[Mimedefang] Rejecting forged senders - comments?

David F. Skoll dfs at roaringpenguin.com
Wed Sep 20 09:47:52 EDT 2006

Cormack, Ken wrote:

> I wondered, what about external sources that generate email on behalf of a
> user, where the user keys in their email address as the sender... For
> example, sites that let you send "E-Cards" and such, where you type in your
> address as the sender.

Properly-written sites will use services at americangreetings.com, as you
saw.  Badly-written ones will use your address and trigger the problem.

> Looking at my log entries for this email, I was pleasantly surprised to see
> that sendmail and/or MIMEDefang, are recording the "Sender:" as the $sender,
> and I assume that if "Sender:" is not present, "From:" is used by MD as
> $sender, as that is what I've seen logged and evaluated in the past.

No.  MIMEDefang uses whatever was given in the MAIL FROM: SMTP command,
which may or may not correspond to anything in any of the headers.
(Though Sendmail typically adds the MAIL FROM: address in a
Return-Path: header when the message is delivered.)

> I'm trying to think of ways that legitimate emails might be broken by
> implimenting the rule discussed in this thread (such as one of my users
> having a third-party web-site generate an email on behalf of the user.)

Some mailing lists use the original poster's address as the MAIL FROM:
address.  Those will break.



More information about the MIMEDefang mailing list