[Mimedefang] More than one From address

David F. Skoll dfs at roaringpenguin.com
Tue Aug 23 16:01:01 EDT 2011


On Tue, 23 Aug 2011 14:50:22 -0400
Todd Aiken <todd.aiken at ubishops.ca> wrote:

> In the past 24 hours, I've received a ton of spam at our site.  The
> spam seems to be coming from the same source, in that I see the
> spammer using our domain name as a from address, but they are also
> using multiple From addresses in the same message!  I believe that
> this is non-standard, but it's giving our Exchange server a ton of
> trouble.

It's non-standard, but legal.  See section 3.6.2 of
http://www.ietf.org/rfc/rfc5322.txt

The From: header is allowed to have multiple mailboxes, but the Sender: header
(if present) can have only one.

> Our Linux gateways are correctly classifying the mail as
> spam, but the transport rules on our Exchange server that filter
> based on the X-Spam-Level header are not triggering because of the
> multiple From addresses, and the spam ends up in everyone's Inbox.
> Is there any easy way I can add something into my MIMEDefang's
> configuration to detect and reject messages that come in with more
> than one From address?

Call Microsoft support and ask them to fix Exchange! :)

You'll have to parse the From: header, I guess.  Use the Mail::Address
Perl module to parse it out and if you get back more than one address,
take action... but be aware that you may block legitimate mail.

Regards,

David.



More information about the MIMEDefang mailing list