> -----Original Message-----
> From: Will Yardley [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 30, 2004 12:58 PM
> To: users@spamassassin.apache.org
> Subject: Re: spoofed Received header
>
> On Thu, Sep 30, 2004 at 12:50:04PM -0700, Nate Schindler wrote:
>
> > I actually block all incoming mail that claims to be from my domain.
> > The only problem is that I don't get copies of messages that I send to
> > some lists, such as this one. But... as far as I'm concerned, if a
> > mail server isn't listed as an MX for <somedomain.com>, it should use
> > <somedomain.com> in the mail from or envelope from fields. It's a
> > wide open hole for spam and social engineering attacks.
>
> Should or should not?
> And what does being listed as an MX have to do with sending mail? It's
> completely reasonable for a server not listed as an MX for a domain to
> send mail "from" that domain. Or am I misunderstanding what you're
> saying?
Sorry, I meant should NOT. :)

According to the RFCs (from what I've seen) MX records are *not* required for sending servers. This is a problem. Unfortunately, it's difficult to validate a source machine when an MX record doesn't exist. Even when we had a send-only server, we had a low-priority MX record for it. Many anti-spam packages do RMX lookups, if not to validate 'mail from', to at least see if records exist for it at all to make it seem more like a legitimate mail host.

> > I was actually surprised to see that even anti-spam lists such as this
> > one spoof the envelope from field. :/
>
> What are you talking about?
>
> Any reasonable MLM (including the one used for this list, which I
> believe is EZMLM) rewrites the envelope address to its own.
>
> Because the MLM used by this list uses VERP, your address is embedded in
> the envelope-address - maybe your filters just aren't configured
> properly?

There are two From lines in an incoming message, mail from, and the envelope from which is in the data portion. We scan only the envelope from field for our domain name, because it's what users see. For example, in your reply, my mail client says the message is from "[EMAIL PROTECTED]". When I click Reply, I have to change the To field so that it gets back to the list, instead of directly to you. I know this is how list servers work, but I don't agree with it.

I did mis-state what I said above. Technically, it's not "spoofed". Having the original sender in the envelope from field, even though the message isn't being delivered by the original mail server, is allowed according to the RFCs... but when it comes to getting a virus that uses my address in the envelope from field, should I say that wasn't spoofed either?

There's also the point that with these list archives, since address obfuscation is either very simple, or nonexistent, scouring bots can acquire our addresses. I try to treat my e-mail address as if it were my personal phone number.
I don't sign up with many mailing lists for this reason... but I love SpamAssassin, so I've made an exception. ;) Well, that, and I wanted to track issues with v3.

Anyway, IMO, when my mail server hands a message off to another external system, it's no longer a trusted message. It shouldn't come back in claiming to be from us anymore in either from field, and I'll happily bounce it right back. It's a flaw in the standard which is exploited by spammers and virus programmers. There are IETF drafts for using RMX validation for sending hosts, but who knows if those'll ever become anything solid.

Nate
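As an added illustration (not part of the thread), the two sender addresses the exchange above argues about, parsed from constructed messages: the envelope sender preserved in Return-Path versus the From: header in the DATA portion. The EZMLM/VERP address layout and all sample headers are assumptions; the code shows why a rule on the header From rejects a subscriber's own list copy while a rule on the envelope does not, and why neither alone catches a forged header.

```python
import email
from email.utils import parseaddr

# Constructed samples, not real captures.  LIST_COPY is Nate's own post relayed
# back by an EZMLM-style list (assumed VERP layout list-return-N-user=host@list);
# FORGED is outside mail that forges only the From: header.
LIST_COPY = """\
Return-Path: <users-return-12345-nate=example.com@spamassassin.apache.org>
From: Nate Schindler <nate@example.com>
Subject: Re: spoofed Received header

Sorry, I meant should NOT. :)
"""
FORGED = """\
Return-Path: <bounce@mailer.example.net>
From: IT Helpdesk <helpdesk@example.com>

Please confirm your password.
"""

def addresses(raw):
    """Return (envelope_sender, header_from), lower-cased.  The SMTP MAIL FROM
    survives as Return-Path once the receiving MTA records it; the From:
    header lives in the DATA portion and is what users see."""
    msg = email.message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header = parseaddr(msg.get("From", ""))[1].lower()
    return envelope, header

def domain_of(addr):
    return addr.rpartition("@")[2]

def rejected_by_header_from_rule(raw, own_domain):
    """Nate's rule: drop external mail whose From: header claims our domain.
    Catches FORGED, but also drops our own posts relayed back by a list."""
    return domain_of(addresses(raw)[1]) == own_domain

def rejected_by_envelope_rule(raw, own_domain):
    """Same check on the envelope sender.  The list rewrote it to its own VERP
    address, so LIST_COPY passes; FORGED passes too (only the header is forged)."""
    return domain_of(addresses(raw)[0]) == own_domain

def verp_original_recipient(envelope, list_domain):
    """Decode an EZMLM-style VERP envelope to the subscriber it encodes."""
    local, _, dom = envelope.rpartition("@")
    if dom != list_domain or "=" not in local:
        return None
    user, _, host = local.rsplit("-", 1)[1].partition("=")
    return f"{user}@{host}"
```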