Rules, and Envelope header forging

Alex Neuman alex at nkpanama.com
Thu May 18 16:17:12 IST 2006


How about checking at the MTA level?

Glenn Steen wrote:
> On 18/05/06, Alex Laslavic (Lenox) <Alex.Laslavic at bcdtravel.com> wrote:
>> Currently at one of my sites, we are only using MailScanner to block
>> spam / phishing for certain domains.  My plan is to eventually scan
>> globally, as I have been using MailScanner for years, and have lots of
>> faith in it, but the exchange admins are scared, so we are taking it
>> slowly.
>>
>> One of the rules we have, that sets off SpamAssassin is:
>> # We want to block fraudulent email from paypal
>> From:   @paypal.com                             yes
>> # paypal wildcard 1
>> From:   paypal                          yes
>> # paypal wildcard 2
>> From:   @*.paypal.com                           yes
>> # paypal wildcard 3
>> From:   *paypal*                                yes
>>
>>
>> I was being overly careful specifying the syntax, so I'm sure that's
>> unnecessary.
>>
>> The current problem is that we received a message where the Envelope
>> from was some random domain, but the actual From: header showed
>> service at paypal.com.
>>
>> This snuck by the rule, because I guess it checks the Envelope from, not
>> the From: header.
>>
>> Any idea how I can get past that?
>>
>> Can I specify a header check in the Rules, or just Envelope To/From?
>>
>> Headers below:
>> --------------------------
>>
>> +---------------------------------+-------------------------------------------------+
>> | from_address                    | subject                                         |
>> +---------------------------------+-------------------------------------------------+
>> | anonymous at mail.dumbonion.com | PayPal Notification : Your account is suspended |
>> +---------------------------------+-------------------------------------------------+
>>
>>
>> Received: from mail.dumbonion.com (unknown [64.8.111.2])
>>         by mail3.worldtravel.com (Postfix) with SMTP id 613201A4D35
>>         for <sanitized at worldtravel.com>; Wed, 17 May 2006 23:26:35 -0400 (EDT)
>> Received: (qmail 26668 invoked by uid 398); 17 May 2006 18:03:04 -0000
>> Date: 17 May 2006 18:03:04 -0000
>> To: sanitized at worldtravel.com
>> Subject: PayPal Notification : Your account is suspended
>> Message-ID: <1147888984.175046.qmail at paypal.com>
>> From: "Customer Support" <support at paypal.com>
>> Content-Type: text/html
>>
>>
> I find that most/all of these are picked up by clamav... and the rest
> tend to attract a lot of points from SA... And none seem to carry the
> actual paypal string anywhere in the envelope sender (which is what
> the rules operate on), so those rules look to be a bit pointless, IMO.
>
> If you use postfix, you could make that a header check, but ... I
> suppose there are loads of SA rules to handle exactly this... Not to
> mention the MS phishing net being able to help with these, in all
> probability;).
>
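The mismatch the thread describes, as an added example (not code from the thread or from MailScanner): the four quoted patterns are run against both the envelope sender and the From: header of the message above, and a separate check flags a From: header at a protected domain whose envelope sender is somewhere else, which is the header-level test the original poster was asking for. The sample message and envelope sender are constructed from the headers quoted above; the way the patterns are interpreted and the protected-domain list are assumptions, not MailScanner's own semantics.

```python
"""Envelope sender vs. From: header check (added example, not MailScanner code)."""
import fnmatch
from email import message_from_string
from email.utils import parseaddr

# Constructed sample input: the headers quoted in the thread, plus the envelope
# sender that the MailScanner report listed as from_address.
SAMPLE_ENVELOPE_FROM = "anonymous@mail.dumbonion.com"
SAMPLE_MESSAGE = (
    "Received: from mail.dumbonion.com (unknown [64.8.111.2])\n"
    "\tby mail3.worldtravel.com (Postfix) with SMTP id 613201A4D35\n"
    "\tfor <sanitized@worldtravel.com>; Wed, 17 May 2006 23:26:35 -0400 (EDT)\n"
    "Received: (qmail 26668 invoked by uid 398); 17 May 2006 18:03:04 -0000\n"
    "Date: 17 May 2006 18:03:04 -0000\n"
    "To: sanitized@worldtravel.com\n"
    "Subject: PayPal Notification : Your account is suspended\n"
    "Message-ID: <1147888984.175046.qmail@paypal.com>\n"
    'From: "Customer Support" <support@paypal.com>\n'
    "Content-Type: text/html\n"
    "\n"
    "<html><body>constructed body</body></html>\n"
)

# The four patterns from the ruleset quoted in the thread, in their order.
RULE_PATTERNS = ["@paypal.com", "paypal", "@*.paypal.com", "*paypal*"]

# Domains whose From: header we refuse to trust unless the envelope agrees
# (assumption: a single protected domain for this example).
PROTECTED_DOMAINS = {"paypal.com"}


def rule_matches(pattern, address):
    """Approximate reading of one ruleset pattern (an assumption; MailScanner's
    own matching may differ): a pattern starting with '@' is matched against
    the domain part, a pattern containing wildcards is a glob over the whole
    address, and a bare word is a case-insensitive substring match."""
    address = address.lower()
    pattern = pattern.lower()
    if pattern.startswith("@"):
        return fnmatch.fnmatchcase(address.split("@")[-1], pattern[1:])
    if any(c in pattern for c in "*?"):
        return fnmatch.fnmatchcase(address, pattern)
    return pattern in address


def header_from_address(raw_message):
    """Return the bare address from the From: header, or '' if it is absent.
    The stdlib parser unfolds the tab-continued Received: lines for us."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def domain_of(address):
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def check_message(envelope_from, raw_message, patterns=RULE_PATTERNS,
                  protected=PROTECTED_DOMAINS):
    """Run the patterns against both the envelope sender and the From: header,
    and flag a protected domain in From: whose envelope sender is elsewhere."""
    header_from = header_from_address(raw_message)
    envelope_hits = [p for p in patterns if rule_matches(p, envelope_from)]
    header_hits = [p for p in patterns if rule_matches(p, header_from)]
    header_domain = domain_of(header_from)
    forged = (header_domain in protected
              and domain_of(envelope_from) != header_domain)
    return {
        "envelope_from": envelope_from.lower(),
        "header_from": header_from,
        "envelope_hits": envelope_hits,
        "header_hits": header_hits,
        "header_forged": forged,
    }


if __name__ == "__main__":
    result = check_message(SAMPLE_ENVELOPE_FROM, SAMPLE_MESSAGE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, none of the four patterns hits the envelope sender (which is Glenn's point about the rules being pointless for this message), three of them hit the From: header, and the domain comparison reports the header as forged. The domain comparison here is an exact-string test, so a legitimate message with an envelope sender at a subdomain of the protected domain would also be flagged; a deployment would want to loosen that to a suffix match or pair it with the SPF/DKIM checks the MTA can do.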



More information about the MailScanner mailing list