Email & Spam

Bruce Dawson jbd at codemeta.com
Sun Mar 12 16:39:18 EDT 2023


See injection below.

--Bruce

On 3/12/23 13:39, Joshua Judson Rosen wrote:
>   > On 3/10/23 12:43, Bruce Labitt wrote:
>   >> In email headers, are there any fields which are not spoof-able?  Or is email simply a morass that is totally unsolvable and broken?  Simply impossible to filter spam?  Now I am getting spam that is passing all the dmarc, spf, and dkim checks.  Volume is relatively low at the
>   >> moment, 6 in 12 hours, but I am sure the bad guys are working on increasing the volume.
>   >>
>   >> In particular, is
>   >>
>   >> X-Origin-Country reliable?  Or is this data field unsuitable for filtering as well?
>   >>
>   >> Are there any mail client pre-filtering packages that can be added?  Or is this a game best left to?
>
> On 3/10/23 17:02, Bruce Dawson wrote:
>> Essentially, no - all email headers are spoofable except the ones put on by your server.
>> Your server should insert a Received-by header that indicates who sent that message to you.
> Though in the case of the headers providing DKIM signatures, those are "unspoofable" to the extent that they're used,
> since that's a cryptographic signature that you can verify.
>
> There are caveats there, basically that the DKIM signatures are only for select _parts_ of the message...,
> but _generally_ if you have a valid DKIM signature then you at least know where the message
> actually came from.
>
> And if you've got "spam that is passing all the dmarc, spf, and dkim checks", then
> you know even more assuredly who's sending you spam.
>
> So, at least in theory, that gets you past the `detecting spoofs' point,
> so now you just have to worry about the spam coming in from new
> domains that you haven't blocked yet....

Except when an intervening server deletes all the DKIM (and other) 
envelope information. Of course, that's a bad actor/server, but isn't 
that what most SPAM servers are?
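As an added illustration of the points raised in this thread (this is example code written for the page, not code from the list or from any of the posters), the Python script below reads a constructed sample message and reports what a DKIM signature would and would not vouch for: the headers named in the signature's h= tag, the Received hop your own server stamped (the only one you did not have to take on trust), the d= signing domain against the From: domain, and any Authentication-Results header that some other server added. It does not verify the signature cryptographically; that needs the selector's public key from DNS and a library such as dkimpy. All host names, addresses and signature values in the sample are invented placeholders, and the authserv-id mail.mydomain.example is an assumption.

```python
"""Inspect what a DKIM signature on a message actually vouches for.

Added example for this thread; not code from the list or its posters.
It does not verify the signature (that needs the selector's public key
from DNS); it shows which headers a valid signature would cover, which
Received hop is yours, whether the signing domain matches From:, and
which Authentication-Results headers were not stamped by your server.
"""
from email import message_from_string, policy

# Constructed sample message: hosts, addresses and signature values are
# invented placeholders, not a real capture.
SAMPLE = """\
Authentication-Results: mail.mydomain.example; dkim=pass header.d=sender.example
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.mydomain.example (Postfix) with ESMTPS id ABC123
\tfor <me@mydomain.example>; Sun, 12 Mar 2023 13:00:00 -0400 (EDT)
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender.example
Received: from bulk.sender.example (bulk.sender.example [198.51.100.7])
\tby mx.example.net with ESMTP; Sun, 12 Mar 2023 12:59:58 -0400
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel1; c=relaxed/relaxed;
\th=from:to:subject:date; bh=dGVzdA==; b=c2lnbmF0dXJl
From: Promo <promo@sender.example>
To: me@mydomain.example
Subject: Special offer
Date: Sun, 12 Mar 2023 12:59:00 -0400
X-Origin-Country: US
Reply-To: someone-else@other.example

Body text.
"""


def load(raw: str):
    """Parse a raw RFC 5322 message with the header-aware default policy."""
    return message_from_string(raw, policy=policy.default)


def parse_dkim_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value ('k=v; k=v; ...') into a tag dict,
    dropping the folding whitespace inside values."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def signed_and_unsigned_headers(msg):
    """Return (signed, unsigned) header names according to the h= tag.
    Anything in 'unsigned' can be added or altered in transit without
    invalidating the signature, so it says nothing about the origin."""
    present = []
    for name in msg.keys():
        if name.lower() not in present:
            present.append(name.lower())
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return [], present
    h_tag = parse_dkim_tags(str(sig)).get("h", "")
    covered = {h.lower() for h in h_tag.split(":") if h}
    signed = [h for h in present if h in covered]
    unsigned = [h for h in present if h not in covered and h != "dkim-signature"]
    return signed, unsigned


def received_trail(msg):
    """Received headers top-down as (from_host, by_host). The first entry
    was stamped by the last hop, i.e. your own server; every earlier one
    arrived inside the message and was written by whoever handed it on."""
    hops = []
    for r in msg.get_all("Received", []):
        text = " ".join(str(r).split())
        frm = text.split("from ", 1)[1].split()[0] if "from " in text else "?"
        by = text.split("by ", 1)[1].split()[0] if "by " in text else "?"
        hops.append((frm, by))
    return hops


def dkim_domain_alignment(msg):
    """Compare the signing domain (d=) with the From: domain, as DMARC does.
    A match tells you who signed the message, not that they are honest."""
    sig = msg.get("DKIM-Signature")
    d = parse_dkim_tags(str(sig)).get("d", "").lower() if sig else ""
    from_domain = msg["From"].addresses[0].domain.lower()
    return d, from_domain, bool(d) and d == from_domain


def foreign_auth_results(msg, my_authserv_id: str):
    """Authserv-ids of Authentication-Results headers your own server did
    not stamp; those arrived with the message and should be ignored."""
    foreign = []
    for v in msg.get_all("Authentication-Results", []):
        authserv = str(v).split(";", 1)[0].strip()
        if authserv.lower() != my_authserv_id.lower():
            foreign.append(authserv)
    return foreign


if __name__ == "__main__":
    m = load(SAMPLE)
    print("signed/unsigned:", signed_and_unsigned_headers(m))
    print("hops:", received_trail(m))
    print("alignment:", dkim_domain_alignment(m))
    print("foreign auth results:", foreign_auth_results(m, "mail.mydomain.example"))
```

Run it on a saved message instead of SAMPLE to see how little of a typical header block a signature actually covers; Reply-To and the X-Origin-Country field asked about above fall outside h= here and would be unsigned, and a message that reaches you with the DKIM-Signature header stripped yields an empty signed list, which is exactly the case where a relayed dkim=pass claim should not be believed.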
