[Rspamd-Users] Fwd: Prevent sender address spoofing envelope/header FROM

Taco de Wolff tacodewolff at gmail.com
Fri Feb 9 12:19:36 UTC 2024


Coming back to this question, instead of rejecting, perhaps we can correct
the user's mistake? I've noticed the DMARC munging module and it would
perhaps be a good idea to use (something like that) instead.

Reformulating the problem for outbound authenticated users: we have a user
that sends a mail using an envelope from address of noreply@domain.com but
specifies a header from address of someone@gmail.com (spoofing!). This
happened with a client that has a contact form that sets the header from
address to the e-mail address specified in the form, so that the client
receives mails as if they came from the person filling out the form (bad
configuration). This mail will succeed SPF and DKIM checks at the
recipient, but will fail DMARC since the header from address is not aligned
with SPF/DKIM (gmail.com != domain.com).

Can I use Rspamd to rewrite the header from address to be:
[header-from-address] via [envelope-from-address], only for outbound mail
and only when both domains differ?

Or should this be done in Postfix? I'm a little surprised it isn't a more
common problem to prevent spoofing on outbound mail...! How is everybody
else handling this?

Kind regards,
Taco de Wolff

PS: resending as I sent the original while unsubscribed

On Mon, Jan 22, 2024 at 3:57 PM Gerald Galster <list+rspamd at gcore.biz>
wrote:

> > Thanks Gerald, that's worth a try. I had another idea that might work and
> > wanted to check.
> >
> > While SPF verifies the envelope FROM address, and DKIM signs the message,
> > it is DMARC that enforces the header FROM address, which causes it to be
> > sent to spam at the destination server. By default, Rspamd disables DMARC
> > for outgoing messages; what if we enable it so that it verifies DMARC
> > locally before sending out? This prevents it from getting to spam on the
> > destination server as it isn't sent out in the first place. Would that
> > work?
>
> I don't think that will work. DKIM signing means you trust the sender
> because of its IP or SASL authentication. That way you would revoke
> that trust. If a legitimate sender that enforces DMARC for its domain
> undergoes DMARC checks before signing, that unsigned / to-be-signed mail
> would be rejected.
>
> Moreover checking dmarc in rspamd does not mean enforcing that policy,
> e.g. DMARC_POLICY_REJECT could just add to the spamlevel, not rejecting
> the mail immediately. To enforce that, something like
>
> actions = {
>   quarantine = "add_header";
>   reject = "reject";
> }
>
> would have to be added to local.d/dmarc.conf.
>
> I would go with the lua example, extracting and comparing the
> lowercase envelope-sender/from domains for authenticated submitters.
>
> Best regards
> Gerald
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
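The domain comparison Gerald recommends, written as an Rspamd Lua rule; this is an added example, not code from the thread or from the Rspamd project. It assumes the rule is loaded from rspamd.local.lua, uses the symbol name LOCAL_OUTBOUND_FROM_MISMATCH and a score of 10.0 (both made up here), and treats a SASL-authenticated session as the marker for outbound mail. It only scores the mismatch; mapping the score to reject or to a header rewrite is left to the action configuration.

```lua
-- Constructed example for /etc/rspamd/rspamd.local.lua (assumed location).
-- Flags authenticated (outbound) submissions whose header From: domain
-- does not match the envelope MAIL FROM domain, i.e. mail that will pass
-- SPF and DKIM at the recipient but fail DMARC alignment.

-- Lowercased domain of the first address in a task:get_from() result,
-- or nil when there is no parsable address (e.g. a null envelope sender).
local function first_domain(addr_list)
  if not addr_list or not addr_list[1] then return nil end
  local d = addr_list[1].domain
  if not d or d == '' then return nil end
  return d:lower()
end

rspamd_config:register_symbol({
  name = 'LOCAL_OUTBOUND_FROM_MISMATCH',   -- symbol name is an assumption
  type = 'normal',
  score = 10.0,                            -- assumed score; tune locally
  description = 'Authenticated sender: header From domain differs from envelope From domain',
  group = 'local',
  callback = function(task)
    -- Only authenticated submissions are considered outbound here.
    if not task:get_user() then return false end

    local env = first_domain(task:get_from('smtp'))  -- envelope MAIL FROM
    local hdr = first_domain(task:get_from('mime'))  -- header From:

    -- Bounces (empty MAIL FROM) or a missing From: header cannot be aligned
    -- by this rule; leave them to the regular checks.
    if not env or not hdr then return false end

    if env ~= hdr then
      -- Returning true inserts the symbol; the option records both domains
      -- so the mismatch is visible in the log and in the X-Spamd-Result header.
      return true, 1.0, string.format('%s!=%s', hdr, env)
    end
    return false
  end,
})
```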