Joshua Kordani wrote:
> Hello all! I have recently come across a few spams that I am trying to
> block. The anatomy of the message probably isn't new to most of you,
> but when I try to recreate the spoofed sections that I wish to filter by
> hand over telnet, it's clear that I am not understanding how the messages
> are being built. Example to follow below:
>
> note the from line is spoofed to be wo...@mydomain.com,
> i...@spamdomain.com, senten...@spamdomain.com. Which appears to my users
> as coming from a user in my domain. I'd like to filter against this, but
> when I go into telnet and try to make a mail with a from field so
> deformed, my mail server spits back "I can break things too" and quits
> my connection.

Then I guess you tried to put the content of the From: header in a "MAIL FROM" command. If so, you need to understand that these are completely different things.
MAIL FROM is an SMTP command (RFC xy21).
The From: header is part of the message (RFC xy22).

> How can I manually recreate this spoof so that I can
> learn how to filter it out?
>

There's no spoof as far as I can see. There's a suspicious "From:" header.

> Thanks for your pointers!
>
> Joshua Kordani
> jkord...@intlogsys.com
>
> X-Account-Key: account2
> X-Mozilla-Keys:
> Return-Path: <remodel...@frailich.com>
> Received: from murder ([unix socket])
>     by mydomain.com (Cyrus v2.3.7-Invoca-RPM-2.3.7-2.el5) with LMTPA;
>     Thu, 25 Feb 2010 11:20:39 -0500
> X-Sieve: CMU Sieve 2.3
> Received: from localhost (mylocalhostname [127.0.0.1])
>     by mydomain.com (Postfix) with SMTP id 6C663D8863
>     for <emplo...@mydomain.com>; Thu, 25 Feb 2010 11:20:39 -0500 (EST)
> Received: from work.frailich.com (work.frailich.com [64.120.12.102])
>     by mydomain.com (Postfix) with SMTP id 01F22D8854
>     for <mgrinn...@intlogsys.com>; Thu, 25 Feb 2010 11:20:38 -0500 (EST)
> To: <emplo...@mydomain.com>
> From: bathr...@mydomain.com, remodel...@frailich.com
> Reply-To: <bathroomremodel...@frailich.com>
> Subject: Bathroom Remodeling Ideas
> Date: Thu, 25 Feb 2010 11:20:37 -0500
> MIME-Version: 1.0
> Content-type: text/html
> Message-Id: <20100225162039.01f22d8...@mydomain.com>
> X-Antispam: NO; Spamcatcher 4.1.11. Score 57
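
Added example, not part of the thread and not either poster's code: a content-side check for the header pattern discussed above, comparing the From: header (message content) with Return-Path (the envelope MAIL FROM as recorded at delivery). The domain `example.org`, the function names and both sample messages are constructed assumptions; the Sender test follows RFC 5322, which requires a Sender field whenever From lists more than one mailbox.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

LOCAL_DOMAINS = {"example.org"}  # assumption: the domains you host mail for


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_from_header(raw_message, local_domains=LOCAL_DOMAINS):
    """Return a list of findings for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    # The From: header may legally carry a comma-separated mailbox list.
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    # Return-Path records the envelope sender given in the SMTP MAIL FROM.
    envelope_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    from_domains = {domain_of(a) for a in from_addrs}

    findings = []
    if len(from_addrs) > 1:
        findings.append("multiple-from-mailboxes")
        if not msg.get("Sender"):
            # RFC 5322: Sender MUST be present with a multi-mailbox From.
            findings.append("missing-sender")
    if (from_domains & set(local_domains)
            and envelope_domain
            and envelope_domain not in local_domains):
        # A local address is displayed, but the envelope is from outside.
        findings.append("local-from-foreign-envelope")
    return findings


# Constructed sample messages (not taken from the thread).
SUSPICIOUS = (
    "Return-Path: <bounce@spam.example>\n"
    "To: <staff@example.org>\n"
    "From: offers@example.org, bounce@spam.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
ORDINARY = (
    "Return-Path: <alice@example.org>\n"
    "To: <staff@example.org>\n"
    "From: Alice <alice@example.org>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(check_from_header(SUSPICIOUS))
    print(check_from_header(ORDINARY))
```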