Meno wrote:
> 
> 
> ----- Original Message -----
> From: Noel Jones  
> To: Meno  
> Sent: 16.01.2009 18:10 
> Subject: Re: MAIL FROM confusion
> 
>> Meno wrote:
>>> Hi all,
>>>
>>> Does somebody know what may cause a confusion like this?
>>>
>>> In maillog you can see, that the sender is 
>>> "from=msmith(at)acutecprecision(dot)com" (see below)
>>>
>>> r...@smtp3 # cat /var/log/mail-smtp3-090115.log | grep 55BB716282
>>> Jan 15 04:43:25 smtp3 postfix/smtpd[17488]: [ID 197553 mail.info] 
>>> 55BB716282: client=localhost[127.0.0.1]
>>> Jan 15 04:43:25 smtp3 postfix/cleanup[15371]: [ID 197553 mail.info] 
>>> 55BB716282: messageid 
>>> Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info] 55BB716282: 
>>> from=msmith(at)acutecprecision(dot)com,size=2407, nrcpt=1 (queue active)
>>> Jan 15 04:43:25 smtp3 postfix/smtp[16197]: [ID 197553 mail.info] 
>>> 55BB716282:to=jlopatka(at)notes(dot)mydomain(dot)com,orig_to=jlopatka(at)mydomain(dot)com,relay=notes.mydomain.com[10.10.10.174]:25,delay=0.21,
>>>  delays=0.19/0/0.01/0.01, dsn=2.0.0, status=sent (250 Message accepted for 
>>> delivery)
>>> Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info] 55BB716282: 
>>> removed 
>>>
>>>
>>>
>>> But when I get this mail to my inbox, the source of this mail looks like 
>>> this:
>>> The sender is "from=jlopatka(at)mydomain(dot)com" which is my email 
>>> address.
>>> Based on this source code, the email client assumes that it was sent by me,
>>> which is not true. It was received from "unknown [211.203.243.81]"
>>>
>>>
>>>
>>>
>>> Received: from smtp3.example.com ([211.51.20.89])
>>>          by smtp1.example.com (Lotus Domino Release 7.0.3FP1)
>>>          with ESMTP id 2009011504432553-28468 ;
>>>          Thu, 15 Jan 2009 04:43:25 +0100
>>> Received: from smtp2.example.com (localhost [127.0.0.1])
>>>                 by smtp3.example.com (Postfix) with ESMTP id 55BB716282
>>>                 for ; Thu, 15 Jan 2009 04:43:25 +0100 (MET)
>>> X-Received-SPF: no SPF record found
>>> Received: from 3com.com (unknown [211.203.243.81])by smtp2.example.com
>>>                 (Postfix) with SMTP id 536831631for ; Thu, 15 Jan
>>>                 2009 04:43:22 +0100 (CET)
>>> To: jlopatka(at)mydomain(dot)com
>>> Subject: RE: message 62625
>>> From: jlopatka(at)mydomain(dot)com
>>> MIME-Version: 1.0
>>> Importance: High
>>> Message-Id: 
>>> Date: Thu, 15 Jan 2009 04:43:22 +0100 (CET)
>>>
>>>
>>> Does somebody know how to stop getting such mail?
>>> Either SPF cannot help me!
>>>
>>> Thankx, 
>>> Chris
>>>
>> The From: and To: in your logs and headers apparently got 
>> eaten somewhere, so I can't see what you're referring to.
>>
>> If you are getting mail claiming to be from your own domain, 
>> this has been discussed on the list several times recently. 
>> Check the archives.
>>
>> This particular client is listed in multiple RBLs, you could 
>> reject it and lots of other spam with "reject_rbl_client 
>> zen.spamhaus.org".  Check the www.spamhaus.org web site for 
>> usage restrictions.
>>
>> The client also has no rDNS hostname, you could reject such 
>> clients with "reject_unknown_reverse_client_hostname".  This 
>> restriction might reject legit mail, so watch your logs.
>>
>> The client used the HELO hostname "3com.com", which is bogus.
>> You could reject this HELO hostname with a check_helo_access 
>> map, but this would be less generally useful than the above 
>> two checks.  See the archive for examples.
>>
>> Your system should already reject unknown recipients for your 
>> own domain.  You can reject mail using nonexistent local 
>> sender addresses by setting in main.cf:
>> smtpd_reject_unlisted_sender = yes
>>
>> -- 
>> Noel Jones
>>
> 
> Thank you Noel for quick answer,
> 
> I do not know why these from: and to: addresses
> have disappeared...maybe my provider is blocking 
> email add. in outgoing mails. hm!?

That is unlikely. Most probably, your mail system removes what looks
like HTML tags.

> I will try to use another convention - user(at)domain(dot)com
> I hope it will go through :)
> 

Remove the '<' and '>' around email addresses and see if they get out.

>> If you are getting mail claiming to be from your own domain, 
>> this has been discussed on the list several times recently. 
>> Check the archives.
> 
> You are right, but I think this is a special case, because
> in my maillog, postfix assumes, that the sender is 
> smith(at)acutecprecision(dot)com - it goes through the SPF
> check - but when I get it to my mailbox the from: address
> is my e-mail address : jlopatka(at)mydomain(dot)com
> and only in SMTPOriginator header information can find
> the smith(at)acutecprecision(dot)com
> 
> I am curious how the attacker can confuse the address?
> 

You confuse "envelope addresses" and "header addresses".

The address you see in postfix logs is the "envelope sender". If there
is an error, a bounce is sent to this address.

The address you see in your mailer is the "From: header". This is where a
human would send a reply (unless the sender has specified a "Reply-To"
address... etc).

If you look at _this_ message you receive from the list, you'll see that
the From: header contains my address, but I didn't send it to you: the
envelope sender is that of the postfix mailing list.

Google for "envelope sender" and "envelope recipient" for more info.
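To make the envelope/header distinction concrete, here is an added example (not code from the thread or from Postfix) that pulls the envelope sender out of a Postfix `from=` log line and out of `Return-Path:`, reads the `From:` header the way a mail client would, and walks the `Received:` chain from our own trusted hops outward to find the external client that handed the message in. The sample message and log line are constructed, modelled on the headers quoted above; `mydomain.com`, `external-sender.example` and the list of trusted relay networks are placeholders for this example. It finishes with the check Noel's answer implies: a `From:` address in one of our own domains arriving from an untrusted client is the self-spoofing case the original poster describes.

```python
"""Envelope sender vs. From: header, plus a check for self-spoofed mail.

Added example, not from the thread.  Sample headers and the log line are
constructed, modelled on the ones quoted above; domains and networks are
placeholders.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message.  The From: header claims the local domain,
# while the envelope sender (Return-Path) is an unrelated address.
RAW_MESSAGE = """\
Return-Path: <sender@external-sender.example>
Received: from smtp3.example.com ([211.51.20.89])
         by smtp1.example.com (Lotus Domino Release 7.0.3FP1)
         with ESMTP id 2009011504432553-28468 ;
         Thu, 15 Jan 2009 04:43:25 +0100
Received: from smtp2.example.com (localhost [127.0.0.1])
         by smtp3.example.com (Postfix) with ESMTP id 55BB716282
         for <jlopatka@mydomain.com>; Thu, 15 Jan 2009 04:43:25 +0100 (MET)
X-Received-SPF: no SPF record found
Received: from 3com.com (unknown [211.203.243.81])
         by smtp2.example.com (Postfix) with SMTP id 536831631
         for <jlopatka@mydomain.com>; Thu, 15 Jan 2009 04:43:22 +0100 (CET)
To: jlopatka@mydomain.com
Subject: RE: message 62625
From: jlopatka@mydomain.com
Date: Thu, 15 Jan 2009 04:43:22 +0100 (CET)

(body)
"""

# Constructed qmgr log line in the shape of the one quoted in the thread
# (real Postfix logs put the envelope sender in angle brackets).
LOG_LINE = ("Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: 55BB716282: "
            "from=<sender@external-sender.example>, size=2407, nrcpt=1 (queue active)")

LOCAL_DOMAINS = {"mydomain.com"}                      # placeholder
# Hosts whose Received: headers we trust: loopback plus our own relay.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("211.51.20.89/32")]  # placeholder relay

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[([0-9.]+)\]", re.S)
LOG_FROM_RE = re.compile(r"\bfrom=<?([^>,\s]*)>?")


def envelope_sender_from_log(line):
    """Envelope sender as Postfix logged it (the qmgr 'from=' field).
    Tolerates the angle brackets being stripped, as in the quoted log."""
    m = LOG_FROM_RE.search(line)
    return m.group(1) if m else None


def envelope_sender(msg):
    """Envelope sender as recorded at final delivery (Return-Path:)."""
    return parseaddr(str(msg.get("Return-Path", "")))[1]


def header_from(msg):
    """The address a mail client displays: the From: header, nothing else."""
    return parseaddr(str(msg.get("From", "")))[1]


def originating_client(msg):
    """Walk Received: headers newest-first and return (hostname, ip, has_rdns)
    for the first hop not written by a trusted host: the external client that
    handed the message to our edge.  Anything below that hop could have been
    forged by the client, so it is never consulted."""
    for received in msg.get_all("Received", []):
        text = str(received)
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        host, ip = m.group(1), ipaddress.ip_address(m.group(2))
        if any(ip in net for net in TRUSTED_NETS):
            continue
        has_rdns = "(unknown [" not in text   # Postfix writes 'unknown' when rDNS fails
        return host, str(ip), has_rdns
    return None


def spoofed_local_sender(msg):
    """True when From: claims one of our domains but the message entered from
    an external client.  Our own users submit through trusted hosts, so a
    local From: arriving from outside is the case described in the thread."""
    from_domain = header_from(msg).rpartition("@")[2].lower()
    return from_domain in LOCAL_DOMAINS and originating_client(msg) is not None


def analyse(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "envelope_sender": envelope_sender(msg),
        "header_from": header_from(msg),
        "client": originating_client(msg),
        "spoofed_local_sender": spoofed_local_sender(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(f"{key}: {value}")
    print("log envelope sender:", envelope_sender_from_log(LOG_LINE))
```

Run against the sample, the envelope sender (log line and Return-Path) is the external address Postfix logged, the displayed `From:` is the local user, and the originating client resolves to `3com.com [211.203.243.81]` with no rDNS, so the message is flagged. The walk is deliberately top-down from our own relays rather than bottom-up from the oldest `Received:` line, because the lines below our edge are whatever the client chose to write.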
