kenfcamp asked:
Linux/Sendmail - block mail by the sender's "display name"

I'm dealing with viral emails that come from different email addresses and networks but use the same "display name".

I'm looking to see if there's a way to block mail by the sender's "display name", not the email address.

The mail server is running Sendmail under Linux.

I know I can set up procmail rules, but for those to work the message needs to be accepted for delivery; the end goal is to block the message before it's accepted.

ClamAV does detect the messages, and when it does they're blocked; however, when a new version of the infected file is used it takes a couple of days before an updated signature detects it.

Client PCs are protected with AV, which is detecting and blocking them; however, stopping them entirely would be nice.
Dr. Klahn

What is "display name"? Would that be the un-careted section of, e.g.

BadSender <badsender@nowhere.com>
kenfcamp (asker)

Right. In the example below, the display name is "John Doe":

John Doe <jdoe@email1.com>
John Doe <publicworkshop@email2.com>
John Doe <invoices@email3.com>

John Doe is a legitimate person, but not affiliated with the offending emails other than by display name (John Doe).

Once I figure out a way to block, I should be able to work out a way to allow his legitimate email address through.
Though I am wondering if maybe quarantining for manual review might not be a smarter option over flat-out blocking.
Sounds like the problem might be that your incoming MTA could treat SPF breakage with higher priority.

All these emails will have breakage of SPF or DKIM or both.

Likely best to just set up a policy to block incoming messages with SPF breakage, or at least flag them as SPAM.

This will be far more robust than pattern scanning.
A quick review of what's available on the net did not turn up anything useful.

If this is a Linux box, you can use string matching in iptables, going right down into the arriving packets and looking for the offending name. This is rather brute force, but does work. (In the example below I match on the email address, but there is no reason you can't match on the display name preceding it.) It corrupts the SMTP handshake no end, though, and causes the handshake to time out.

# $iptloc holds the path to the iptables binary, $chname the chain these rules are appended to
# email target: ryhinsxr@mysite
$iptloc -t filter -A $chname -m string --string "ryhinsxr@mysite" --algo bm -p tcp -j DROP

# email target: tbsrtv159@mysite
$iptloc -t filter -A $chname -m string --string "tbsrtv159@mysite" --algo bm -p tcp -j DROP

# email target: zxc13221@mysite
$iptloc -t filter -A $chname -m string --string "zxc13221@mysite" --algo bm -p tcp -j DROP

# spameri@tiscali.it
$iptloc -t filter -A $chname -m string --string "spameri@tiscali.it" --algo bm -p tcp -j DROP



The regex would look something like "BadSpammer\s<"
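As an added example (not code from anyone in this thread), here is the decision logic that a Sendmail milter could apply to the From: header before the message is accepted. It covers the asker's goal (match the display name, let the one known-good address through, and either reject or quarantine the rest) and the caveat to a raw string or regex match like the one above: a display name sent as an RFC 2047 encoded word never contains the literal text, so a byte-level match silently misses it. The blocklist and allowlist entries are constructed placeholders.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed placeholders: the display name being abused, and the one
# legitimate address that uses it and must still be delivered.
BLOCKED_DISPLAY_NAMES = {"john doe"}
ALLOWED_ADDRESSES = {"jdoe@email1.com"}


def normalize_name(raw_name: str) -> str:
    """Decode RFC 2047 encoded words and collapse case/whitespace so that
    '=?UTF-8?B?Sm9obiBEb2U=?=' and 'john   DOE' compare equal to 'john doe'."""
    decoded = str(make_header(decode_header(raw_name)))
    return re.sub(r"\s+", " ", decoded.strip().strip('"')).lower()


def classify_from(header_value: str, action_on_match: str = "quarantine") -> str:
    """Return 'accept', 'quarantine' or 'reject' for a raw From: header value.

    action_on_match is the verdict for a blocked display name whose address is
    not on the allowlist; 'quarantine' keeps the message for manual review."""
    name, addr = parseaddr(header_value)
    if not addr or "@" not in addr:
        return "quarantine"  # unparsable From: header; hold it rather than guess
    if normalize_name(name) in BLOCKED_DISPLAY_NAMES:
        if addr.strip().lower() in ALLOWED_ADDRESSES:
            return "accept"
        return action_on_match
    return "accept"


def naive_regex_matches(header_value: str, display_name: str) -> bool:
    """The 'Name\\s<' style match: works on plain headers, blind to encoded words."""
    return re.search(re.escape(display_name) + r"\s<", header_value) is not None
```

A milter should run this on the decoded header at DATA time, which is the last point at which a 5xx still keeps the message out of the queue entirely.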
Do you have SpamAssassin installed? It is an anti-spam filtering process that can be incorporated into the email handling process.

Feed the message as spam and it should capture similar future messages as spam
Blocking by recipient will require.........


Look at sendmail, SpamAssassin, RBLs and possibly ClamAV to combat spam, viruses...
@ David Favor
All these emails will have breakage of SPF or DKIM or both

40 messages a week, each from a different network; the IP range is used only one time, with no SPF or DKIM.
If they were at least sending from the same IP range I could list them in our RBL, but so far they've been one and done.

at least flag them as SPAM

I tried tagging email from networks with no tags and breaks, but it turns out there are way too many mail servers sending legitimate mail that aren't even remotely configured properly.

@ Arnold

SpamAssassin, ClamAV, 4 RBLs (not including our own) and DKIM/DMARC verification have been set up for years.

Spamassassin - The messages come through as a pricing request, or invoice (The display name used is a legitimate name of someone from one of their suppliers) usually containing an xls attachment

The messages don't score high enough to trigger, and most of the customer profiles have it disabled (don't ask), but in this case it wouldn't do them much good.

ClamAV - Quarantines the messages fine; however, as of 3 days ago the attachments in the messages must be using a new signature, as ClamAV no longer detects them. Avast on the receiving PCs does, which is how I was made aware of the signature change.

Feed the message as spam and it should capture similar future messages as spam

Wouldn't do any good as most of the accounts have their spamassassin profile disabled (again, don't ask)

These people (customer receiving the messages) do not pay attention and are click happy, so it's just a matter of time before someone gets zapped.

RBL - Each sending IP was checked against 100+ RBLs via mxtoolbox and each one passed.

@ DR Klahn

Interesting idea, but I don't know that it'll work against only a "Display Name".
It's not even logged so I doubt it, but will play with it some to see what happens.
When it is missed, rescan them as spam.

Do you whitelist sender emails or domains? That would be counterproductive. Trust no one.

Potentially, requests for quotes originate on your own webserver. Make sure that form is not being abused.

Check headers to make sure that they are not originating on your own equipment with the spammer using the mechanism ..
Does the request-quote form use a captcha type of process?
ASKER CERTIFIED SOLUTION
noci
Potentially, requests for quotes originate on your own webserver. Make sure that form is not being abused.

Not the problem.

These emails are being sent to the email accounts of a customer who is a plumbing supplier (fittings, etc.), masquerading as responses to pricing requests or as invoices (depending on who the message was sent to).

The display name used (John Doe) is a legitimate name for a person they deal with at one of their vendors (I'm thinking her email got hacked).

Marking them up as spam won't work because each account has its own SpamAssassin profile, which is turned off for most of the accounts because nobody can be bothered to train their accounts.

Avast deletes the attachment when the messages are received, so they don't have anything to send to me for training or to create a custom signature on.

I am however in the process of changing their email clients to leave messages on the server so I can retrieve the message upon receiving notification from Avast if the attachment wasn't stopped server side

Still, marking it up as spam would require it to be received before it can be marked. It would be much better if it never even made it that far.
Have you considered that they might have been compromised?
Check the received headers of the messages of this type to see where they originate.

They may have or were and the mailing is part of their address book ...

Not sure how you set things up, but you can have SpamAssassin perform a company-wide generic filter before the more customized one.
The users could be advised to move spam messages into a folder that can be processed on their behalf.

Much depends on your setup.


See if IMAP is an option for you, based on your comment that your current setup uses POP.

rspamd is in the receiving line of the mailserver, or works together with the MTA during RECEIPT of the message by the MTA, or even before it.

Same for AMAVIS; then SpamAssassin is trained by the mailsystem (assisted by the option I mentioned as #9 for anything that gets through), or anything that gets into a spam mail account and should be marked as legitimate.


Spam scanning by the MUA (Outlook, pine, Kontact, etc.) is far too late in the process.

@Arnold

See if IMAP is an option for you, based on your comment that your current setup uses POP

It is, but this particular group of users is particularly difficult.

There is a group that wanted/needed to view sent/received messages regardless of their device (desk / on the road, etc.), so I started to migrate some of their POP3 accounts to IMAP and ended up stopping. It's done case by case at the moment.

You see, these clowns don't delete anything, nor do they archive or move to folders. Everything stays in their inbox, and once the IMAP inbox on the server hits around 8k messages they're calling because they can't check their mail.

@noci
Spam scanning by the MUA (Outlook, pine, Kontact, etc.) is far too late in the process.

Agreed,

Procmail handles spamassassin at the moment "IF" spamassassin is enabled for the particular email account. It's not handled client side.

At one time it was enabled by default marking messages identified as spam with a score of 7 or above. I got complaints so modified it to messages with a score of "25" and above and still got complaints so I investigated the messages.

It turns out spamassassin got it right, but the users were expecting the messages. So for those who requested it, I disabled spamassassin for their POP accounts.

With the accounts moved to IMAP I tried something different. 3 months ago I created spam and not-spam folders in their profiles and re-activated spamassassin to mark messages with a score of 10 and above as spam and send it to their "Junk" folder

I explained they should move "false negatives" to the spam folder and copy "false positives" to the not-spam folder.
Messages in the spam folder would be trained as spam and deleted. Messages in the not-spam folder would be trained and deleted.

The users in question have been tested and retrained as necessary several times in two weeks with test emails to ensure they understood the process.

To date not one message has been marked for training but I have received calls to disable spamassassin on their accounts.
IMHO, referring to your users as "clowns" does not provide for a ...


As the administrator of your server you have limited options if your sendmail uses mbox style.

If you use procmail as the MDA, you can process a general system-wide SpamAssassin filter before you drop privilege to handle the user delivery.

The issue with POP is that it is a one-way trip. There are no folders .. the loss of emails would then require that you have some backup process on the user/workstation side .....

With sendmail, aging messages in the inbox through relocation to another folder accessible by IMAP is a way to go, but the implementation on your side could get complex.

There are alternatives that offer more flexibility: a Maildir/ formatted mailbox. You can then use different mechanisms to access the message, from web-based access to IMAP using courier-imap, dovecot, etc., that are more robust and less memory intensive....

Instead of disabling, you can change the behavior to add to the Subject: ---SPAM ---

But as noted, POP does not offer an interactive mechanism for the reprocessing/learning/teaching.

I see auto-classify as potentially compounding an error, as well as adding processing unnecessarily.


Who sets policy? Do you provide a mechanism by which they can turn on or off their settings?
That might be a way to simplify things, allowing the user to handle it.
IMHO, referring to your users as "clowns" does not provide for a ...

Normally true, but in some cases you get one or two that seem determined to set themselves apart :\

The issue with POP is that it is a one-way trip. There are no folders .. the loss of emails would then require that you have some backup process on the user/workstation side

All PCs have user documents (including email profiles) backed up on a daily basis.

If you use procmail as the MDA, you can process a general system-wide SpamAssassin filter before you drop privilege to handle the user delivery

I'm aware of that, but I've been reluctant to do a system-wide SpamAssassin filter due to the site not wanting SpamAssassin on their accounts.

Instead of disabling, you can change the behavior to add to the Subject: ---SPAM ---

I did, as a last resort; all it did was mark it....

Who sets policy? Do you provide a mechanism by which they can turn on or off their settings?
That might be a way to simplify things allowing the user to handle.

They've got no control on anything server side. If they need something changed they call or send a request (E-Mail)
(We handle their internal network needs, so I'd be making any changes that needed to be made anyway)

Steps:

1st: Get a clear description from MANAGEMENT of what your mail system should do, should not do, etc. (And point out up front that the policy should APPLY to ALL personnel.) Get it in written form. NO exceptions... not even for management!

2nd: Build your environment around this, together with guidelines for use.

3rd: Train the people in proper use. Those that don't want to live up to their part should suffer the consequences of their own choices. If they are carpenters and only want to handle 400g hammers and now need a 1000g hammer to handle a big nail, they should not stubbornly try the 400g hammers but use the tools needed. If they reject this, you HAVE TO BE ABLE to point to the description from management.


If management rejects this way of working, then create a setup that should be capable of handling all cruft and leave it at that; any more effort will be futile... it is either organized or it is wild west, there is no in-between.

Ransomware/Phishing/Spam by mail will happen even with filtering; there is a difference if you belong to the low-hanging fruit or are higher up the tree.

Ransomware/Phishing can be very hard to detect anyway.., it's just that the stakes get higher.



Please provide more info on your mailsetup...

or consider a slightly different setup....


EXIM/Postfix mailreceiver (MTA)   DKIM + DMARC can be processed here...

  - IP address against RBLs on connect, connection rate / IP source if you want.    This will prevent most.

  - HELO/EHLO packet for validity w.r.t. IP address    - this is a 2nd large winner

  - FROM address check (SPF) / blacklists / whitelists here or in RSPAMD

  - TO address check if you want the mail anyway

   Here greylisting can help if the source/destination address pair has been seen before by this server. Unknowns are temporarily blocked to be retried later (mostly 1 hour by SMTP standard).

      If retried within minutes it must be a spammer, and thus either be rejected ad nauseam, or even get blacklisted.

   DATA:

       DKIM & DMARC processing

      Then the data part can be passed on to RSPAMD for a verdict on content

  Final delivery to MUA... or IMAP database.

RSPAMD configured with it

   Validates receiver, sender (can do greylisting advice, DKIM etc. also), does SpamAssassin check, virus scans, URBL ..... (mostly content.)

DOVECOT/ CYRUS - IMAP / POP servers

   They can handle massive amounts of mail effectively.

   Make it possible to create subfolders etc. and use archiving.

   (Using sieve scripts some handling can be automated.)


Btw, if you follow all guidelines you will also find Microsoft is one of the big offenders in how mail should be handled and how they do it....


I almost have no more spam... anything above 5 points is considered spammy; anything > 7 is not delivered to the end user.

There is 1 or 2 / month spam coming through, most sent to a mail address that used to be used on LinkedIn and was leaked years ago.

Roughly 70K spam mail / month blocked by the various methods. Not a lot of people complain I do not respond to mail or

System-wide deals with the most general criteria, i.e. filter incoming messages for viruses, ransomware, etc.

A web-based interface that allows for a specific set of rules, options. It is not an open-ended mechanism where they have to know what they are doing...

To everything there is more than one approach.
either way you will spend time on each issue, one approach has a possibility of being finite where the user understands.

In a case where they do not want filtering, making it clear that filtering is the only way to curb/reduce the amount of fake things they are receiving.
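The greylisting step in the receiving pipeline described above, as an added example (not code from the thread or from any of the tools it names): an in-memory greylist keyed on the (source IP, MAIL FROM, RCPT TO) triplet. An unknown triplet gets a temporary failure; a retry after a sane delay is accepted and remembered; a retry within minutes is treated as a sender that ignores 4xx, and a source that keeps doing it is blacklisted. The thresholds are assumptions, and the "each IP used only once" senders from the question are exactly the kind that never come back for the retry.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

MIN_RETRY_SECONDS = 300          # assumed: a real MTA waits at least this long before retrying
MAX_WAIT_SECONDS = 4 * 3600      # assumed: a first retry this late is treated as a fresh unknown
EARLY_RETRIES_TO_BLACKLIST = 3   # assumed: this many too-fast retries earns the source IP a blacklist entry


@dataclass
class Greylist:
    """In-memory greylist keyed on the (source IP, MAIL FROM, RCPT TO) triplet."""
    pending: dict = field(default_factory=dict)        # triplet -> time first seen
    known: set = field(default_factory=set)            # triplets that retried correctly
    early_retries: dict = field(default_factory=dict)  # ip -> count of too-fast retries
    blacklisted: set = field(default_factory=set)      # ips that kept ignoring our 4xx

    def decide(self, ip: str, mail_from: str, rcpt_to: str, now: Optional[float] = None) -> str:
        """Return the SMTP outcome for this envelope: 'accept', 'tempfail' (4xx) or 'reject' (5xx)."""
        now = time.time() if now is None else now
        triplet = (ip, mail_from.lower(), rcpt_to.lower())
        if ip in self.blacklisted:
            return "reject"
        if triplet in self.known:
            return "accept"
        first = self.pending.get(triplet)
        if first is None:
            # Never seen: ask the sender to come back later. A one-shot spam engine
            # that uses each IP once simply never returns, so nothing is delivered.
            self.pending[triplet] = now
            return "tempfail"
        elapsed = now - first
        if elapsed < MIN_RETRY_SECONDS:
            n = self.early_retries.get(ip, 0) + 1
            self.early_retries[ip] = n
            if n >= EARLY_RETRIES_TO_BLACKLIST:
                self.blacklisted.add(ip)
            return "reject"
        if elapsed > MAX_WAIT_SECONDS:
            self.pending[triplet] = now   # too late to count as a retry; start over
            return "tempfail"
        # Retried after a sane delay: behaves like a real MTA, remember the triplet.
        self.known.add(triplet)
        del self.pending[triplet]
        return "accept"
```

In production the state lives in a shared database rather than a process dictionary, and legitimate sender pools that retry from a different IP need the source key widened to a network prefix (the usual postgrey-style approach).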
You can try integrating postgrey with sendmail. This way you can prevent a lot of spammers.
You said, "40 messages a week each from a different network, IP range used only one time with no SPF or DKIM".

Then the solution is simple.

Reject any incoming message which fails to pass checks - IPRev + SPF + DKIM.

Do this + you're done. Problem solved.