Blocking email from own email addresses that fail DKIM

jaybea28309 · 26 Nov 2016, 05:21 PM

The latest wave of Locky / Zepto spam mail comes from voicemail@ with your own domain tacked on. Since I have a voicemail@***.co.uk email address, and had a [Vigor2820 Series] that appears in the subject line, this is increasing the risk of someone opening one of the messages.

Obviously, the message fails authentication, since it was not sent via the fastmail servers, but how can I filter for this in a custom rule? I currently have the following rule, which does not appear to work as the mail still gets delivered to the Inbox (although it does in the sieve tester):

Code:

if allof(
	header :contains  ["from", "X-Mail-from"] ["mydomain.co.uk"],
	header :contains ["Authentication-Results"] ["dkim=none","dkim=fail"]

Thanks!

Terry · 26 Nov 2016, 06:35 PM

Do you want to filter or discard?

{
discard;
stop;
}

jaybea28309 · 26 Nov 2016, 08:08 PM

Quote:

Originally Posted by Terry

Do you want to filter or discard?

{
discard;
stop;
}

I didn't include the action lines, but it filters into a spam folder: I like to keep track of what is being caught by the sieve filters, so I don't discard anything.

BritTim · 27 Nov 2016, 09:42 AM

I cannot figure out from your posts what your full sieve script looks like, and thus how the conditions you specify relate to the overall logic. It is tempting to conclude that either (i) the block of code is never reached; or (ii) script execution continues and overrides whatever processing was in your local code block.

jhollington · 28 Nov 2016, 05:05 AM

As a bit of an aside, do you have SPF and DMARC records published for your domain? Since FastMail respects DMARC, I find just having the appropriate records in place (with "-ALL" in the SPF record and "p=reject" in the DMARC record) gives any bogus messages like this a pretty high spam score (which in my case still tosses them into my spam folder).

The upside to publishing these records, of course, is that you'd also prevent bogus messages from your domain landing on other mail servers as well — assuming of course that they respect DMARC.

It wouldn't even really be a DKIM issue at this point, as those messages would be originating from a server that's not listed in your SPF record.

26 Nov 2016, 05:21 PM	#1
jaybea28309 Junior Member Join Date: Jul 2009 Posts: 19	Blocking email from own email addresses that fail DKIM The latest wave of Locky / Zepto spam mail comes from voicemail@ with your own domain tacked on. Since I have a voicemail@***.co.uk email address, and had a [Vigor2820 Series] that appears in the subject line, this is increasing the risk of someone opening one of the messages. Obviously, the message fails authentication, since it was not sent via the fastmail servers, but how can I filter for this in a custom rule? I currently have the following rule, which does not appear to work as the mail still gets delivered to the Inbox (although it does in the sieve tester): Code: if allof( header :contains ["from", "X-Mail-from"] ["mydomain.co.uk"], header :contains ["Authentication-Results"] ["dkim=none","dkim=fail"] Thanks!

26 Nov 2016, 06:35 PM	#2
Terry The "e" in e-mail Join Date: Jul 2002 Location: VK4 Posts: 3,028	Do you want to filter or discard? { discard; stop; }

27 Nov 2016, 09:42 AM	#4
BritTim The "e" in e-mail Join Date: May 2003 Location: mostly in Thailand Posts: 3,095	I cannot figure out from your posts what your full sieve script looks like, and thus how the conditions you specify relate to the overall logic. It is tempting to conclude that either (i) the block of code is never reached; or (ii) script execution continues and overrides whatever processing was in your local code block.

28 Nov 2016, 05:05 AM	#5
jhollington Essential Contributor Join Date: Apr 2008 Posts: 371	As a bit of an aside, do you have SPF and DMARC records published for your domain? Since FastMail respects DMARC, I find just having the appropriate records in place (with "-ALL" in the SPF record and "p=reject" in the DMARC record) gives any bogus messages like this a pretty high spam score (which in my case still tosses them into my spam folder). The upside to publishing these records, of course, is that you'd also prevent bogus messages from your domain landing on other mail servers as well — assuming of course that they respect DMARC. It wouldn't even really be a DKIM issue at this point, as those messages would be originating from a server that's not listed in your SPF record.