OT: Question related to From: field in x-headers vs who the message actually came from.
maxsec at gmail.com
Fri Sep 4 15:36:12 IST 2009
2009/9/4 Duncan, Brian M. <brian.duncan at kattenlaw.com>
> First, our sendmail servers are either incoming or outgoing for my
> company. The incoming sendmail servers REJECT any messages coming in from
> any of our domains. To help keep spoofed messages out of our environment,
> we reject around 35,000 spoofed messages combined per day at the edge.
> So I have started to see what I show in the headers below occasionally
> now. Can someone who knows explain to me what is happening? And does
> anyone know how to remove this possibility from occurring? I can't replicate
> the behavior below with a mail client externally, so I am guessing it has to
> be specifically manipulated in a non-RFC-compliant manner.
> I don't understand how MailScanner has the proper From: listed in the
> x-header that this message came from, but there is an x-header with the
> wrong From: that Outlook then displays on a user's client when they open the
> message. (And any local Outlook rules act upon) If I check the sendmail
> logs on the message below, it shows the message coming from
> whereforeji09 at maycruz.com.
> Thanks for any help!
> Received: from host-92-11-178-251.as43234.net (
> host-92-11-178-251.as43234.net [22.214.171.124] (may be forged))
> by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297;
> Fri, 4 Sep 2009 07:16:01 -0400
> Received: from 126.96.36.199 by 188.8.131.52; Fri, 4 Sep 2009 12:14:59
> Message-ID: <000d01ca2d50$f124e100$6400a8c0 at whereforeji09>
> From: Juliana Rollins <caren.rabinowitz at kattenlaw.com>
> To: <caren.rabinowitz at kattenlaw.com>
> Subject: Lose 12lbs in 1 month :.
> Date: Fri, 4 Sep 2009 12:14:59 +0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1506
> X-MimeOLE: Produced By Microsoft MimeOLE 6.00.2800.1506
> X-MailScanner-SpamCheck: spam, spamcop.net, zen.spamhaus.org, cbl,
> X-MailScanner-From: whereforeji09 at maycruz.com
> X-MailScanner-SPAM: yes
> Return-Path: whereforeji09 at maycruz.com
> X-OriginalArrivalTime: 04 Sep 2009 11:16:13.0588 (UTC)
The X-MailScanner-From: header is showing the envelope-from and not the
From: header. It does this so you can see what 'from' header the MailScanner
rules operate on.
FYI you may wish to populate the 'org-name' field in the MailScanner.conf so
the X-MailScanner headers are reasonably unique. This addition was
introduced as a virus came out a few years ago that targeted MailScanner hosts
and the workaround was to make the X-MailScanner headers less predictable.
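
The envelope-from versus From: header distinction described in the reply, as an added example that is not part of the original thread or MailScanner's own code: it parses a message and flags the case where From: claims a local domain while the recorded envelope sender does not. The function names, `LOCAL_DOMAINS`, and the sample message are assumptions constructed for illustration; the header names are the ones shown in the quoted message.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains your own organisation sends from.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample modelled on the headers quoted in the thread.
SAMPLE = (
    "Return-Path: <bulk@sender.example.net>\n"
    "X-MailScanner-From: bulk@sender.example.net\n"
    "From: Juliana Rollins <user@example.com>\n"
    "To: <user@example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def domain_of(value):
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender_alignment(raw, local_domains=LOCAL_DOMAINS,
                           envelope_headers=("X-MailScanner-From", "Return-Path")):
    """Compare the From: header domain with the recorded envelope sender."""
    msg = message_from_string(raw)
    header_dom = domain_of(msg.get("From"))
    # Use the first envelope-sender header that is present on the message.
    envelope_dom = next(
        (domain_of(msg[h]) for h in envelope_headers if msg[h] is not None), "")
    return {
        "header_from_domain": header_dom,
        "envelope_domain": envelope_dom,
        "aligned": header_dom == envelope_dom,
        # From: claims a local domain, but the envelope sender is not local
        # (an empty or missing envelope sender also counts as not local).
        "spoofed_local": header_dom in local_domains
                         and envelope_dom not in local_domains,
    }

if __name__ == "__main__":
    print(check_sender_alignment(SAMPLE))
```

If the 'org-name' setting changes the header names on your hosts, pass the names you actually see via `envelope_headers`.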