OT: Question related to From: field in x-headers vs who the message actually came from.

Martin Hepworth maxsec at gmail.com
Fri Sep 4 15:36:12 IST 2009

2009/9/4 Duncan, Brian M. <brian.duncan at kattenlaw.com>

>  First, our sendmail servers are either incoming or outgoing for my
> company. The incoming sendmail servers REJECT any messages coming in from
> any of our domains.  To help keep spoofed messages out of our environment,
> we reject around 35,000 spoofed messages combined per day at the edge.
> So I have started to see what I show in the headers below occasionally
> now.  Can someone explain to me what is happening that knows?  And does
> anyone know how to remove this possibility from occurring? I can't replicate
> the behavior below with a mail client externally, so I am guessing it has to
> be specifically manipulated in a non-RFC-compliant manner.
> I don't understand how Mailscanner has the proper From: listed in the
> x-header that this message came from, but there is an x-header with the
> wrong From: that outlook then displays on a users client when they open the
> message. (And any local Outlook rules act upon)  If I check the sendmail
> logs on the message below, it shows the message coming from
> whereforeji09 at maycruz.com.
> Thanks for any help!
> Brian
> Received: from host-92-11-178-251.as43234.net (
> host-92-11-178-251.as43234.net [] (may be forged))
>  by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297;
>  Fri, 4 Sep 2009 07:16:01 -0400
> Received: from by; Fri, 4 Sep 2009 12:14:59
> +0000
> Message-ID: <000d01ca2d50$f124e100$6400a8c0 at whereforeji09>
> From: Juliana Rollins <caren.rabinowitz at kattenlaw.com>
> To: <caren.rabinowitz at kattenlaw.com>
> Subject: Lose 12lbs in 1 month :.
> Date: Fri, 4 Sep 2009 12:14:59 +0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary="----=_NextPart_000_0007_01CA2D50.F124E100"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1506
> X-MimeOLE: Produced By Microsoft MimeOLE 6.00.2800.1506
> X-Kattenlaw-MailScanner-Information:
> X-MailScanner-SpamCheck: spam, spamcop.net, zen.spamhaus.org, cbl,
> X-MailScanner-From: whereforeji09 at maycruz.com
> X-MailScanner-SPAM: yes
> Return-Path: whereforeji09 at maycruz.com
> X-OriginalArrivalTime: 04 Sep 2009 11:16:13.0588 (UTC)
> FILETIME=[1D03F540:01CA2D51

The X-MailScanner-From: header is showing the envelope-from and not the
From: header. It does this so you can see what 'from' header the MailScanner
rules operate on.

FYI, you may wish to populate the 'org-name' field in MailScanner.conf so
the X-MailScanner headers are reasonably unique. This addition was
introduced after a virus came out a few years ago that targeted MailScanner hosts,
and the workaround was to make the X-MailScanner headers less predictable.

Martin Hepworth
Oxford, UK
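An added example (not code from the list or from the MailScanner project) that makes the envelope-from versus header From: distinction concrete: it parses the headers quoted above and compares the domain in the displayed From: with the envelope sender that MailScanner records in X-MailScanner-From / Return-Path. The set of local domains is an assumption, and the addresses are written with a normal "@" rather than the archive's " at ".

```python
import email
from email import policy
from email.utils import parseaddr

# Headers reconstructed from the quoted message (constructed sample input).
RAW_HEADERS = """\
Received: from host-92-11-178-251.as43234.net (host-92-11-178-251.as43234.net [] (may be forged))
 by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297;
 Fri, 4 Sep 2009 07:16:01 -0400
From: Juliana Rollins <caren.rabinowitz@kattenlaw.com>
To: <caren.rabinowitz@kattenlaw.com>
Subject: Lose 12lbs in 1 month :.
X-MailScanner-From: whereforeji09@maycruz.com
Return-Path: whereforeji09@maycruz.com

"""

LOCAL_DOMAINS = {"kattenlaw.com"}  # assumption: the site's own domain(s)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of a mailbox or bare address."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def check_sender_alignment(raw: str, local_domains=LOCAL_DOMAINS) -> dict:
    """Compare the displayed From: (RFC 5322 header, set by whoever sent the
    message) against the envelope sender (what MailScanner records). A header
    From: that claims a local domain while the envelope-from does not is the
    pattern in the post: the edge reject on envelope sender cannot see it."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_from = domain_of(msg.get("From", ""))
    envelope_from = domain_of(msg.get("X-MailScanner-From") or msg.get("Return-Path", ""))
    first_hop = msg.get("Received", "")  # first Received: is the hop into our MTA
    return {
        "header_from_domain": header_from,
        "envelope_from_domain": envelope_from,
        "header_claims_local": header_from in local_domains,
        "envelope_is_local": envelope_from in local_domains,
        "first_hop_may_be_forged": "(may be forged)" in first_hop,
        "spoofed_local_from": header_from in local_domains and envelope_from not in local_domains,
    }


if __name__ == "__main__":
    for key, value in check_sender_alignment(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

The "spoofed_local_from" flag is what a header-From check (for example a MailScanner or SpamAssassin rule on the From: domain) would key on, since rejecting on envelope sender alone lets this message through.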