Re: [courier-users] SPAM over SMTP
From: Alessandro V. <ve...@ta...> - 2023-01-27 08:47:58
On Fri 27/Jan/2023 01:44:01 +0100 Sam Varshavchik wrote:
> Alexey Ivanov via courier-users writes:
>
>> Assuming I do have a server mail.mydomain.com
>> I wish that ONLY that server may send emails with FROM
>> address like <URL:mailto:na...@my...>na...@my...
>
> RFC 821 carries a date of August 1982. Since 1982, SMTP never worked this way.
> For better or for worse SMTP is completely unauthenticated, and any mail server
> in the world can attempt to send an email to any other email server in the
> world using any FROM address.
>
> Not only that, but each E-mail has not one or two addresses that are often
> described as "From" address, the SMTP MAIL FROM address, and whatever appears
> in the E-mail's actual From: header.
>
> And this applies to both of them. There is no authentication, whatsoever. Back
> when SMTP first came about it was a different world and everyone trusted each
> other, and SMTP works exactly the same right now as it did back then.
>
> What you describe, simply, is impossible.
>
> Various techniques, over many years, were proposed to address this naive
> trust-by-default nature of SMTP. The results have been quite lackluster. You
> may try to see if some of those approaches work for you, anything ranging from
> simple SPF checking (which Courier supports natively) to DKIM, which requires
> some extra stuff to be set up.

Specifically, SPF can block the envelope FROM, a.k.a. bounce address, which usually —but not always— equals the header From: address. If your users all post from known IP addresses, defining an SPF record that rejects different addresses (i.e. ending in -all) is quite effective in eliminating messages claiming to originate from your domain. However, a few addresses are set up to forward from third parties without actually whitelisting them. An SPF mechanism like ?exists:%{ir}.list.dnswl.org may attenuate —but not eliminate— that risk.

DKIM delivers domain authentication only. Since spammers are good at putting DKIM signatures, zdkimfilters has a shoot-on-sight feature of dubious efficacy, as it relies on a whack-a-mole game.

DMARC associates the From: address domain with DKIM signatures, with the known consequences.

>> If I ban based on IP. They can move it to another IP.
>> That ways they can jump over and over unlimited period of time.
>> I cannot even imagine what will happen if we all move to IPV6.
>
> Welcome to SMTP. That's just the way it is.
>
>> I never ban a single IP. Always like «192.168.0.0/24»

There are lots of honest servers foolishly placed in low-cost farms who are unable to send mail because of that generalization. Increased costs are another element in favor of the big guys' takeover.

>> Well, I got your point. But frankly I was expecting a special
>> solution can be found in that very particular case.
>
> Everyone has been looking for a solution for more than 30 years. One is yet to
> be found.

A classic list of failed attempts can be found here:
https://www.rhyolite.com/anti-spam/you-might-be.html

>> Well it is sad. Thanks anyway.
>
> This is why the big guys, like Google and Microsoft, have been taking over E-mail.
> Their spam filters, based on AI-like algorithms and trained on tremendous
> amounts of E-mail, offer pretty much the only effective generic spam filtered
> E-mail that's available to the masses.

Isn't there some eschatological meaning in that?

Let's keep fighting.

Best
Ale
--
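
The SPF policy described in the message above, evaluated step by step; this is an added example, not part of the original post and not Courier's code. The record, the IP ranges and the stubbed DNS answer are constructed, and only IPv4 and the `ip4`, `exists` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample policy: known outbound range passes, hosts listed at
# dnswl.org get a neutral result, everything else is a hard fail (-all).
RECORD = "v=spf1 ip4:192.0.2.0/28 ?exists:%{ir}.list.dnswl.org -all"

# Constructed stand-in for DNS: names that would return an A record.
FAKE_DNS = {"7.113.0.203.list.dnswl.org"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_ir(template, client_ip):
    """Expand the %{ir} macro: the client's IPv4 octets in reverse order."""
    reversed_ip = ".".join(reversed(client_ip.split(".")))
    return template.replace("%{ir}", reversed_ip)


def check_spf(record, client_ip, resolves=lambda name: name in FAKE_DNS):
    """Return the SPF result for the envelope sender's connecting IP."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "exists":
            matched = resolves(expand_ir(arg, client_ip))
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside the subset handled here
        if matched:  # first matching mechanism decides the result
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched: RFC 7208 default result
```

The forwarder listed at dnswl.org ends up neutral rather than pass, which is why the mechanism attenuates the forwarding problem without authenticating those hosts.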