[Mimedefang] Question on Notify Sender.

David F. Skoll dfs at roaringpenguin.com
Tue Nov 20 13:52:43 EST 2001


On Tue, 20 Nov 2001, Albert E. Whale wrote:

> The sender was '<cnussill at access.hky.com>'.

This is what is sent with the SMTP "MAIL FROM:" command.

> Here are the message headers:
> FROM: carla mussill <cmussill at access.hky.com>

> It appears that the Virus has changed the information about the Sender,
> and the Message header's From address is correct.  Can we update the
> Sender address if the Message Header address than what is currently
> detected?

You can do it (all message headers are in the file ./HEADERS; just
read that file and pull out the From: line.)  However, there is not
much point.  It is very easy to forge either the SMTP MAIL FROM:
address or the address on the From: header line or both.

The notify_sender action is of questionable value.  It makes a best effort
to notify the sender, but you really can't rely on it.

Another way to tell a site that a virus has been detected would be
to do a reverse lookup on the SMTP relay and then a WHOIS to find the
organization.  But this is also hit-and-miss and could send notifications
to inappropriate people.

My favourite is simply to call action_bounce if a virus is detected.
If the sender has forged the From: address, it's not our problem.

Regards,

David.
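
Reading the From: line out of a HEADERS file and comparing it with the envelope sender, as discussed in the message above. This is an added example, not code from the post or from MIMEDefang. It is a stand-alone Perl script run against a constructed HEADERS file with placeholder addresses, and it assumes folded continuation lines may be present in the file.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Return the bare address from the first From: header in $path, or undef.
sub header_from_address {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    my ($value, $in_from);
    while (my $line = <$fh>) {
        $line =~ s/\r?\n\z//;
        if ($in_from && $line =~ /^[ \t]+(.*)/) {    # folded continuation line
            $value .= " $1";
            next;
        }
        last if defined $value;                       # first From: is complete
        if ($line =~ /^From:\s*(.*)/i) { $value = $1; $in_from = 1; }
    }
    close($fh);
    return undef unless defined $value;
    # Prefer the <addr> form; otherwise take the first address-like token.
    return lc $1 if $value =~ /<([^<>\s]+)>/;
    return lc $1 if $value =~ /([^\s<>()",;]+\@[^\s<>()",;]+)/;
    return undef;
}

# Normalise an envelope sender such as '<user@example.com>'.
sub envelope_address {
    my ($sender) = @_;
    $sender =~ s/^\s*<?//;
    $sender =~ s/>?\s*$//;
    return lc $sender;
}

# Constructed sample data: placeholder addresses, not taken from the thread.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/HEADERS") or die "cannot write sample: $!";
print $out "Received: from relay.example.net by mx.example.org\n",
           "From: \"Sample User\"\n <suser\@example.com>\n",
           "Subject: constructed test message\n";
close($out);

# Both values are supplied by the sending side, so a mismatch is only a
# hint worth logging; neither address can be treated as authoritative.
my $envelope = envelope_address('<sxser@example.com>');
my $header   = header_from_address("$dir/HEADERS");
my $verdict  = !defined $header     ? "no usable From: header"
             : $header ne $envelope ? "mismatch: envelope=$envelope header=$header"
             :                        "match: $envelope";
print "$verdict\n";
```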
