--- On Tue, 8/23/11, Todd Aiken <[email protected]> wrote:

> In the past 24 hours, I've received a ton of spam at our site. The spam
> seems to be coming from the same source, in that I see the spammer using
> our domain name as a from address, but they are also using multiple From
> addresses in the same message! I believe that this is non-standard, but
> it's giving our Exchange server a ton of trouble. Our Linux gateways are
> correctly classifying the mail as spam, but the transport rules on our
> Exchange server that filter based on the X-Spam-Level header are not
> triggering because of the multiple From addresses, and the spam ends up in
> everyone's Inbox. Is there any easy way I can add something into my
> MIMEDefang's configuration to detect and reject messages that come in with
> more than one From address?

Not so fast. The "From:" header may have more than one address. However, "Sender:" may not. It doesn't happen often, but it is permitted - RFC 5322, Section 3.6.2:

   3.6.2. Originator Fields

   The originator fields of a message consist of the from field, the
   sender field (when applicable), and optionally the reply-to field.
   The from field consists of the field name "From" and a
   comma-separated list of one OR MORE mailbox specifications. If the
   from field contains more than one mailbox specification in the
   mailbox-list, then the sender field, containing the field name
   "Sender" and a single mailbox specification, MUST appear in the
   message. In either case, an optional reply-to field MAY also be
   included, which contains the field name "Reply-To" and a
   comma-separated list of one or more addresses.

   from            =   "From:" mailbox-list CRLF

   sender          =   "Sender:" mailbox CRLF

   reply-to        =   "Reply-To:" address-list CRLF
   ...

[Capitalization added above to "OR MORE" for emphasis.]

Therefore, if you have multiple from addresses but no sender field, then the message may be rejected for violating the ABNF required syntax. The same would apply to the "Resent-*" set of headers as well.
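
The check described in this reply, as an added example that is not part of the original thread and is not a MIMEDefang filter: it is written in Python with the standard email package rather than in MIMEDefang's Perl. The function names and sample messages are constructed for illustration, and it goes one step beyond the quoted text by also flagging repeated From or Sender fields.

```python
from email import message_from_string
from email.utils import getaddresses


def mailboxes(msg, field):
    """Return the addresses found in every occurrence of a header field."""
    # Unfold continuation lines so the address parser sees one logical line.
    values = [" ".join(v.split()) for v in msg.get_all(field, [])]
    return [addr for _name, addr in getaddresses(values) if addr]


def originator_problems(raw_message):
    """List violations of the RFC 5322 originator-field rules."""
    msg = message_from_string(raw_message)
    from_fields = msg.get_all("From", [])
    sender_fields = msg.get_all("Sender", [])
    problems = []
    # RFC 5322 section 3.6 (not quoted in the thread): exactly one From
    # field and at most one Sender field per message.
    if len(from_fields) != 1:
        problems.append("expected one From field, found %d" % len(from_fields))
    if len(sender_fields) > 1:
        problems.append("found %d Sender fields" % len(sender_fields))
    # Section 3.6.2: several From mailboxes are legal only with a Sender.
    from_boxes = mailboxes(msg, "From")
    if len(from_boxes) > 1 and not sender_fields:
        problems.append("%d From mailboxes but no Sender field" % len(from_boxes))
    # Sender itself is a single mailbox, never a list.
    if sender_fields and len(mailboxes(msg, "Sender")) != 1:
        problems.append("Sender must hold exactly one mailbox")
    return problems


# Constructed sample messages (not taken from the thread).
LEGIT_MULTI = ("From: Alice <alice@example.com>, Bob <bob@example.com>\n"
               "Sender: alice@example.com\nSubject: minutes\n\nbody\n")
QUOTED_COMMA = 'From: "Doe, John" <john@example.com>\nSubject: hi\n\nbody\n'
NO_SENDER = ("From: sales@example.org, billing@example.org, info@example.org\n"
             "Subject: offer\n\nbody\n")
DUP_FROM = "From: a@example.com\nFrom: b@example.com\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    for name in ("LEGIT_MULTI", "QUOTED_COMMA", "NO_SENDER", "DUP_FROM"):
        print(name, originator_problems(globals()[name]) or "ok")
```

A gateway would reject or tag only when the returned list is non-empty, so a legitimate multi-author message that carries a Sender field still passes.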

