OT: Outlook oddities

Glenn Steen glenn.steen at gmail.com
Tue Mar 9 13:19:52 GMT 2010


On 9 March 2010 13:47, Steve Campbell <campbell at cnpapers.com> wrote:
>
>
> Glenn Steen wrote:
>>
>> On 8 March 2010 18:10, Steve Campbell <campbell at cnpapers.com> wrote:
>>
>>>
>>> Glenn Steen wrote:
>>>
>>>>
>>>> On 8 March 2010 15:53, Steve Campbell <campbell at cnpapers.com> wrote:
>>>>
>>>>
>>>>>
>>>>> Just wondering if anyone ever experiences email sent by Outlook senders
>>>>> that have no "From" in the envelope? The headers seem to have the proper
>>>>> "From" entry. These get caught quite often by MS (actually SA) with a "no
>>>>> watermark or sender address". They are sent from our users, which normally
>>>>> get whitelisted by IP address. The problem doesn't always happen even from
>>>>> the same sender.
>>>>>
>>>>> Thanks and sorry for the OT
>>>>>
>>>>> Steve Campbell
>>>>>
>>>>>
>>>>>
>>>>
>>>> The empty sender (MAIL FROM:<>) is a valid sender reserved for the
>>>> mail system itself. Typically used for delivery reports (or rather
>>>> "non-delivery":-). Since all mail coming into your system having an
>>>> empty sender need be in response to a mail sent from you, MailScanner
>>>> (not SA) adds a watermark header... The "returning MTA" is supposed to
>>>> preserve that in the reply/DSN/NDN, so MailScanner checks for that and
>>>> stamps any mail lacking a watermark, or having a forged one, as spam.
>>>>
>>>> So you need look a bit harder on from where you get these, and in what
>>>> situations;-). It's probably doing just the thing it should:-);-)
>>>>
>>>> Cheers
>>>>
>>>>
>>>
>>> Yep, I agree it looks like valid mail and all and that the headers and
>>> envelope are probably valid for certain types of email. But...
>>>
>>> All of our users are NATted to one IP address from our internal network to
>>> the outgoing mailserver. These emails show that they have arrived properly
>>> from that internal network. These are real emails sent from our users. They
>>> just don't have the "From" in them and, as you stated, they don't have the
>>> proper Return-Path (it's blank). They show only one hop to the mailserver
>>> and it's from the proper NATted IP.
>>>
>>> So I guess the question is: Why, if all email from our users takes the same
>>> path, do only Outlook users exhibit this problem and only occasionally? It
>>> never shows up from Thunderbird, OE, or any other mail client.
>>>
>>> I'll dig a little deeper, but was just hoping some of you had run across
>>> this before.
>>>
>>> Thanks for the reply.
>>>
>>> steve
>>>
>>>
>>
>> It could be some "automatic" thing ... some of the software we use
>> internally use a "mapisend" utility to send mail via Outlook (The MAPI
>> interface, of course)... And that software might be ... either through
>> flawed programming/knowledge or perhaps some type of misconfig,
>> abusing the "empty sender" feature of SMTP.
>>
>> But I'd look at capturing some of them and scrutinizing the actual
>> content. It might be either "out of office" or "return receipts" you
>> are seeing. Some MTAs (or MUAs for that matter) just plain don't
>> preserve the watermark headers as they should.
>> Capturing a few should be an easy config matter... perhaps you already
>> have them?
>>
>> Cheers
>>
>
> Glenn,
>
> I think I have them since MS quarantined them. Another strange thing about
> all this is that I whitelist our senders by IP address, the email is sent
> through that IP, and yet, MS has decided to block it anyway - sort of not
> honoring the whitelisted IP. I'm guessing this is due to the watermark not
> being inserted somewhere.
>
> Thanks for the help. If I find out any more, I'll post it.
>
> steve
>
Depends on how you whitelist, on what settings you apply the whitelist
ruleset(s). You'd need apply one for the watermark setting (sorry, to
too busy/lazy to look it up for you;-)

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
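
The triage suggested in this thread (capture the quarantined null-sender messages and check whether they are delivery reports, return receipts or out-of-office replies), sketched as an added example that is not part of the original messages and is not MailScanner code. The watermark header name is a placeholder assumption, since the real name depends on the site's MailScanner configuration, and the sample messages are constructed.

```python
import re
from email import message_from_string

# Assumption: placeholder header name; the real one depends on the site's MailScanner config.
WATERMARK_HEADER = "X-Example-MailScanner-Watermark"

def classify(raw):
    """Return (null_sender, kind, has_watermark) for one raw message."""
    msg = message_from_string(raw)
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"
    report = (msg.get_param("report-type") or "").lower()
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if msg.get_content_type() == "multipart/report" and report == "delivery-status":
        kind = "dsn"
    elif msg.get_content_type() == "multipart/report" and report == "disposition-notification":
        kind = "read-receipt"
    elif auto != "no":
        kind = "auto-reply"
    else:
        kind = "ordinary"
    # The watermark may sit in the top headers or in returned headers inside a report.
    pattern = r"^\s*" + re.escape(WATERMARK_HEADER) + r"\s*:"
    has_watermark = re.search(pattern, raw, re.I | re.M) is not None
    return null_sender, kind, has_watermark

def needs_investigation(raw):
    """True for null-sender mail that is not a DSN, receipt or auto-reply."""
    null_sender, kind, _ = classify(raw)
    return null_sender and kind == "ordinary"

# Constructed sample messages (not taken from the thread).
RECEIPT = (
    "Return-Path: <>\n"
    "From: user@example.com\n"
    "Subject: Read: Budget\n"
    'Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"\n'
    "\n--b1\nContent-Type: text/plain\n\nYour message was read.\n--b1--\n"
)
PLAIN_NULL = (
    "Return-Path: <>\n"
    "From: user@example.com\n"
    "Subject: Monthly report\n"
    "Content-Type: text/plain\n"
    "\nReport attached.\n"
)
NORMAL = PLAIN_NULL.replace("<>", "<user@example.com>")

if __name__ == "__main__":
    for name, raw in (("receipt", RECEIPT), ("plain-null", PLAIN_NULL), ("normal", NORMAL)):
        print(name, classify(raw), needs_investigation(raw))
```

Messages flagged by `needs_investigation` are the ones where the sending software, rather than a receipt or auto-reply, put the empty sender on ordinary mail.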

