OT: Question related to From: field in x-headers vs who the message actually came from.

Duncan, Brian M. brian.duncan at kattenlaw.com
Fri Sep 4 16:02:21 IST 2009

On 04/09/2009 15:06, Duncan, Brian M. wrote:
> First, our sendmail servers are either incoming or outgoing for my 
> company. The incoming sendmail servers REJECT any messages coming in 
> from any of our domains.  To help keep spoofed messages out of our 
> environment, we reject around 35,000 spoofed messages combined per day

> at the edge.
> So I have started to see what I show in the headers below occasionally

> now.  Can someone explain to me what is happening that knows?  And 
> does anyone know how to remove this possibility from occurring? I 
> can't replicate the behavior below with a mail client externally, so I

> am guessing it has to be specifically manipulated in a non RFC 
> compliant manner.
> I don't understand how Mailscanner has the proper From: listed in the 
> x-header that this message came from, but there is an x-header with 
> the wrong From:
Where is this wrong x-header? The only headers I can see are the
Return-Path (which shows the real envelope sender address) and the
X-MailScanner-From (which also shows the real envelope sender address). 
The "From:" header can contain any random string the sender wants it to
contain, there's no protection on the value of that header at all.

Which is why email apps are the wrong place to do sender filtering,
unless you have a header (such as X-MailScanner-From) which you know
will contain the real sender address. But that can still be any value
they want, so it doesn't help enormously.

Fundamentally, there is no protection applied to either the contents of
the headers (which aren't used for mail routing at all), nor the sender
(which is also not used, but may be checked for validity); it is only
the envelope recipient that actually counts (as that determines the
destination of the message).

Many moons ago I wrote up how mail delivery actually works, but I doubt
I can find it. There's quite a good description, written by someone
else, in the back of my book. It's another great reason for you to buy
the book! :-)


Thanks Julian, that helps.

So the from that sendmail lists in the logs should always match the
return-path header then.  And from: is NOT the envelope sender? That is
where I was confused, I thought the from: header was the envelope

CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law.  If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction.  Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies.
NOTIFICATION:  Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997).

More information about the MailScanner mailing list