----- Original Message -----
From: mouss  
To:  
Sent: 20.01.2009 21:01 
Subject: Re: MAIL FROM confusion

> Meno wrote:
> > 
> > 
> > ----- Original Message -----
> > From: Noel Jones  
> > To: Meno  
> > Sent: 16.01.2009 18:10 
> > Subject: Re: MAIL FROM confusion
> > 
> >> Meno wrote:
> >>> Hi all,
> >>>
> >>> Does somebody know what may cause a confusion like this?
> >>>
> >>> In the maillog you can see that the sender is 
> >>> "from=msmith(at)acutecprecision(dot)com" (see below)
> >>>
> >>> r...@smtp3 # cat /var/log/mail-smtp3-090115.log | grep 55BB716282
> >>> Jan 15 04:43:25 smtp3 postfix/smtpd[17488]: [ID 197553 mail.info] 
> >>> 55BB716282: client=localhost[127.0.0.1]
> >>> Jan 15 04:43:25 smtp3 postfix/cleanup[15371]: [ID 197553 mail.info] 
> >>> 55BB716282: messageid 
> >>> Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info] 55BB716282: 
> >>> from=msmith(at)acutecprecision(dot)com, size=2407, nrcpt=1 (queue active)
> >>> Jan 15 04:43:25 smtp3 postfix/smtp[16197]: [ID 197553 mail.info] 
> >>> 55BB716282: to=jlopatka(at)notes(dot)mydomain(dot)com, orig_to=jlopatka(at)mydomain(dot)com, relay=notes.mydomain.com[10.10.10.174]:25, delay=0.21,
> >>>  delays=0.19/0/0.01/0.01, dsn=2.0.0, status=sent (250 Message accepted 
> >>> for delivery)
> >>> Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info] 
> >>> 55BB716282: removed 
> >>>
> >>>
> >>>
> >>> But when I get this mail to my inbox, the source of this mail looks like 
> >>> this:
> >>> The sender is "from=jlopatka(at)mydomain(dot)com" which is 
> >>> my email address.
> >>> Based on this source code, the email client assumes that it was sent by 
> >>> me,
> >>> which is not true. It was received from "unknown 
> >>> [211.203.243.81]"
> >>>
> >>>
> >>>
> >>>
> >>> Received: from smtp3.example.com ([211.51.20.89])
> >>>          by smtp1.example.com (Lotus Domino Release 7.0.3FP1)
> >>>          with ESMTP id 2009011504432553-28468 ;
> >>>          Thu, 15 Jan 2009 04:43:25 +0100
> >>> Received: from smtp2.example.com (localhost [127.0.0.1])
> >>>                 by smtp3.example.com (Postfix) with ESMTP id 55BB716282
> >>>                 for ; Thu, 15 Jan 2009 04:43:25 +0100 (MET)
> >>> X-Received-SPF: no SPF record found
> >>> Received: from 3com.com (unknown [211.203.243.81]) by smtp2.example.com
> >>>                 (Postfix) with SMTP id 536831631 for ; Thu, 15 Jan
> >>>                 2009 04:43:22 +0100 (CET)
> >>> To: jlopatka(at)mydomain(dot)com
> >>> Subject: RE: message 62625
> >>> From: jlopatka(at)mydomain(dot)com
> >>> MIME-Version: 1.0
> >>> Importance: High
> >>> Message-Id: 
> >>> Date: Thu, 15 Jan 2009 04:43:22 +0100 (CET)
> >>>
> >>>
> >>> Does somebody know how to stop getting such mail?
> >>> Even SPF cannot help me!
> >>>
> >>> Thanks, 
> >>> Chris
> >>>
> >> The From: and To: in your logs and headers apparently got 
> >> eaten somewhere, so I can't see what you're referring to.
> >>
> >> If you are getting mail claiming to be from your own domain, 
> >> this has been discussed on the list several times recently. 
> >> Check the archives.
> >>
> >> This particular client is listed in multiple RBLs, you could 
> >> reject it and lots of other spam with "reject_rbl_client 
> >> zen.spamhaus.org".  Check the www.spamhaus.org web site for 
> >> usage restrictions.
> >>
> >> The client also has no rDNS hostname, you could reject such 
> >> clients with "reject_unknown_reverse_client_hostname".  This 
> >> restriction might reject legit mail, so watch your logs.
> >>
> >> The client used the HELO hostname "3com.com", which is bogus.
> >> You could reject this HELO hostname with a check_helo_access 
> >> map, but this would be less generally useful than the above 
> >> two checks.  See the archive for examples.
> >>
> >> Your system should already reject unknown recipients for your 
> >> own domain.  You can reject mail using nonexistent local 
> >> sender addresses by setting in main.cf:
> >> smtpd_reject_unlisted_sender = yes
> >>
> >> -- 
> >> Noel Jones
> >>
> > 
> > Thank you Noel for quick answer,
> > 
> > I do not know why these from: and to: addresses
> > have disappeared...maybe my provider is blocking 
> > email addresses in outgoing mails. hm!?
> 
> That is unlikely. Most probably, your mail system removes what looks
> like HTML tags.

yes, you are right 

> 
> > I will try to use another convention - user(at)domain(dot)com
> > I hope it will go through :)
> > 
> 
> remove the '' around email addresses and see if they get out.

 u...@domain.com :)  

> 
> >> If you are getting mail claiming to be from your own domain, 
> >> this has been discussed on the list several times recently. 
> >> Check the archives.
> > 
> > You are right, but I think this is a special case, because
> > in my maillog, postfix assumes, that the sender is 
> > smith(at)acutecprecision(dot)com - it goes through the SPF
> > check - but when I get it to my mailbox the from: address
> > is my e-mail address : jlopatka(at)mydomain(dot)com
> > and only in SMTPOriginator header information can find
> > the smith(at)acutecprecision(dot)com
> > 
> > I am curious how the attacker can confuse the address?
> > 
> 
> you confuse "envelope addresses" and "header addresses".
> 
> The address you see in postfix logs is the "envelope sender". if there
> is an error, a bounce is sent to this address.
> 
> The address you see in your mailer is the "From: header". this is where a
> human would send a reply (unless the sender has specified a "Reply-To"
> address... etc).
> 
> If you look at _this_ message you receive from the list, you'll see that
> the From: header contains my address, but I didn't send it to you: the
> envelope sender is that of the postfix mailing list.
> 
> google for "envelope sender" and "envelope recipient" for more info.


Thank you all for the info, I will google to make this topic clear to myself :)
 
Chris


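The distinction mouss draws above, envelope sender (what Postfix logs as from=<...>) versus the From: header (what the mail client shows), and the client-side signals Noel lists (no rDNS, bogus HELO), worked through in code. This is an added example, not code from the thread or from Postfix. The two samples are constructed: the first rebuilds the redacted maillog and headers posted above (angle brackets the list archive stripped are restored as Postfix actually writes them; the elided message-id and for-clause are simply left out), the second is ordinary mailing-list traffic of the kind mouss describes, with placeholder names (lists.example.org, poster@example.net, queue id 7A1C2D3E4F). It assumes mydomain.com is the local domain.

```python
"""Envelope sender vs. From: header on the thread's own (redacted) sample."""
import email
import re
from email import policy
from email.utils import parseaddr

LOCAL_DOMAIN = "mydomain.com"  # assumed: the thread's placeholder for the local domain

# Constructed sample 1: the forged message from the thread (queue id 55BB716282).
MAILLOG_FORGED = """\
Jan 15 04:43:25 smtp3 postfix/smtpd[17488]: 55BB716282: client=localhost[127.0.0.1]
Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: 55BB716282: from=<msmith@acutecprecision.com>, size=2407, nrcpt=1 (queue active)
Jan 15 04:43:25 smtp3 postfix/smtp[16197]: 55BB716282: to=<jlopatka@notes.mydomain.com>, orig_to=<jlopatka@mydomain.com>, relay=notes.mydomain.com[10.10.10.174]:25, delay=0.21, delays=0.19/0/0.01/0.01, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: 55BB716282: removed
"""
HEADERS_FORGED = """\
Received: from smtp2.example.com (localhost [127.0.0.1])
        by smtp3.example.com (Postfix) with ESMTP id 55BB716282;
        Thu, 15 Jan 2009 04:43:25 +0100 (MET)
X-Received-SPF: no SPF record found
Received: from 3com.com (unknown [211.203.243.81])
        by smtp2.example.com (Postfix) with SMTP id 536831631;
        Thu, 15 Jan 2009 04:43:22 +0100 (CET)
To: jlopatka@mydomain.com
Subject: RE: message 62625
From: jlopatka@mydomain.com
Date: Thu, 15 Jan 2009 04:43:22 +0100 (CET)

"""
# Constructed sample 2: list mail as mouss describes it. From: is the poster,
# the envelope sender is the list's bounce address. All names are placeholders.
MAILLOG_LIST = """\
Jan 20 21:01:10 smtp3 postfix/smtpd[17490]: 7A1C2D3E4F: client=lists.example.org[192.0.2.10]
Jan 20 21:01:10 smtp3 postfix/qmgr[1372]: 7A1C2D3E4F: from=<owner-list@lists.example.org>, size=3120, nrcpt=1 (queue active)
Jan 20 21:01:10 smtp3 postfix/smtp[16200]: 7A1C2D3E4F: to=<jlopatka@mydomain.com>, relay=notes.mydomain.com[10.10.10.174]:25, delay=0.2, delays=0.18/0/0.01/0.01, dsn=2.0.0, status=sent (250 Message accepted for delivery)
"""
HEADERS_LIST = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
        by smtp3.example.com (Postfix) with ESMTP id 7A1C2D3E4F
        for <jlopatka@mydomain.com>; Tue, 20 Jan 2009 21:01:10 +0100 (CET)
From: poster@example.net
To: list@lists.example.org
Subject: Re: MAIL FROM confusion

"""

RE_FROM = re.compile(r"\bfrom=<([^>]*)>")
RE_ORIG_TO = re.compile(r"\borig_to=<([^>]*)>")
RE_TO = re.compile(r"\bto=<([^>]*)>")
RE_CLIENT = re.compile(r"\bclient=([^\[\s]+)\[([^\]]+)\]")
RE_RECEIVED = re.compile(r"^from (\S+) \((\S+) \[([0-9a-fA-F.:]+)\]\)")  # "HELO (rDNS [ip])"


def envelope_from_log(log, queue_id):
    """The SMTP envelope (MAIL FROM / RCPT TO) as Postfix logged it for one queue id."""
    env = {"from": None, "to": None, "client_name": None, "client_ip": None}
    for line in log.splitlines():
        if f" {queue_id}: " not in line:
            continue
        if m := RE_FROM.search(line):
            env["from"] = m.group(1).lower()
        if m := RE_ORIG_TO.search(line):  # recipient before address rewriting
            env["to"] = m.group(1).lower()
        elif (m := RE_TO.search(line)) and env["to"] is None:
            env["to"] = m.group(1).lower()
        if m := RE_CLIENT.search(line):
            env["client_name"], env["client_ip"] = m.group(1), m.group(2)
    return env


def header_view(raw):
    """What the mail client shows (RFC 5322 From:/To:) plus the first hop,
    taken from the bottom-most Received: header (headers are prepended)."""
    msg = email.message_from_string(raw, policy=policy.default)
    origin = {"helo": None, "rdns": None, "ip": None}
    received = msg.get_all("Received") or []
    if received:
        m = RE_RECEIVED.match(" ".join(str(received[-1]).split()))
        if m:
            origin = dict(zip(("helo", "rdns", "ip"), m.groups()))
    return {
        "from": parseaddr(str(msg["From"] or ""))[1].lower(),
        "to": parseaddr(str(msg["To"] or ""))[1].lower(),
        "origin": origin,
    }


def findings(env, hdr, local_domain=LOCAL_DOMAIN):
    """The checks the thread does by eye, made explicit as (code, detail) pairs."""
    out = []
    env_dom = (env["from"] or "").rpartition("@")[2]
    hdr_dom = hdr["from"].rpartition("@")[2]
    helo, rdns, ip = (hdr["origin"][k] for k in ("helo", "rdns", "ip"))
    if env["from"] != hdr["from"]:
        # Normal for lists, forwarders and bounces: a reason to look, not to reject.
        out.append(("envelope-header-mismatch", f"MAIL FROM {env['from']} vs From: {hdr['from']}"))
    if hdr_dom == local_domain and env_dom != local_domain:
        out.append(("local-from-foreign-envelope", f"From: in {local_domain}, envelope in {env_dom}"))
    if hdr["from"] == hdr["to"]:
        out.append(("self-addressed", hdr["from"]))
    if env["client_ip"] in ("127.0.0.1", "::1"):
        out.append(("log-client-is-relay", "client= is loopback; the origin is only in the Received: chain"))
    if rdns == "unknown":  # what reject_unknown_reverse_client_hostname would catch
        out.append(("no-rdns", ip))
        out.append(("helo-unverifiable", helo))  # a check_helo_access candidate
    elif helo and rdns and helo.lower() != rdns.lower():
        out.append(("helo-rdns-mismatch", f"HELO {helo}, rDNS {rdns}"))
    return out


if __name__ == "__main__":
    for name, log, hdrs, qid in (("forged", MAILLOG_FORGED, HEADERS_FORGED, "55BB716282"),
                                 ("list", MAILLOG_LIST, HEADERS_LIST, "7A1C2D3E4F")):
        env, hdr = envelope_from_log(log, qid), header_view(hdrs)
        print(f"{name}: envelope={env['from']} header={hdr['from']}")
        for code, detail in findings(env, hdr):
            print("   ", code, "-", detail)
```

Run stand-alone it prints both views for each sample. The point it makes is the one mouss makes: an envelope/header mismatch on its own is routine (the list sample produces nothing else), so the signals worth acting on are the ones Noel named, which only the forged sample trips: the From: in the local domain with a foreign envelope, the self-addressed message, the missing rDNS and the unverifiable HELO. Note also that the smtp3 log's client= is the loopback relay from smtp2, so the external origin has to be read from the Received: chain, not from that log line.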