SMTP AUTH match sender address

metalik
Posts: 2
Joined: Sat Mar 29, 2014 7:11 am

SMTP AUTH match sender address

Post by metalik »

Is there any way to force the SMTP-AUTH username to be used as the "from" address on MailEnable?

I'm asking because we've been seeing more and more customers with compromised accounts sending emails with a from address of yahoo.com, gmail.com, etc. Sometimes it's all one username, sometimes they randomly generate the username. In any event, our mailservers are fast enough that they can puke messages in at an alarming rate, and without any easy way to filter the bogus emails, looking through a list of 40,000 messages to try and delete the SPAM before it gets sent sucks.

If I can force the SMTP AUTH username to be the "from" address, it'd at least be a little easier to clean up the crap afterwards.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: SMTP AUTH match sender address

Post by MailEnable-Ian »

Hi,

The setting you are looking for resides under the SMTP "Security" tab named "Authenticated senders must use a valid email address". This will force the authenticated mailbox to send from an email address mapped to their mailbox.
Regards,

Ian Margarone
MailEnable Support

mwhatley
Posts: 19
Joined: Tue May 02, 2006 2:57 pm

Re: SMTP AUTH match sender address

Post by mwhatley »

Ian, I am afraid that does NOT work! We are dealing with this now and I am looking for some way to match the SENDER with the FROM in the headers. I have had this checked forever and I see the same issue where the user account became compromised and launched tons of SPAM with the FROM being someone's address @yahoo.com or some other like aol or gmail.

Mike

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: SMTP AUTH match sender address

Post by MailEnable-Ian »

Hi,

The option will only work for the SMTP envelope sender address used during the SMTP conversation. It does not look at the sender address in the from header for a message.
Regards,

Ian Margarone
MailEnable Support

mwhatley
Posts: 19
Joined: Tue May 02, 2006 2:57 pm

Re: SMTP AUTH match sender address

Post by mwhatley »

Ian,
I think metalik and I both thought you meant the FROM in the header. This is a tool we really NEED in this fight against the spammers.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: SMTP AUTH match sender address

Post by MailEnable-Ian »

Hi,

> I think metalik and I both thought you meant the FROM in the header.

To stop spammers that are using valid sender addresses mapped to the mailbox that is used to authenticate during the SMTP conversation and spoofing the from address in the message headers, create a script filter to perform the check of both envelope sender and from address (within the message headers) and use an action to delete the message when the filter is triggered. This will execute after the message has been accepted by the SMTP service, when the MTA routes the message to the SMTP outbound queue, which will stop the message from being placed in the outbound queue.

How to create the script filter:

1. Navigate within the administration console to: Messaging Manager > Filters
2. Right click on "Filters" and select to create a new filter.
3. Name the filter: Where FROM envelope sender address does not match message From header.
4. Double click the new filter to open the criteria window and select the option: use a criteria script.
5. Click the "Edit Script.." button and add:

FilterResult=0
If Not CriteriaMet([ME_FROM],"*[ME_SENDER]*") Then
    FilterResult=1
End If
6. Check that the syntax passes and then click save and exit
7. Next click the "Add Action" button and add the action to "Delete Message".
8. Click Close and then test.

To test, first stop the MTA agent. Next, send a message from an email client (Outlook). Once sent, navigate to the Mail Enable\Queues\SMTP\Inbound\Messages folder. Open the message that you just sent in Windows Notepad and modify the From address to be different to the envelope sender address. Save and then restart the MTA. The filter should execute and the message should be deleted. You can check the filtering log files under: Servers > localhost > Extensions > Message Filter > Logs > Filters.

While the above will help stop the messages from being sent, it is not a solution to your problems with mailboxes being compromised. If machines are infected with Trojans or viruses and are key logging mailbox passwords then you really need to stop this and provide best practices to the client to make the machines more secure. You also need to ensure that your mailbox passwords are secure and complex, as spammers will easily guess or crack simple passwords.
Regards,

Ian Margarone
MailEnable Support
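
The envelope-sender versus From-header comparison discussed in this thread, as an added example for offline triage (not code from the thread or from MailEnable): it parses the From header and compares addresses exactly instead of using a wildcard match. How the envelope sender and raw message are read out of a queue is left to the caller as an assumption, and the sample messages are constructed.

```python
from email import policy
from email.parser import BytesHeaderParser
from email.utils import getaddresses


def from_addresses(raw_message: bytes) -> list:
    """Return the lower-cased address of every mailbox in the From: header(s)."""
    headers = BytesHeaderParser(policy=policy.default).parsebytes(raw_message)
    values = [str(v) for v in headers.get_all("From", [])]
    return [addr.lower() for _name, addr in getaddresses(values) if addr]


def check_message(envelope_sender: str, raw_message: bytes) -> str:
    """Classify one message as 'match', 'mismatch' or 'no-from'."""
    addrs = from_addresses(raw_message)
    if not addrs:
        return "no-from"
    sender = envelope_sender.strip().strip("<>").lower()
    # Exact comparison of parsed addresses: a display name that merely
    # contains the sender address does not count as a match.
    return "match" if all(a == sender for a in addrs) else "mismatch"


# Constructed samples: (envelope sender, raw message). Not real queue data.
SAMPLES = {
    "ok": ("alice@isp.example",
           b"From: Alice <Alice@ISP.example>\r\nSubject: hi\r\n\r\nbody\r\n"),
    "spoofed": ("alice@isp.example",
                b"From: Prize Team <winner123@yahoo.example>\r\n\r\nbody\r\n"),
    "name-only": ("<alice@isp.example>",
                  b'From: "alice@isp.example" <x9f3@gmail.example>\r\n\r\nb\r\n'),
    "missing": ("alice@isp.example", b"Subject: no from header\r\n\r\nbody\r\n"),
}


def triage(samples: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: check_message(s, raw) for name, (s, raw) in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:10} {verdict}")
```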
