Email body prepend

Discussion in 'General' started by dmgeurts, May 21, 2019.

Thread Status:
Not open for further replies.
  1. dmgeurts

    dmgeurts Member

    Given the recent increase in email sender spoofing I've been working on a Sieve filter to deal with emails that pass SPF, DKIM and thus DMARC filters but are clearly trying to fool users. My draft filter is listed below, the logic works according to https://www.fastmail.com/cgi-bin/sievetest.pl. I'm looking to drop hidden sender in spam if the domain is different from the receiver, if the same it should just discard.

    What I'd like to do next is to add a bit of html/text to emails that are to be dropped in the spam folder to warn users. I can't find a way using Sieve to do this. I see procmail mentioned but a quick search of this forum for procmail doesn't fill me with confidence. Are there any people out there who are doing this already? What options/tools would you use to modify email body/subject? Sieve can edit the email header so it should be easy to add a flag for another tool. For excample Spamassassin prepends potential spam emails.
    Code:
    require ["reject","fileinto","variables","regex"];
    
    # Test if the display name contains a spoofed email address
    if header :matches "from" "*@* <*@*>" {
        # ${1} spoofed name
        # ${2} spoofed domain
        # ${3} actual name
        # ${4} actual domain
        set :lower "fr_spoof_dn"  "${2}";
        set :lower "fr_spoof_fq"  "${1}@${2}";
        set :lower "fr_actual_fq" "${3}@${4}";
        # Match spoofed vanity sender email addresses
        if not string "${fr_actual_fq}" "${fr_spoof_fq}" {
            if address :domain ["to","cc","bcc"] "${fr_spoof_dn}" {
                # Sender is impersonating target domain.
                #set "warning" "Impersonating";
                #reject "BLOCKED - Impersonating the receiving domain.";
                #discard;
                fileinto "trash";
            } else {
                # Sender is hiding the real source domain.
                #set "warning" "HidingSource";
                #reject "WARNING - Hiding the true sender.";
                fileinto "spam";
            }
        } else {
            # Do nothing, no Spoofing detected.
        }
    }
    If my coding stinks, please feel free to point out improments.
     
    Last edited: May 26, 2019
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You have to enable the editheader extension in your dovecot config for that.
     
    dmgeurts likes this.
  3. dmgeurts

    dmgeurts Member

  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That seems unrelated to the original issue you were addressing? Note that altering message bodies (and signed headers) breaks DKIM signatures, so if you implement that to add signatures (in footer, not dkim) on your outgoing mail, make sure it's only for outgoing mail and hook it in before your DKIM signing. Notably, any mail forwarded through your server should not alter messages like that, or you will have rejections on the recipient end (eg. if you forward to a gmail address, and a message comes in that is DKIM signed and DMARC requires dkim, google would reject the message if you alter it).

    If you're looking for other solutions to address your original issue, you might take a look at the
    FromNameSpoof plugin for SpamAssassin.
     
    dmgeurts likes this.
  5. dmgeurts

    dmgeurts Member

    Absolutely, I agree the link points to an article dealing with sent emails. I was more interested in seeing if it could be used to prepend to the body of a received email, after DKIM had been checked.

    Your editheader suggestion seems to cater to subject line modification, for which my gratitude. I'm (actually) looking for something similar to what Gmail has started doing for suspect emails. O365 has similar abilities. I only want to implement this for received email. If editheaders can do this too then I've not yet spent enough time Googling.
     
    Last edited: May 21, 2019
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I'm not familiar with anything gmail has done different recently .. I just see suspected spam show up in a spam folder (I primarily use imap to access gmail, maybe that's why).

    editheaders lets you edit (add/remove) headers, and runs in your sieve script - ie. when mail is being delivered to a mailbox. You could use it to alter the subject (which breaks most any DKIM signature if you happen to later forward that message externally later in your sieve script), or add another header of your liking.
     
    dmgeurts likes this.
  7. dmgeurts

    dmgeurts Member

    I use both, the website shows the warning. Which may well just be in response to a flag set in the header or as a meta tag outside the email.

    That is something I hadn't considered, (again I find I need to read better) you explicitly mention DKIM issues when using sieve to forward emails with altered subject. I'm not planning to forward email using sieve so I should be safe there.

    I think I'll settle on just blocking directed phishing when a sender tries to impersonate the receiving domain. Other spoofed sources using the vanity name will get marked as spam and put int he spam folder. I may add a marker in the subject line, I definetely would not want to forward these emails anywhere.
     
    Last edited: May 22, 2019
  8. Paul Webb

    Paul Webb New Member

    I'm adding to this OLD thread to say that this needs to be revisited.

    Perhaps MailSieve isn't the answer, but altermime doesn't do it either.

    Basically as spammers become bigger a**holes and try to loop unsuspecting users into scams, a header at the top of the email after it's been delivered to the mail server stating "This is from the outside world!" is becoming increasingly necessary. It can be done in Exchange, but we're looking for some way to do it in ISPConfig.

    If this were a MailSieve rule, it would look like "if origin header does not contain [internal IP subnet], bodyprepend "WarningMessage". If you do it AFTER the message is validated by postfix, then it doesn't break DKIM.

    And before someone retorts about it - Yes, we have training from KnowBefore.... but users are still occasionally fooled.

    Thoughts?
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please open a new thread instead of hijacking a old thread.
     
Thread Status:
Not open for further replies.

Share This Page