How to Filter Emails with Forged Headers

This article describes how to filter messages whose "From" header is forged.

Issue cause

Emails are received with forged "From" and "To" headers.

Solution

When messages are received that appear to be sent from local users, or even from your own address, they are most probably spam messages with forged headers. There is no straightforward solution to this issue; however, the procedure below will reduce the number of such messages.

Here are the steps to mitigate this issue:

  1. Require authentication for local delivery when the sender (SMTP MAIL FROM) claims to be a local account.
  2. Remove any "Return-Path" headers that arrive with the message. This is a safety measure for the next step: the "Return-Path" header is normally written by the final delivering server from the envelope sender, so removing any copy supplied by the sender ensures that the next step compares against the real envelope address and not against one a spammer inserted.
  3. Add an incoming message rule that tags (or discards) messages whose "From" is in the local domain but whose "Return-Path" is in a different domain.

  1. WebAdmin → Security & Filtering → Acceptance & Routing → Advanced Settings tab → Add Acceptance / Routing rule:
    • in the Conditions area, select: Sender - Domain - IS - type the name of your local domain
    • in the Actions area, select: Delivery - Local - Allow delivery for authenticated users
    • save configuration

  2. WebAdmin → Security & Filtering → Acceptance & Routing → Advanced Settings tab → Add Acceptance / Routing rule:
    • in the Conditions area, delete all conditions so that the rule matches any email message
    • in the Actions area, select: Header - Remove Header - Custom - type "Return-Path" (without quotes)
    • save configuration

  3. WebAdmin → Security & Filtering → Incoming Message Rules → Add message rule:
    • in the Conditions area, select:
      1. For incoming messages that match: ALL of the conditions below
      2. Custom - "Return-Path" - Does not contain - type the name of your domain
      3. From - Contains - type the name of your domain
    • in the Actions area, select: Change Subject - prepend - type a string which will tag the subject of the message, for example: [spam]
    • save configuration
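The three steps above, modelled in Python and run over constructed sample messages. This is an added example and not code from the mail server this page describes; it assumes a local domain of example.com, the [spam] tag from step 3, and a deliver() function that stands in for the server's acceptance rules and message rules. It goes slightly beyond the page's rule in one respect: it compares the address domains exactly instead of using the substring "Contains" match.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"   # assumption: substitute your own local domain
SPAM_TAG = "[spam]"            # subject prefix chosen in step 3


def address_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def deliver(raw_message, envelope_from, authenticated=False):
    """Apply the three steps to one inbound message.

    raw_message   -- message text as received in the SMTP DATA phase
    envelope_from -- SMTP MAIL FROM address ('' for the null sender of bounces)
    authenticated -- whether the submitting client authenticated

    Returns (action, message) with action 'reject', 'tag' or 'deliver'.
    """
    msg = message_from_string(raw_message, policy=default)

    # Step 1: an envelope sender in the local domain must come from an
    # authenticated client; otherwise local delivery is refused.
    if address_domain(envelope_from) == LOCAL_DOMAIN and not authenticated:
        return "reject", msg

    # Step 2: drop every Return-Path the sender put in the message, then record
    # the one final delivery writes from the envelope sender. Without the
    # delete, a spammer could pre-insert "Return-Path: <x@example.com>" and
    # satisfy step 3.
    del msg["Return-Path"]
    msg["Return-Path"] = f"<{envelope_from}>"

    # Step 3: local domain in From, Return-Path elsewhere (or empty).
    # Exact domain comparison instead of the rule's substring "Contains", so
    # "example.com.evil.test" or a display name mentioning the domain does
    # not match.
    from_domain = address_domain(msg["From"])
    rp_domain = address_domain(msg["Return-Path"])
    if from_domain == LOCAL_DOMAIN and rp_domain != LOCAL_DOMAIN:
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = f"{SPAM_TAG} {subject}".strip()
        return "tag", msg

    return "deliver", msg


# Constructed sample messages (not real traffic).
FORGED = """\
Return-Path: <boss@example.com>
From: "The Boss" <boss@example.com>
To: employee@example.com
Subject: Urgent wire transfer

Please pay the attached invoice today.
"""

INTERNAL = """\
From: Colleague <colleague@example.com>
To: employee@example.com
Subject: Lunch?

Noon?
"""

EXTERNAL = """\
From: Partner <partner@partner.example>
To: employee@example.com
Subject: Meeting notes

Notes attached.
"""

if __name__ == "__main__":
    cases = [
        ("forged, MAIL FROM remote", FORGED, "spammer@evil.test", False),
        ("forged, MAIL FROM local, no auth", FORGED, "boss@example.com", False),
        ("internal, authenticated", INTERNAL, "colleague@example.com", True),
        ("external partner", EXTERNAL, "partner@partner.example", False),
        ("local user via external list", INTERNAL, "list-bounces@lists.example", False),
    ]
    for label, raw, mail_from, auth in cases:
        action, result = deliver(raw, mail_from, auth)
        print(f"{label:35} -> {action:8} Subject: {result['Subject']}")
```

The first case shows why step 2 matters: the spammer's pre-inserted "Return-Path: <boss@example.com>" is discarded and the envelope address is the one compared. The last case shows the rule's main false positive: a local user posting through an external mailing list (local "From", foreign "Return-Path") is tagged, which is why the rules need adapting to your own traffic.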

Note:

These rules can and should be adapted to your configuration and to the pattern of spam messages you receive most often. In particular, step 1 refuses unauthenticated mail whose envelope sender is in your domain, and step 3 tags any message with a local-domain "From" and a "Return-Path" in another domain; both will also catch legitimate mail from mailing lists, forwarders and external services that send on behalf of your users, so add exceptions for those senders before relying on the rules. Note also that a "Contains" condition is a substring match: "From - Contains - example.com" also matches addresses in example.com.evil.net and display names that merely mention the domain, so prefer an exact match on the domain where the rule editor offers one.

With properly tuned antispam policies you should not receive such messages very often, provided the local domain is not whitelisted and the antispam solution in use can identify them.

OS: Linux, Windows, FreeBSD, NetBSD, OpenBSD, Solaris
Distros: Windows, DEB based distros amd64, FreeBSD 7.x