[Mimedefang] Rejecting forged senders - comments?

Jan-Pieter Cornet johnpc at xs4all.nl
Wed Sep 20 10:21:24 EDT 2006

On Wed, Sep 20, 2006 at 09:35:45AM -0400, Cormack, Ken wrote:
> As I was thinking more about this thread, something occurred to me.
> I wondered, what about external sources that generate email on behalf of a
> user, where the user keys in their email address as the sender... For
> example, sites that let you send "E-Cards" and such, where you type in your
> address as the sender.  If one of my users did something like that, would
> the rule discussed in this thread reject the mail as "forged"?
> I looked specifically at the American Greetings site, at their e-cards, and
> sent myself a test e-card, to observe the header I would receive.  That site
> puts a "Sender:" line in the header just before the "From:" line, like this:
> 	Sender: <services at americangreetings.com>
> 	From: "ken.cormack at roadway.com" <ken.cormack at roadway.com>
> My email client displays it as:
> 	From: services at americangreetings.com; on behalf of; Cormack, Ken
> Looking at my log entries for this email, I was pleasantly surprised to see
> that sendmail and/or MIMEDefang, are recording the "Sender:" as the $sender,
> and I assume that if "Sender:" is not present, "From:" is used by MD as
> $sender, as that is what I've seen logged and evaluated in the past.
> Could anyone validate this observation?

What MIMEDefang puts in $sender is the _envelope_ sender, which you
did not specify in this email. The envelope sender need not be visible
in the header, but it usually is, either as Return-Path, in the (in
case of mbox format) "From " line, or in the Received: ... from ...

In the above case, I'm _guessing_ that the envelope sender is the same
as what is put in the "Sender:" header, so in that case, your check would
work fine.

> I'm trying to think of ways that legitimate emails might be broken by
> implimenting the rule discussed in this thread (such as one of my users
> having a third-party web-site generate an email on behalf of the user.)

Oh, there will be broken web forms somewhere that send email with
whatever someone will type in a form. It remains to be seen whether
those are "legitimate".

Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!

More information about the MIMEDefang mailing list