OT: Question related to From: field in x-headers vs who the
message actually came from.
MailScanner at ecs.soton.ac.uk
Fri Sep 4 15:44:51 IST 2009
On 04/09/2009 15:06, Duncan, Brian M. wrote:
> First, our sendmail servers are either incoming or outgoing for my
> company. The incoming sendmail servers REJECT any messages coming in
> from any of our domains. To help keep spoofed messages out of our
> environment, we reject around 35,000 spoofed messages combined per day
> at the edge.
> So I have started to see what I show in the headers below occasionally
> now. Can someone explain to me what is happening that knows? And
> does anyone know how to remove this possibility from occurring? I
> can't replicate the behavior below with a mail client externally, so I
> am guessing it has to be specifically manipulated in a non RFC
> compliant manner.
> I don't understand how Mailscanner has the proper From: listed in the
> x-header that this message came from, but there is an x-header with
> the wrong From:
Where is this wrong x-header? The only headers I can see are the
Return-Path (which shows the real envelope sender address) and the
X-MailScanner-From (which also shows the real envelope sender address).
The "From:" header can contain any random string the sender wants it to
contain, there's no protection on the value of that header at all.
Which is why email apps are the wrong place to do sender filtering,
unless you have a header (such as X-MailScanner-From) which you know
will contain the real sender address. But that can still be any value
they want, so it doesn't help enormously.
Fundamentally, there is no protection applied to either the contents of
the headers (which aren't used for mail routing at all), nor the sender
(which is also not used, but may be checked for validity); it is only
the envelope recipient that actually counts (as that determines the
destination of the message).
Many moons ago I wrote up how mail delivery actually works, but I doubt
I can find it. There's quite a good description, written by someone
else, in the back of my book. It's another great reason for you to buy
the book! :-)
> that Outlook then displays on a user's client when they open the
> message. (And any local Outlook rules act upon) If I check the
> sendmail logs on the message below, it shows the message coming from
> whereforeji09 at maycruz.com.
> Thanks for any help!
> Received: from host-92-11-178-251.as43234.net
> (host-92-11-178-251.as43234.net [22.214.171.124] (may be forged))
> by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297;
> Fri, 4 Sep 2009 07:16:01 -0400
> Received: from 126.96.36.199 by 188.8.131.52; Fri, 4 Sep 2009 12:14:59
> Message-ID: <000d01ca2d50$f124e100$6400a8c0 at whereforeji09>
> From: Juliana Rollins <caren.rabinowitz at kattenlaw.com>
> To: <caren.rabinowitz at kattenlaw.com>
> Subject: Lose 12lbs in 1 month :.
> Date: Fri, 4 Sep 2009 12:14:59 +0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1506
> X-MimeOLE: Produced By Microsoft MimeOLE 6.00.2800.1506
> X-MailScanner-SpamCheck: spam, spamcop.net, zen.spamhaus.org, cbl,
> X-MailScanner-From: whereforeji09 at maycruz.com
> X-MailScanner-SPAM: yes
> Return-Path: whereforeji09 at maycruz.com
> X-OriginalArrivalTime: 04 Sep 2009 11:16:13.0588 (UTC)
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Need help fixing or optimising your systems?
Need help getting you started solving new requirements from your boss?
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
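
Added example, not part of the original thread: a check that compares the envelope sender recorded in X-MailScanner-From (or Return-Path) with the domain in the From: header, and flags mail whose From: claims a local domain while the envelope sender is external. The sample messages and domain names are constructed, and PROTECTED_DOMAINS is an assumed site setting.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the site owns (hypothetical value for this example).
PROTECTED_DOMAINS = {"corp.example"}

# Constructed sample modelled on the headers quoted in the post:
# external envelope sender, From: header claiming the recipient's own domain.
SPOOFED = """\
Return-Path: <bulk@sender.example>
X-MailScanner-From: bulk@sender.example
From: Some Name <alice@corp.example>
To: <alice@corp.example>

body
"""

# Constructed sample where envelope sender and From: header agree.
LEGIT = """\
Return-Path: <bob@partner.example>
X-MailScanner-From: bob@partner.example
From: Bob <bob@partner.example>
To: <alice@corp.example>

body
"""

def domain_of(value):
    """Return the lower-cased domain of an address header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_message(raw, protected=PROTECTED_DOMAINS):
    """Compare the recorded envelope sender with the From: header."""
    msg = message_from_string(raw)
    # Envelope sender as recorded at delivery; a null sender (<>) yields ''.
    envelope = domain_of(msg.get("X-MailScanner-From") or msg.get("Return-Path"))
    header = domain_of(msg.get("From"))
    return {
        "envelope_domain": envelope,
        "header_domain": header,
        "mismatch": envelope != header,
        # The case in the post: From: claims our domain, the envelope does not.
        "spoofs_protected": header in protected and envelope not in protected,
    }
```

A plain mismatch is common for legitimate mailing-list and forwarded mail, so only the `spoofs_protected` result is a strong signal.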