Can't block spammers when 'RCPT' To doesn't match 'To'

DemonIT
New user
Posts: 3
Joined: 2016-04-26 10:53

Post by DemonIT » 2016-04-26 11:09

Hi,

I'm hoping someone can help me with this, because I'm out of ideas!

I have a domain that I use for email 'mydomain.com'.

I have a single account on that domain, with 'Plus addressing' enabled.

I give each website I register with its own email address (e.g. me-google@mydomain.com, me-spotify@mydomain.com etc.). Some unscrupulous websites have given my email to spammers and so now I receive spam email to those email addresses (e.g. me-somedodgywebsite@mydomain.com). I want to block those addresses once I discover that they've given my email address to others.

To do this, I've created a rule on my account called 'SPAM if blocked'. Inside there I have:

Name = SPAM if Blocked
Enabled = Yes
Criteria = Use OR
Field=To
Comparison=Contains
Value=me-somedodgywebsite

This works fine, but it does not work if the spammer does this:

CLIENT: MAIL FROM:<somespammer@somedomain.com>
SERVER: 250 2.1.0 OK
CLIENT: RCPT TO:<me-somedodgywebsite@mydomain.com>
SERVER: 250 2.1.5 OK
CLIENT: DATA
SERVER: 354 Go ahead
CLIENT: Subject: Have some SPAM email
CLIENT: From:'Mr ABC'<somespammer@somedomain.com>
CLIENT: To:'John Doe'<fakeaccount@gmail.com>
CLIENT: This is a test...
CLIENT: .

This is because the To field does not match my filter (even though the email address it was actually sent to (RCPT TO) does match).

I can't possibly fix this using the Rule method, because the spammer can use any value he likes in the To field.

Can anybody provide a solution?

Alternatively is there a better way to be working to allow me to:

1) Give an email address to each site
2) Be able to simply 'kill' that email address once I discover it's been shared.

Many thanks!

James.
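Worked example (added here, not part of the original post): the transcript above, replayed offline to show why the rule misses. The server delivers on the envelope (RCPT TO); the To: header inside DATA is whatever the sender typed. The transcript below is constructed from the post, and the two rule functions are a model of hMailServer's "To / Contains" and "Recipients list / Contains" criteria, not hMailServer's own rule engine.

```python
import re
from email import message_from_string, policy

# Constructed transcript, modelled on the session in the post above: one
# envelope recipient (RCPT TO) and a To: header that names someone else.
TRANSCRIPT = [
    "CLIENT: MAIL FROM:<somespammer@somedomain.com>",
    "SERVER: 250 2.1.0 OK",
    "CLIENT: RCPT TO:<me-somedodgywebsite@mydomain.com>",
    "SERVER: 250 2.1.5 OK",
    "CLIENT: DATA",
    "SERVER: 354 Go ahead",
    "CLIENT: Subject: Have some SPAM email",
    "CLIENT: From: 'Mr ABC' <somespammer@somedomain.com>",
    "CLIENT: To: 'John Doe' <fakeaccount@gmail.com>",
    "CLIENT:",  # empty line: end of headers
    "CLIENT: This is a test...",
    "CLIENT: .",
]

ANGLE_ADDR = re.compile(r"<([^>]*)>")


def _path(text, verb):
    """Address from 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b> PARAM=...'."""
    m = ANGLE_ADDR.search(text)
    raw = m.group(1) if m else (text[len(verb):].split() or [""])[0]
    return raw.strip().lower()


def parse_session(lines):
    """Return (mail_from, rcpt_to, message) from a CLIENT/SERVER transcript.

    The envelope (MAIL FROM / RCPT TO) is what the server delivers on; the
    headers inside DATA are free text written by the sender.
    """
    mail_from, rcpt_to, data, in_data = None, [], [], False
    for line in lines:
        speaker, _, text = line.partition(":")
        if speaker.strip() != "CLIENT":
            continue
        text = text[1:] if text.startswith(" ") else text
        if in_data:
            if text == ".":
                in_data = False
            else:
                # RFC 5321 dot-stuffing: a body line beginning with '.' is sent as '..'
                data.append(text[1:] if text.startswith("..") else text)
            continue
        upper = text.upper()
        if upper.startswith("MAIL FROM:"):
            mail_from = _path(text, "MAIL FROM:")
        elif upper.startswith("RCPT TO:"):
            rcpt_to.append(_path(text, "RCPT TO:"))
        elif upper == "DATA":
            in_data = True
    message = message_from_string("\r\n".join(data), policy=policy.default)
    return mail_from, rcpt_to, message


def rule_to_contains(message, needle):
    """Model of hMailServer rule 'To' + 'Contains': inspects only the To: header."""
    return needle.lower() in str(message.get("To", "")).lower()


def rule_recipients_list_contains(rcpt_to, needle):
    """Model of hMailServer rule 'Recipients list' + 'Contains': inspects RCPT TO."""
    return any(needle.lower() in rcpt for rcpt in rcpt_to)


def evaluate(lines, needle="me-somedodgywebsite"):
    """Apply both rule variants to one session and report which would fire."""
    _, rcpt_to, message = parse_session(lines)
    return {
        "to_header": rule_to_contains(message, needle),
        "recipients_list": rule_recipients_list_contains(rcpt_to, needle),
    }


if __name__ == "__main__":
    print(evaluate(TRANSCRIPT))  # {'to_header': False, 'recipients_list': True}
```

The same mismatch is how every Bcc works, so any filter keyed on the To: header is bypassable by design; a filter on the envelope recipient is the only one the sender cannot talk around.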

jimimaseye
Moderator
Posts: 8953
Joined: 2011-09-08 17:48

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by jimimaseye » 2016-04-26 11:34

DemonIT wrote:
Alternatively is there a better way to be working to allow me to:

1) Give an email address to each site
2) Be able to simply 'kill' that email address once I discover it's been shared.

Thank you thank you thank you, James. I have been waiting for someone to come along with a story like this.

Why?

Because I have long been a fan of 'disposable addresses' but recognised how 'plus addressing' has a potential flaw in that it advertises itself as a plus address ("name-randomword@..."). As plus addressing is a well-known method, it doesn't take too long to realise you could drop the "-randomword" part and hit your main account every time. So I wrote a script that enables a true 'disposable address' where the email address you give out is a "real" address ("user@") where user can be anything you want (making it look real) yet in reality it is a disposable one. Then, when it ends up being abused, you simply add it to a blacklist. And the beauty is you don't have to 'set it up' like you would with an Alias.

I use this function on our systems and it works beautifully.

If you are interested in this then you can implement it here: viewtopic.php?f=20&t=29306.

If you implement this then you can simply turn off plus addressing and all existing addresses you have already given out will still be received. (Then add your abused address to the blacklist).

The only downside is that you effectively are using one single real address to receive all the disposable addresses given (like a 'catchall address' function). If you need to share the function with different users then you would still then need rules to distribute the relevant disposable address incoming emails out to the relevant real user inboxes (this removes the 'on-the-fly without setup' part but still gives you the disposable address function without being obvious).

I think the above answers your latter part of your post.

If you still want an answer to:

DemonIT wrote:
This is because the To field does not match my filter (even though the email address it was actually sent to (RCPT TO) does match).

I can't possibly fix this using the Rule method, because the spammer can use any value he likes in the To field.

Can anybody provide a solution?

.... then change the rule to RECIPIENTS LIST instead of TO. (See if that works). Personally I would go with the above if possible.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
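Worked example (added here; it is a Python model of the scheme described in the reply above, not the script from the linked HOW TO, which is an hMailServer VBScript/JScript event script). It shows the two points made: with plus addressing, dropping the suffix reaches the main account, whereas with a catch-all plus an exact-match blocklist every local part looks like a real address, retiring one address does not affect the others, and an abused address is refused at RCPT TO with nothing stored and nothing bounced. The domain, mailboxes and blocklist entries are constructed.

```python
# Model of the disposable-address scheme: every local part on the domain that is
# not a real account lands in one catch-all mailbox, and abused addresses are
# refused at RCPT TO. Added example; not hMailServer's own code.

PLUS_SEP = "-"          # hMailServer's plus-addressing separator is configurable

DOMAIN = "mydomain.com"
ACCOUNTS = {"me@mydomain.com"}                      # real mailboxes
CATCHALL = "disposable@mydomain.com"                # receives every other local part
BLOCKLIST = {"me-somedodgywebsite@mydomain.com"}    # exact addresses, lower-case


def plus_base(address, sep=PLUS_SEP):
    """Where plus addressing delivers: the local part before the separator.

    This is the weakness noted above: anyone who sees me-spotify@ can drop
    the suffix and reach me@ directly.
    """
    local, _, domain = address.lower().partition("@")
    return local.split(sep, 1)[0] + "@" + domain


def rcpt_decision(rcpt, domain=DOMAIN, accounts=ACCOUNTS,
                  catchall=CATCHALL, blocklist=BLOCKLIST):
    """Decide one RCPT TO before DATA: (smtp_code, mailbox_or_reason).

    Refusing at RCPT stage means no message is stored and no bounce is
    generated; the sender only sees a 550.
    """
    rcpt = rcpt.strip().lower()
    _, _, rdomain = rcpt.partition("@")
    if rdomain != domain.lower():
        return 550, "relay denied"            # never accept foreign domains
    if rcpt in blocklist:
        return 550, "address blocked"         # abused disposable address
    if rcpt in accounts:
        return 250, rcpt                      # a real mailbox
    return 250, catchall                      # any other local part: disposable


def block(address, blocklist=BLOCKLIST):
    """Retire one disposable address; its siblings are untouched."""
    blocklist.add(address.strip().lower())
    return address.strip().lower() in blocklist


def simulate(rcpts, **kw):
    """Run a list of RCPT TO values through the policy."""
    return {r: rcpt_decision(r, **kw) for r in rcpts}


if __name__ == "__main__":
    for rcpt, (code, detail) in simulate([
        "me@mydomain.com",
        "me-spotify@mydomain.com",
        "accounts-team@mydomain.com",          # looks like a real address
        "me-somedodgywebsite@mydomain.com",
        "me@other.example",
    ]).items():
        print(f"{rcpt:40} -> {code} {detail}")
    print("plus addressing would route me-spotify@ to", plus_base("me-spotify@mydomain.com"))
```

The trade-off is the one the reply mentions: every unknown local part is now accepted into the catch-all, so the server no longer rejects non-existent recipients at RCPT stage, and anything sent to a made-up name must be filtered after acceptance.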

DemonIT
New user
Posts: 3
Joined: 2016-04-26 10:53

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by DemonIT » 2016-04-26 13:23

Hi,

Thanks so much for your reply - that's very useful, especially as the email is rejected at RCPT TO stage, which as you say may reduce the future use of the email address once blacklisted. I'm implementing this as we 'speak'.

As an alternative to this, which I'm also considering, what would be involved in creating a web service to add an alias (I'm thinking if I set up a web page with a single field on it for "Add Alias"), as it wouldn't be too much bother to just open another tab to this page just before signing up to a new site? This means that I avoid any of the risks of using a catch-all, for not much effort. Would I just write directly to the DB or is there an API call available for this?

Thanks again for your complete response!

James.
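Worked example (added here, not from the original post or from hMailServer's own tooling): the "Add Alias" call made through the hMailServer COM API rather than by writing to the database. The object names used (hMailServer.Application, Authenticate, Domains.ItemByName, Accounts.ItemByAddress, Aliases.ItemByName/Add, alias Name/Value/Active/Save) are from the COM API as I know it and should be checked against the documentation for your version; the assumption that Authenticate returns None on failure is marked in the code. FakeHMailServer is a constructed in-memory stand-in so the example runs offline; in production `app` is `win32com.client.Dispatch("hMailServer.Application")`. The security-relevant part is that the form validates the local part, keeps the domain and target account fixed server-side, and refuses to shadow an existing account or alias.

```python
import re

# Local part restricted to a conservative subset of RFC 5321 dot-atom characters
# (a choice for this example; hMailServer itself accepts more).
LOCAL_PART = re.compile(r"^[a-z0-9](?:[a-z0-9._-]{0,62}[a-z0-9])?$")

DOMAIN = "mydomain.com"          # the only domain the web form may touch (assumed)
TARGET = "me@mydomain.com"       # the only account aliases may point at (assumed)


def _lookup(collection, method, key):
    """Return the COM item or None; hMailServer raises when an item is missing."""
    try:
        return getattr(collection, method)(key)
    except Exception:            # pywin32 surfaces this as pywintypes.com_error
        return None


def add_disposable_alias(app, admin_password, alias_local):
    """Create alias_local@DOMAIN -> TARGET through the hMailServer COM API.

    `app` is win32com.client.Dispatch("hMailServer.Application") in production
    and FakeHMailServer below when run offline.
    """
    alias_local = alias_local.strip().lower()
    if not LOCAL_PART.match(alias_local):
        raise ValueError("alias contains characters this form does not allow")
    alias_address = f"{alias_local}@{DOMAIN}"

    # Assumption: Authenticate returns the admin Account object, or Nothing
    # (None) on failure. Verify against your hMailServer version.
    if app.Authenticate("Administrator", admin_password) is None:
        raise PermissionError("hMailServer authentication failed")
    domain = app.Domains.ItemByName(DOMAIN)

    # Never shadow a real mailbox, never silently overwrite an existing alias,
    # and never create an alias whose target does not exist.
    if _lookup(domain.Accounts, "ItemByAddress", alias_address) is not None:
        raise ValueError("a real account already uses that address")
    if _lookup(domain.Aliases, "ItemByName", alias_address) is not None:
        raise ValueError("that alias already exists")
    if _lookup(domain.Accounts, "ItemByAddress", TARGET) is None:
        raise RuntimeError("target account is missing")

    alias = domain.Aliases.Add()
    alias.Name = alias_address
    alias.Value = TARGET
    alias.Active = True
    alias.Save()
    return alias_address


# ---- constructed offline stand-in for the COM objects (not hMailServer code) ----
class _FakeItem:
    """Stand-in for an hMailServer Account/Alias COM object."""
    def __init__(self, collection):
        self._collection = collection
        self.Name = self.Value = ""
        self.Active = False

    def Save(self):
        self._collection._items[self.Name.lower()] = self


class _FakeCollection:
    """Stand-in for the Domains/Accounts/Aliases collections."""
    def __init__(self, names=()):
        self._items = {}
        for name in names:
            item = _FakeItem(self)
            item.Name = name
            item.Save()

    def _get(self, key):
        return self._items[key.lower()]    # KeyError plays the role of com_error

    ItemByName = ItemByAddress = _get

    def Add(self):
        return _FakeItem(self)


class _FakeDomain:
    def __init__(self, accounts):
        self.Accounts = _FakeCollection(accounts)
        self.Aliases = _FakeCollection()


class FakeHMailServer:
    """Offline stand-in for Dispatch('hMailServer.Application')."""
    def __init__(self, admin_password, domains):
        self._password = admin_password
        self.Domains = _FakeCollection()
        for name, accounts in domains.items():
            self.Domains._items[name.lower()] = _FakeDomain(accounts)

    def Authenticate(self, username, password):
        ok = (username, password) == ("Administrator", self._password)
        return object() if ok else None


def demo():
    app = FakeHMailServer("s3cret", {DOMAIN: [TARGET]})
    return add_disposable_alias(app, "s3cret", "me-newsite")


if __name__ == "__main__":
    print(demo())  # me-newsite@mydomain.com
```

Whatever serves the form must itself require a login and should never accept the domain or the target account from the client; the only user-supplied value is the local part, and it is validated before it reaches the API.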

jimimaseye
Moderator
Posts: 8953
Joined: 2011-09-08 17:48

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by jimimaseye » 2016-04-26 13:55

DemonIT wrote: As an alternative to this, which I'm also considering, what would be involved in creating a webservice to add an alias...
Yes, it would use the API, but I'm afraid I personally simply cannot advise you on this as I have no experience. We do have a PHP web interface that you can download and use as a base https://www.hmailserver.com/documentati ... hpwebadmin or maybe you can read and find the necessary 'workings' from that.

DemonIT
New user
Posts: 3
Joined: 2016-04-26 10:53

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by DemonIT » 2016-04-26 15:03

jimimaseye wrote:
DemonIT wrote: As an alternative to this, which I'm also considering, what would be involved in creating a webservice to add an alias...
Yes, it would use the API, but I'm afraid I personally simply cannot advise you on this as I have no experience. We do have a PHP web interface that you can download and use as a base https://www.hmailserver.com/documentati ... hpwebadmin or maybe you can read and find the necessary 'workings' from that.

Thanks again - I've implemented your disposable method and it's working great.

Cheers!

jimimaseye
Moderator
Posts: 8953
Joined: 2011-09-08 17:48

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by jimimaseye » 2016-04-26 16:14

Thanks for the feedback. You're welcome. (Perhaps you could leave some feedback on the thread itself for others to read/refer to?)

pik256
New user
Posts: 16
Joined: 2016-05-18 11:25
Location: Poland

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by pik256 » 2016-10-03 09:51

I am quite a new user of hMailServer. I migrated to it from xmailserver, which I used for years, because of the lack of IMAP on xmail.
I have used a similar concept on xmail, albeit plus addressing was implemented slightly differently on it - with wildcard aliases. Well, I used a wildcarded alias me-*@mydomain.
But I had 2 accounts for this purpose: me@mydomain and me-disabled@mydomain. The second one was a disabled account, so all emails addressed to it were bounced at SMTP level.
I distributed hundreds of me-*@mydomain aliases for years. When I wanted to disable any of them, I simply added a me-specific@mydomain alias to the me-disabled@mydomain account.

It worked, because xmail finds specific accounts first, then checks aliases, and the most general wildcard rules apply at the end of the resolve process. But it does not work on hmail. Setting plus addressing on the mydomain account assigned all aliases to the first account.
Even worse: it effectively killed all existing accounts with a '-' sign in the user name. I had some other accounts with a '-' sign in the name. They were resolved to the part before the '-', e.g. one-two@mydomain was bounced because one@mydomain does not exist. That's why I had to find all of my wildcard aliases in logs and add hundreds of them as specific aliases to the hmail database. The me-disabled@mydomain account and all of its aliases are not needed anymore.

I think it would be better if hmail checked existing accounts before applying plus addressing. It would be a more intuitive way of address resolving and a nice extension of the current logic that would not break anything: to date nobody uses specific accounts with the plus addressing sign because they are unreachable.

I looked at the sources. It seems to be easy: move one call to PlusAddressing::ExtractAccountAddress() in RecipientParser.cpp a few lines down - after GetAccount, GetAlias and GetDistributionList, call ExtractAccountAddress() only if no real address was found before, and check the existence of the actually plus-addressed account once more with GetAccount(). But I am quite new and don't feel experienced enough yet to request the feature.
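Worked example (added here, not from the post or from hMailServer's sources): a Python model of the two resolution orders described above. `resolve_current` follows the order pik256 describes (plus suffix stripped before any lookup, so an account or alias whose name contains the separator is never found), and `resolve_proposed` is his reordering (exact account, alias and distribution list first; strip and retry GetAccount only if nothing matched). Both are models of the text, not RecipientParser.cpp itself, and the directory below is constructed to mirror the accounts and alias named in the post.

```python
# Model of hMailServer recipient resolution as described in the post above.
# Added example; not the RecipientParser.cpp code itself.

PLUS_SEP = "-"


def strip_plus(address, sep=PLUS_SEP):
    """Model of PlusAddressing::ExtractAccountAddress: drop '-suffix'."""
    local, _, domain = address.partition("@")
    return local.split(sep, 1)[0] + "@" + domain


class Directory:
    """Accounts, aliases and distribution lists of one domain."""
    def __init__(self, accounts, aliases=None, lists=()):
        self.accounts = {a.lower() for a in accounts}
        self.aliases = {k.lower(): v.lower() for k, v in (aliases or {}).items()}
        self.lists = {l.lower() for l in lists}

    def lookup(self, address):
        """GetAccount, GetAlias, GetDistributionList, in that order."""
        if address in self.accounts:
            return ("account", address)
        if address in self.aliases:
            return ("alias", self.aliases[address])
        if address in self.lists:
            return ("list", address)
        return None


def resolve_current(address, directory, plus_enabled=True):
    """Strip the plus suffix first, then look the remainder up."""
    address = address.lower()
    if plus_enabled:
        address = strip_plus(address)
    return directory.lookup(address)


def resolve_proposed(address, directory, plus_enabled=True):
    """Look the exact address up first; strip only when nothing matched."""
    address = address.lower()
    found = directory.lookup(address)
    if found is not None or not plus_enabled:
        return found
    base = strip_plus(address)
    if base != address and base in directory.accounts:   # retried with GetAccount only
        return ("account", base)
    return None


# Constructed directory mirroring the post: a main account, a disabled account
# that bounces, an alias that retires one disposable address, and an unrelated
# account whose name happens to contain the separator.
DIRECTORY = Directory(
    accounts=["me@mydomain", "me-disabled@mydomain", "one-two@mydomain"],
    aliases={"me-specific@mydomain": "me-disabled@mydomain"},
)


def compare(addresses, directory=DIRECTORY):
    """Side-by-side result of both orders for each address."""
    return {a: (resolve_current(a, directory), resolve_proposed(a, directory))
            for a in addresses}


if __name__ == "__main__":
    for addr, (cur, new) in compare([
        "one-two@mydomain", "me-specific@mydomain",
        "me-anything@mydomain", "me-disabled@mydomain",
    ]).items():
        print(f"{addr:24} current={cur}  proposed={new}")
```

Under the current order one-two@ and me-disabled@ both collapse to something else before they are ever looked up, which is exactly the "unreachable accounts" case in the post; under the proposed order every address that exists verbatim wins, and plus addressing only ever fills in for names that do not.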

jimimaseye
Moderator
Posts: 8953
Joined: 2011-09-08 17:48

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by jimimaseye » 2016-10-03 10:08

@pik256

If you implement my disposable address script and disable plus addressing you will then allow all the existing plus addresses in again whilst disabling the unwanted ones in the BLOCKLIST.

pik256
New user
Posts: 16
Joined: 2016-05-18 11:25
Location: Poland

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by pik256 » 2016-10-03 14:26

You mean that one from HOW TO: On-the-fly Disposable/Catchall Addresses with Blacklisting?

It is not good for me. It uses a catch-all account instead. My domain is 20 years old and maybe that is why it receives several thousand spam emails every day, sometimes more (the maximum recorded so far was 2 million spam attempts in one day in May 2012). Of course most of them are stopped on the first line by the ZEN Spamhaus RBL, but each day 100-300 messages are rejected because of a non-existent recipient address and after that the next ~1000 messages are filtered as spam with other methods (with external onSMTPData and onAcceptMessage scripts). These non-existent addresses are random (Freddie9@mydomain, Marisa0@, Deena59, Kasey640, etc.). They never existed and I don't know who tries to spam them, or why. I cannot say how many of these messages would be filtered after reception to a catch-all account by the onSMTPData script, but anyway, I do not want a catch-all account. I want to reject all non-existent email addresses as quickly as possible.

jimimaseye
Moderator
Posts: 8953
Joined: 2011-09-08 17:48

Re: Can't block spammers when 'RCPT' To doesn't match 'To'

Post by jimimaseye » 2016-10-04 10:04

Fair enough.

pik256 wrote:
but each day 100-300 messages are rejected because of non existent recipient address and after that next ~1000 messages are filtered as spam with other methods (with external onSMTPData and onAcceptMessage scripts). These non-existent addresses are random (Freddie9@mydomain, Marisa0@, Deena59, Kasey640, etc.)

Too many random addresses to blacklist might be a good reason if it really is too many - I guess it's down to an opinion of what quantity is acceptable. (I must be lucky. In 5 years we have had just 5 randoms. Any others have an identifiable origin. I would think 50 addresses or more is acceptable to block given it's a 'once added, always forgotten' scenario.)
