The SMTP protocol RFCs are pretty clear: anything in angle-brackets '<' & '>'
takes priority in defining an address field. So technically that's a legit local
address and sendmail is doing default MSA processing on it (i.e. treating it as a
bare username that needs the local hostname added).
Is this sendmail instance just an incoming MTA or is it also used as an outgoing
MSA for your users?
If it's just an incoming MTA (i.e. your users have another instance they're using
for outgoing MSA service) then just turn off the MSA feature for that specific
sendmail instance to stop that processing: "FEATURE(`no_default_msa')"
On Wed, 17 Jul 2024, Kirk Ismay wrote:
I have a spammer using a malformed From header, as follows:
From: <UPS>sha...@marketcrank.com
The envelope from is: direcc...@delher.com.mx, and I've set up blocks for
that address.
Sendmail is munging the From: header to change <UPS> to <u...@my.host.name>,
so it ends up looking like a local address to my users.
How do I detect similar mangled From headers in Spamassassin?
Also does anyone know how to prevent Sendmail from rewriting the From header
like this? The documentation for confFROM_HEADER is somewhat cryptic:
https://www.sendmail.org/~ca/email/doc8.12/cf/m4/tweaking_config.html#confFROM_HEADER
I'd rather it say <UPS@suspected-spammer> instead, or reject it entirely.
Thanks,
Kirk
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
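
An added example, not part of either message above: a stand-alone Python check (not a SpamAssassin rule) for the From: shape discussed in this thread, where the angle-bracket token is a bare name with no '@' and a different address sits outside the brackets. The function name, the patterns, and the sample headers are assumptions constructed for illustration.

```python
import re

# Quoted display names are blanked first so brackets inside quotes are ignored.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# First angle-bracketed token: what mail software treats as the address.
ANGLE = re.compile(r"<([^<>]*)>")
# Loose addr-spec matcher, enough to spot an address outside the brackets.
ADDR = re.compile(r"[^\s<>@]+@[^\s<>@]+")


def check_from(value):
    """Return a list of findings for one raw From: header value."""
    value = QUOTED.sub('""', value)
    m = ANGLE.search(value)
    if not m:
        return []
    inside = m.group(1).strip()
    if not inside:
        return ["empty-angle-addr"]
    if "@" in inside:
        return []
    # Bare token: an MSA doing default processing would qualify it
    # with the local host name, making it look like a local sender.
    findings = ["bare-local-part"]
    outside = value[:m.start()] + " " + value[m.end():]
    if ADDR.search(outside):
        # The address meant to be seen sits outside the brackets.
        findings.append("address-outside-brackets")
    return findings


# Constructed sample headers (example.* domains, not taken from the thread).
SAMPLES = [
    "<UPS>billing@example.net",
    "Alice Example <alice@example.org>",
    '"<UPS>" <a@example.com>',
    "root <root>",
]


def flagged(headers):
    """Map each suspicious header value to its findings."""
    return {h: f for h in headers if (f := check_from(h))}


if __name__ == "__main__":
    for header, findings in flagged(SAMPLES).items():
        print(f"{header!r}: {', '.join(findings)}")
```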