[Mimedefang] Rejecting forged senders - comments?
Jan-Pieter Cornet
johnpc at xs4all.nl
Wed Sep 20 10:21:24 EDT 2006
On Wed, Sep 20, 2006 at 09:35:45AM -0400, Cormack, Ken wrote:
> As I was thinking more about this thread, something occurred to me.
>
> I wondered, what about external sources that generate email on behalf of a
> user, where the user keys in their email address as the sender... For
> example, sites that let you send "E-Cards" and such, where you type in your
> address as the sender. If one of my users did something like that, would
> the rule discussed in this thread reject the mail as "forged"?
>
> I looked specifically at the American Greetings site, at their e-cards, and
> sent myself a test e-card, to observe the header I would receive. That site
> puts a "Sender:" line in the header just before the "From:" line, like this:
>
> Sender: <services at americangreetings.com>
> From: "ken.cormack at roadway.com" <ken.cormack at roadway.com>
>
> My email client displays it as:
>
> From: services at americangreetings.com; on behalf of; Cormack, Ken
>
> Looking at my log entries for this email, I was pleasantly surprised to see
> that sendmail and/or MIMEDefang, are recording the "Sender:" as the $sender,
> and I assume that if "Sender:" is not present, "From:" is used by MD as
> $sender, as that is what I've seen logged and evaluated in the past.
>
> Could anyone validate this observation?
What MIMEDefang puts in $sender is the _envelope_ sender, which you
did not specify in this email. The envelope sender need not be visible
in the header, but it usually is, either as Return-Path, in the (in
case of mbox format) "From " line, or in the Received: ... from ...
header.
In the above case, I'm _guessing_ that the envelope sender is the same
as what is put in the "Sender:" header, so in that case, your check would
work fine.
> I'm trying to think of ways that legitimate emails might be broken by
> implimenting the rule discussed in this thread (such as one of my users
> having a third-party web-site generate an email on behalf of the user.)
Oh, there will be broken web forms somewhere that send email with
whatever someone will type in a form. It remains to be seen whether
those are "legitimate".
--
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs. !!
More information about the MIMEDefang
mailing list