Is there a way to reject messages if...
A very common spammer practice is to send mails hiding the real senders and recipients, let me explain:

First example: They send spam/scam/phishing mails from slkajfsdflks@alksdjalksd.com but in the FROM: field on the email client (webmail or any other app) it shows like it is coming from security@apple.com

Second example: Spammers send mails from llsdjflsjdf@lskdjflskdf.com that in the FROM field on the email client (webmail or any other app) shows like it is coming from director@bank.com AND they send scam mails to any valid mail like tui@mydomain.com BUT on the TO: field on the email client (webmail or any other app) it shows that the mail is TO any other fake user like cprex@cpanel.net

On the first example the spammers/scammers want to make people think that it comes from a legitimate account security@apple.com when it actually comes from slkajfsdflks@alksdjalksd.com

On the second example, the spammers/scammers want to make people think that it comes from a legitimate account director@bank.com when it actually comes from llsdjflsjdf@lskdjflskdf.com, but also, they want to make people think that the mail arrived in their mailbox by mistake because the TO: field says cprex@cpanel.net when the mail actually was targeted to tui@mydomain.com

The problem with these emails is that they actually come from real accounts/domains, the domains have correct spf, rdn and dkim records, and the accounts actually exist, so all dkim, spf, rdn and other checks pass and these mails go directly to the inbox. There is no way to see with the naked eye that the emails really come from other accounts or are targeted to real accounts, only if you look at the headers or see the real sender by making some taps or clicks on the "FROM" field on the email client, and this is a very big problem and security issue. My clients and I receive dozens of these mails every day... so my question: Is there a way to reject mails where the FROM: AND/OR TO: fields do not match the real sender/recipient that are in the headers?
Hey there! The short answer is no, not really, because if it were that easy everyone would already be doing it and these types of spam and phishing messages would quickly die out. They specifically send these types of messages because they are hard to block. I'm sure there are Exim tricks that could be used for specific situations, but I don't have a general cure available for this issue.
Too bad :( I was looking for a way on the Exim website and GitHub to make a request for something that could help to mitigate these mails but I could not find any. I do not think it would be difficult to implement something that could help with this but idk... :rolleyes: Is there a way we can make requests like this to the Exim devs? Or a way we can make some rules or something? I'm thinking only of something like if ("to:" != "for") {reject} if ("to:" != "envelope-to") {reject} if ("envelope-from" != "from:") {reject}
Joining the Exim users list Exim-dev is likely the best way to get in touch with the correct people. You're also always able to submit a feature request using the link in my signature and I can bring it up with the team.
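The rules sketched in the second comment (reject when the visible From:/To: disagree with the envelope sender/recipient) as a standalone check, added here as an illustration rather than code from the thread or from Exim. The sample message, the addresses and the `find_mismatches` helper are constructed for this example; it also tags the legitimate cases (mailing lists, Bcc, bounce relays) that are the reason the first reply calls a blanket reject unsafe.

```python
"""Header-vs-envelope consistency check (added illustration, not the thread's code).

Compares the addresses a mail client displays (From:, To:/Cc:) with the addresses
the SMTP transaction actually carried (MAIL FROM / RCPT TO), which is what the
second comment proposes rejecting on. All message data here is constructed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample mirroring the thread's second example: visible From:/To:
# name a bank director and a stranger, while the envelope says otherwise.
SAMPLE_RAW = """\
Return-Path: <llsdjflsjdf@lskdjflskdf.com>
Delivered-To: tui@mydomain.com
From: "Bank Director" <director@bank.com>
To: cprex@cpanel.net
Subject: Urgent
Message-ID: <constructed-example@lskdjflskdf.com>

Please wire the funds.
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def find_mismatches(raw, envelope_from, envelope_to):
    """Return (kind, header_value, envelope_value) tuples, one per disagreement.

    envelope_from / envelope_to are the MAIL FROM and RCPT TO addresses the MTA
    saw (an Exim ACL has them as $sender_address and $local_part@$domain).
    """
    msg = message_from_string(raw)
    findings = []
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    env_from = envelope_from.lower()
    if header_from != env_from:
        # Domain-level disagreement is what DMARC alignment fails on; an address-only
        # difference within one domain is common for legitimate bounces and relays.
        same_domain = domain_of(header_from) == domain_of(env_from)
        kind = "from-address-mismatch" if same_domain else "from-domain-mismatch"
        findings.append((kind, header_from, env_from))
    visible = {a.lower() for _, a in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    env_to = envelope_to.lower()
    if env_to not in visible:
        # Bcc and mailing-list delivery legitimately fail this test, which is why a
        # blanket reject on To: alone is unsafe; tag list traffic separately.
        kind = "list-traffic" if msg.get("List-Id") else "to-mismatch"
        findings.append((kind, ",".join(sorted(visible)), env_to))
    return findings

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_RAW, "llsdjflsjdf@lskdjflskdf.com", "tui@mydomain.com"):
        print(f)
```

For the constructed sample this reports a from-domain-mismatch and a to-mismatch; a copy where the recipient is only in Bcc, or a list message with a List-Id header, is tagged rather than treated as spoofing, so the findings are better fed into scoring or quarantine than into an outright reject.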