You underrate yourself o obe wan..... thanks
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of East, Bill Sent: Thursday, February 23, 2006 9:02 AM To: Exchange Discussions Subject: RE: Help with Smtp Header Spoofing I'm so totally not a Sendmail expert. The configuration option FEATURE(always_add_domain) # Append local hostname to locally delivered e-mail in sendmail.mc might keep this from happening. It's really only needed in a few cases. But I'd check with your local guru first, or hit rent-a-guru. -- be - MOS Take care of the luxuries and the necessities will take care of themselves. -- Lazarus Long > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John > Strongosky > Sent: Thursday, February 23, 2006 11:20 AM > To: Exchange Discussions > Subject: RE: Help with Smtp Header Spoofing > > Thanks for the replys, > > Bill is it because the from info is enclosed in "" and <> that it > then just see's the [EMAIL PROTECTED] > > Who/How would I go about reporting this bug, feature or does sendmail > folks know this is a problem? > > john > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > East, Bill > Sent: Thursday, February 23, 2006 6:38 AM > To: Exchange Discussions > Subject: RE: Help with Smtp Header Spoofing > > Replying to both of youse... > > /I/ think that the spammer got the envelope From: section right (in > other words, the SMTP conversation was > From: <[EMAIL PROTECTED]> > > My reason for saying this is the "envelope-sender" message in the > headers. > > However he somehow, in a way I can't quite reproduce, messed up the > body portion in a way that caused the MTA to think it should append > the local hostname. I can talk to my sendmail box and have it change > "Billy" to "[EMAIL PROTECTED]" even if it accepted a From: > <[EMAIL PROTECTED]> in the SMTP conversation. So the spammer > intended the From to look like "Steven <[EMAIL PROTECTED]>" but > wound up with the first MTA's hostname appended to it. > > Make sense? > > -- > be - MOS > > JAPAN is a WONDERFUL planet -- I wonder if we'll ever reach their > level of COMPARATIVE SHOPPING ... > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On > Behalf Of Ed > > Crowley [MVP] > > Sent: Thursday, February 23, 2006 2:53 AM > > To: Exchange Discussions > > Subject: RE: Help with Smtp Header Spoofing > > > > Why do you think it wasn't put there by the sender? > > > > Ed Crowley MCSE+Internet MVP > > Freelance E-Mail Philosopher > > Protecting the world from PSTs and Bricked Backups!T > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of > > John Strongosky > > Sent: Wednesday, February 22, 2006 3:00 PM > > To: Exchange Discussions > > Subject: RE: Help with Smtp Header Spoofing > > > > Bill, thanks for the reply. I've trained my boss's to look > at the spam > > % and find why a piece of email was quarantined or not. > What they want > > to know is, Why did the our domain get added to the from line, even > > though it has the Verizon domain in the from line. With our domain > > there it makes it look like it came from us. Is there any > fix for this > > misformatted from line that you know of? > > > > john > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of > > East, Bill > > Sent: Wednesday, February 22, 2006 11:35 AM > > To: Exchange Discussions > > Subject: RE: Help with Smtp Header Spoofing > > > > So what is it that your bosses want to know? Why it wasn't > flagged as > > spam? > > It almost was, it looks like SpamAssassin flagged it for a couple > > things and assigned it a likelihood of 13%. But the spammers, I've > > heard, run their messages through SA before sending them > and strip out > > as much as possible that would trigger it. > > > > The From address is just goofy, it looks like one of your > mail systems > > saw that it wasn't really valid and tried to fix it by adding your > > domain after it. > > > > But it mostly just looks like collateral damage from the spam wars. > > -- > > be - MOS > > > > If you can't write it right, you can't think it right. > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On > > Behalf Of John > > > Strongosky > > > Sent: Wednesday, February 22, 2006 11:12 AM > > > To: Exchange Discussions > > > Subject: Help with Smtp Header Spoofing > > > > > > Hey Everyone, > > > > > > Several of my boss's have received a similar emails as > > the one below > > > and now they want to know how it got thru our smtp > > gateways. Our smtp > > > gateways are running BSD unix and sendmail. I believe it > > has something > > > got do with the way the "From" address was formatted but I > > don't know > > > what this type of spoofing is called so I don't know where > > to start to > > > find out how to stop it... > > > > > > Any help would be greatly appreciated... > > > > > > v/r > > > john > > > > > > Received: from smtp2.sdccd.cc.ca.us ([XX.X.XXX.XX]) by > > > XXXXXX.sdccd.cc.ca.us with SMTP (Microsoft Exchange Internet Mail > > > Service Version 5.5.2655.55) > > > id C7ZCQ6FA; Sun, 12 Feb 2006 23:08:10 -0800 > > > Received: from verizon.net (bzq-88-154-142-128.red.bezeqint.net > > > [88.154.142.128]) > > > by smtp2.sdccd.cc.ca.us (8.13.4/8.13.4) with SMTP id > > > k1D77wwx028734 > > > for <[EMAIL PROTECTED]>; Sun, 12 Feb 2006 > > > 23:08:05 -0800 (PST) > > > (envelope-from [EMAIL PROTECTED]) > > > Message-Id: <[EMAIL PROTECTED]> > > > From: "Steven"" <[EMAIL PROTECTED]>"@smtp2.sdccd.cc.ca.us > > > To: <[EMAIL PROTECTED]> > > > Subject: Mexican Pharmacy > > > Date: Mon, 13 Feb 2006 09:08:01 -0500 > > > Mime-Version: 1.0 > > > Content-Type: text/plain; charset=us-ascii > > > X-SDCCD-SPAM: Report=DATE_IN_FUTURE_06_12 1.3, __CT 0, > > __CT_TEXT_PLAIN > > > 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0 > > > X-SDCCD-SPAM: Gauge=XIII > > > X-SDCCD-SPAM: Probability=13% > > > > > > > > > _________________________________________________________________ > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > > > To subscribe: > > http://e-newsletters.internet.com/discussionlists.html/ > > > To unsubscribe send a blank email to > > > [EMAIL PROTECTED] > > > Exchange List admin: [EMAIL PROTECTED] > > > To unsubscribe via postal mail, please contact us at: > > > Jupitermedia Corp. > > > Attn: Discussion List Management > > > 475 Park Avenue South > > > New York, NY 10016 > > > > > > Please include the email address which you have been > contacted with. > > > > > > > > > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > > To subscribe: > http://e-newsletters.internet.com/discussionlists.html/ > > To unsubscribe send a blank email to > > [EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > To unsubscribe via postal mail, please contact us at: > > Jupitermedia Corp. > > Attn: Discussion List Management > > 475 Park Avenue South > > New York, NY 10016 > > > > Please include the email address which you have been contacted with. > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > > To subscribe: > http://e-newsletters.internet.com/discussionlists.html/ > > To unsubscribe send a blank email to > > [EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > To unsubscribe via postal mail, please contact us at: > > Jupitermedia Corp. > > Attn: Discussion List Management > > 475 Park Avenue South > > New York, NY 10016 > > > > Please include the email address which you have been contacted with. > > > > > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > > To subscribe: > http://e-newsletters.internet.com/discussionlists.html/ > > To unsubscribe send a blank email to > > [EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > To unsubscribe via postal mail, please contact us at: > > Jupitermedia Corp. > > Attn: Discussion List Management > > 475 Park Avenue South > > New York, NY 10016 > > > > Please include the email address which you have been contacted with. > > > > > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > To subscribe: http://e-newsletters.internet.com/discussionlists.html/ > To unsubscribe send a blank email to > [EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > To unsubscribe via postal mail, please contact us at: > Jupitermedia Corp. > Attn: Discussion List Management > 475 Park Avenue South > New York, NY 10016 > > Please include the email address which you have been contacted with. > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > To subscribe: http://e-newsletters.internet.com/discussionlists.html/ > To unsubscribe send a blank email to > [EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > To unsubscribe via postal mail, please contact us at: > Jupitermedia Corp. > Attn: Discussion List Management > 475 Park Avenue South > New York, NY 10016 > > Please include the email address which you have been contacted with. > > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with.
