[Rspamd-Users] Fwd: Prevent sender address spoofing envelope/header FROM

Taco de Wolff tacodewolff at gmail.com
Fri Feb 9 15:47:22 UTC 2024


Thanks for the in-depth response. Looks like I lack understanding as I'm
not sure how I can make this work correctly.

I see your point in that the contact form is filled out by a customer and
is thus the appropriate header from address. The envelope from address is
the mail server, or the noreply at domain.com I created for this, since that
is where the mail is first sent from (the customer did not send a mail to
the website I could forward, it fills out a form which creates an email).

SPF checks out because the mail server's IP is allowed to send for the
given envelope from domain. DKIM checks out since it is signed using the
key for the envelope from domain and not altered on the way (if all is
well). DMARC will not check out since the header from address aligns
with neither SPF nor DKIM.

I don't see how I can make DMARC pass other than altering the header from
address. Does the sender address field help in passing DMARC? What am I
missing?

Kind regards,
Taco de Wolff


On Fri, Feb 9, 2024 at 10:27 AM G.W. Haywood <rspamd at jubileegroup.co.uk>
wrote:

> Hi there,
>
> On Fri, 9 Feb 2024, Taco de Wolff wrote:
>
> > Coming back to this question, instead of rejecting, perhaps we can
> correct
> > the user's mistake? I've noticed the DMARC munging module and it would
> > perhaps be a good idea to use (something like that) instead.
> >
> > Reformulating the problem for outbound authenticated users: we have a
> user
> > that sends a mail using an envelope from address of noreply at domain.com
> but
> > specifies a header from address of someone at gmail.com (spoofing!). This
> > happened with a client that has a contact form that sets the header from
> > address to the e-mail address specified in the form, so that the client
> > receives mails as if they came from the person filling out the form (bad
> > configuration). ...
>
> The 'From' field is intended to identify the author of the message.
>
> https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.2
>
> The RFC doesn't specify what mechanisms will be used by the author to
> create the message, only that the author is given in the 'From' field.
>
> The way I read it, if somebody uses a Website to create an email and
> that site causes this person's email address to appear in the 'From'
> field of the email which it then sends, that is correct behaviour and
> not 'spoofing'.
>
> Whether it's sensible behaviour is another question.  If they can,
> malicious users *will* deliberately use Web forms to send mail which
> appears to be from addresses which they are not entitled to use.  This
> is usually handled by a challenge-response mechanism in the Website;
> before it sends mail FROM the user, the Website first sends mail TO
> the user, and expects a response.  Absent the expected response, no
> other mail is sent.  In this way malicious parties can't use random
> email addresses for which they can't receive mail.
>
> This may be a case for use of the 'Sender' field, where the Website is
> in effect acting as the author's agent or secretary, and needs to have
> its own mailbox - for example that of the Website's owner.
>
> I understand that SPF/DKIM/DMARC are layered on top of all this, but
> there's no point building on top of dodgy foundations.
>
> --
>
> 73,
> Ged.
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
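The alignment question in this thread (header From at gmail.com, envelope from and DKIM d= at domain.com) can be checked mechanically. The script below is an added example, not code from the thread, from rspamd or from its authors: it models the DMARC identifier-alignment step of RFC 7489 section 3.1, takes the SPF and DKIM verdicts as already-computed inputs, and runs them against two constructed messages, the contact-form mail as the thread describes it and the usual repair (From on the sending domain, visitor address in Reply-To). Addresses, domains and the `AuthResults` structure are assumptions for illustration; the organizational-domain helper is a simplification that ignores the Public Suffix List.

```python
"""DMARC identifier alignment, modelled after RFC 7489 section 3.1.

Added example for the contact-form case discussed on the list; not part of
rspamd. Sample messages, addresses and the AuthResults type are constructed
here for illustration.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr


@dataclass
class AuthResults:
    """What the receiving MTA established before DMARC evaluation.

    spf_domain: the MAIL FROM (envelope-from) domain SPF was evaluated for.
    spf_pass:   whether SPF returned pass for that domain.
    dkim:       (d= domain, signature verified) for each DKIM-Signature.
    """
    spf_domain: str
    spf_pass: bool
    dkim: list = field(default_factory=list)


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real evaluators use the Public Suffix
    # List, so multi-label suffixes such as co.uk are not handled here.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same
    organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def from_domain_of(raw_message: str) -> str:
    """Domain of the RFC5322.From address, the only identifier DMARC uses."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dmarc_alignment(raw_message: str, auth: AuthResults,
                    aspf: str = "r", adkim: str = "r") -> dict:
    """Decide DMARC alignment for one message.

    Sender, Reply-To and the envelope sender are never compared, so a
    Sender header cannot rescue a message whose From domain is not yours.
    """
    fd = from_domain_of(raw_message)
    spf_aligned = auth.spf_pass and aligned(fd, auth.spf_domain, aspf)
    dkim_aligned = any(ok and aligned(fd, d, adkim) for d, ok in auth.dkim)
    return {
        "from_domain": fd,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed: the website's MTA sends with MAIL FROM noreply@domain.com and
# signs with d=domain.com, so SPF and DKIM both pass for domain.com.
AUTH = AuthResults(spf_domain="domain.com", spf_pass=True,
                   dkim=[("domain.com", True)])

# Constructed: the contact-form message as the thread describes it.
FORM_AS_DESCRIBED = """\
From: Customer <someone@gmail.com>
Sender: noreply@domain.com
To: owner@domain.com
Subject: Contact form

Hello
"""

# Constructed: the usual repair. From stays on the sending domain and the
# visitor's address moves to Reply-To so replies still reach them.
FORM_REPAIRED = """\
From: "Customer via contact form" <noreply@domain.com>
Reply-To: Customer <someone@gmail.com>
To: owner@domain.com
Subject: Contact form

Hello
"""


if __name__ == "__main__":
    for name, raw in (("as described", FORM_AS_DESCRIBED),
                      ("repaired", FORM_REPAIRED)):
        print(name, dmarc_alignment(raw, AUTH))
```

Running it shows the first message failing with `from_domain` gmail.com and both alignment flags false, regardless of the Sender header, and the second passing on SPF alignment. The `aspf`/`adkim` parameters mirror the receiving domain's DMARC record tags; with the default relaxed mode a MAIL FROM of mail.domain.com would still align with a From at domain.com, while strict mode would not.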

