[Rspamd-Users] Prevent sender address spoofing envelope/header FROM

Taco de Wolff tacodewolff at gmail.com
Sat Feb 10 22:01:00 UTC 2024


Thanks for tuning in, Gerald.

I agree that it is debatable from whom the mail is. The customer is not
sending an email after all, it is filling out a form. I can see your train
of thought Gerald and it is what I had in mind initially. Or see it this
way, the user supplies his email address in the contact form not to
indicate where he is sending _from_, but rather where he'd like to receive
follow-ups, e.g. a Reply-To address.

Additionally, I don't want to set the from address to whatever the user
supplies (such as yahoo or gmail) and pretend to be sending from that
domain. Besides it being easily abused, it is infeasible to add all domains
on the internet to my SPF record. Other mail servers rightfully reject that
mail and I shouldn't add any of those domains to my SPF records anyways, as
I don't want to allow those servers to send email on my domain's behalf.

Not sure what you mean by a legitimate address, though. I can create a
legitimate address such as noreply@ that only allows sending and not
receiving (and comply with spf/dkim/dmarc). I mean, it's a computer that is
sending the email, not a human that will check the inbox (much like the
emails generated by cron). Right?

I fully agree that helping to configure the software correctly is the first
step. However, I can only do so much as they can individually install other
WordPress plugins that override the defaults. Since clients will make it my
problem anyways, I was hoping to either reject sending (so to inform the
user quickly and to reduce sending invalid mail to keep up my IP
reputation) or correct it for them (change the header from address to
comply with spf).

Kind regards,
Taco de Wolff


On Fri, Feb 9, 2024 at 3:57 PM Gerald Galster <list+rspamd at gcore.biz> wrote:

> > I see your point in that the contact form is filled out by a customer and
> > is thus the appropriate header from address. The envelope from address is
>
> From my point of view the "author" is the contact form software, not the
> customer. See it this way: you call a company and explain your problem.
> The support agent opens a ticket and enters your request, including your
> email address to keep you updated. In this case the support agent is the
> author, i.e. the contact form software.
>
> In the long run you will attract spammers if you send emails/copies to
> unverified addresses, even with captchas. Therefore, personally, I just
> say thanks and that this request will be processed as soon as possible.
>
> You provide a contact form so that others can contact you. A response
> should originate from a legitimate address like "support at company.com",
> not "noreply@". This way the contact form software can set legitimate
> envelope/rfc5322 from addresses and eliminate all dmarc/dkim/spf problems.
>
> [...]
>
> > I don't see how I can make DMARC pass other than altering the header from
> > address. Does the sender address field help in passing DMARC? What am I
> > missing?
>
> Just help your users to configure or choose a capable contact form
> software.
>
> Best regards,
> Gerald
>
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
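
The "correct it for them" option Taco mentions (force the header From onto a domain this server is authorized for, keep the visitor's address as Reply-To), worked through as an added Python example. This is not code from the thread or from Rspamd; the authorized domain list, the fallback sender address and the sample form message are hypothetical, and the alignment check is a simplified version of RFC 7489 identifier alignment that ignores the Public Suffix List.

```python
"""Rewrite a contact-form message so its RFC5322.From can satisfy DMARC.

Added example, not from the mailing-list thread. The visitor's address is
moved to Reply-To and From is replaced by an address on a domain this MTA
publishes SPF/DKIM for, so SPF (envelope From) and DKIM (d=) can align with
the header From. DMARC aligns only against RFC5322.From, so Sender: is left
alone; it does not influence the verdict.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import formataddr, parseaddr

# Assumption (hypothetical): domains this server is authorized to send for.
OUR_DOMAINS = {"example.com"}
# Assumption (hypothetical): the legitimate sender used after a rewrite.
FALLBACK_FROM = ("Example Contact Form", "noreply@example.com")

# Constructed sample of what a form plugin might emit (not real traffic):
# the visitor's own mailbox provider ends up in From, which cannot align.
SAMPLE = b"""\
From: Jane Visitor <jane.visitor@gmail.com>
To: owner@example.com
Subject: Contact form: pricing question
Content-Type: text/plain; charset=utf-8

Hi, could you send me a quote?
"""


def domain_of(addr) -> str:
    """Lower-cased domain part of a mailbox, or '' if it is malformed."""
    _, mailbox = parseaddr(str(addr or ""))
    if "@" not in mailbox:
        return ""
    return mailbox.rsplit("@", 1)[1].lower()


def aligned(header_from_domain: str, auth_domain: str, relaxed: bool = True) -> bool:
    """Simplified DMARC identifier alignment (RFC 7489 section 3.1).

    strict: the domains must be identical.
    relaxed: one must equal the other or be a subdomain of it. Real relaxed
    mode compares organizational domains via the Public Suffix List; this
    approximation does not consult the PSL.
    """
    if not header_from_domain or not auth_domain:
        return False
    if header_from_domain == auth_domain:
        return True
    if not relaxed:
        return False
    return (header_from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + header_from_domain))


def align_from(raw: bytes, envelope_from: str):
    """Return (message, rewritten).

    envelope_from is the MAIL FROM the MTA will use (assumed to be on one of
    OUR_DOMAINS, so SPF passes for it). If the header From already aligns
    with it, the message is returned untouched. Otherwise the original From
    becomes Reply-To (unless the form already set one) and From is replaced.
    """
    msg: EmailMessage = BytesParser(policy=policy.default).parsebytes(raw)
    hdr_from = str(msg.get("From", ""))
    if aligned(domain_of(hdr_from), domain_of(envelope_from)):
        return msg, False
    # Keep the visitor reachable: their address is where replies should go.
    if domain_of(hdr_from) and not msg.get("Reply-To"):
        msg["Reply-To"] = hdr_from
    del msg["From"]
    msg["From"] = formataddr(FALLBACK_FROM)
    return msg, True


def reject_or_fix(raw: bytes, envelope_from: str, rewrite: bool = True):
    """Policy wrapper: either rewrite the message or report a rejection.

    Returns (message_or_None, verdict) where verdict is 'ok', 'rewritten' or
    'reject'. With rewrite=False the MTA would refuse the submission so the
    site owner learns about the misconfigured plugin immediately.
    """
    if domain_of(envelope_from) not in OUR_DOMAINS:
        return None, "reject"  # we never send on behalf of foreign domains
    msg, changed = align_from(raw, envelope_from)
    if changed and not rewrite:
        return None, "reject"
    return msg, "rewritten" if changed else "ok"


if __name__ == "__main__":
    fixed, verdict = reject_or_fix(SAMPLE, "noreply@example.com")
    print(verdict)
    print(fixed.as_string())
```

Which branch to take is the policy question from the thread: rejecting (`rewrite=False`) surfaces the broken plugin to the client quickly, rewriting keeps their mail flowing while protecting the sending IP's reputation. Either way the visitor's address is never used as an envelope or header From, so no foreign domain needs to appear in the SPF record.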
