[Mimedefang] Rejecting forged senders - comments?

Cormack, Ken ken.cormack at roadway.com
Wed Sep 20 09:35:45 EDT 2006

As I was thinking more about this thread, something occurred to me.

I wondered, what about external sources that generate email on behalf of a
user, where the user keys in their email address as the sender... For
example, sites that let you send "E-Cards" and such, where you type in your
address as the sender.  If one of my users did something like that, would
the rule discussed in this thread reject the mail as "forged"?

I looked specifically at the American Greetings site, at their e-cards, and
sent myself a test e-card, to observe the header I would receive.  That site
puts a "Sender:" line in the header just before the "From:" line, like this:

	Sender: <services at americangreetings.com>
	From: "ken.cormack at roadway.com" <ken.cormack at roadway.com>

My email client displays it as:

	From: services at americangreetings.com; on behalf of; Cormack, Ken

Looking at my log entries for this email, I was pleasantly surprised to see
that sendmail and/or MIMEDefang, are recording the "Sender:" as the $sender,
and I assume that if "Sender:" is not present, "From:" is used by MD as
$sender, as that is what I've seen logged and evaluated in the past.

Could anyone validate this observation?

I'm trying to think of ways that legitimate emails might be broken by
implimenting the rule discussed in this thread (such as one of my users
having a third-party web-site generate an email on behalf of the user.)


More information about the MIMEDefang mailing list