OT: Question related to From: field in x-headers vs who the message actually came from.

Julian Field MailScanner at ecs.soton.ac.uk
Fri Sep 4 16:14:17 IST 2009



On 04/09/2009 16:02, Duncan, Brian M. wrote:
>
> On 04/09/2009 15:06, Duncan, Brian M. wrote:
>> First, our sendmail servers are either incoming or outgoing for my
>> company. The incoming sendmail servers REJECT any messages coming in
>> from any of our domains.  To help keep spoofed messages out of our
>> environment, we reject around 35,000 spoofed messages combined per day
>> at the edge.
>> So I have started to see what I show in the headers below occasionally
>> now.  Can someone explain to me what is happening that knows?  And
>> does anyone know how to remove this possibility from occurring? I
>> can't replicate the behavior below with a mail client externally, so I
>> am guessing it has to be specifically manipulated in a non RFC
>> compliant manner.
>> I don't understand how Mailscanner has the proper From: listed in the
>> x-header that this message came from, but there is an x-header with
>> the wrong From:
>>
> Where is this wrong x-header? The only headers I can see are the
> Return-Path (which shows the real envelope sender address) and the
> X-MailScanner-From (which also shows the real envelope sender address).
> The "From:" header can contain any random string the sender wants it to
> contain, there's no protection on the value of that header at all.
>
> Which is why email apps are the wrong place to do sender filtering,
> unless you have a header (such as X-MailScanner-From) which you know
> will contain the real sender address. But that can still be any value
> they want, so it doesn't help enormously.
>
> Fundamentally, there is no protection applied to either the contents of
> the headers (which aren't used for mail routing at all), nor the sender
> (which is also not used, but may be checked for validity); it is only
> the envelope recipient that actually counts (as that determines the
> destination of the message).
>
> Many moons ago I wrote up how mail delivery actually works, but I doubt
> I can find it. There's quite a good description, written by someone
> else, in the back of my book. It's another great reason for you to buy
> the book! :-)
>
> Jules.
>
>
> Thanks Julian, that helps.
>
> So the from that sendmail lists in the logs should always match the
> return-path header then.
Correct.
> And from: is NOT the envelope sender?
Correct, it is not the envelope sender. It's anything the sender feels
like putting in there.
> That is
> where I was confused, I thought the from: header was the envelope
> sender.
No, it's not.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
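
The distinction drawn in this message (the envelope sender recorded in Return-Path / X-MailScanner-From versus the free-form From: header), as an added example that is not part of the original post: a check that flags mail whose From: header claims one of your own domains while the recorded envelope sender does not. The domain list, function names, verdict strings and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the domains your incoming servers already refuse as envelope senders.
LOCAL_DOMAINS = {"example.com"}

def _domain(address):
    """Domain of a bare address, lower-cased; '' when there is none (e.g. '<>')."""
    _local, at, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def check_sender(raw_message, local_domains=LOCAL_DOMAINS):
    """Compare the recorded envelope sender with the free-form From: header."""
    msg = message_from_string(raw_message)
    # Assumption: these two headers were written by your own MTA / MailScanner
    # at delivery time, so they reflect the SMTP MAIL FROM value.
    recorded = msg.get("X-MailScanner-From") or msg.get("Return-Path") or ""
    envelope = parseaddr(recorded)[1]
    from_headers = msg.get_all("From", [])
    header_from = [addr for _name, addr in getaddresses(from_headers) if addr]
    claims_local = any(_domain(a) in local_domains for a in header_from)
    if len(from_headers) != 1 or not header_from:
        verdict = "malformed-from"  # RFC 5322 requires exactly one From:
    elif claims_local and _domain(envelope) not in local_domains:
        verdict = "header-from-spoofs-local-domain"
    else:
        verdict = "ok"
    return {"envelope": envelope, "header_from": header_from, "verdict": verdict}

# Constructed sample: external envelope sender, From: header claiming a local domain.
SPOOFED = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "X-MailScanner-From: bounce@mailer.example.net\n"
    'From: "Payroll" <payroll@example.com>\n'
    "To: user@example.com\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed sample: envelope sender and From: header are both external.
EXTERNAL = (
    "Return-Path: <news@lists.example.org>\n"
    "From: News <news@lists.example.org>\n"
    "To: user@example.com\n\nbody\n"
)
# Constructed sample: two From: headers, which a strict parser should not accept.
DOUBLE_FROM = "From: a@example.net\nFrom: b@example.com\nTo: user@example.com\n\nbody\n"

if __name__ == "__main__":
    for sample in (SPOOFED, EXTERNAL, DOUBLE_FROM):
        print(check_sender(sample))
```
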

