fake "mail from"

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

fake "mail from"

Post by bladerunner » 2009-04-13 21:24

DooM, please give us a refresher.
Situation: a lot of incoming mail that claims to come from a (nonexistent) user of the same domain as the hMailServer.
The log says:

MAIL FROM xxxx@mydomain
DNS
RCPT TO

the xxxx@mydomain does not exist. The server has been set, in IP ranges, to:
local to local = true
local to external = true
external to local = true
external to external = false

I also put in your suggested script to check for FROM existence among the domain users (found on the forum), but with no success... those nice guys are flooding my poor server.....

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: fake "mail from"

Post by ^DooM^ » 2009-04-13 21:28

SPF is the only thing that can stop those emails currently, as far as I recall. There are feature requests with ideas on how to solve these, like increasing the spam score on rule matching etc.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-04-13 21:39

SPF, of course, is on with a score of 3.

Yes, something like this would be of great help:

IF mailfrom says in mydomain THEN
    IF user is in mydomain list THEN
        accept
    ELSE
        do not accept

those mails are very annoying and a waste of server time... up to 4 per second .... :(

Keba
Normal user
Posts: 126
Joined: 2009-04-11 11:43

Re: fake "mail from"

Post by Keba » 2009-04-13 21:44

I'm guessing you are on version 5.0 or earlier. I would suggest upgrading to version 5.1, as that will let you select that 'local to local' emails must be authenticated. This stops the spammers in their tracks in my experience, as they can't authenticate as an account that doesn't exist (as if they would know the password in the first place, of course!)
Keba

bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-04-13 21:51

ah yes. 5.0-b326.... let's see.....
this version in effect has

require auth:
- to local account
- to remote account

let me check....

updated (why didn't I receive a mail about the new version being available....)

checked the box.... now we'll see if those guys find more room to play :)

thanks for the tip

Keba
Normal user
Posts: 126
Joined: 2009-04-11 11:43

Re: fake "mail from"

Post by Keba » 2009-04-13 22:28

I think martin is about to send out an email in the next few days - he only mentioned that 5.1 was going stable a few days ago. The authentication option is brilliant for stopping this type of spam :)
Keba

bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-04-13 22:51

really, they don't authenticate as a domain user, but they obfuscate by sending, after the server-to-server connection, a fake "MAIL FROM" different from the login.
I think we can still investigate a lookup of local users... like the old finger (and it has a logical path, anyway: IF I am the mydomain server, and you say you are a user of mine.... first of all I'll check if this is true.... if not... I'll send you fishing in another pond....)

bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-04-14 07:11

the headers of the mails say:

from: a fake in domain x
to: the same fake in domain y
return-path: a fake in domain z

maybe a coherence check (why return to another user....) would help.....
e.g. a message with this header is passed.... and the account in the TO does not exist in the user pool !

-----------------------------------------------------------------

Return-Path: unwillinglyh45@givinsfurniture.com
Received: from 89-180-94-17.net.novis.pt ([89.180.94.17])
by mail.trau.it
; Tue, 14 Apr 2009 07:18:19 +0200
Message-ID: <000d01c9bcc0$50735c10$6400a8c0@unwillinglyh45>
From: "Vilma Haynes" <unwillinglyh45@givinsfurniture.com>
To: <prezziacquistiacquisti@mydomain.com>
Subject: It's really cool to have big tool.
Date: Tue, 14 Apr 2009 06:17:32 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
----------------------------------
how can this script be extended with a check of the FROM user against the domain user pool?
how can I be sure this script works? I've checked in the log and the Result.Message does not appear at all...

' Fragment for the OnAcceptMessage handler: refuse an authenticated client
' that sends with an envelope sender outside the domain it logged in to.
If oClient.Username <> "" Then
    Dim authemail, authemail_value, fromemail, fromemail_value
    authemail = Split(oClient.Username, "@")
    fromemail = Split(oMessage.FromAddress, "@")

    ' Guard: a username or sender without "@" has no element (1) and would
    ' raise "subscript out of range"
    If UBound(authemail) >= 1 And UBound(fromemail) >= 1 Then
        authemail_value = authemail(1)
        fromemail_value = fromemail(1)

        If LCase(authemail_value) <> LCase(fromemail_value) Then
            Result.Value = 2
            Result.Message = "You are only allowed to send from your domain"
        End If
    End If
End If

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: fake "mail from"

Post by ^DooM^ » 2009-04-14 10:50

That script is for an authenticated user sending email out under a different name, i.e. a spammer finds a compromised account with a poor password and starts sending eBay emails from your server; that script will stop that.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-04-14 11:02

This works.
Note that all CHANGEME values must be set for your server config.

This prevents incoming mail with an obfuscated FROM (the nice guys put a username that should be in the domain...) from being delivered to the end user.

' Create COM objects to interact with hMailServer
' (wrapped here in the OnAcceptMessage handler; the admin password is stored
' in clear, so restrict read access to EventHandlers.vbs)
Sub OnAcceptMessage(oClient, oMessage)
   Dim obBaseApp, obDomain, obAccount, intUserCount, j
   Dim fromemail, fromemail_value, DoesNotExists, oMessageE

   Set obBaseApp = CreateObject("hMailServer.Application")
   obBaseApp.Authenticate "Administrator", "CHANGEME"

   ' counts server domain...
   ' we need just the first domain ...
   ' intDomainCount = obBaseApp.Domains.Count

   ' get first domain pointer....
   Set obDomain = obBaseApp.Domains.Item(0)

   ' Step through user accounts ......
   intUserCount = obDomain.Accounts.Count

   DoesNotExists = True

   ' fromemail(0) ->  just the username
   ' fromemail(1) ->  domain part
   fromemail = Split(oMessage.FromAddress, "@")

   ' a null sender (<>) or an address without "@" has no domain part:
   ' without this guard fromemail(1) raises "subscript out of range"
   If UBound(fromemail) < 1 Then
      Result.Value = 0
      Exit Sub
   End If
   fromemail_value = fromemail(1)

   ' just if the from-domain matches our domain...
   If LCase(fromemail_value) = LCase(obDomain.Name) Then

      ' loop all domain users....
      For j = 0 To (intUserCount - 1)
         Set obAccount = obDomain.Accounts.Item(j)

         If LCase(oMessage.FromAddress) = LCase(obAccount.Address) Then
            ' this user exists ... so dont waste more time
            DoesNotExists = False
            Exit For
         End If
      Next

      If DoesNotExists = True Then
         ' lets send a notification email...
         Set oMessageE = CreateObject("hMailServer.Message")
         oMessageE.From = "CHANGEME"
         oMessageE.FromAddress = "CHANGEME"
         oMessageE.Subject = "false FROM user in our domain !"
         oMessageE.AddRecipient "CHANGEME", "CHANGEME"
         oMessageE.Body = "FROM (envelope): " & LCase(fromemail(0))
         oMessageE.Save

         Result.Value = 2
         ' THIS APPEARS IN THE LOG UNDER "554"
         Result.Message = "FROM user is not in this domain !"
      Else
         Result.Value = 0
      End If

   Else
      Result.Value = 0
   End If
End Sub


Last edited by bladerunner on 2009-04-19 08:54, edited 4 times in total.

bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-04-15 07:54

I'll leave this script on all night long...
either the bad guys don't send with a fake FROM anymore or the script has not worked.

update 15/04: found an error in the IF ... corrected

Question: is it possible to send a debug message to the logfile, e.g. "script start", "script end"?

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: fake "mail from"

Post by ^DooM^ » 2009-04-15 11:45

EventLog.Write(sMessage)
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-04-15 12:15

a kiss ;)

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: fake "mail from"

Post by ^DooM^ » 2009-04-15 12:28

Try not to drool on me please :P
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

bladerunner
Normal user
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-04-15 12:40

it works.
I was looking in the mail logfile..... but it goes to another logfile named:

hmailserver_events.log

jchl118
New user
Posts: 18
Joined: 2009-05-11 07:17

Re: fake "mail from"

Post by jchl118 » 2009-05-12 16:10

bladerunner wrote:the headers of the mails say:

from: a fake in domain x
to: the same fake in domain y
return-path: a fake in domain z

maybe a coherence check (why return to another user....) would help.....
e.g. a message with this header is passed.... and the account in the TO does not exist in the user pool !

-----------------------------------------------------------------

Return-Path: unwillinglyh45@givinsfurniture.com
Received: from 89-180-94-17.net.novis.pt ([89.180.94.17])
by mail.trau.it
; Tue, 14 Apr 2009 07:18:19 +0200
Message-ID: <000d01c9bcc0$50735c10$6400a8c0@unwillinglyh45>
From: "Vilma Haynes" <unwillinglyh45@givinsfurniture.com>
To: <prezziacquistiacquisti@mydomain.com>
Subject: It's really cool to have big tool.
Date: Tue, 14 Apr 2009 06:17:32 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
----------------------------------
how can this script be extended with a check of the FROM user against the domain user pool?
how can I be sure this script works? I've checked in the log and the Result.Message does not appear at all...

' Fragment for the OnAcceptMessage handler: refuse an authenticated client
' that sends with an envelope sender outside the domain it logged in to.
If oClient.Username <> "" Then
    Dim authemail, authemail_value, fromemail, fromemail_value
    authemail = Split(oClient.Username, "@")
    fromemail = Split(oMessage.FromAddress, "@")

    ' Guard: a username or sender without "@" has no element (1) and would
    ' raise "subscript out of range"
    If UBound(authemail) >= 1 And UBound(fromemail) >= 1 Then
        authemail_value = authemail(1)
        fromemail_value = fromemail(1)

        If LCase(authemail_value) <> LCase(fromemail_value) Then
            Result.Value = 2
            Result.Message = "You are only allowed to send from your domain"
        End If
    End If
End If
****If oClient.Username <> "" !!!! because oClient.Username will always be empty
see "check on search with client.username", posted by hophms. Posted: 2008-08-29 00:10
Martin's reply:
The username property is supposed to be empty. The event is sent directly after the client has connected, and at this time hMailServer does not know which user is connecting. I've updated the docs about this.

ok, If oClient.Username = "" but it wastes time to have this.

*****please confirm it yourself, I might be wrong*****
from jchl118
Last edited by jchl118 on 2009-05-13 05:15, edited 1 time in total.

bladerunner
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-05-12 16:18

ahem.. it is not clear what your last message means.
I am running this script on a server of mine, and it stops tons of incoming mails which state a "sender" not in the domain user list... so these mails are spam, even if the normal antispam procedures say "all ok"...
please explain your question, thanks.

edit:
ah, I understand now. The script you're reporting is the wrong one. Don't pay attention to it. The correct script is the last one.
Last edited by bladerunner on 2009-05-12 17:05, edited 1 time in total.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: fake "mail from"

Post by ^DooM^ » 2009-05-12 16:42

jchl118 If you continue to post the same message in multiple places again I will remove them.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

bladerunner
Normal user
Normal user
Posts: 102
Joined: 2008-05-25 11:15

Re: fake "mail from"

Post by bladerunner » 2009-06-06 08:18

After some months of running in a real environment, more than 2000 fake mails have been stopped.

There are some nice guys (different IPs) sending a mail to a nonexistent user of the domain stating this mail comes from the same user of the domain :)

now they get a 554 and are kicked out of our yard :)

matthew1471
New user
Posts: 17
Joined: 2010-06-20 21:59

Re: fake "mail from"

Post by matthew1471 » 2019-04-27 17:37

Was a bit surprised this feature wasn't already built in as some tick-box option to protect the local domain(s) (particularly as it is being actively exploited and the cause is quite nuanced and relies on understanding the difference between SMTP MAIL FROM and the e-mail's From header).

Here's my script. It also forces the sender to be logged in as the same user they're claiming to be (which might be an issue if using aliases) but works great for my environment.


   Sub OnAcceptMessage(oClient, oMessage)
   
    '-- Prevent message "From" header spoofing. --'
    Call CheckMessageFrom(oClient, oMessage.FromAddress)
    ....
and the subroutine itself:


   ' Check message "From" header is not impersonating our domains.
   Sub CheckMessageFrom(oClient, oFromAddress)

    '-- List of domains we protect. --'
    Dim Domains
    Domains = Array("YourDomain.co.uk", "YourAlias.co.uk", "AnotherOfYourDomains.co.uk")

    '-- Check each of the domains this server is responsible for. --'
    Dim Domain
    For Each Domain In Domains

     '-- Did the sender try using a protected domain in a from header and without authenticating as that user? --'
     '-- (InStr compare mode 1 = case-insensitive text comparison) --'
     If (InStr(1, oFromAddress, "@" & Domain, 1) > 0) And (InStr(1, oClient.Username, oFromAddress, 1) = 0) Then

       '-- Bin the message. --'
       Result.Message = "You must be authenticated to send from a local domain."
       Result.Value = 2

       '-- Log the rejection. --'
       EventLog.Write("E-mail from IP " & oClient.IPAddress & " (authenticated as """ & oClient.Username & """) claimed protected From header address (" & oFromAddress & ") and was rejected.")

       '-- Finish the loop early as there is no point continuing. --'
       Exit For

     End If

    Next
   End Sub
It exits the loop as soon as it needs to reject, and I chose not to instantiate another COM object to get the list of domains, so they are hard-coded deliberately.
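The following is an added example for this thread, not code from any of the posters or from the hMailServer project. It does what bladerunner's lookup script above does, but looks the claimed sender up in whichever hosted domain it names (not only the first one), also accepts aliases and distribution lists, and, following matthew1471's point about MAIL FROM versus the From header, checks both the envelope sender and the address inside the From: header. It assumes the hMailServer COM lookups Domains.ItemByName, Accounts.ItemByAddress, Aliases.ItemByName and DistributionLists.ItemByAddress, which raise a script error when nothing matches (verify those names against the documentation for your version); "Administrator"/"CHANGEME" are placeholders.

```vbscript
' Added example for this thread, not code from any of the posters or from the
' hMailServer project. Drop into EventHandlers.vbs with scripting enabled.
' Rejects an unauthenticated client whose envelope sender (MAIL FROM) or
' From: header claims a domain hosted here without naming an existing
' account, alias or distribution list in that domain.

' Placeholders. The password sits in clear text in this file, so restrict
' read access on EventHandlers.vbs to the service account and administrators.
Const ADMIN_USER = "Administrator"
Const ADMIN_PASS = "CHANGEME"

Const SENDER_FOREIGN = 0   ' domain is not hosted on this server
Const SENDER_EXISTS  = 1   ' hosted domain, address is known
Const SENDER_FORGED  = 2   ' hosted domain, address is unknown

' Reduce a From: header such as "Vilma Haynes" <user@host> to the bare
' address; a header with no angle brackets is returned trimmed.
Function ExtractAddress(sHeader)
    Dim p1, p2
    p1 = InStr(sHeader, "<")
    p2 = InStrRev(sHeader, ">")
    If p1 > 0 And p2 > p1 Then
        ExtractAddress = LCase(Trim(Mid(sHeader, p1 + 1, p2 - p1 - 1)))
    Else
        ExtractAddress = LCase(Trim(sHeader))
    End If
End Function

' Classify sAddress against the hosted domain it claims. The assumed lookups
' (Domains.ItemByName, Accounts.ItemByAddress, Aliases.ItemByName,
' DistributionLists.ItemByAddress) raise a script error when nothing matches,
' so each one is probed under On Error Resume Next and Err.Number is checked.
Function ClassifySender(oApp, sAddress)
    Dim sDomain, oDomain, oItem
    ClassifySender = SENDER_FOREIGN
    If InStr(sAddress, "@") = 0 Then Exit Function
    sDomain = Mid(sAddress, InStrRev(sAddress, "@") + 1)

    On Error Resume Next
    Set oDomain = oApp.Domains.ItemByName(sDomain)
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function                      ' not one of our domains
    End If

    ClassifySender = SENDER_FORGED
    Set oItem = oDomain.Accounts.ItemByAddress(sAddress)
    If Err.Number = 0 Then ClassifySender = SENDER_EXISTS
    Err.Clear
    If ClassifySender = SENDER_FORGED Then
        Set oItem = oDomain.Aliases.ItemByName(sAddress)
        If Err.Number = 0 Then ClassifySender = SENDER_EXISTS
        Err.Clear
    End If
    If ClassifySender = SENDER_FORGED Then
        Set oItem = oDomain.DistributionLists.ItemByAddress(sAddress)
        If Err.Number = 0 Then ClassifySender = SENDER_EXISTS
        Err.Clear
    End If
    On Error GoTo 0
End Function

Sub OnAcceptMessage(oClient, oMessage)
    Dim oApp, sEnvelope, sHeader, sBad

    ' Authenticated submissions are governed by the IP-range "require
    ' authentication" setting and the auth-vs-sender script earlier in the thread.
    If oClient.Username <> "" Then Exit Sub

    sEnvelope = LCase(Trim(oMessage.FromAddress))        ' MAIL FROM; "" for bounces (<>)
    sHeader   = ExtractAddress(oMessage.HeaderValue("From"))

    Set oApp = CreateObject("hMailServer.Application")
    oApp.Authenticate ADMIN_USER, ADMIN_PASS

    sBad = ""
    If sEnvelope <> "" Then
        If ClassifySender(oApp, sEnvelope) = SENDER_FORGED Then sBad = sEnvelope
    End If
    If sBad = "" And sHeader <> "" Then
        If ClassifySender(oApp, sHeader) = SENDER_FORGED Then sBad = sHeader
    End If

    If sBad <> "" Then
        EventLog.Write "Rejected forged local sender " & sBad & " from " & oClient.IPAddress
        Result.Value = 2                   ' reject with Result.Message (shows as 554 in the log)
        Result.Message = "Sender " & sBad & " does not exist in this domain"
    End If
End Sub
```

The null sender (bounces arrive with an empty MAIL FROM) is deliberately left alone, and the hMailServer.Application object is created per message, which is the same cost bladerunner's script pays; if that matters under a flood, create it once at script load and reuse it. Checking the From: header as well as the envelope is what catches the header-only spoof matthew1471 describes, at the price of rejecting external senders who legitimately put a nonexistent local address in From:, which is exactly the traffic this thread wants to drop.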

mattg
Moderator
Posts: 20024
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: fake "mail from"

Post by mattg » 2019-04-28 03:10

These are the scripts that I use
viewtopic.php?p=68117#p68117

You also need to understand how local and external addresses work in IP ranges. The default IP ranges do stop most of this fake 'mail from', and hMailServer is deliberately designed to allow a user to AUTH and then set whatever FROM they like, which is how the big email servers were doing it at the time hMailServer was written (and even when this thread was last posted in). Gmail and Office365 have gotten much stricter since 2009 about who users send from.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: fake "mail from"

Post by insomniac2k2 » 2019-04-28 06:29

Figured that I should share my script for this here. My situation is that I use hMail as a relay for both internal and external. From what I have seen so far, hMail is kind of all-or-nothing for this scenario. I needed to devise a way to treat internal domains as local when coming from an approved IP, and reject domain impersonators from non-approved IPs. Here is my solution:

Sub OnSMTPData(oClient, oMessage)
    Dim ClientIp, SafeDomain, WhiteList, domainSplit
    ClientIp   = oClient.IpAddress
    SafeDomain = "#yourdomain.com#yourotherdomain.com#"   ' fixed list of hosted domains
    WhiteList  = "#127.0.0.1#10.10.5.4#10.10.6.5#"        ' fixed list of approved IPs
    ' domain part of the envelope sender (everything after the "@"), lower-cased so
    ' that MAIL FROM:<x@YourDomain.com> cannot slip past the list
    domainSplit = LCase(Right(oMessage.FromAddress, Len(oMessage.FromAddress) - InStr(oMessage.FromAddress, "@")))
    ' "> 0" rather than "= 1": a match on the second or later domain sits past position 1
    If InStr(SafeDomain, "#" & domainSplit & "#") > 0 Then
        If InStr(WhiteList, "#" & ClientIp & "#") = 0 Then
            EventLog.Write("Rejecting false Domain " & oClient.IPAddress)
            Result.Message = "You must be authenticated to send from local domain."
            Result.Value = 2
        End If
    End If
End Sub

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: fake "mail from"

Post by insomniac2k2 » 2019-04-28 17:41

After posting the above, I decided that it was a bit inefficient. I switched the code to allow both individual IPs and ranges, and removed the verification against the whitelist entirely, by simply exiting if an internal range or IP is present:

Sub OnSMTPData(oClient, oMessage)
    Dim ClientIp, SafeDomain, domainSplit
    ClientIp   = oClient.IpAddress
    SafeDomain = "#yourfirstdomainname.com#yourseconddomainname.com#"   ' fixed list of hosted domains
    ' domain part of the envelope sender, lower-cased so a mixed-case MAIL FROM still matches
    domainSplit = LCase(Right(oMessage.FromAddress, Len(oMessage.FromAddress) - InStr(oMessage.FromAddress, "@")))

    If InStr(SafeDomain, "#" & domainSplit & "#") > 0 Then
        If (Left(ClientIp, 9) = "127.0.0.1") Then Exit Sub    ' local IP
        If (Left(ClientIp, 7) = "10.4.1.") Then Exit Sub      ' local range
        If (Left(ClientIp, 12) = "70.205.7.178") Then Exit Sub ' specific IP

        EventLog.Write("Rejecting false Domain " & domainSplit & " from " & ClientIp)
        '''' this will become a lifetime insta-ban after further testing
        Result.Message = "You must be authenticated to send from local domain."
        Result.Value = 2
    End If
End Sub
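An added example, not insomniac2k2's code or hMailServer's: the same relay rule as the script above, but with trusted sources expressed as IPv4 CIDR blocks and matched numerically, so non-octet-aligned ranges (a /22, say) work and the domain comparison is exact and case-insensitive. The hosted domain names and the address blocks are placeholder values; OnSMTPData, Result and EventLog are the hMailServer objects the thread already uses.

```vbscript
' Added example, not insomniac2k2's code or hMailServer's. Same relay rule as
' the script above, but trusted sources are matched as IPv4 CIDR blocks rather
' than by string prefix. Domain names and address blocks are placeholders.

' Dotted quad -> value 0..4294967295 held in a Double (VBScript Long is signed
' 32-bit). Returns -1 for anything that is not a well-formed IPv4 address,
' which also covers IPv6 clients: they never match and fall through to rejection.
Function Ip4ToNumber(sIp)
    Dim parts, i, n
    Ip4ToNumber = -1
    parts = Split(Trim(sIp), ".")
    If UBound(parts) <> 3 Then Exit Function
    n = 0
    For i = 0 To 3
        If Not IsNumeric(parts(i)) Then Exit Function
        If CDbl(parts(i)) < 0 Or CDbl(parts(i)) > 255 Then Exit Function
        n = n * 256 + CDbl(parts(i))
    Next
    Ip4ToNumber = n
End Function

' True if sIp lies inside sCidr ("10.4.1.0/24"; a bare address means /32).
' The block index (address divided by block size) is compared instead of
' bit-masking, which VBScript cannot do on unsigned 32-bit values.
Function IpInCidr(sIp, sCidr)
    Dim p, sNet, nBits, nIp, nNet, nBlock
    IpInCidr = False
    p = InStr(sCidr, "/")
    If p = 0 Then
        sNet = sCidr
        nBits = 32
    Else
        sNet = Left(sCidr, p - 1)
        If Not IsNumeric(Mid(sCidr, p + 1)) Then Exit Function
        nBits = CInt(Mid(sCidr, p + 1))
    End If
    nIp = Ip4ToNumber(sIp)
    nNet = Ip4ToNumber(sNet)
    If nIp < 0 Or nNet < 0 Or nBits < 0 Or nBits > 32 Then Exit Function
    nBlock = 2 ^ (32 - nBits)
    IpInCidr = (Int(nIp / nBlock) = Int(nNet / nBlock))
End Function

' Placeholder list of hosts allowed to submit mail for our domains.
Function IsTrustedSource(sIp)
    Dim cidr
    IsTrustedSource = False
    For Each cidr In Array("127.0.0.0/8", "10.4.1.0/24", "70.205.7.178")
        If IpInCidr(sIp, cidr) Then
            IsTrustedSource = True
            Exit Function
        End If
    Next
End Function

' Exact, case-insensitive match on the domain part of the envelope sender.
Function IsHostedDomain(sAddress)
    Dim d, sDomain
    IsHostedDomain = False
    If InStr(sAddress, "@") = 0 Then Exit Function
    sDomain = LCase(Mid(sAddress, InStrRev(sAddress, "@") + 1))
    For Each d In Array("yourfirstdomainname.com", "yourseconddomainname.com")
        If sDomain = d Then
            IsHostedDomain = True
            Exit Function
        End If
    Next
End Function

Sub OnSMTPData(oClient, oMessage)
    Dim sFrom
    sFrom = Trim(oMessage.FromAddress)
    If sFrom = "" Then Exit Sub                       ' null sender (<>), leave to other checks
    If Not IsHostedDomain(sFrom) Then Exit Sub        ' foreign domain: nothing to protect
    If IsTrustedSource(oClient.IPAddress) Then Exit Sub
    EventLog.Write "Rejecting " & sFrom & " claiming a hosted domain from untrusted " & oClient.IPAddress
    Result.Message = "You must submit from a trusted host to send from a local domain."
    Result.Value = 2
End Sub
```

With this shape the trusted list is data rather than a chain of Left() tests, so adding a /22 or a second office is one string; a client connecting over IPv6 is never trusted by this function, which is the safe default for a relay, and should be added to hMailServer's IP ranges instead if it needs to submit.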

mattg
Moderator
Posts: 20024
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: fake "mail from"

Post by mattg » 2019-04-29 01:18

insomniac2k2 wrote:
2019-04-28 06:29
I needed to devise a way to treat internal domains as Local when coming from an approved IP, and reject domain impersonators from non-approved IP's.
Couldn't you just do this with IP ranges
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

insomniac2k2
Normal user
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: fake "mail from"

Post by insomniac2k2 » 2019-04-29 01:52

Nope. For my configuration, I accept mail from the outside and relay it into an internal server. I also accept email from the inside and route it according to scripted rules based on certain criteria. Needless to say, it's far from a common configuration. I just posted the scripting logic for others in case it was ever useful for other things.

mattg
Moderator
Posts: 20024
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: fake "mail from"

Post by mattg » 2019-04-29 09:43

couldn't you just

Internet IP range - allow only from external to local without AUTH
127.0.0.1 to 127.0.0.1 - allow with AUTH (local to local, local to external, and external to local)
10.4.1.0 to 10.4.1.255 - allow with AUTH (local to local, local to external, and external to local)
70.205.7.178 to 70.205.7.178 - allow with AUTH (local to local, local to external, and external to local)

And achieve the same thing (except for the lifetime Auto-ban bit, and the eventlog write)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: fake "mail from"

Post by SorenR » 2019-04-29 13:54

mattg wrote:
2019-04-29 09:43
couldn't you just

Internet IP range - allow only from external to local without AUTH
127.0.0.1 to 127.0.0.1 - allow with AUTH (local to local, local to external, and external to local)
10.4.1.0 to 10.4.1.255 - allow with AUTH (local to local, local to external, and external to local)
70.205.7.178 to 70.205.7.178 - allow with AUTH (local to local, local to external, and external to local)

And achieve the same thing (except for the lifetime Auto-ban bit, and the eventlog write)
When relaying all domains are external... And no one is logging on either...
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: fake "mail from"

Post by insomniac2k2 » 2019-04-29 15:28

So that's exactly it. No one is logging in. This is pure relay and it handles both directions at the moment.

I am able to keep the rest of the world from using the relay to send to others. The snag I ran into was that the outside world was able to bypass the built-in rules when sending as an internal user to an internal user. This is very niche for sure. All the same, the code works perfectly for my needs, whereas when I wasn't running it, I had an issue.
