Re: Multiple from inside mail headers


Re: Multiple from inside mail headers

by CLEMENT Francis

Hello Fred

As this is a filter, the choice made to use 'return-path' in place of 'from'
is filter specific, not related to xmail.

To help you we need to know more about this filter, how it works,
parameters, ...
Self-written filter or found on the net?
Do you have source code for this filter (or can we get it somewhere)?

Francis


-----Original Message-----
From: xmail-bounces@... [mailto:xmail-bounces@...] On Behalf Of fred
Sent: Wednesday, October 14, 2009 17:56
To: 'XMail Users Mailing List'
Subject: [xmail] Multiple from inside mail headers


Hello guys,
 
This is not really XMail specific but I am a bit confused there and I need
help from experts.
 
Here is the problem: I am using a filter that works with SPF; everything is
working fine except one thing.
 
Sometimes forged froms pass through the filter because the filter is getting
the return-path instead of a faked from, see this example:
 
Return-Path: <munitionb9@...>
Delivered-To: root@...
Received: from dsldevice.lan ([92.18.93.37]:49281)
                by mail with [XMail 1.26 ESMTP Server]
                id <SA34818> for <root@...> from <munitionb9@...>;
                Wed, 14 Oct 2009 11:50:35 -0400
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
                spamshield.fullmetalpacket.com
X-Spam-Status: No, score=-87.3 required=9.0 tests=BAYES_50,HTML_MESSAGE,
                MIME_QP_LONG_LINE,NO_RELAYS,SPAMMY_XMAILER,TVD_RCVD_IP,TVD_RCVD_IP4,
                URIBL_BLACK,USER_IN_WHITELIST,XMAILER_MIMEOLE_OL_91287
                autolearn=no version=3.2.4
Received: from 92.18.93.37 by soulofthejedi.net; Wed, 14 Oct 2009 16:40:46 +0000
Message-ID: <000d01ca4ce4$b2b7b9c0$6400a8c0@munitionb9>
From: "notifications@..." <notifications@...>
To: <root@...>
Subject: The settings for the root@... mailbox were changed
Date: Wed, 14 Oct 2009 16:40:46 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
                boundary="----=_NextPart_000_0007_01CA4CE4.B2B7B9C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300
 
 
This guy is sending email like this with links to spread his malware.
 
My filter is analyzing Return-Path: munitionb9@... instead of
From: "notifications@..." notifications@...
 
Is there any way to analyze the faked from?
 
Thanks
 
-fred
_______________________________________________
xmail mailing list
xmail@...
http://xmailserver.org/mailman/listinfo/xmail

Re: Multiple from inside mail headers

by fred-119

Hi Francis,

Thanks for your reply.

This is a self-written script that gets the following arguments from
filter.post-data.tab:

"!aex"  "/mailsrv/MailRoot/filters/spfcheck/spfcheck.php"       "@@FROM"        "@@CRCPT"       "@@REMOTEADDR"  "@@FILE"

The @@FROM is the actual variable that is checked by this linux command
(from within a PHP script):

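// escapeshellarg() keeps the sender-controlled values from being parsed by the shell
exec("spfquery --name " . escapeshellarg($this->_spfServer) . " -sender=" . escapeshellarg($this->_from)
    . " -ip=" . escapeshellarg($this->_remoteAddress) . " -helo=" . escapeshellarg($this->_helo),
    $output, $return);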

$this->_from == @@FROM

Spfquery returns a digit as the return code, which is what I use for either
dropping the email or letting it go through.

Thanks

-fred
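
Added example (not part of the original posts and not fred's filter): SPF, as invoked above with @@FROM, only authenticates the envelope sender, so a filter that wants to look at the header From has to read it from the message file passed as @@FILE and compare the two. The function names, the constructed sample message and the `<<MAIL-DATA>>` preamble marker (assumed from XMail's spool file layout) are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

MAIL_DATA_MARKER = "<<MAIL-DATA>>"  # assumption: ends the XMail spool preamble


def domain_of(address):
    """Lower-cased domain part of an address, '' when there is none."""
    address = address.strip().strip("<>")
    return address.rpartition("@")[2].lower() if "@" in address else ""


def check_from_alignment(envelope_from, raw_message):
    """Compare the envelope sender (what SPF checks) with the header From.

    Returns (verdict, header_from_domains) where verdict is 'aligned',
    'mismatch', 'multiple-from', 'no-from' or 'null-sender'.
    """
    # Skip any server preamble in front of the RFC 5322 message.
    _, marker, rest = raw_message.partition(MAIL_DATA_MARKER)
    if marker:
        raw_message = rest.lstrip("\r\n")
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    addresses = [addr for _, addr in getaddresses(from_headers) if addr]
    domains = sorted({domain_of(a) for a in addresses} - {""})
    if not domains:
        return "no-from", domains
    # More than one From header or author is itself suspicious input.
    if len(from_headers) > 1 or len(addresses) > 1:
        return "multiple-from", domains
    envelope_domain = domain_of(envelope_from)
    if not envelope_domain:  # bounces use the empty sender "<>"
        return "null-sender", domains
    verdict = "aligned" if domains[0] == envelope_domain else "mismatch"
    return verdict, domains


# Constructed sample: envelope sender and header From use different domains.
SAMPLE = (
    "Return-Path: <munitionb9@bulk.example.net>\n"
    'From: "notifications@corp.example.org" <notifications@corp.example.org>\n'
    "To: <root@corp.example.org>\n"
    "Subject: The settings for the mailbox were changed\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(check_from_alignment("munitionb9@bulk.example.net", SAMPLE))
```

The comparison is an exact domain match; a 'mismatch' verdict is the case an SPF pass on the envelope sender alone cannot see.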

