
Re: Is this filterable?

1998-06-30 09:51:49
I know most people on this list are busy with implementation of filtering
stuff, but I was wondering: suppose I have a filter, would it be possible to
filter on spoofing of internal e-mail addresses in the From: header?

The From: header is a good candidate for some kind of filtering. But what
if spammers put my own e-mail address in the From: header (and thus spam by
sending one message per SMTP job)?

What if they do? We all know that mail headers are easily forged.

Would there be some way for me to
recognize that this is an outside message, even if it says it is internal?

Generally speaking the answer is no, it is not possible. For example, I assume
you are on the mta-filtering list. This then means that when you posted a
message to the list you then received a message from the list -- from outside
your domain -- with your address in the From: field. But this is perfectly
legitimate mail you want to receive.

And in any case, this is not within scope of the task at hand. The task
at hand is to define a filtering language. And yes, this language acts
on material which, in general, cannot be trusted to be reliable. And
yes, this means that filters, once established, can, once spammers understand
how they work, be circumvented in most if not all cases. It is a simple
question of entropy, really, and nothing ever wins against entropy.

But this doesn't mean filters aren't useful. They are. For one thing, they can
be used to do lots of things other than blocking spam. And for another, most
spammers do leave telltales (perhaps not in the From: header but somewhere)
that can be used as triggers to block spam reception. Such schemes have
to be revised regularly to be effective, but one of the goals here is to
provide a language that makes such revision convenient.

Message-ID can be spoofed also. So I am currently left with the idea that
only the Received: headers added by intermediaries are a possible source for
detecting spoofing.

Even this doesn't work, as my example above shows.

If you want to detect other people using your address to send messages you did
not write you should be signing all your messages.

But how would I write rules for filtering that out? What kind of
combination of internal addresses (consider a complete domain) and Received:
headers would do the job?

It's a pointless question since route-based checks rarely, if ever, work all
that well.

And suppose I have such a rule, how would I prevent messages that I resend
(from my domain to another and back, those get a load of extra Received
headers but keep the original From:)?

Well, you can simply avoid doing this sort of resending if you want. But
mailing lists and their characteristics cannot be avoided.
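
The mailing-list case discussed above, as an added example that is not part of the original post: a route-based rule ("From: is internal but the message arrived from outside") applied to three messages. The domain example.org, the relay names and all three messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"                           # assumed local domain
INTERNAL_RELAYS = {"mail.example.org", "desk.example.org"}  # assumed internal hosts

def from_domain(msg):
    """Domain part of the From: address, lower-cased."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def arrived_from_outside(msg):
    """Inspect the topmost Received: header, the one our own MTA added."""
    received = msg.get_all("Received", [])
    if not received:
        return False                      # no hop recorded: local submission
    m = re.match(r"\s*from\s+(\S+)", received[0], re.I)
    return m is None or m.group(1).lower() not in INTERNAL_RELAYS

def flags_internal_spoof(raw):
    """Route-based rule: internal From: combined with an outside last hop."""
    msg = message_from_string(raw)
    return from_domain(msg) == INTERNAL_DOMAIN and arrived_from_outside(msg)

# Constructed sample: forged From: sent straight from an outside host.
FORGED = (
    "Received: from unknown.example.net by mail.example.org\n"
    "From: alice@example.org\n"
    "Subject: forged\n\nbody\n"
)
# Constructed sample: alice's own post coming back from a mailing list.
LIST_COPY = (
    "Received: from lists.example.com by mail.example.org\n"
    "Received: from mail.example.org by lists.example.com\n"
    "From: alice@example.org\n"
    "Subject: Re: Is this filterable?\n\nbody\n"
)
# Constructed sample: mail that never left the domain.
INTERNAL = (
    "Received: from desk.example.org by mail.example.org\n"
    "From: alice@example.org\n"
    "Subject: internal\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("list copy", LIST_COPY), ("internal", INTERNAL)]:
        print(f"{name:10s} flagged={flags_internal_spoof(raw)}")
```

The rule flags the forged message and the legitimate list copy alike, which is the false positive the reply describes.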

