Rule to filter "true" From: address....?
Mariano Absatz
mailscanner at LISTS.COM.AR
Wed May 5 13:30:12 IST 2004
Hi Brooks,
there's no such thing as 'the real from address' in plain smtp world :-(
As you probably know, there are two 'from addresses' in a message that are
often confused.
One is the one you see in the headers as:
From: Brooks Weisblat <mailscanner at ISLANDB.COM>
In this case, 'mailscanner at islandb.com' is the 'header from' or 'RFC 822
from'.
This is, "in theory", the human responsible for this message. The message
transmission system, including MailScanner, ignores this address.
Then you have the 'envelope from' address. This is the one used by the
message transmission system in their SMTP protocol dialogs.
Usually, the mail server responsible for final disposal of the message (e.g.
your own mail server that puts the message in your mailbox for you to pick
via POP3, IMAP, webmail or whatever) is kind enough to put this address in a
header you can see: 'Return-Path:'.
In the case of your message, it arrived with:
Return-Path: owner-mailscanner at jiscmail.ac.uk
That is, I suppose that, when you originated the message, the envelope from
was also 'mailscanner at islandb.com', however, the list server at
jiscmail.ac.uk replaced it, probably so it can handle bounces and be able to
unsubscribe or suspend bouncing addresses, and you don't have to receive
them.
The point is that there's no guarantee that EITHER of these two 'from's isn't
fake.
I can _very_ easily send you a message where BOTH froms are fake (e.g. your
own)... I can even send that to the list and the list server wouldn't be able
to tell that I'm not you.
You could use SMTP AUTHentication, but then, you can only trust users
authenticated thru your mail servers or mail servers that authenticate into
yours (hardly any).
We've developed a patch that allows us to identify our users authenticated
via SMTP AUTH into our MailScanner server and automatically bounce them
things, but it only works for OUR own users authenticated into OUR own
servers, and only with ZMailer (no Sendmail, Exim or Postfix).
We're trying this thing out and will send it to Julian so that if someone is
able to do the same with the other MTAs, it can become a part of the
standard MailScanner... but I don't think this would solve your problem.
Regards.
On 4 May 2004 at 20:46, Brooks Weisblat wrote:
> I have a ruleset that alerts admins if a person from a certain domain name
> sends an email with a virus....
>
> the problem is that some of these rampant email viruses forge the "From:"
> addresses..... causing the admins to get alerted when they shouldn't....
>
> Is there any way to create a ruleset that would be used based on the real
> From address?
>
> am I better off using an IP based rule? the problem with an IP based
> rule, is that it wouldn't apply to users on the road, logging in from the
> outside...
>
> thanks for any guidance....
--
Mariano Absatz
El Baby
----------------------------------------------------------
I don't care to belong to a club that accepts people like me as members.
-- Groucho Marx
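The two 'from' addresses described in the reply above, side by side in code. This is an added example, not code from the thread or from MailScanner; it parses a constructed message that reuses only the header From: and Return-Path: values quoted in the post (written with '@'), and shows what a "From: is in my domain" rule would actually key on.

```python
"""Compare the header From: (RFC 822) with the envelope From (Return-Path:).

Both values are supplied by the sending side and neither is authenticated, so
agreement is not proof of origin; disagreement only tells you that the envelope
sender was rewritten (as a list server does) or that one of the two is forged.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the thread.
SAMPLE_MESSAGE = """\
Return-Path: <owner-mailscanner@jiscmail.ac.uk>
From: Brooks Weisblat <mailscanner@islandb.com>
To: mailscanner@jiscmail.ac.uk
Subject: Rule to filter "true" From: address....?

body text
"""


def sender_addresses(raw: str) -> dict:
    """Return the header From and the envelope From of a raw message."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    # Return-Path is written by the final delivering MTA from the SMTP MAIL FROM.
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return {"header_from": header_from, "envelope_from": envelope_from}


def domain_of(address: str) -> str:
    """Domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def admin_alert_basis(raw: str, protected_domain: str) -> dict:
    """What a 'sender is in my domain' rule sees for each of the two addresses,
    plus whether they agree.  A rule that only checks header_from_matches fires
    on any virus that forges the From: header, which is the problem in the thread."""
    addrs = sender_addresses(raw)
    wanted = protected_domain.lower()
    return {
        "header_from_matches": domain_of(addrs["header_from"]) == wanted,
        "envelope_from_matches": domain_of(addrs["envelope_from"]) == wanted,
        "senders_agree": addrs["header_from"] == addrs["envelope_from"],
    }


if __name__ == "__main__":
    print(sender_addresses(SAMPLE_MESSAGE))
    print(admin_alert_basis(SAMPLE_MESSAGE, "islandb.com"))
```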
-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html