[Rspamd-Users] block fake senders?

G.W. Haywood rspamd at jubileegroup.co.uk
Thu Nov 9 14:12:10 UTC 2023


Hi there,

On Thu, 9 Nov 2023, Katharina Knuth via Users wrote:

> Is there any way to block fake senders? I constantly receive emails
> that come from myself. and were sent to myself.

Yes, there are ways to do it.  Some are easy, some are less easy.

In order of complexity:

If you know the IP address(es) of servers which send your mail, you
can probably block anything which claims to be from you/your domain by
blocking anything which makes such a claim, but which does *not* come
from that address (or one of those addresses).  This solution may be
fragile if you do not have control over the IP addresses which send
your mail, because they may be changed without warning.  The fragility
is probably not terribly important, because your notice that something
has gone wrong will be the sudden re-appearance of forged mail, but it
adds to the maintenance effort.  Most likely no-one but yourself will
benefit from the work you do to implement this kind of solution.  You
can play other tricks like this, but I don't recommend it as there are
better solutions.

If you set up the Sender Policy Framework you will be able to block
mail sent with your domain forged into the 'envelope from' address by
rejecting on SPF FAIL.  You need to be able to add a DNS record or two
for your domain.  You can set this up to be robust against changes in
the IP addresses which are allowed to send your mail.  Setting up SPF
is a relatively straightforward matter but beware a lot of mistaken
information on the Web.  One of the advantages of using SPF is that
your correspondents can also easily use it to block mail to them which
is forged to appear to be from your domain; if they're using reputable
ISPs this will probably happen automatically.  There will be virtually
no maintenance effort once it's set up correctly.  I would recommend
this to anyone.

If you set up DKIM, and sign all your outgoing mail, you will be
able to block any mail which claims to be from you but which is not
properly signed.  This is significantly more work, and again you need
to be able to add DNS records for the domain.  Again, correspondents
can check your signatures.  The complexity means there's more room for
error, and even some large organizations still manage to get it wrong.
Monitoring tools are available (DMARC) to ease your mind, you can tell
organizations which process mail and which have automated reporting
facilities to send reports to you - and if you send large volumes of
mail you can choose a reporting rate which you can handle.  Amazon for
example sends me two daily reports.  They are almost always different
however and I haven't yet managed to find someone there who knows why!

Some reading for you:

SPF - RFC7208 - https://en.wikipedia.org/wiki/Sender_Policy_Framework
DKIM - RFC6376 - https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
DMARC - RFC7489 - https://en.wikipedia.org/wiki/DMARC

To give you a flavour of what you might need to provide for SPF, DKIM,
and DMARC, some TXT records implementing them in my sending domain are:

SPF:

jubileegroup.co.uk                      TXT     "v=spf1 ip6:2001:470:6976:44::25 ip4:83.67.166.33 exp=exp.jubileegroup.co.uk ra=postmaster -all"
jubileegroup.co.uk                      TXT     "spf2.0/pra ?all"
mail.jubileegroup.co.uk.                TXT     "v=spf1 ip6:2001:470:6976:44::25 ip4:83.67.166.33 exp=exp.jubileegroup.co.uk ra=postmaster -all"
mail.jubileegroup.co.uk.                TXT     "spf2.0/pra ?all"
www.jubileegroup.co.uk.                 TXT     "v=spf1 ra=postmaster -all"
exp.jubileegroup.co.uk.                 TXT     "The only servers permitted to send mail on behalf of the jubileegroup.co.uk domain are those listed in its SPF record."

DMARC:

_dmarc.jubileegroup.co.uk.              TXT     "v=DMARC1;p=reject;adkim=s;aspf=s;pct=100;fo=1:d:s;rua=mailto:dmarc at jubileegroup.co.uk!2m;ruf=mailto:dmarc at jubileegroup.co.uk"

DKIM:

_adsp._domainkey.jubileegroup.co.uk.    TXT     "dkim = WorkInProgress"
uk._domainkey.jubileegroup.co.uk.       TXT     ( "v=DKIM1; k=rsa; t=y:s; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwtJaDD5UF9Z/AzZTMg2jXUfZkCkqp7P28G+i7oOZ7A+JCrF0ZZ0FU6yk4FRUSsnqs9JDK3amYRDDn4UHI87mfPiuITWbKe8nGXYYty/4NO+Fe7gHDgLQBl5m7yI2Dja3P9wVe8fYPRnVTSwkTmmdAvG8hIScvyMh/JimuzgME4E3KZ03umdoLynslNz6Of9yXioBBMKp1x8NNT" "6rCeiv1bX8Y76fxMuMCUFuGDW2BOl+yoSve+3X75GTZ6LIJJGT1FvkhKt0jGABuns1OM2iNeRREQZwTIXeRQu+LGddbe89NwwANwX9FmXdQBIZZ8IMzBaj1kA+DhkE/yvONKUc2wIDAQAB" )

Sorry about the long lines, type style issues, and maybe your mail
client and/or service provider (which may have made unauthorized
modifications, they almost always do, to the above TXT records).

-- 

73,
Ged.
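An added example, not part of Ged's post: a small Python sketch of what a receiver such as Rspamd does with records like those quoted above, evaluating the SPF ip4/ip6/all mechanisms against the connecting IP and applying the DMARC adkim=s/aspf=s alignment rule. The records are constructed from the ones in the post (the rua address is a placeholder); mechanisms needing DNS lookups and the Public Suffix List are deliberately left out.

```python
import ipaddress

# Constructed records modelled on the post's TXT records; the rua address is a placeholder.
SPF_RECORD = ("v=spf1 ip6:2001:470:6976:44::25 ip4:83.67.166.33 "
              "exp=exp.jubileegroup.co.uk ra=postmaster -all")
DMARC_RECORD = "v=DMARC1;p=reject;adkim=s;aspf=s;pct=100;fo=1:d:s;rua=mailto:dmarc-reports@example.net"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms of an SPF record against the connecting IP.
    RFC 7208 subset: DNS-based mechanisms (a, mx, include, ...) are skipped here."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        if "=" in term:                    # modifier (exp=, ra=, redirect=), not a mechanism
            continue
        qual = "+"                         # a mechanism without a qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # "all" always matches; its qualifier is the verdict
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare address == /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"                       # nothing matched and no "all" term

def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags

def dmarc_aligned(tags, header_from_domain, authenticated_domain, mode_tag):
    """Identifier alignment for aspf/adkim: 's' needs an exact match, 'r' (default) also
    accepts parent/child domains (approximated by suffix match, no Public Suffix List)."""
    strict = tags.get(mode_tag, "r") == "s"
    hf, ad = header_from_domain.lower(), authenticated_domain.lower()
    if hf == ad:
        return True
    return not strict and (hf.endswith("." + ad) or ad.endswith("." + hf))
```

With aspf=s, mail authenticated as mail.jubileegroup.co.uk is not aligned with a From: header of jubileegroup.co.uk, which is exactly the kind of self-addressed forgery the original question is about.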

