Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

2017-02-09 Thread Sebastian Nielsen
The problem here is that DKIM isn't aligned to paypal.com
Enforce strict DKIM alignment on sensitive domains like paypal

smime.p7s
Description: S/MIME Cryptographic Signature


Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

2017-02-09 Thread lists
That is the mailchimp server. (Technically rocketsciencegroup.com) So has the email originator figured out some sort of unintended use of mailchimp?

From: Sebastian Nielsen
Sent: Thursday, February 9, 2017 2:24 AM
To: postfix-users@postfix.org
Subject: Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

The problem here is that DKIM isn't aligned to paypal.com
Enforce strict DKIM alignment on sensitive domains like paypal


Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

2017-02-09 Thread Dominic Raferd
On 9 Feb 2017 12:53,  wrote:

> That is the mailchimp server. (Technically rocketsciencegroup.com) So has
> the email originator figured out some sort of unintended use of mailchimp?
>
> *From: *Sebastian Nielsen
> *Sent: *Thursday, February 9, 2017 2:24 AM
> *To: *postfix-users@postfix.org
> *Subject: *Re: The "from" header looks like paypal but it is coming from
> somewhere else. [signed]
>
> The problem here is that DKIM isn't aligned to paypal.com
> Enforce strict DKIM alignment on sensitive domains like paypal

I don't think this is a DKIM issue. A bespoke regex as check_header should
be able to trap this specific faking attempt - if it relates as I think to
the internal From header not the envelope sender (client).

More generally, are there legitimate cases where a sender shows a different
but apparently valid email address as the (whole) to text of the From
compared with the actual address which follows it? If not, can a pcre regex
match such situations or is something more sophisticated needed?


Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

2017-02-09 Thread Sebastian Nielsen
It is a DKIM issue. Google "strict DKIM alignment"

This is something usually defined in DMARC, but you could have a local 
definition that forces strict DKIM alignment for sensitive domains, like "all 
domains containing *paypal* or *bank*".

Dominic Raferd wrote: (9 February 2017 12:11:11 CET)
>On 9 Feb 2017 12:53,  wrote:
>
>That is the mailchimp server. (Technically rocketsciencegroup.com) So has
>the email originator figured out some sort of unintended use of mailchimp?
>
>*From: *Sebastian Nielsen
>*Sent: *Thursday, February 9, 2017 2:24 AM
>*To: *postfix-users@postfix.org
>*Subject: *Re: The "from" header looks like paypal but it is coming from
>somewhere else. [signed]
>
>The problem here is that DKIM isn't aligned to paypal.com
>Enforce strict DKIM alignment on sensitive domains like paypal
>
>I don't think this is a DKIM issue. A bespoke regex as check_header should
>be able to trap this specific faking attempt - if it relates as I think to
>the internal From header not the envelope sender (client).
>
>More generally, are there legitimate cases where a sender shows a different
>but apparently valid email address as the (whole) to text of the From
>compared with the actual address which follows it? If not, can a pcre regex
>match such situations or is something more sophisticated needed?


smime.p7s
Description: S/MIME Cryptographic Signature
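
The two checks discussed in this thread, side by side, as an added example that is not code from any poster or from Postfix: a display-name check on the From header and a strict DKIM alignment check for sensitive domains. It assumes the Authentication-Results header was written by your own trusted MTA or milter after verifying the signature; the function name, finding labels and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Local policy from the thread: domains containing "paypal" or "bank".
SENSITIVE = re.compile(r"paypal|bank", re.I)
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", re.I)

def check_from(raw):
    """Return findings for one raw message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    findings = []
    # Check 1: the display name shows an address in a different domain
    # from the real address that follows it.
    shown = ADDR_IN_NAME.search(name)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-mismatch")
    # Check 2: strict alignment. For a sensitive From domain, a passing
    # DKIM signature must have d= exactly equal to that domain.
    if SENSITIVE.search(from_dom):
        results = " ".join(msg.get_all("Authentication-Results", []))
        passed = {d.lower() for d in DKIM_PASS.findall(results)}
        if from_dom not in passed:
            findings.append("dkim-not-strictly-aligned")
    return findings

# Constructed sample messages (not taken from the thread).
AR = "Authentication-Results: mx.example.org; dkim=pass header.d="
SPOOFED_NAME = ('From: "service@paypal.com" <news@mail.example.net>\n'
                + AR + "mail.example.net\n\nbody\n")
UNALIGNED = ("From: PayPal <service@paypal.com>\n"
             + AR + "bulk.example.net\n\nbody\n")
ALIGNED = ("From: PayPal <service@paypal.com>\n"
           + AR + "paypal.com\n\nbody\n")

if __name__ == "__main__":
    for label, raw in [("spoofed name", SPOOFED_NAME),
                       ("unaligned", UNALIGNED), ("aligned", ALIGNED)]:
        print(label, check_from(raw))
```

The first sample passes the alignment check because the real From domain signs its own mail, so only the display-name check flags it; the second is caught only by strict alignment.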