How so? The spammer is 'From: [EMAIL PROTECTED]' and 'To: [EMAIL PROTECTED]' is a user inside our domain. Yes, we have [EMAIL PROTECTED] whitelisted, but not [EMAIL PROTECTED]
I'm boggled here... how is the Return-Path getting our local user ('[EMAIL PROTECTED]')? Shouldn't this be the spammer's address in the From header?
Return-Path is added by your MTA and is set to whatever the envelope "mail from" is, which does not have to be the same as the From: header that is actually in the message. In fact, it's quite common for these to differ, for example in the case of mail-list postings and bounce messages.
In this case, the spammer forged one of your addresses as the envelope from, and used a yahoo address as the From header in the message itself.
If whitelisting works this way, and somehow the spammer is setting the Return-Path to the recipient's address, then how can we trust it for whitelisting?
It is a fundamental law of email that you cannot trust the headers, with the exception of those added by your own MTA. The From: line could have been forged just as easily as the envelope from was forged in this case.
You also can't trust the To: header in the message to actually be the message recipient. Mail-list messages are a great example, where you get a copy, but the "To:" is [EMAIL PROTECTED]
This is why whitelist_from_rcvd exists. Plain whitelist_from is forgeable by any idiot.
It's also why it's an absolutely horrid idea to whitelist_from your own domain.
Please explain, I'm very confused now.
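The difference discussed in the thread above, as an added example that is not part of the original messages and is not SpamAssassin's own code: a simplified model of an address-only whitelist next to one that also requires the relay name recorded by the receiving MTA to sit in an expected domain. The sample message, all addresses and hosts, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed sample: envelope sender forged as a local user, From: header set
# to an outside address. Return-Path and the top Received line are the parts
# our own MTA (mx.example.com, hypothetical) added.
RAW = """\
Return-Path: <alice@example.com>
Received: from mail.bulk.example.net (mail.bulk.example.net [203.0.113.7])
\tby mx.example.com with ESMTP; Wed, 23 Jul 2003 10:00:00 -0400
From: "Offers" <seller@freemail.example>
To: alice@example.com
Subject: constructed test message

body
"""

def sender_addresses(msg):
    """Every claimed sender address an address-only whitelist could match."""
    return {parseaddr(msg[h])[1].lower() for h in ("Return-Path", "From") if msg[h]}

def relay_rdns(msg):
    """Reverse-DNS name our MTA recorded for the connecting host (top Received)."""
    top = msg.get_all("Received", [""])[0]
    m = re.search(r"from \S+ \((\S+) \[[0-9a-fA-F.:]+\]\)", top)
    return m.group(1).lower() if m else None

def matches_from(msg, pattern):
    """Address-only match: any claimed sender address is enough."""
    return any(fnmatchcase(a, pattern.lower()) for a in sender_addresses(msg))

def matches_from_rcvd(msg, pattern, relay_domain):
    """Address match plus: the relay that handed us the mail is in relay_domain."""
    rdns, d = relay_rdns(msg), relay_domain.lower()
    in_domain = rdns is not None and (rdns == d or rdns.endswith("." + d))
    return in_domain and matches_from(msg, pattern)

def demo():
    msg = message_from_string(RAW)
    return (sender_addresses(msg), relay_rdns(msg),
            matches_from(msg, "alice@example.com"),
            matches_from_rcvd(msg, "alice@example.com", "example.com"))

if __name__ == "__main__":
    print(demo())
```

The address-only check accepts the message because the forged envelope sender alone satisfies it; the relay-bound check rejects it because the connecting host recorded by the local MTA is outside the expected domain.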