Ian Mitchell wrote:
...snip...

HELO junkmail.com
MAIL FROM: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
DATA
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
...


Why would this make it past your SPAM filter? Unless you're doing something like whitelisting your domain (which is a bad idea in general) it should still be scanned.

Especially since in your example you have:
MAIL FROM: <[EMAIL PROTECTED]>
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>

which means that as far as the MTA is concerned, the mail came from <[EMAIL PROTECTED]> ..


Now what's the advantage of the above? It appears to come from the
receiver thus allowing it to be filtered on appropriately. Now as long as
the email doesn't break too many of the literally thousands of other
rules, it will make it through and appear to be legitimate (at least on the
side of the server).


actually, it will only "appear to be legitimate" on the side of the client. assuming the client displays the "[EMAIL PROTECTED]" part of the FROM: value as the sender (which a lot of clients do)

this is more of a social engineering issue, except that it's not really since the system is working exactly as it's been designed to.

No email from my domain either in the plain text name portion or the
actual sender email address should originate outside my domain's SPF
record. Any suggestions for hunting and destroying these emails?


In this case, if you want to avoid your end users being confused by this type of email, I would suggest that you check the comment portions (in quotes) and the email portion (in <>) of the From: to see if the comment contains your domain name, and if so if it matches the domain from the <>.

if it doesn't match, mark up the Subject or add a tag to the From: comment to make it obvious that it wasn't originated from your network.

HTH

alan
_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
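
The check suggested in the reply above, as an added example (not code from the thread or from MIMEDefang): it compares the display-name part of From: with the domain of the address in <> and tags the Subject on a mismatch. The domain `example.com`, the tag text, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

LOCAL_DOMAIN = "example.com"      # assumption: the domain being protected
TAG = "[NOT FROM OUR NETWORK]"    # assumption: hypothetical subject tag

def name_claims_other_origin(display_name, addr_domain, local_domain=LOCAL_DOMAIN):
    """True if the display name mentions local_domain but the address is elsewhere."""
    # Whole-label match, so "notexample.com" is not mistaken for "example.com".
    mentions = re.search(
        r"(?<![A-Za-z0-9-])" + re.escape(local_domain) + r"(?![A-Za-z0-9-])",
        display_name, re.IGNORECASE)
    if not mentions:
        return False
    dom = addr_domain.lower()
    # Subdomains of the protected domain count as matching.
    return not (dom == local_domain or dom.endswith("." + local_domain))

def tag_if_spoofed(raw_message, local_domain=LOCAL_DOMAIN):
    """Parse a message; if any From: mailbox mismatches, prefix the Subject with TAG."""
    # policy.default decodes RFC 2047 encoded display names before comparison.
    msg = message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    addresses = from_hdr.addresses if from_hdr is not None else ()
    spoofed = any(
        name_claims_other_origin(a.display_name, a.domain, local_domain)
        for a in addresses)
    if spoofed:
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    return spoofed, msg

# Constructed sample messages (not taken from the thread).
SPOOFED = ('From: "ceo@example.com" <sender@junkmail.example>\n'
           'To: user@example.com\nSubject: Invoice\n\nbody\n')
INTERNAL = ('From: "ceo@example.com" <ceo@mail.example.com>\n'
            'To: user@example.com\nSubject: Invoice\n\nbody\n')
LOOKALIKE = ('From: "info@notexample.com" <info@junkmail.example>\n'
             'To: user@example.com\nSubject: Hello\n\nbody\n')

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("internal", INTERNAL),
                       ("lookalike", LOOKALIKE)):
        flagged, msg = tag_if_spoofed(raw)
        print(label, flagged, msg["Subject"])
```

This only inspects the From: header; the envelope sender and SPF result are separate inputs and are not consulted here.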
