Hi Scott:
1. >> For the Badtrans.B that just came out, the ones we have seen all have
a "_" before the From: address <<
Yes - I have seen those two - but I've also seen the following style header
at least TWICE. As you can see - the FROM header appears to have a valid
email address, but the envelope FROM was identical to the "To" user.
Received: from aol.com [172.183.212.19] by mail.webhost.hm-software.com
    (SMTPD32-7.04) id A490B5A02D0; Mon, 26 Nov 2001 08:33:04 -0500
From: "Linda" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <[EMAIL PROTECTED]>

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
    boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
    name="SETUP.DOC.scr"

... virus follows
2. >> The %ALLRECIPS% option should show the recipients from the SMTP
envelope (the actual addresses that were used to send the mail to). If
using the new "SWITCHRECIPS" option, this behavior could vary. <<
>> >b) ALLRECIPS should only show the ORIGINAL recipient <<
>>It should be working like that. <<
Yes, I HAD to use this option to avoid incorrect notifications in the
JUNKMAIL feature.
I definitely have seen a sender notification forwarded to me which showed
BOTH the original and the intended email address. I did check the headers
and the SMTP conversation - and I did not see TWO "TO" addresses being
submitted.
So I don't believe it's working like that, at least if SWITCHRECEIPTS is
turned on for the JUNKMAIL option.
3. >> Declude doesn't ever look at the "From:" header in the E-mail. <<
Well - at least Declude Junkmail does, otherwise it couldn't have all those
BADHEADER and SPAMHEADER and SPAMROUTING tests.
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue
Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.hm-software.com/
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Tuesday, November 27, 2001 01:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] 1.28 - Sender Notification
>The BADTRANS virus uses different "FROM:" data in the message envelope (from
>the SMTP conversation) vs. what's in the SMTP "From:" headers. I've had
>several people who seemingly got mail from themselves (e.g., the FROM in the
>envelope was my customer, so was the TO.) However, in EACH case, the SMTP
>"From:" header contained a different person's email address.
For the Badtrans.B that just came out, the ones we have seen all have a "_"
before the From: address (IE "From: <_username..." rather than "From:
<username..."). So the envelope MAIL FROM (the one Declude uses) will be
correct, the one from the E-mail headers will not.
>Furthermore, it was confusing, because the %ALLRECIPS% seems to show BOTH
>the original recipient AND the ultimate recipient - something that my
>clients do NOT wish to publish.
The %ALLRECIPS% option should show the recipients from the SMTP envelope
(the actual addresses that were used to send the mail to). If using the
new "SWITCHRECIPS" option, this behavior could vary.
>Thus - I have the following suggestions:
>
>a) if SENDER and RECIPIENT are one and the same - don't send TWO
>notifications. Suppress the SENDER notification.
That's something we will look into.
>b) ALLRECIPS should only show the ORIGINAL recipient
It should be working like that.
>c) There should be a way to show the ENVELOPE "from" and the HEADER "from" -
>and there should be a way to notify EITHER - IF they are different!
Declude doesn't ever look at the "From:" header in the E-mail. The
envelope MAIL FROM is that address that "bounce" messages should be going
to. The "From:" in the E-mail headers is less likely to be correct. But,
this is something we will also look into.
-Scott
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". You can E-mail
[EMAIL PROTECTED] for assistance. You can visit our web
site at http://www.declude.com .
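The traits discussed in this thread (envelope MAIL FROM equal to the recipient, a header From: that disagrees with the envelope, the "_" prefix, the SETUP.DOC.scr attachment typed as audio/x-wav, the zero-size cid: iframe) can be checked together at the gateway. The following is an added example, not code from the thread or from Declude; the function name, indicator labels and sample addresses are assumptions, and the envelope values are passed in separately because they come from the SMTP conversation rather than from the message.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread (placeholder addresses).
SAMPLE = b"""From: "Linda" <linda@example.net>
To: user@example.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:X1 height=3D0 width=3D0></iframe></BODY></HTML>
--B1
Content-Type: audio/x-wav; name="SETUP.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: <X1>

AAAA
--B1--
"""

RISKY_EXT = (".scr", ".pif", ".exe", ".com", ".bat")
CID_IFRAME = re.compile(rb"<iframe[^>]+src=[\"']?cid:", re.I)

def badtrans_indicators(raw, mail_from, rcpt_to):
    """Return indicator labels for one message plus its SMTP envelope."""
    msg = email.message_from_bytes(raw)
    env_from = mail_from.lower()
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    found = []
    if env_from == rcpt_to.lower():
        found.append("envelope-sender-equals-recipient")
    if hdr_from and hdr_from != env_from:
        found.append("header-from-differs-from-envelope")
    if hdr_from.startswith("_"):
        found.append("underscore-prefixed-from")
    for part in msg.walk():
        # get_filename() falls back to the Content-Type "name" parameter.
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(RISKY_EXT):
            if name.count(".") >= 2:
                found.append("double-extension-executable")
            if not ctype.startswith("application/"):
                found.append("executable-with-media-content-type")
        if ctype == "text/html" and CID_IFRAME.search(part.get_payload(decode=True) or b""):
            found.append("iframe-referencing-cid")
    return found
```

No single indicator is conclusive on its own (mailing lists and forwarders routinely make the header From: differ from the envelope), so treat the returned list as input to scoring rather than a verdict.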