Rules, and Envelope header forging

Glenn Steen glenn.steen at gmail.com
Thu May 18 16:10:40 IST 2006


On 18/05/06, Alex Laslavic (Lenox) <Alex.Laslavic at bcdtravel.com> wrote:
> Currently at one of my sites, we are only using MailScanner to block
> spam / phishing for certain domains.  My plan is to eventually scan
> globally, as I have been using MailScanner for years, and have lots of
> faith in it, but the exchange admins are scared, so we are taking it
> slowly.
>
> One of the rules we have, that sets off SpamAssassin is:
> # We want to block fraudulent email from paypal
> From:   @paypal.com                             yes
> # paypal wildcard 1
> From:   paypal                          yes
> # paypal wildcard 2
> From:   @*.paypal.com                           yes
> # paypal wildcard 3
> From:   *paypal*                                yes
>
>
> I was being overly careful specifying the syntax, so I'm sure that's
> unnecessary.
>
> The current problem is that we received a message where the Envelope
> from was some random domain, but the actual From: header showed
> service at paypal.com.
>
> This snuck by the rule, because I guess it checks the Envelope from, not
> the From: header.
>
> Any idea how I can get past that?
>
> Can I specify a header check in the Rules, or just Envelope To/From?
>
> Headers below:
> --------------------------
>
> +---------------------------------+-------------------------------------------------+
> | from_address                    | subject                                         |
> +---------------------------------+-------------------------------------------------+
> | anonymous at mail.dumbonion.com | PayPal Notification : Your account is suspended |
> +---------------------------------+-------------------------------------------------+
>
>
> Received: from mail.dumbonion.com (unknown [64.8.111.2])
>         by mail3.worldtravel.com (Postfix) with SMTP id 613201A4D35
>         for <sanitized at worldtravel.com>; Wed, 17 May 2006 23:26:35 -0400 (EDT)
> Received: (qmail 26668 invoked by uid 398); 17 May 2006 18:03:04 -0000
> Date: 17 May 2006 18:03:04 -0000
> To: sanitized at worldtravel.com
> Subject: PayPal Notification : Your account is suspended
> Message-ID: <1147888984.175046.qmail at paypal.com>
> From: "Customer Support" <support at paypal.com>
> Content-Type: text/html
>
>
I find that most/all of these are picked up by clamav... and the rest
tend to attract a lot of points from SA... And none seem to carry the
actual paypal string anywhere in the envelope sender (which is what
the rules operate on), so those rules look to be a bit pointless, IMO.

If you use postfix, you could make that a header check, but ... I
suppose there are loads of SA rules to handle exactly this... Not to
mention the MS phishing net being able to help with these, in all
probability;).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
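The gap discussed in this thread, shown in code as an added example (not from the original posts, MailScanner or Postfix): MailScanner's `From:` rules test the envelope sender, while the phish only carries "paypal" in the `From:` header. The script below rebuilds the quoted headers as a constructed sample (with `@` restored where the archive printed ` at `, and the envelope sender taken from the `from_address` column), reduces the four rules to the one `*paypal*` wildcard that subsumes them, and contrasts that envelope match with a Postfix-style `header_checks` regex on the raw `From:` line. The function names, the `HEADER_CHECK` pattern and the `classify` result keys are this example's own assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, reproducing the headers quoted in the thread; the body
# is a placeholder. "@" is used where the list archive printed " at ".
RAW_MESSAGE = """\
Received: from mail.dumbonion.com (unknown [64.8.111.2])
        by mail3.worldtravel.com (Postfix) with SMTP id 613201A4D35
        for <sanitized@worldtravel.com>; Wed, 17 May 2006 23:26:35 -0400 (EDT)
Received: (qmail 26668 invoked by uid 398); 17 May 2006 18:03:04 -0000
Date: 17 May 2006 18:03:04 -0000
To: sanitized@worldtravel.com
Subject: PayPal Notification : Your account is suspended
Message-ID: <1147888984.175046.qmail@paypal.com>
From: "Customer Support" <support@paypal.com>
Content-Type: text/html

(body omitted in this constructed sample)
"""
# Envelope sender as shown in the from_address column of the post.
ENVELOPE_FROM = "anonymous@mail.dumbonion.com"

# The four MailScanner rules in the post all reduce to "does the string
# 'paypal' occur anywhere in the address": the widest one, *paypal*, covers
# @paypal.com, paypal and @*.paypal.com.
PAYPAL_PATTERN = re.compile(r"paypal", re.IGNORECASE)

# A Postfix header_checks line such as
#     /^From:.*@(.*\.)?paypal\.com>?\s*$/   REJECT
# is applied to each header line, so it does see the From: header that the
# envelope-based MailScanner rule never looks at. The regex below mirrors
# that check (an assumed pattern, not one taken from the thread); the end
# anchor keeps look-alike domains such as paypal.com.example from matching.
HEADER_CHECK = re.compile(r"^From:.*@(.*\.)?paypal\.com>?\s*$",
                          re.IGNORECASE | re.MULTILINE)


def envelope_rule_matches(envelope_from: str) -> bool:
    """What the MailScanner From: rules actually test: the envelope sender."""
    return PAYPAL_PATTERN.search(envelope_from) is not None


def header_from_address(raw_message: str) -> str:
    """Bare address from the From: header, display name discarded."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def header_check_matches(raw_message: str) -> bool:
    """Postfix-style header check, run over the header block only."""
    header_block = raw_message.split("\n\n", 1)[0]
    return HEADER_CHECK.search(header_block) is not None


def classify(envelope_from: str, raw_message: str) -> dict:
    """Compare the envelope and header views of the sender and flag the gap."""
    env_hit = envelope_rule_matches(envelope_from)
    hdr_addr = header_from_address(raw_message)
    hdr_hit = PAYPAL_PATTERN.search(hdr_addr) is not None
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = hdr_addr.rsplit("@", 1)[-1]
    return {
        "envelope_from": envelope_from,
        "header_from": hdr_addr,
        "envelope_rule_hit": env_hit,
        "header_rule_hit": hdr_hit,
        "postfix_header_check_hit": header_check_matches(raw_message),
        # True when only the visible From: header claims the brand: exactly
        # the message in the post, which the envelope rules let through.
        "header_only_spoof": hdr_hit and not env_hit,
        "domain_mismatch": env_domain != hdr_domain,
    }


if __name__ == "__main__":
    for key, value in classify(ENVELOPE_FROM, RAW_MESSAGE).items():
        print(f"{key:26} {value}")
```

Run stand-alone, it reports `envelope_rule_hit False`, `header_rule_hit True` and `header_only_spoof True` for the quoted message, which is the whole problem in one line: the rule file and the phish are looking at two different fields. The header-side check is deliberately anchored on the domain rather than on a bare `paypal` substring, so that legitimate third-party domains which merely contain the word are not rejected.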

