How to implement anti-spoof of key employee email addresses

Discussion in 'Installation/Configuration' started by Richard Goode, Feb 6, 2019.

  1. Richard Goode

    Richard Goode New Member

    Hi all,

    I'm trying to implement a scheme in ISPConfig to protect specific high-value email addresses from being spoofed. This is where a malicious actor is sending an email from their own account but spoofing the "From" header to be the name of the CEO, CFO, or some high-ranking company official.

    The way in which I've implemented this on other systems before is to do a regex match on the From field to see if it contains elements of the CEO's proper name (e.g. /joe.*smith/i). If it does, then check that the Reply-To and From contain only known valid email addresses for Joe Smith (e.g. /^([email protected]|[email protected])$/i). If it fails this test, then I normally strip out the From header (so as to expose the envelope sender to the recipient) and tag the subject with a warning.

    I'm struggling to figure out how this can be done in ISPConfig.

    Anyone have any advice please?

  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You can't accomplish that using ISPConfig's filters/settings, but the underlying postfix server can be configured however you need to.

    Postfix has simple header checks but they cannot accomplish that, as they apply to only one header at a time, and you're wanting to utilize information from several. A policy daemon will not suit you, as it does not see the actual message content (including headers). You need a content filter, which leaves 2 options: a content_filter or a milter. Or I suppose you could tie in at message delivery time and run whatever custom program you wish, but your changes/results could be fed into spamassassin to help it identify those better if you do your changes earlier on.

    As far as what is the best route, how have you accomplished this in the past? Was it on a postfix server or something else? I.e. I'm wondering what code/tools you may already have that could be utilized and save time re-inventing things again. What languages do you use/prefer? If it's useful as a starting point, here is a content filter written in perl which performs a single header check; it shouldn't be too hard to modify it if you're comfortable with perl:
  3. Richard Goode

    Richard Goode New Member

    Hi Jesse. Thanks for the excellent response.

    In the past I've done it with commercial solutions. Cisco Ironport ESA gives me a few options - content filters can have multiple match conditions and multiple action conditions; it also has the concept of "dictionaries", which are basically tables of strings/regexes you can match against, which makes modifying the list of names/emails more dynamic. It also has a built-in feature specifically for this use case, but I've not tried it yet. I've also been using FortiMail, which has impersonation policies which effectively do something similar (not had much experience on this though).

    As for rolling my own solution - happy to do that. I typically script in either bash (and the various Linux tools) or php [cli], but I'm comfortable hacking around with existing perl code, so I'll have a look at your loopprevent script and maybe take it from there.

    I've recently been running a POC of a [reasonably] cost effective commercial product but have found that my ISPConfig (3.1.11) installation was giving me a better block rate. So I'm now evaluating whether I would be better off with an ISPConfig/Postfix solution and writing my own filters to implement similar features to the commercial solutions.

    Kind regards,
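
The check described in the first post (name pattern on From, then an allow-list test on the From and Reply-To addresses, then strip From and tag the subject) can be sketched as the decision function a content filter or milter would call. This is an added example, not code from the thread or from ISPConfig; the names, addresses, warning tag and sample messages are constructed, and the Postfix wiring is not shown.

```python
import re
from email import message_from_string, policy

# Constructed policy table: name pattern -> addresses that person really uses.
PROTECTED = [
    (re.compile(r"joe.*smith", re.I),
     {"joe.smith@example.com", "jsmith@example.com"}),
]
WARNING = "[POSSIBLE SPOOF] "  # hypothetical subject tag

def _addresses(msg, header):
    """Lower-cased addr-specs from every occurrence of an address header."""
    return [a.addr_spec.lower()
            for h in msg.get_all(header, []) for a in h.addresses]

def check_message(raw):
    """Return (verdict, message); verdict is 'ok' or 'spoof'."""
    # policy.default decodes RFC 2047 encoded-words, so a display name sent
    # as =?utf-8?q?Joe_Smith?= is matched like the plain-text form.
    msg = message_from_string(raw, policy=policy.default)
    from_text = " ".join(str(h) for h in msg.get_all("From", []))
    for name_re, allowed in PROTECTED:
        if not name_re.search(from_text):
            continue
        from_addrs = _addresses(msg, "From")
        reply_addrs = _addresses(msg, "Reply-To")
        # A From header with no parsable address fails closed.
        if from_addrs and all(a in allowed for a in from_addrs + reply_addrs):
            return "ok", msg
        # Failure action from the first post: strip From, tag the subject.
        subject = str(msg.get("Subject", ""))
        del msg["From"]
        del msg["Subject"]
        msg["Subject"] = WARNING + subject
        return "spoof", msg
    return "ok", msg

# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": "From: Joe Smith <joe.smith@example.com>\nSubject: Q3 numbers\n\nhi\n",
    "spoof": "From: Joe Smith <pay@freemail.example>\nSubject: Urgent payment\n\nhi\n",
    "encoded": "From: =?utf-8?q?Joe_Smith?= <pay@freemail.example>\nSubject: Call me\n\nhi\n",
    "replyto": ("From: Joe Smith <jsmith@example.com>\n"
                "Reply-To: pay@freemail.example\nSubject: Invoice\n\nhi\n"),
    "other": "From: Ann Lee <ann@example.net>\nSubject: Lunch\n\nhi\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, out = check_message(raw)
        print(label, verdict, out["From"], "|", out["Subject"])
```

Because the name pattern runs over the whole decoded From header, as in the original description, an address whose local part resembles the protected name is checked against the allow-list as well.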
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As @Jesse Norell pointed out, ISPConfig is using postfix and postfix is a very versatile software and widely used, so it should not be too complicated to adapt the setup for your needs.

    Here is a short example of some general anti-spoofing config which works fine on ISPConfig servers and will be added in ISPConfig 3.1.14:

    In Postfix

    smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/, check_sender_access mysql:/etc/postfix/

    New file: /etc/postfix/

    user = ispconfig
    password = xvvcvxcvvxvxvx
    dbname = dbispconfig
    hosts =
    query = SELECT 'REJECT' FROM mail_domain WHERE domain = '%d' AND active = 'y'
    require_result_set = no
