Remove headers before MailScanner

Martin Hepworth maxsec at gmail.com
Tue Oct 23 16:21:59 IST 2012


Hmm, looks like exch is doing a crap job of forwarding the emails, either that
or it's poorly set up. My exch just forwards the emails to my local exch
server without all this extra cruft in the logs.

Are these two sites part of the same AD domain or do they run some sort of
split design?

-- 
Martin Hepworth, CISSP
Oxford, UK


On 23 October 2012 14:08, Dave Gattis <mailscanner at romehosting.com> wrote:

> According to mailwatch, here's all the listed headers:
>
> Received: from mail1.domain1.com (mail1.domain1.com [XX.XXX.XXX.XX])
>       by domain1.com (Postfix) with ESMTP id D30D01C100FB
>       for <dave.gattis at domain2.com>; Tue, 23 Oct 2012 08:48:31 -0400 (EDT)
> Received: from  mail2.domain1.com ([ffff::aaaa:8888:bbbb:7777]) by
>       mail2.domain2.com ([ffff::aaaa:8888:bbbb:7777]) with Microsoft SMTP Server id
>       14.01.0355.002; Tue, 23 Oct 2012 14:48:25 +0200
> From: Dave Gattis <dave.gattis at hotmail.com>  <-- MailScanner/MailWatch ignores this line
> To: Dave Gattis <dave.gattis at domain1.com>
> Subject: test for mailscanner group
> Date: Tue, 23 Oct 2012 12:48:40 +0000
> Message-ID: <b4339c5b9c53472eae950d4ff046d840 at mail2.domain1.com>
> Resent-From: <dave.gattis at domain1.com>  <-- MailScanner/MailWatch considers this line to be the sender
> Content-Type: multipart/alternative;
>       boundary="_000_b4339c5b9c53472eae950d4ff046d840mail2domain1com_"
> MIME-Version: 1.0
>
> MailWatch's recent messages tab displays the message like this, only in
> column format:
>
>
> Date/Time:
> 23/10/12
> 08:48:33
>
> From:
> dave.gattis at domain1.com  (needs to be dave.gattis at hotmail.com)
>
> To:
> dave.gattis at sdomain2.com
>
> Subject:
> test for mailscanner group
>
> Size
> 2.2Kb
>
> SA Score
> -1.02
>
> Status
> Clean
>
>
> --
> Dave Gattis
>
>
> > Mailwatch uses the "envelope-from" to display in the list.
> >
> > On 23 October 2012 12:58, Dave Gattis <mailscanner at romehosting.com> wrote:
> >
> >> Let me see if I can explain this properly:
> >>
> >> a at hotmail.com sends to b at mydomain1.com.
> >>
> >> a rule exists at mydomain1.com to redirect to c at mydomain2.com, therefore
> >>
> >> a at hotmail.com arrives safely c at mydomain2.com.
> >>
> >> When opening the email, it looks like this:
> >>
> >> From: a at hotmail.com
> >> To: b at mydomain1.com
> >>
> >> This is exactly what I want and works perfectly in any mail client.
> >>
> >> Unfortunately, when you look at the list of messages MailScanner has
> >> processed (using the MailWatch frontend), every message, no matter who
> >> from looks like this:
> >>
> >> From: b at mydomain1.com
> >> To: c at mydomain2.com
> >>
> >> This renders white/blacklisting useless, and subject lines are the only
> >> clues available for releasing SPAM.  When looking at the raw headers,
> >> the redirect is adding a "Resent-From" header which I believe is
> >> overriding the "From" header.
> >>
> >> No matter what is received, MailScanner is basing some of its decisions
> >> on the "Resent-From" address which lowers the score for all messages.
> >>
> >> This is what happens when corporations make poor decisions.
> >> Unfortunately, I am forced to find a workaround for it.
> >>
> >> Thanks,
> >> --
> >> Dave Gattis
> >>
> >>
> >> > Le 22/10/2012 15:26, Dave Gattis a écrit :
> >> >> Each message is stamped with "Resent-From" and "Return-Path" of the
> >> >> redirecting address.  I can strip those headers out, after MailScanner,
> >> >> but really need them removed before.
> >> >
> >> > Why do you really need them removed? If it's just for spamassassin, you
> >> > can use bayes_ignore_header in your local.cf file.
> >> >
> >> > John.
> >> >
> >> > --
> >> > -- Over 5000 webcams from ski resorts around the world - www.snoweye.com
> >> > -- Translate your technical documents and web pages    - www.tradoc.fr
> >> > --
> >> > MailScanner mailing list
> >> > mailscanner at lists.mailscanner.info
> >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >> >
> >> > Before posting, read http://wiki.mailscanner.info/posting
> >> >
> >> > Support MailScanner development - buy the book off the website!
> >> >
> >>
> >>
>
>
>
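
Added example (not part of the original thread or of MailScanner/MailWatch code): the three sender identities discussed above, extracted from a constructed message modelled on the quoted headers. The Return-Path value, the function names and the "prefer header From when the redirecting mailbox rewrote the envelope" rule are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a redirect at mydomain1.com re-injected the message,
# stamping Resent-From and rewriting the envelope sender (Return-Path).
RAW = """\
Return-Path: <b@mydomain1.com>
Received: from mail1.mydomain1.com by mydomain2.com (Postfix) with ESMTP
From: A Sender <a@hotmail.com>
To: B User <b@mydomain1.com>
Subject: test for mailscanner group
Resent-From: <b@mydomain1.com>
MIME-Version: 1.0

body
"""

def sender_identities(raw, envelope_from=None):
    """Return envelope sender, header From and Resent-From as bare addresses."""
    msg = message_from_string(raw)

    def addr(name):
        # parseaddr yields ('', '') for a missing header; map that to None
        return parseaddr(msg.get(name, ""))[1].lower() or None

    # Prefer the envelope value handed over by the MTA; fall back to Return-Path
    env = envelope_from.lower() if envelope_from else addr("Return-Path")
    return {
        "envelope_from": env,
        "header_from": addr("From"),
        "resent_from": addr("Resent-From"),
    }

def triage_sender(ids):
    """Address to show in a message list (hypothetical display rule).

    If Resent-From matches the envelope sender, the envelope only names the
    redirecting mailbox, so the author's header From is more useful to a human.
    Header From is set by the sender and trivially forged: use it for display
    and triage, not as the sole key for whitelisting.
    """
    redirected = ids["resent_from"] and ids["resent_from"] == ids["envelope_from"]
    if redirected and ids["header_from"]:
        return ids["header_from"]
    return ids["envelope_from"]

if __name__ == "__main__":
    ids = sender_identities(RAW)
    print(ids, "->", triage_sender(ids))
```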