Print Page | Close Window

spam appeared to come from my domain are getting

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6614
Printed Date: 13 December 2017 at 2:20am


Topic: spam appeared to come from my domain are getting
Posted By: Stupid
Subject: spam appeared to come from my domain are getting
Date Posted: 19 February 2009 at 9:37am
I had Reject if "From Domain" = "To Domain" turned on, but some of them still coming through and i had to spend time answering users questions and doing research on what happened.

is there anything i can do?



Replies:
Posted By: LogSat
Date Posted: 20 February 2009 at 7:54am
When checking an email to see why the "From Domain=To Domain" did not work, please note the following:
The sender's email address is the one used int he so called "envelope" or the "Return Path", which is the "real" address of the sender that was specified in the "MAIL TO" command. SpamFilter logs this address by adding it to the "X-SF-Return-Path" header. This can be sometimes different that then one specified in the "From" header of an email address. This latter (the one in the header) is what email clients use to display the "From" in an email, but again, this may not be the "real" sender.

In addition, you may also want to make sure the email was not whitelisted for some reason. if an email is whitelisted, besides being logged as such in SpamFilter's logfile, the header "X-SF-WhiteListedReason:" is added to the email itself.

All this said, if you want to zip and email us the activity logfile for the day this happened (along with the to/from email addresses involved), we'll be glad to take a look. If the zip is over 5MB in size, please let us know so I can provide you with our FTP information to give us the file.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Stupid
Date Posted: 23 February 2009 at 2:50pm
I looked up the autowhitelistforcedelivery.txt, I see many entries like:
MyEmailAddress@mydomain.com|MyEmailAddress@mydomain.com
AnotherCoworkeremailaddress@mydomain.com|myemailaddress@mydomain.com

How did this even happen? My SMTP (Spamfilter ISP) is a receiving only server. Internal emails are routed by my Exchange server internally.


Posted By: LogSat
Date Posted: 23 February 2009 at 5:45pm
Sometimes users may send emails to other users via tools external to your network. For example, Joe@mydomain.com may go to CNN.com, read an article, and then use the (poorly thought out, as this email will get blocked if an ISP is using SPF...!) CNN.com website to email the article to his buddy Mike@mydomain.com. If both Joe and Mike are using your services for email, CNN will be "spoofing" the email address from Joe to send the email to Mike, and will thus likely be blocked. When Mike goes to his quarantine to force the delivery of the email from Joe, the entry will be added to your autowhitelist file.

If only CNN's admins realized that they shouldn't spoof Joe's email... this problem would not occur. Unfortunately even with large companies the webmasters do not talk enough with their postmasters.... and thus these problems will occurr...

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Stupid
Date Posted: 24 February 2009 at 10:45am
so basically, there's no solution?


Posted By: LogSat
Date Posted: 24 February 2009 at 4:25pm
SPF (Sender Policy Framework) is a standard that was created specifically from preventing email spoofing, and unfortunately this is the very same thing CNN and others are doing.
We recommend implementing SPF on your domains (it's basically a TXT record entry in the DNS for the domains protected by SPF), rather than using the "From Domain=To Domain", because unlike the latter, SPF allows admins to publish via DNS which servers/IPs are authorized to send emails using your domain name.

However, unless all the known "offenders" are added in the SPF DNS record manually, or their admins realize the mistake they're making, CNN and others will continue to have their emails rejected by antispam software that uses SPF (or the "From Domain=To Domain"

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Stupid
Date Posted: 04 March 2009 at 1:08pm
so this will be an ongoing problem since I enabled SPF on SFI? I mean users will always release those From=To emails and add that to whitelist, then they get spammers' emails?


Posted By: LogSat
Date Posted: 04 March 2009 at 6:08pm
Actually, a few weeks ago we released a new version of SpamFilter, which has, among other improvements, the following

// New to VersionNumber = '4.1.2.803';
{TODO -cNew : Skipping the addition to the AutoWhiteListForceDelivery of entries where the mail_from = rcpt_to emails to reduce the chance of inadvertently whielisting all emails with a fake "from" address matching the recipient}

Prior to this release, some admins were running scripts that would identify such entries in the AutoWhiteListForcedelivery file so they could be removed. Please see this post by one of our users (Ed_K):

http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6593#12559 - www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6593#12559

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window