (Caution)

There is an existing SpamAssassin rule (HEADER_FROM_DIFFERENT_DOMAIN) that does just this, but we only allow it to add a trivial score of 0.001 by default. This is because the same mismatch occurs for other reasons: for instance, mail that is sent through a relay, or legitimate mail which disguises its sender to limit user confusion. An administrator has the power to increase the score of this rule as follows:

  • In the WebUI ensure that you are viewing the 'default' stream so that all changes will be inherited by all users.
  • Navigate to Rules->Score Overrides.
  • Paste the name of the rule - HEADER_FROM_DIFFERENT_DOMAIN - into the Test Name box.
  • Define a new score.
  • Submit the changes.

Prevent spoofing on a domain-by-domain basis (Recommended)

Since the above method has a high chance of false positives, it is advisable that you create a rule similar to the following to target individual domains. The most common domain to do this for is your own, but it will work for any domain. As an example, we have an existing rule on Hosted CanIt for Dropbox.com.

  • As an administrator, ensure that you are viewing the 'default' stream.
  • Navigate to Rules->Custom Rules (Compound Rules prior to version 10.1.0).
  • Create a new rule based off of the following.
    • (Domain of Header From) is example.com AND (Domain of Envelope Sender) Is not example.com
  • Apply a score at least as high as your S-300 threshold (5 by default).
  • Submit the changes.

You may choose to make it score as highly as your S-100 threshold (default is 2000), which will cause the messages to be placed directly into the spam quarantine (instead of the pending quarantine). You will have to use caution, however, since some legitimate senders will spoof the envelope sender address. This can even be the case for your own domain, especially for external services such as newsletters (e.g. MailChimp). If you know of, or notice, any domains that cause false positives as a result of one of these rules, you can append each as an exception to the existing rule:

    AND (Domain of Envelope Sender) Is not exception.com
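As an added illustration (not CanIt's own code or configuration), the following Python evaluates the compound rule above, including the exception clause, against a message; the function names, the sample message and the domains are assumptions.

```python
# Added example (not CanIt's own code): evaluates the "Header From domain is X
# AND Envelope Sender domain is not X" custom rule from this article, with an
# optional exception list for known legitimate relays such as newsletter services.
from email import message_from_string
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or '' if none.

    A null envelope sender (bounces use '<>') yields '' and therefore does not
    match the protected domain, just as the WebUI rule would treat it.
    """
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spoof_score(header_from: str, envelope_sender: str, protected: str,
                exceptions=(), score: float = 5.0) -> float:
    """Score a message as the article's compound rule would.

    Returns `score` (the S-300 threshold by default) when the Header From
    claims `protected` but the Envelope Sender domain is neither `protected`
    nor one of `exceptions`; otherwise returns 0.0.
    """
    hf = domain_of(header_from)
    env = domain_of(envelope_sender)
    allowed = {protected.lower(), *(e.lower() for e in exceptions)}
    if hf == protected.lower() and env not in allowed:
        return score
    return 0.0


def score_message(raw: str, envelope_sender: str, protected: str,
                  exceptions=()) -> float:
    """Extract the Header From from raw RFC 5322 text and apply spoof_score."""
    msg = message_from_string(raw)
    return spoof_score(msg.get("From", ""), envelope_sender, protected, exceptions)


# Constructed sample: the cosmetic From claims example.com; the envelope sender
# (MAIL FROM) is supplied separately by the transport, as it would be in CanIt.
SPOOFED = "From: Accounts <billing@example.com>\nSubject: Invoice\n\nPay now."
```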