OT: Question related to From: field in x-headers vs who the message actually came from.

Julian Field MailScanner at ecs.soton.ac.uk
Fri Sep 4 15:44:51 IST 2009



On 04/09/2009 15:06, Duncan, Brian M. wrote:
> First, our sendmail servers are either incoming or outgoing for my 
> company. The incoming sendmail servers REJECT any messages coming in 
> from any of our domains.  To help keep spoofed messages out of our 
> environment, we reject around 35,000 spoofed messages combined per day 
> at the edge.
> So I have started to see what I show in the headers below occasionally 
> now.  Can someone who knows explain to me what is happening?  And 
> does anyone know how to remove this possibility from occurring? I 
> can't replicate the behavior below with a mail client externally, so I 
> am guessing it has to be specifically manipulated in a non-RFC-
> compliant manner.
> I don't understand how MailScanner has the proper From: listed in the 
> x-header that this message came from, but there is an x-header with 
> the wrong From:
Where is this wrong x-header? The only headers I can see are the 
Return-Path (which shows the real envelope sender address) and the 
X-MailScanner-From (which also shows the real envelope sender address). 
The "From:" header can contain any random string the sender wants it to 
contain, there's no protection on the value of that header at all.

Which is why email apps are the wrong place to do sender filtering, 
unless you have a header (such as X-MailScanner-From) which you know 
will contain the real sender address. But that can still be any value 
they want, so it doesn't help enormously.

Fundamentally, there is no protection applied to either the contents of 
the headers (which aren't used for mail routing at all) or the sender 
(which is also not used, but may be checked for validity); it is only 
the envelope recipient that actually counts (as that determines the 
destination of the message).

Many moons ago I wrote up how mail delivery actually works, but I doubt 
I can find it. There's quite a good description, written by someone 
else, in the back of my book. It's another great reason for you to buy 
the book! :-)

Jules.
> that Outlook then displays on a user's client when they open the 
> message. (And any local Outlook rules act upon)  If I check the 
> sendmail logs on the message below, it shows the message coming from 
> whereforeji09 at maycruz.com.
> Thanks for any help!
> Brian
> Received: from host-92-11-178-251.as43234.net 
> (host-92-11-178-251.as43234.net [92.11.178.251] (may be forged))
>  by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297;
>  Fri, 4 Sep 2009 07:16:01 -0400
> Received: from 92.11.178.251 by 72.47.228.70; Fri, 4 Sep 2009 12:14:59 
> +0000
> Message-ID: <000d01ca2d50$f124e100$6400a8c0 at whereforeji09>
> From: Juliana Rollins <caren.rabinowitz at kattenlaw.com>
> To: <caren.rabinowitz at kattenlaw.com>
> Subject: Lose 12lbs in 1 month :.
> Date: Fri, 4 Sep 2009 12:14:59 +0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary="----=_NextPart_000_0007_01CA2D50.F124E100"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1506
> X-MimeOLE: Produced By Microsoft MimeOLE 6.00.2800.1506
> X-Kattenlaw-MailScanner-Information:
> X-MailScanner-SpamCheck: spam, spamcop.net, zen.spamhaus.org, cbl, 
> MAPS-ALL
> X-MailScanner-From: whereforeji09 at maycruz.com
> X-MailScanner-SPAM: yes
> Return-Path: whereforeji09 at maycruz.com
> X-OriginalArrivalTime: 04 Sep 2009 11:16:13.0588 (UTC) 
> FILETIME=[1D03F540:01CA2D51
>
>
> ===========================================================
> CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice 
> Before the Internal Revenue Service, any tax advice contained herein 
> is not intended or written to be used and cannot be used by a taxpayer 
> for the purpose of avoiding tax penalties that may be imposed on the 
> taxpayer.
> ===========================================================
> CONFIDENTIALITY NOTICE:
> This electronic mail message and any attached files contain 
> information intended for the exclusive use of the individual or entity 
> to whom it is addressed and may contain information that is 
> proprietary, privileged, confidential and/or exempt from disclosure 
> under applicable law. If you are not the intended recipient, you are 
> hereby notified that any viewing, copying, disclosure or distribution 
> of this information may be subject to legal restriction or sanction. 
> Please notify the sender, by electronic mail or telephone, of any 
> unintended recipients and delete the original message without making 
> any copies.
> ===========================================================
> NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited 
> liability partnership that has elected to be governed by the Illinois 
> Uniform Partnership Act (1997).
> ===========================================================
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
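The point of the reply, that the envelope sender (recorded in Return-Path, and by MailScanner in X-MailScanner-From) and the display From: header are independent values, is easy to see in code. The following is an added example for this thread, not MailScanner's own code or anything from the list. It parses the headers of the message quoted above (with the archive's "at" obfuscation and mailto: decorations undone, and a constructed placeholder body), plus a constructed second message for contrast, and reports whether the From: users see agrees with the envelope sender the edge checked. The `LOCAL_DOMAINS` set and the `envelope_sender` parameter are assumptions: in a real deployment the envelope value should come from the MTA's own record (the milter or queue file), not from a header an outsider could have pre-set, which is why the reply says X-MailScanner-From "doesn't help enormously" on its own.

```python
"""Compare the header From: with the envelope sender on a raw message.

Added example for this thread, not MailScanner's own code. The headers in
RAW_MESSAGE are copied from the message quoted above; the body line is a
constructed placeholder. RAW_LEGIT is entirely constructed.
"""
import email
from email.utils import parseaddr

RAW_MESSAGE = """\
Received: from host-92-11-178-251.as43234.net
 (host-92-11-178-251.as43234.net [92.11.178.251] (may be forged))
 by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297;
 Fri, 4 Sep 2009 07:16:01 -0400
From: Juliana Rollins <caren.rabinowitz@kattenlaw.com>
To: <caren.rabinowitz@kattenlaw.com>
Subject: Lose 12lbs in 1 month :.
Date: Fri, 4 Sep 2009 12:14:59 +0000
X-MailScanner-From: whereforeji09@maycruz.com
X-MailScanner-SPAM: yes
Return-Path: whereforeji09@maycruz.com

(body omitted)
"""

# Constructed counter-example: header From: agrees with the envelope
# sender, so the check below should report no mismatch.
RAW_LEGIT = """\
From: Some Vendor <billing@example.net>
To: <someone@kattenlaw.com>
Subject: constructed sample
Return-Path: billing@example.net

(body omitted)
"""

# Assumed: the domains this site treats as its own (the thread's site).
LOCAL_DOMAINS = {"kattenlaw.com"}


def domain_of(address):
    """Return the lower-cased domain part of an address, or "" if none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def header_from_vs_envelope(raw, local_domains, envelope_sender=None):
    """Report how the display From: relates to the envelope sender.

    envelope_sender should be the MAIL FROM the MTA itself recorded; when it
    is not supplied we fall back to Return-Path, which the final MTA writes
    from the envelope at delivery. Nothing else in the headers is trusted.
    """
    msg = email.message_from_string(raw)
    if envelope_sender is None:
        envelope_sender = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    header_domain = domain_of(header_from)
    envelope_domain = domain_of(envelope_sender)
    return {
        "header_from": header_from,
        "envelope_from": envelope_sender,
        # True when the address users see is not the address that was
        # checked at the edge; this is the case in the quoted message.
        "mismatch": header_domain != envelope_domain,
        # True when an outside envelope sender presents a local From:
        # header, which an envelope-only rejection rule cannot see.
        "claims_local_domain": header_domain in local_domains
        and envelope_domain not in local_domains,
    }


if __name__ == "__main__":
    for label, raw in (("quoted spam", RAW_MESSAGE), ("constructed", RAW_LEGIT)):
        print(label, header_from_vs_envelope(raw, LOCAL_DOMAINS))
```

Run against the quoted message it reports `mismatch` and `claims_local_domain` as true, because the edge rejected nothing (the envelope sender is maycruz.com) while the From: header names a local address; the constructed message reports neither. A rule acting on `claims_local_domain` at the gateway, fed the MTA's own envelope value, is the kind of check that catches what the envelope-only rejection in the original question misses.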


