Multiple from inside mail headers

by fred-119

Hello guys,

This is not really XMail specific but I am a bit confused there and I need help from experts.

Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing.

Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked from, see this example:

Return-Path: <munitionb9@...>
Delivered-To: root@...
Received: from dsldevice.lan ([92.18.93.37]:49281)
        by mail with [XMail 1.26 ESMTP Server]
        id <SA34818> for <root@...> from <munitionb9@...>;
        Wed, 14 Oct 2009 11:50:35 -0400
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on spamshield.fullmetalpacket.com
X-Spam-Status: No, score=-87.3 required=9.0 tests=BAYES_50,HTML_MESSAGE,
        MIME_QP_LONG_LINE,NO_RELAYS,SPAMMY_XMAILER,TVD_RCVD_IP,TVD_RCVD_IP4,
        URIBL_BLACK,USER_IN_WHITELIST,XMAILER_MIMEOLE_OL_91287 autolearn=no
        version=3.2.4
Received: from 92.18.93.37 by soulofthejedi.net; Wed, 14 Oct 2009 16:40:46 +0000
Message-ID: <000d01ca4ce4$b2b7b9c0$6400a8c0@munitionb9>
From: "notifications@..." <notifications@...>
To: <root@...>
Subject: The settings for the root@... mailbox were changed
Date: Wed, 14 Oct 2009 16:40:46 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0007_01CA4CE4.B2B7B9C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300

This guy is sending email like this with links to spread his malware.

My filter is analyzing Return-Path: munitionb9@... instead of From: "notifications@..." notifications@...

Is there any way to analyze the faked from?

Thanks

-fred


_______________________________________________
xmail mailing list
xmail@...
http://xmailserver.org/mailman/listinfo/xmail

Re: Multiple from inside mail headers

by Davide Libenzi

On Wed, 14 Oct 2009, fred wrote:

>
> Hello guys,
>
> This is not really XMail specific but I am a bit confused there and I need help from experts.
>
> Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing.
>
> Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked
> from, see this example:

OK guys, XMail is an MTA and could care less of the envelope From: header.
Wherever you see FROM inside XMail, that's the return-path (that is the
address passed in the 'MAIL FROM:<...>' SMTP transaction).



- Davide



Re: Multiple from inside mail headers

by fred-119

I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a
solution to prevent these types of forged froms.

I will have to add code into my script to parse the message header and look
for the From: line, compare this from with the one in the SMTP transaction,
if they are different do something.

What do you guys think?

-fred

-----Original Message-----
From: xmail-bounces@... [mailto:xmail-bounces@...]
On Behalf Of Davide Libenzi
Sent: 14 October 2009 13:01
To: XMail Users Mailing List
Subject: Re: [xmail] Multiple from inside mail headers

On Wed, 14 Oct 2009, fred wrote:

>
> Hello guys,
>
> This is not really XMail specific but I am a bit confused there and I need
> help from experts.
>
> Here is the problem, I am using a filter that works with SPF, everything
> is working fine except one thing.
>
> Sometimes forged froms pass through the filter because the filter is
> getting the return-path instead of a faked
> from, see this example:

OK guys, XMail is an MTA and could care less of the envelope From: header.
Wherever you see FROM inside XMail, that's the return-path (that is the
address passed in the 'MAIL FROM:<...>' SMTP transaction).

- Davide

Re: Multiple from inside mail headers

by Davide Libenzi

On Wed, 14 Oct 2009, fred wrote:

> I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a
> solution to prevent these types of forged froms.
>
> I will have to add code into my script to parse the message header and look
> for the From: line, compare this from with the one in the SMTP transaction,
> if they are different do something.
>
> What do you guys think?

Can work, but you need a post-data filter for it.



- Davide



Re: Multiple from inside mail headers

by fred-119

Yes, my current SPF script is at that level, I will simply add code into it
to do this check. It will take more time to process but I like that better
than having villains sending viruses to the user accounts of my server.

-----Original Message-----
From: xmail-bounces@... [mailto:xmail-bounces@...]
On Behalf Of Davide Libenzi
Sent: 14 October 2009 13:20
To: XMail Users Mailing List
Subject: Re: [xmail] Multiple from inside mail headers

On Wed, 14 Oct 2009, fred wrote:

> I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a
> solution to prevent these types of forged froms.
>
> I will have to add code into my script to parse the message header and look
> for the From: line, compare this from with the one in the SMTP transaction,
> if they are different do something.
>
> What do you guys think?

Can work, but you need a post-data filter for it.

- Davide

Re: Multiple from inside mail headers

by CLEMENT Francis

>-----Original Message-----
>From: xmail-bounces@...
>[mailto:xmail-bounces@...] On behalf of fred
>Sent: Wednesday, 14 October 2009 19:25
>To: 'XMail Users Mailing List'
>Subject: Re: [xmail] Multiple from inside mail headers
>
>Yes, my current SPF script is at that level, I will simply add code into it
>to do this check. It will take more time to process but I like that better
>than having villains sending viruses to the user accounts of my server.
>
>-----Original Message-----
>From: xmail-bounces@...
>[mailto:xmail-bounces@...]
>On Behalf Of Davide Libenzi
>Sent: 14 October 2009 13:20
>To: XMail Users Mailing List
>Subject: Re: [xmail] Multiple from inside mail headers
>
>On Wed, 14 Oct 2009, fred wrote:
>
>> I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a
>> solution to prevent these types of forged froms.
>>
>> I will have to add code into my script to parse the message header and look
>> for the From: line, compare this from with the one in the SMTP transaction,
>> if they are different do something.
>>
>> What do you guys think?
>
>Can work, but you need a post-data filter for it.
>
>- Davide

You need to read the mail to find the original From: from your script, not
from xmail variables based on smtp level.

Francis

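The comparison discussed in this thread (header From: against the SMTP MAIL FROM address, done in a post-data filter), as an added example that is not code from the thread or from XMail. It assumes the filter receives the envelope sender as a string and the raw message as bytes; the function names and the example.* addresses are constructed for illustration.

```python
from email import message_from_bytes
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the headers in the first post; the
# example.* domains stand in for the addresses elided on the page.
SAMPLE = (
    b"Return-Path: <munitionb9@isp.example>\r\n"
    b'From: "notifications@corp.example" <notifications@corp.example>\r\n'
    b"To: <root@corp.example>\r\n"
    b"Subject: The settings for the mailbox were changed\r\n"
    b"\r\n"
    b"body\r\n"
)

def domain_of(address):
    """Lower-cased domain of an address, or '' when there is none."""
    _local, at, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def compare_senders(envelope_sender, raw_message):
    """Return 'aligned', 'mismatch', 'malformed' or 'null-sender'.

    envelope_sender is the MAIL FROM value the MTA hands to the filter
    (assumption: passed in as a string such as '<user@host>').
    """
    msg = message_from_bytes(raw_message)
    from_headers = msg.get_all("From", [])
    # Exactly one From: header is valid. With duplicates, the filter and
    # the recipient's mail client may each trust a different one.
    if len(from_headers) != 1:
        return "malformed"
    # A From: listing several mailboxes is treated as malformed here
    # to keep the comparison unambiguous.
    addresses = [a for _name, a in getaddresses([str(from_headers[0])]) if a]
    header_domain = domain_of(addresses[0]) if len(addresses) == 1 else ""
    if not header_domain:
        return "malformed"
    envelope_domain = domain_of(parseaddr(envelope_sender)[1])
    if not envelope_domain:
        return "null-sender"  # MAIL FROM:<> (bounces): nothing to compare
    return "aligned" if header_domain == envelope_domain else "mismatch"
```

Mail relayed by mailing lists or forwarders legitimately carries differing domains, so a "mismatch" result is better used as a scoring signal than as an outright reject.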