[Mimedefang] Checking origin of sender
alan premselaar
alien at 12inch.com
Fri Sep 2 19:30:35 EDT 2005
Ian Mitchell wrote:
...snip...
> HELO junkmail.com
> MAIL FROM: <junk at junkmail.com>
> RCPT TO: <unwillingvictim at target.com>
> DATA
> From: "unwillingvictim at target.com" <junk at junkmail.com>
> To: "unwillingvictim at target.com" <unwillingvictim at target.com>
> ...
>
Why would this make it past your SPAM filter? Unless you're doing
something like whitelisting your domain (which is a bad idea in general)
it should still be scanned.
Especially since in your example you have:
MAIL FROM: <junk at junkmail.com>
From: "unwillingvictim at target.com" <junk at junkmail.com>
which means that as far as the MTA is concerned, the mail came from
<junk at junkmail.com> ..
> Now what's the advantage of the above? It appears to come from the
> receiver thus allowing it to be filtered on appropriately. Now as long as
> the email doesn't break too many of the literally thousands of other
> rules, it will make it through and appear to be legitimate (at least on the
> side of the server).
>
Actually, it will only "appear to be legitimate" on the side of the
client, assuming the client displays the "unwillingvictim at target.com"
part of the FROM: value as the sender (which a lot of clients do).
This is more of a social engineering issue, except that it's not really,
since the system is working exactly as it's been designed to.
> No email from my domain either in the plain text name portion or the
> actual sender email address should originate outside my domain's SPF
> record. Any suggestions for hunting and destroying these emails?
>
In this case, if you want to avoid your end users being confused by this
type of email, I would suggest that you check the comment portions (in
quotes) and the email portion (in <>) of the From: to see if the comment
contains your domain name, and if so if it matches the domain from the <>.
If it doesn't match, mark up the Subject or add a tag to the From:
comment to make it obvious that it didn't originate from your network.
HTH
alan
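The check alan describes above, worked through as an added Python example (this is not code from the post and not part of MIMEDefang; in a real deployment the same logic would sit in the Perl filter_end hook of mimedefang-filter, acting on the parsed From: header). It parses the From: value into its comment (display-name) portion and its <> address, looks for one of our domains in the comment, and compares that with the domain of the address; on a mismatch it tags the comment and the Subject so the user sees the real origin even when the client only shows the display name. LOCAL_DOMAINS, FROM_TAG and SUBJECT_TAG are assumed configuration values, and the sample headers are constructed (the list archive rewrites "@" as " at ", so the real headers use "@").

```python
import re
from email.utils import parseaddr, formataddr

# Domains this MTA accepts mail for. Constructed sample value; a real filter
# would take this from its own configuration.
LOCAL_DOMAINS = ("target.com",)

# Tags added on a mismatch. Constructed values chosen for this example.
FROM_TAG = "[EXTERNAL]"
SUBJECT_TAG = "[FROM-MISMATCH]"


def claimed_local_domains(display_name, local_domains=LOCAL_DOMAINS):
    """Return the local domains named in the comment (display-name) part of
    a From: header, whether inside an address ("unwillingvictim@target.com")
    or as a bare word ("target.com helpdesk").  The boundaries stop
    "nottarget.com" from counting as a claim of target.com, while still
    matching a subdomain such as "mail.target.com"."""
    found = set()
    for domain in local_domains:
        pattern = r"(?<![A-Za-z0-9-])" + re.escape(domain) + r"(?![A-Za-z0-9.-])"
        if re.search(pattern, display_name, re.IGNORECASE):
            found.add(domain.lower())
    return found


def address_is_local(addr, local_domains=LOCAL_DOMAINS):
    """True if the <> address belongs to one of our domains or a subdomain."""
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].lower()
    return any(domain == d.lower() or domain.endswith("." + d.lower())
               for d in local_domains)


def check_from_header(from_value, local_domains=LOCAL_DOMAINS):
    """Apply the check from the post: does the comment portion name one of
    our domains while the <> address lives somewhere else?

    Returns (verdict, from_value).  verdict is "no-claim" (comment does not
    mention us), "match" (comment and address agree) or "mismatch"; on a
    mismatch the returned From: value carries FROM_TAG in its comment so the
    user sees it even if the client hides the address."""
    display, addr = parseaddr(from_value)
    claimed = claimed_local_domains(display, local_domains)
    if not claimed:
        return "no-claim", from_value
    if address_is_local(addr, local_domains):
        return "match", from_value
    # formataddr re-quotes the comment because it contains "@" and "[".
    tagged = formataddr((f"{FROM_TAG} {display}", addr))
    return "mismatch", tagged


def tag_subject(subject, verdict):
    """Mark up the Subject: on a mismatch; idempotent if the mail is re-scanned."""
    if verdict != "mismatch" or subject.startswith(SUBJECT_TAG):
        return subject
    return f"{SUBJECT_TAG} {subject}"


if __name__ == "__main__":
    # Constructed sample From: values, modelled on the exchange in the post.
    samples = [
        '"unwillingvictim@target.com" <junk@junkmail.com>',        # the spoof
        '"unwillingvictim@target.com" <unwillingvictim@target.com>',  # genuine
        '"target.com helpdesk" <helpdesk@junkmail.com>',           # bare domain
        'Alice <alice@example.org>',                               # unrelated
    ]
    for sample in samples:
        verdict, new_from = check_from_header(sample)
        print(f"{verdict:9} From: {new_from}")
        print(f"          Subject: {tag_subject('Your account', verdict)}")
```

The verdict is kept separate from the rewritten header so the filter can decide per site whether to tag the From: comment, the Subject, both, or (where the client is known to show full addresses) neither; only the comment-versus-address disagreement is judged here, and SPF or the envelope sender are left to the MTA's other checks.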