On 1/11/2016 1:57 PM, Justin Edmands wrote:

We have seen a few messages that were allowed to be sent "on behalf of"
a user within our network. The external user's domain was able to send
through our relay and sort of spoof the user. Any way to use SpamAssassin
to prevent this sort of thing?


Note that "on behalf of" is an artifact of Outlook displaying message headers in Exchange format (even in non-Exchange environments). It's not really there in Internet mail, so SpamAssassin will never see it.

Outlook constructs its (Exchange style) Sender header out of the Internet
From and Sender headers. If the Sender header exists and the address in it
is different from the From header, then Outlook displays "Sender Address on behalf of From Address".

The good thing about this is that Outlook displays the content of the Sender header at all. I don't know of another client that does. The bad thing is that it displays the two in this peculiar manner that can give the impression that the one address gave permission for the other to send "on behalf of" which need not be the case at all. (The peculiar display is adapted from Exchange messaging in which permission does have to be granted.)

Typically what is happening is that the spammer uses an address @ an external domain for the SMTP "mail from" and Sender header, but puts an address @ your domain in the From header. Most mail clients show only the content of the From header, so this spoofs effectively.

If you want to catch this, you'd want to score for the case where the From header has your domain but the Sender header does not. BUT be careful. A rule like that would hit on mail sent through mailing lists and some other legitimate "send as" cases.


Joseph Brennan
Columbia University I T
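
The check described in the reply above, written as SpamAssassin rules. This is an added example, not part of the original message or of the SpamAssassin distribution: the domain `example.com`, the `LOCAL_` rule names, the score, and the use of a `List-Id` header to exempt list traffic are all assumptions to adapt.

```conf
# local.cf fragment (added example; example.com is a placeholder for your domain)

# Sub-rules: names starting with "__" are not scored on their own.
# ":addr" makes the match run against the first address in the header only.
header   __LOCAL_FROM_OURS     From:addr   =~ /\@example\.com$/i
header   __LOCAL_SENDER_OURS   Sender:addr =~ /\@example\.com$/i

# A missing Sender header must not count as "external", so test for presence.
header   __LOCAL_HAS_SENDER    exists:Sender

# Assumption: mail relayed by a mailing list carries a List-Id header.
# This reduces, but does not eliminate, hits on legitimate list mail.
header   __LOCAL_HAS_LIST_ID   exists:List-Id

# From is in our domain, a Sender header exists, and it is not in our domain.
meta     LOCAL_FROM_OURS_SENDER_EXT  (__LOCAL_FROM_OURS && __LOCAL_HAS_SENDER && !__LOCAL_SENDER_OURS && !__LOCAL_HAS_LIST_ID)
describe LOCAL_FROM_OURS_SENDER_EXT  From is our domain but Sender header is external
# Kept low because legitimate "send as" services also match (assumed value).
score    LOCAL_FROM_OURS_SENDER_EXT  1.0
```

Run `spamassassin --lint` after adding the rules, and review which messages hit before raising the score.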



