As part of our ongoing attempt to combat spam within our email systems, on Monday Feb 26th we will be changing our postfix configuration settings to prohibit email being sent from addresses with domains which don’t match the account logging in. Our previous practice of allowing an authenticated account to specify whatever “from” headers they wish has been exploited by spammers and cannot be continued at this point. If you are currently in the habit of logging into one account to send email for multiple domains you will want to create easymail accounts within each domain you use for sending email.
As part of this clients will no longer be able to send through subdomains of their domain, so an account for example.com would no longer be able to send email for addresses within sub.example.com. In order to be able to send from an address @sub.example.com, clients will now need to create an MX record for sub.example.com and then go to the easymail link on the email tab for the parent domain, example.com. You will see you have the ability to enable and create email accounts under the sub.example.com hostname, and you will need to create at least one email account for sub.example.com to authenticate through in order to be able to send for addresses within that level of the domain.
Couldn’t you have found a better solution that doesn’t completely eliminate all legitimate use of the old behaviour? I get that allowing “whatever” From headers is a problem, but do you really need to go to the full extreme of allowing “no other” From headers? Why not allow me to send From headers using other domains as long as those domains belong to my EasyDNS account? Especially for subdomains – what an asinine restriction that one is! How does blocking people from sending from subdomains of the same domain accomplish anything useful towards combating spam? I think you need to go back to the drawing board on this one and keep in mind that security vs usability is a spectrum not just two absolutes.
I have other domains where I have not enabled EasyMail and am just using mailmaps to forward incoming mail to an EasyMail account at my main domain. So what you are saying is that now I have to enable EasyMail on those domains, redo the mailmaps as EasyMail mailmaps, and create an unneeded EasyMail account at each domain. Then, when I’m logged in to webmail for my main account and want to reply to an incoming message using the original email address, I’ll have to logout of webmail, sign back in to webmail using the unneeded EasyMail account at the original domain, and then somehow send my reply from there, even though the message I want to reply to is back in the main account that I’m now logged out of? This is so stupid.
I’m of a similar opinion to the above two commenters.
This change unnecessarily impacts your good users. You have known, authenticated users who abuse your system: deal with them directly! The planned approach indicates a poor overall grasp on the issue and will only lead to a behavior change by the spammers (you spell out above how they need to change to have their spam continue to go through: send mail from the actual disposable domains they registered with a bad credit cards).
I don’t use easyMail, I have MX pointing to my own server but sporadically use easySMTP, for example while on the road. It’s not clear from the description how the above would even work for situations like mine.
Random thoughts: Spam-filter outbound mail: check if you are a listed in the SPF of the given sender domain, look at deliverability metrics (receipt-time remote spam filter rejections, rejections for unknown accounts, etc), Bayeserian logic to learn source domains you can trust and perhaps tie domains seen to accounts, include account age as an indication of trust, then build a score and freeze questionable email and/or suspend the offenders.
I’m glad to see this was cancelled or at least delayed until you come up with something with less collateral damage.
I’m in the same boat as the second poster.
I’d configured the default “from” field in my mail client to be my main forwarder in my primary domain because that’s the address I want people to contact me at (unless I change it on a per message basis to communicate with someone that I want to use a different forwarder) and not the direct mailbox, so I can change the main mailbox without missing any mail. (Being able to change the main mailbox username at will if spam starts showing up there directly at least enables me the advantage of being able to turn off the “duplicate copy” of said spam.)
I had over time accumulated a lot of forwarders under my first domain (mostly so I could better monitor where messages were coming from by giving different places different E-mails) So when I decided to move my main mailbox to EasyDNS (from my original dial up provider) I saw I couldn’t have that many forwarders under Easymail as I’d been able to do with the original forwarder only option. (Which I had since before Easymail existed.) The solution was that I upgraded my second domain to the higher package so I could set up E-mail boxes there and leave the forwarders in my primary domain alone.
It would take a huge amount of time to go through, change contact info various places before I could turn some of the forwarders off, some are used by friends who I’d have to ask which one I can wind down without being disruptive to them, etc. so even after that I probably still wouldn’t have it down enough to what would be an allowed number of forwarders under Easymail.
Of course most people note what’s in the “From” field if they are writing it down or copying the address to a file/contact list or if they just hit “reply” in their E-mail client or webmail it will go to whatever is in the “from” field. So for this reason I prefer to not put the direct mailbox address in the from field because then I couldn’t change the main mailbox without risking missing mail. The ability to control the “from” address is incredibly helpful for managing default human behavior.
Also anyone who looks at the “X-Sender:” header can still tell where the message was really from so changing the regular “From” field doesn’t really help a spammer hide anything. Just as noted above that “X-Sender:” header won’t affect where replies come to if someone just hits reply on their mail client or webmail. (Of course most people won’t poke that far through the headers to put the address from the “X-Sender:” header in their contact list so it still keeps people/organizations using the E-mail address I want them to when they reply. ^_-)