HOW TO: On-the-fly Disposable/Catchall Addresses with Blacklisting

This section contains scripts that hMailServer has contributed with. hMailServer 5 is needed to use these.
Post Reply
User avatar
jimimaseye
Moderator
Moderator
Posts: 8721
Joined: 2011-09-08 17:48

HOW TO: On-the-fly Disposable/Catchall Addresses with Blacklisting

Post by jimimaseye » 2016-02-29 13:19

(Take Note: This script is tested on 5.6.x but untested on version Hmailserver 5.7. Although I dont envisage any compatibility problems, pending modifications to 5.7 regarding 'routes' may alter the functional effectiveness and need script modification. https://github.com/hmailserver/hmailserver/issues/74. 2 May 2016.)

INTRODUCTION

On-the-fly Disposable Addresses

"On-the-fly" disposable addresses allow you to use disposable addresses without the need to *set up* these addresses on Hmailserver first. This means that users simply register the chosen new address with the company/website just by supplying it to them as your preferred email address.

Disposable addresses allow you to have individual email addresses for your individual contacts. They are linked to your main email address but this main address remains secret from those contacts. It's similar to setting up a separate address to give to a particular contact/website/company and then using a filter to redirect it to your main account when you receive an email from them. Unlike regular email addresses, however, they are 'disposable' and can be terminated without fear of affecting your main email address.

This script provides the function of 'On-the-fly Disposable and Catchall Addresses with Blacklisting' for Hmailserver. They are 'disposable' by placing the unwanted/disposed address on a Blacklist. Any emails sent to the blacklisted addresses will be REJECTED at SMTP point of delivery. By rejecting at delivery, it might even serve to help remove the addresses of lists further helping their reduction in frequency. A further benefit is that no rules are needed to handle such emails.

Benefits

Disposable addresses are specifically beneficial in that:
  • * You are able to use the address for individual contacts

    * You can identify from who the email is from purely from the incoming address as it appears in your email client without the need to read the email contact first.

    * If the disposable address begins to get abused (due to uncontrollable marketing or spam) you can immediately 'dispose' (delete) of it without affecting any of your other contacts/registrations, and also you are able to identify with which company/contact the address got abused or compromised with.

    * Unlike 'plus-addressing' the format of the email does not advertise it as 'write anything you want' address as it is in standard format 'words@domain.com'.
They are similar to 'plus-addressing' addresses (already available if enabled in Hmailserver) which normally take the form "mainaccount+randomword@mydomain.com" (where the '+' sign is defined by your choice in setup). However, 'plus-addressing' is obvious as a well known email industry format (used by Gmail and others) being "word+word@..." and effectively broadcasts that the address is likely to be a 'free-for-all' as:

a, it reveals your real 'main account' (which gives you problems if it gets compromised or on the 'wrong type of list')
b, the format means that abusers can send in anything they want knowing it is likely to be received.

Further information can be found by simply Googling "disposable addresses" and "plus addressing".

Examples of using Disposable Addresses

Imagine you are registering your contact details to a new company website or contact (and your business domain is 'mycompany.com'):

DHL Ltd: you could register with 'dhl@mycompany.com'
Pens Office Stationery Ltd: you could register with 'pens@mycompany.com'
Acme Ltd: you could give them your contact address as 'acme@mycompany.com'

In all cases, those contacts would contact you on the addresses given but you will receive their emails in to your main user account that you nominate as the 'catchall' account (eg, "purchasing@mydomain.com") but the email contact doesnt get to see this main account address.

Attention:
By it's nature (and also similar to 'plus-addressing'), the feature uses a 'Catchall' account. This means that all emails that is not addressed to a valid 'main account' in the specific domain in Hmailserver will be still accepted and placed in to the nominated 'catchall' account. Some have reservations about using 'catchall' accounts and believe that they may attract unwanted spam. The good news is my system below utilises a 'blacklist' so that you can add any email addresses that you frequently receive unwanted mail from and prevent them from being received. In the interest of balance, I can tell you I have been using this system for 4 years and have only had to blacklist 3 non-declared addresses.

Note to CATCHALL account users

If you currently already use a CATCHALL account, then this script gives you the additional benefit of applying a blacklist of chosen addresses.

IMPLEMENTATION

Note that the setup is on a 'per DOMAIN' basis and that only ONE account can be nominated as the receiving account for all disposable addresses coming in to that domain. However, with the addition of RULES you can further filter and distribute the emails to different users. You can also nominate a PUBLIC mode distribution list as the nominated receiving main account address which in turn will distribute the email to its nominated members.

The feature utilises the 'distribution list' facility to maintain the blacklist thereby allowing administrator control of blocking addresses. The 'Members' tab will contain the blacklist of addresses. (The distribution list is not actually used as a sendout 'distribution list' - you must keep its name secret from users to avoid it being referred to).

Three easy steps to set up
:

1, Set up a Distribution List (which ultimately will contain the blacklist of addresses):
  • a, Under the chosen domain, choose "Distribution Lists"

    b, Create a new list called "DisposableBlacklist"

    c, Tick "ANNOUNCEMENTS - only allow messages from the following:"

    d, Enter your chosen real main receiving account address in the email address box (ie, your chosen 'catchall' account that will be receiving the emails). Note this can also be a valid PUBLIC 'mode' distribution list address (for multiple copies delivered to several main accounts listed as its members).

    e, Ensure that 'ENABLED' is ticked.

    f, Save

    g, if you already have a CATCHALL account enabled (in "DOMAINS - Advanced tab") then REMOVE it.
2, Create the script. Copy and paste the code (below) in to the end of your EVENTHANDLERS.VBS script, along with the additions to the SUB section calls detailed below it. Note that they are placed in the "OnSMTPData(oClient, oMessage)" and "OnDeliveryStart(oMessage)" sub sections. (The second script is designed to handle 'delivery failure' messages that are returning after being originally sent out by a disposable address). Ensure you follow the normal HMS Script enabling and reload procedure.

IMPORTANT: On line 3 of the script, you must change your Hmailserver administrator password accordingly.

3, Set up a dummy ROUTE. (This is required to avoid certain 'quirks' of Hmailserver and allows the script to work. Note that the route will not actually be used or route any email anywhere). Actions:
  • a, in SETTINGS - PROTOCOLS - SMTP - Routes, click 'Add' (to add a new route).

    b, Enter the following values:
    • "Domain": enter your actual domain this applies to (eg, "yourdomain.com"). This is essential to match your domain.

      "Target SMTP host": you can enter dummy information here. Recommendation: "127.0.0.1". Note: an entry is NEEDED but will never be used. (Entering 127.0.0.1 or 'localhost' will help in avoiding errors in the case of incorrect configuration due to an absent 'Announcement Address' in 1d above.)
    c, Save

    IMPORTANT: If you operate an 'alias' domain (as found in the NAMES tab of your real domain), and you choose to accept disposable addresses to this alias domain then you must also create a dummy route for the Alias domain too. Remember that the 'user@' part is what is tested and will be checked against the main domain address BlackList.

INSTRUCTIONS TO USE

Once in place and all enabled, users can simply state anything they choose as their choice of email address for that contact (without the need for it to be set up first). Remember that all disposable addresses issued will be received in to the real main account specified as your catchall account (in 1d above).

Any email address that is no longer required and you wish to stop receiving under can be blacklisted by entering the address under the DisposableBlacklist 'Members' tab. Any disposable address entered in here will be REJECTED from delivery. Note: this also applies to local users attempting to send to a blacklisted address (their 'send' will be rejected at the email client connection stage). All addresses entered must be in the form "user@maindomain.com". Do NOT enter addresses to any alias addresses such as "user@aliasdomain.com" and expect it to work.

In order to keep a track or 'hit rate' of blacklisted addresses being sent in, the script writes an entry in to the 'Hmailserver_EVENTS.log' (headed as "SMTP - DISPOSABLE BLACKLIST......)"

If you would like the emails to be further filtered and distributed to various internal users based on the incoming email address (so that they don't all appear in the single nominated main 'catchall' account), then you can use RULES within HMS to forward the emails accordingly. You may find this thread here with useful tips on using REGEXP to manage this easily.

It should be noted that there are a number of usernames for email addresses that spambots regularly attempt to send spam in to as they think they are most likely to exist on a domain. For example, "contact@yourdomain.com" or "info@yourdomain.com". Unless you are a user of these addresses within your business/domain, I recommend you start by adding these addresses to the blacklist from the outset. These words include: 'contact', 'sales', 'info', 'webmaster', 'enquiry', 'office', 'admin', 'fax' and 'test'. There may be others that become apparent as you go on. (I have results on confirming the limited risk of using catchall here: https://www.hmailserver.com/forum/viewt ... 64#p185264 - in short: Over 28 days I received only 23 spam emails in total coming in on invalid addresses (being caught by catchall), and they all came in to the same five email addresses; five is nothing compared to the benefits of using this routine).

The code

Add this to the bottom of EVENTHANDLERS.VBS

Code: Select all

Function DisposableBlackList(oMessage)
   Dim k, i, j, D, A, R, E, aUsername, oApp, oDomain, oDistributionList, cBlacklisted, DomainFound, RecipientDomain, DisposableBLExists
   Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate("Administrator", "secretpassword")

   R = oMessage.recipients.count
   E = 0
   For j = 0 To R -1   
      If oMessage.Recipients(j).IsLocalUser = false Then
         aUsername = Split(oMessage.Recipients(j).Address,"@")
         DomainFound = 0
         RecipientDomain = lcase(aUsername(1))
         For D = 0 to oApp.Domains.count-1
            For A = 0 To oApp.Domains.item(D).DomainAliases.Count -1
               If lcase(oApp.Domains.item(D).DomainAliases.Item(A).Aliasname) = RecipientDomain Then
                  RecipientDomain = lcase(oApp.Domains.Item(D).name)
               End if
            Next
            if lcase(oApp.Domains.item(D).name) = RecipientDomain then
               DomainFound = 1
               Set oDomain = oApp.Domains.ItemByName(RecipientDomain)
               DisposableBLExists = 0
               For k = 0 To oDomain.DistributionLists.Count -1
                  If lcase(oDomain.DistributionLists.Item(k).Address) = lcase("DisposableBlacklist@" & RecipientDomain) Then
                     Set oDistributionList = oDomain.DistributionLists.Item(k)
                     if oDistributionList.Active and not oDistributionList.RequireSenderAddress = "" then
                        DisposableBLExists = 1
                        cBlacklisted = 0
                        For i = 0 To oDistributionList.Recipients.Count -1
                           If lcase(oDistributionList.Recipients.Item(i).RecipientAddress) = lcase(replace(oMessage.Recipients(j).Address,aUsername(1),RecipientDomain)) Then
                              Result.Value = 1
                              cBlacklisted = 1
                              R=R-1
                              eventlog.write(now() & " SMTP - CATCHALL BLACKLIST mail blocked to " & oMessage.recipients.item(j).address & " from " & oMessage.fromaddress )
                           End If
                        Next
                        if cBlacklisted = 0 then
                           ReDim preserve RecordedRecipients(E)
                           RecordedRecipients(E) = oDistributionList.RequireSenderAddress
                           E=E+1
                        End If
                     else
                        DisposableBLExists = 0
                     End If
                  End If
               Next
               If DisposableBLExists = 0 then
                  ReDim preserve RecordedRecipients(E)
                  RecordedRecipients(E) = oMessage.recipients.item(j).address
                  E=E+1
               End if
            End If
         Next
         if DomainFound = 0 then
            ReDim preserve RecordedRecipients(E)
            RecordedRecipients(E) = oMessage.recipients.item(j).address
            E=E+1
         End if
      Else
         ReDim preserve RecordedRecipients(E)
         RecordedRecipients(E) = oMessage.recipients.item(j).address
         E=E+1
      End If
   Next
   if R > 0 then
      oMessage.clearRecipients
      For j = 0 to ubound(RecordedRecipients)
         oMessage.AddRecipient "", RecordedRecipients(j)
      Next
   End if
End Function
Now add the call "DisposableBlacklist(oMessage)" to the "OnSMTPData" and "OnDeliveryStart" subsections with EVENTHANDLERS.VBS:

eg,
Sub OnSMTPData(oClient, oMessage)
   DisposableBlacklist(oMessage)
End Sub


Sub OnDeliveryStart(oMessage)
   DisposableBlacklist(oMessage)
End Sub
Enjoy.

v3.1
Last edited by jimimaseye on 2016-04-27 20:50, edited 1 time in total.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
jimimaseye
Moderator
Moderator
Posts: 8721
Joined: 2011-09-08 17:48

HOW TO: On-the-fly Disposable/Catchall Addresses with Blacklisting

Post by jimimaseye » 2016-05-12 18:22

v2.2 Updated to allow disposable address to refer to ALIAS domains too.

Note: Enter the blacklisted addresses under the MAIN domain name:
eg

unwanted1@maindomain.com

then any emails sent to unwanted1@aliasdomain.com (ie the the same user) on an alias will also be rejected (where 'aliasdomain' is setup in the NAMES tab of the main domain).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
jimimaseye
Moderator
Moderator
Posts: 8721
Joined: 2011-09-08 17:48

Re: HOW TO: On-the-fly Disposable/Catchall Addresses with Blacklisting

Post by jimimaseye » 2016-06-01 11:53

v 2.4

a, Code changed to handle a varying array size (instead of hard-fixing upper value potentially leading to out-of-range' problem.)
b, relabelling of a variable to 'RecipientDomain' for reading clarity.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
jimimaseye
Moderator
Moderator
Posts: 8721
Joined: 2011-09-08 17:48

Re: HOW TO: On-the-fly Disposable/Catchall Addresses with Blacklisting

Post by jimimaseye » 2016-06-04 15:29

v3.0 Redesigned to use by means of a FUNCTION call (instead hard-coded in to the SUB routines) to prevent errors when sending to disposable address via a direct script.

Reimplenting the script is recommended if updating.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
jimimaseye
Moderator
Moderator
Posts: 8721
Joined: 2011-09-08 17:48

Re: HOW TO: On-the-fly Disposable/Catchall Addresses with Blacklisting

Post by jimimaseye » 2016-06-14 11:59

v3.1 Minor mod to avoid error in the case of missing 'announcement address' (incorrect implementation configuration).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post Reply