It is a DKIM issue. Google "strict DKIM alignment". This is something usually defined in DMARC, but you could have a local definition that forces strict DKIM alignment for sensitive domains, like "all domains containing *paypal* or *bank*".
Dominic Raferd <domi...@timedicer.co.uk> wrote: (9 February 2017 12:11:11 CET)
>On 9 Feb 2017 12:53, <li...@lazygranch.com> wrote:
>
>That is the mailchimp server. (Technically rocketsciencegroup.com) So has
>the email originator figured out some sort of unintended use of mailchimp?
>
>
>
>*From: *Sebastian Nielsen
>*Sent: *Thursday, February 9, 2017 2:24 AM
>*To: *postfix-users@postfix.org
>*Subject: *Re: The "from" header looks like paypal but it is coming from
>somewhere else. [signed]
>
>The problem here is that DKIM isn't aligned to paypal.com
>Enforce strict DKIM alignment on sensitive domains like paypal
>
>I don't think this is a DKIM issue. A bespoke regex as check_header should
>be able to trap this specific faking attempt - if it relates as I think to
>the internal From header not the envelope sender (client).
>
>More generally, are there legitimate cases where a sender shows a different
>but apparently valid email address as the (whole) to text of the From
>compared with the actual address which follows it? If not, can a pcre regex
>match such situations or is something more sophisticated needed?
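The two checks discussed in this thread, combined in one sketch: strict DKIM alignment for sensitive From domains, and a display name that shows an address in a different domain than the real one. This is an added example, not code from any poster or from Postfix; the function names are hypothetical, and it assumes an upstream DKIM verifier has already produced the list of d= domains whose signatures passed.

```python
import re
from email.utils import parseaddr

# Keywords taken from the thread; which domains count as sensitive is local policy.
SENSITIVE = ("paypal", "bank")
# Finds addr-spec-like text and captures its domain part.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def from_parts(from_header):
    """Return (display_name, domain) of a From header value, lower-cased."""
    name, addr = parseaddr(from_header)
    return name.lower(), addr.rpartition("@")[2].lower()

def display_name_mismatch(from_header):
    """True if the display name embeds an address in a different domain."""
    name, domain = from_parts(from_header)
    return any(d != domain for d in ADDR_IN_TEXT.findall(name))

def strictly_aligned(from_header, passed_dkim_domains):
    """Strict alignment: a verified d= equals the From domain exactly."""
    _, domain = from_parts(from_header)
    return domain in {d.lower().rstrip(".") for d in passed_dkim_domains}

def verdict(from_header, passed_dkim_domains):
    """Apply both checks; passed_dkim_domains comes from the verifier (assumed)."""
    _, domain = from_parts(from_header)
    if display_name_mismatch(from_header):
        return "reject: display name shows another domain's address"
    sensitive = any(k in domain for k in SENSITIVE)
    if sensitive and not strictly_aligned(from_header, passed_dkim_domains):
        return "reject: sensitive From without strictly aligned DKIM"
    return "accept"

if __name__ == "__main__":
    # Constructed sample headers and d= values, not taken from the thread.
    samples = [
        ('"service@paypal.com" <bounce@bulk.example.net>', ["bulk.example.net"]),
        ('"PayPal" <service@paypal.com>', ["mail.paypal.com"]),
        ('"PayPal" <service@paypal.com>', ["paypal.com"]),
    ]
    for header, dkim in samples:
        print(header, dkim, "->", verdict(header, dkim))
```

Neither check covers a display name that only carries a brand name, with no embedded address, over an unrelated From domain that is itself DKIM-aligned; that case needs separate handling.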