[Mimedefang] Rejecting forged senders - comments?
David F. Skoll
dfs at roaringpenguin.com
Wed Sep 20 09:47:52 EDT 2006
Cormack, Ken wrote:
> I wondered, what about external sources that generate email on behalf of a
> user, where the user keys in their email address as the sender... For
> example, sites that let you send "E-Cards" and such, where you type in your
> address as the sender.
Properly-written sites will use services at americangreetings.com, as you
saw. Badly-written ones will use your address and trigger the problem.
> Looking at my log entries for this email, I was pleasantly surprised to see
> that sendmail and/or MIMEDefang, are recording the "Sender:" as the $sender,
> and I assume that if "Sender:" is not present, "From:" is used by MD as
> $sender, as that is what I've seen logged and evaluated in the past.
No. MIMEDefang uses whatever was given in the MAIL FROM: SMTP command,
which may or may not correspond to anything in any of the headers.
(Though Sendmail typically adds the MAIL FROM: address in a
Return-Path: header when the message is delivered.)
> I'm trying to think of ways that legitimate emails might be broken by
> implimenting the rule discussed in this thread (such as one of my users
> having a third-party web-site generate an email on behalf of the user.)
Some mailing lists use the original poster's address as the MAIL FROM:
address. Those will break.
More information about the MIMEDefang