Spam with my company domain

Spam with my company domain

by Jeremy Davila


Hi all,

I'm getting spam which is addressed to another person in my company, but it is getting sent to me. So in my inbox the To field is Kristin, but in Jeremy's inbox.

Re: Spam with my company domain

by John Hardin

On Wed, 28 Oct 2009, Jeremy Davila wrote:

> I'm getting spam which is addressed to another person in my company,
> but it is getting sent to me. So in my inbox the To field is Kristin, but
> in Jeremy's inbox.

The information in the To: header has nothing to do with who actually
receives the message. Delivery is controlled by the "envelope To", which
is the "please send this message to" address communicated during message
transfer between mail programs.

There are more details available if you google "smtp envelope to address"

It's risky to use "my address isn't in the to:" as a spam sign, because
blind carbon copies would always hit and forwarded messages (e.g. from
your gmail account to your ISP account) would likely hit.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@...    FALaholic #11174     pgpk -a jhardin@...
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  3 days until Halloween

Re: Spam with my company domain

by Jari Fredriksson



28.10.2009 22:07, Jeremy Davila wrote:
>
> Hi all,
>
> I'm getting spam which is addressed to another person in my company,
> but it is getting sent to me. So in my inbox the To field is Kristin, but
> in Jeremy's inbox.

Hello. That is possible, the email is sent to whoever is in the RCPT-TO
command of the SMTP transaction.

The sender does this:

<open connection to your MX>
HELO someclient.example.org
MAIL FROM:<sender@...>
RCPT TO:<jeremy@...>
DATA
From: someuser@...
To: kristin@...
Subject: this is a spam message

Hello kristin!
.
QUIT
<disconnect>

The sender *feeds* the To-header into the submission, but actually sends
the mail to a different user.

The "To:" header is just a decoration.

--
http://www.iki.fi/jarif/

Q: How can you tell when a Burroughs salesman is lying?
A: When his lips move.




Re: Spam with my company domain

by Jeremy Davila



Thanks John,

How can I prevent this from happening? I'm currently using Exim for the SMTP relay then passing to Lotus Domino.
Any suggestions will be appreciated.





Re: Spam with my company domain

by Jeremy Davila


I should have clarified that. I meant mail that isn't specifically addressed to me.

Thanks for your response.



Evan Platt <evan@...> wrote on 10/28/2009 05:34 PM:

What do you want to prevent from happening?

Mail that isn't specifically addressed "To" you not to get to you?

Look at the mail on this list:

To: users@...
Subject: Re: Spam with my company domain
From: Jeremy Davila <JDavila@...>

You realize, that would mean you wouldn't get this list mail, and
likely any other mail from any other list, right?


At 02:29 PM 10/28/2009, you wrote:


>Thanks John,
>
>How can I prevent this from happening? I'm currently using Exim for
>the SMTP relay then passing to Lotus Domino.
>Any suggestions will be appreciated.



Re: Spam with my company domain

by John Hardin

On Wed, 28 Oct 2009, Jeremy Davila wrote:

> How can I prevent this from happening?

As far as the "my address isn't in the To: header", you can't. That would
break lots of legitimate email, like BCCs and (as Evan pointed out) mail
from this mailing list.

> I'm currently using Exim for the SMTP relay then passing to Lotus
> Domino. Any suggestions will be appreciated.

Is SpamAssassin anywhere in there? If so, we're back to a simple case of
"why did this spam get through SA?" If not, we probably can't help you.

The fact that you don't know the difference between the To: header and the
envelope suggests you aren't the administrator of your email system. Is
that indeed the case? If you aren't the admin then you should be talking
to your admin about this, and (s)he can contact us if help is needed in
troubleshooting your SA install.

If you _are_ the admin for your mail system, we need to know things like
how SA is hooked into your mail system (I assume it's being called somehow
by Exim - how?), and we need to see samples of spam messages that got
through. Those samples _must_ be complete - _all_ headers must be intact,
including the ones your mail client is not showing you - and they should
be posted to a website (like pastebin.com) rather than being mailed to the
list.

Getting usable samples out of Domino is going to be, unfortunately, your
problem. Somebody here may be able to give advice how to do that.

When that is done we may be able to provide suggestions for changes to
your SA install.


Re: Spam with my company domain

by Adam Katz-10

Evan Platt wrote:
> What do you want to prevent from happening?
>
> Mail that isn't specifically addressed "To" you not to get to you?
>
> Look at the mail on this list:

Hm.  It might be interesting to consider a meta connecting the lack of
a Precedence: of bulk or list with a test noting an absence of
relevant domains.
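
Added example, not part of any post in this thread: a Python sketch that scores the "my address isn't in the To:" test from John Hardin's replies and the Precedence-plus-domain meta from Adam Katz's reply against four constructed messages. The domain example.com, the function names and the sample messages are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAINS = {"example.com"}  # assumption: the receiving company's domain

# Constructed samples: name -> (envelope recipient given in RCPT TO, raw message)
SAMPLES = {
    "spoofed_to": ("jeremy@example.com",
                   "From: someuser@example.net\nTo: kristin@example.com\n"
                   "Subject: this is a spam message\n\nHello kristin!\n"),
    "bcc": ("jeremy@example.com",
            "From: boss@example.com\nTo: partner@example.net\n"
            "Subject: contract\n\nFYI, you are on Bcc.\n"),
    "list": ("jeremy@example.com",
             "From: poster@example.net\nTo: users@lists.example.org\n"
             "Precedence: list\nSubject: Re: thread\n\nList traffic.\n"),
    "direct": ("jeremy@example.com",
               "From: friend@example.net\nTo: Jeremy <jeremy@example.com>\n"
               "Subject: lunch\n\nNoon?\n"),
}

def header_recipients(msg):
    """Lower-cased addresses found in the To: and Cc: headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def naive_flag(envelope_rcpt, msg):
    """Fires when the envelope recipient is not listed in To:/Cc:."""
    return envelope_rcpt.lower() not in header_recipients(msg)

def meta_flag(msg, local_domains=LOCAL_DOMAINS):
    """Fires when Precedence is not bulk/list AND no To:/Cc: address is local."""
    precedence = (msg.get("Precedence") or "").strip().lower()
    is_bulk = precedence in ("bulk", "list")
    domains = {a.rpartition("@")[2] for a in header_recipients(msg)}
    return not is_bulk and not (domains & set(local_domains))

def evaluate(samples=SAMPLES):
    """Return {sample name: (naive result, meta result)}."""
    out = {}
    for name, (rcpt, raw) in samples.items():
        msg = message_from_string(raw)
        out[name] = (naive_flag(rcpt, msg), meta_flag(msg))
    return out

if __name__ == "__main__":
    for name, (naive, meta) in evaluate().items():
        print(f"{name:11s} naive={naive!s:5s} meta={meta}")
```

On these samples the naive test fires on the BCC and list messages as well as the spoofed one. The meta variant spares the list message but still fires on the BCC, and it does not fire on the spoofed message because that To: header carries the local domain.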