[Mimedefang] More than one From address

Rolf E. Sonneveld R.E.Sonneveld at sonnection.nl
Thu Aug 25 11:08:53 EDT 2011 

On 8/25/11 3:42 PM, Todd Aiken wrote:
> -----Original Message-----
>
> From: "David F. Skoll"<dfs at roaringpenguin.com>
> Reply-To:"mimedefang at lists.roaringpenguin.com"
> <mimedefang at lists.roaringpenguin.com>
> Date: Tue, 23 Aug 2011 16:01:01 -0400
> To:"mimedefang at lists.roaringpenguin.com"
> <mimedefang at lists.roaringpenguin.com>
> Subject: Re: [Mimedefang] More than one From address
>
>>> Our Linux gateways are correctly classifying the mail as
>>> spam, but the transport rules on our Exchange server that filter
>>> based on the X-Spam-Level header are not triggering because of the
>>> multiple From addresses, and the spam ends up in everyone's Inbox.
>>> Is there any easy way I can add something into my MIMEDefang's
>>> configuration to detect and reject messages that come in with more
>>> than one From address?
>> Call Microsoft support and ask them to fix Exchange! :)
>>
>> You'll have to parse the From: header, I guess.  Use the Mail::Address
>> Perl module to parse it out and if you get back more than one address,
>> take action... but be aware that you may block legitimate mail.
> Thanks for your assistance.  I was able to modify my Mimedefang
> configuration with the following code in filter_end, right after I discard
> messages with a spam rating>  15:
>
> if ($hits>  5) {
>      my $From = $entity->head->get("From");
>      if ($From =~ /\@ubishops\.ca/i) {
>          md_graphdefang_log('spam', $hits, $RelayAddr);
>          md_syslog('info', "$MsgID, filter_end changed HEADERS because spam
> level = $hits AND sender says they are from ubishops.ca");
>          action_change_header("X-Old-From", "$From");
>          action_change_header("From", "$Sender");
>      }
> }
> This fixes two problems in Exchange.  1) It prevents the transport rules
> from crapping out due to multiple From addresses, and 2) It prevents our
> Outlook safe senders rules from leaving the spam in a user's mailbox
> because Outlook thinks the message is from us.  And it also doesn't block
> any mail because the mail is already classified as spam and is supposed to
> end up in the user's Junk Mail folder anyways.

Two questions:

   1. if you increase the score for mail from Internet, which has your
      own domain in the From address, what about mail to this MIMEdefang
      list that is distributed to all subscribers, including yourself? I
      assume your own posting to this list is marked as spam now? :-)
   2. there is no guarantee that the $Sender (envelope From or
      5321.From) address of a spam message is not also
      something at ubishops.ca. If the 5321.From address also contains the
      domain ubishops.ca, then you still have problem #2 (Outlook safe
      senders rule).


/rolf

More information about the MIMEDefang mailing list