----- Original Message -----
From: Noel Jones
To: Meno
Sent: 16.01.2009 18:10
Subject: Re: MAIL FROM confusion

> Meno wrote:
> > Hi all,
> > 
> > Does somebody know what may cause a confusion like this?
> > 
> > In maillog you can see, that the sender is 
> > "from=msmith(at)acutecprecision(dot)com" (see below)
> > 
> > r...@smtp3 # cat /var/log/mail-smtp3-090115.log | grep 55BB716282
> > Jan 15 04:43:25 smtp3 postfix/smtpd[17488]: [ID 197553 mail.info] 
> > 55BB716282: client=localhost[127.0.0.1]
> > Jan 15 04:43:25 smtp3 postfix/cleanup[15371]: [ID 197553 mail.info] 
> > 55BB716282: messageid 
> > Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info]5BB716282: 
> > from=msmith(at)acutecprecision(dot)com,size=2407, nrcpt=1 (queue active)
> > Jan 15 04:43:25 smtp3 postfix/smtp[16197]: [ID 197553 mail.info] 
> > 55BB716282:to=jlopatka(at)notes(dot)mydomain(dot)com,orig_to=jlopatka(at)mydomain(dot)com,relay=notes.mydomain.com[10.10.10.174]:25,delay=0.21,
> >  delays=0.19/0/0.01/0.01, dsn=2.0.0, status=sent (250 Message accepted for 
> > delivery)
> > Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info] 55BB716282: 
> > removed 
> > 
> > 
> > 
> > But when I get this mail to my inbox, the source of this mail looks like 
> > this:
> > The sender is "from=jlopatka(at)mydomain(dot)com" which is my email 
> > address.
> > Based on this source code, the email client assumes that it was sent by me,
> > which is not true. It was received from "unknown [211.203.243.81]"
> > 
> > 
> > 
> > 
> > Received: from smtp3.example.com ([211.51.20.89])
> >          by smtp1.example.com (Lotus Domino Release 7.0.3FP1)
> >          with ESMTP id 2009011504432553-28468 ;
> >          Thu, 15 Jan 2009 04:43:25 +0100
> > Received: from smtp2.example.com (localhost [127.0.0.1])
> >                 by smtp3.example.com (Postfix) with ESMTP id 55BB716282
> >                 for ; Thu, 15 Jan 2009 04:43:25 +0100 (MET)
> > X-Received-SPF: no SPF record found
> > Received: from 3com.com (unknown [211.203.243.81])by smtp2.example.com
> >                 (Postfix) with SMTP id 536831631for ; Thu, 15 Jan
> >                 2009 04:43:22 +0100 (CET)
> > To: jlopatka(at)mydomain(dot)com
> > Subject: RE: message 62625
> > From: jlopatka(at)mydomain(dot)com
> > MIME-Version: 1.0
> > Importance: High
> > Message-Id: 
> > Date: Thu, 15 Jan 2009 04:43:22 +0100 (CET)
> > 
> > 
> > Does somebody know how to stop getting such mail?
> > Either SPF cannot help me!
> > 
> > Thankx, 
> > Chris
> > 
> 
> The From: and To: in your logs and headers apparently got 
> eaten somewhere, so I can't see what you're referring to.
> 
> If you are getting mail claiming to be from your own domain, 
> this has been discussed on the list several times recently. 
> Check the archives.
> 
> This particular client is listed in multiple RBLs, you could 
> reject it and lots of other spam with "reject_rbl_client 
> zen.spamhaus.org".  Check the www.spamhaus.org web site for 
> usage restrictions.
> 
> The client also has no rDNS hostname, you could reject such 
> clients with "reject_unknown_reverse_client_hostname".  This 
> restriction might reject legit mail, so watch your logs.
> 
> The client used the HELO hostname "3com.com", which is bogus.
> You could reject this HELO hostname with a check_helo_access 
> map, but this would be less generally useful than the above 
> two checks.  See the archive for examples.
> 
> Your system should already reject unknown recipients for your 
> own domain.  You can reject mail using nonexistent local 
> sender addresses by setting in main.cf:
> smtpd_reject_unlisted_sender = yes
> 
> -- 
> Noel Jones
> 

Thank you Noel for quick answer,

I do not know why these from: and to: addresses
have disappeared...maybe my provider is blocking 
email add. in outgoing mails. hm!?
I will try to use another convention - user(at)domain(dot)com
I hope it will go through :)

> If you are getting mail claiming to be from your own domain, 
> this has been discussed on the list several times recently. 
> Check the archives.

You are right, but I think this is a special case, because
in my maillog, postfix assumes, that the sender is 
smith(at)acutecprecision(dot)com - it goes through the SPF
check - but when I get it to my mailbox the from: address
is my e-mail address : jlopatka(at)mydomain(dot)com
and only in SMTPOriginator header information can find
the smith(at)acutecprecision(dot)com

I am curious how the attacker can confuse the address?

Thanks,
Chris
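
Added example, not part of the original messages: the `from=` field Postfix logs is the envelope sender given in the SMTP MAIL FROM command (the identity SPF evaluates), while a mail client displays the From: header carried in the message content, and the two are set independently. The sketch below correlates the two by queue ID and flags a message whose From: header claims a local domain while the envelope sender is foreign; the sample log, the headers, the `.example` addresses and `LOCAL_DOMAINS` are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data modelled on the log and headers quoted above
# (addresses and domains are placeholders, not the poster's real ones).
LOG = """\
Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info] 55BB716282: from=<msmith@sender.example>, size=2407, nrcpt=1 (queue active)
Jan 15 04:43:25 smtp3 postfix/smtp[16197]: [ID 197553 mail.info] 55BB716282: to=<jlopatka@mydomain.example>, status=sent
"""
MESSAGE = """\
Received: from smtp2.example.com (localhost [127.0.0.1])
\tby smtp3.example.com (Postfix) with ESMTP id 55BB716282;
\tThu, 15 Jan 2009 04:43:25 +0100 (MET)
To: jlopatka@mydomain.example
Subject: RE: message 62625
From: jlopatka@mydomain.example

body
"""
LOCAL_DOMAINS = {"mydomain.example"}  # assumption: domains this site owns

def envelope_senders(log_text):
    """Map queue ID -> envelope sender (MAIL FROM) as logged by qmgr."""
    pat = re.compile(
        r"postfix/qmgr\[\d+\]: (?:\[ID [^\]]*\] )?([0-9A-F]+): from=<([^>]*)>")
    return {m.group(1): m.group(2).lower() for m in pat.finditer(log_text)}

def queue_id(msg):
    """Queue ID from the first Received: header written by Postfix."""
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\(Postfix\) with E?SMTP id ([0-9A-F]+)", hdr)
        if m:
            return m.group(1)
    return None

def domain(addr):
    return addr.rpartition("@")[2].lower()

def check(message_text, log_text):
    """Compare the header From: with the envelope sender for one message."""
    msg = message_from_string(message_text)
    qid = queue_id(msg)
    env = envelope_senders(log_text).get(qid, "")
    hdr = parseaddr(msg.get("From", ""))[1].lower()
    spoofed = domain(hdr) in LOCAL_DOMAINS and domain(env) not in LOCAL_DOMAINS
    return {"queue_id": qid, "envelope_from": env, "header_from": hdr,
            "mismatch": domain(env) != domain(hdr), "claims_local": spoofed}
```

A plain mismatch is common for legitimate mail such as mailing lists, so `claims_local` is the field worth alerting on.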





