On Wed, July 24, 2019 13:21, Bill Cole wrote:
> On 24 Jul 2019, at 12:56, James B. Byrne wrote:
>
>> I am sure that the message associated with the header extract
>> reproduced below is fraudulent. But, I would like to know how this
>> particular header line was constructed at the source:
>>
>> Received: from theguardian.com (regtreis.viverindia.com.br
>> [31.172.134.4])
>>
>> How did they get 'from theguardian.com' into the Received header
>> generated by our mx?
>
> The token immediately following the "from" in a Received header
> generated by Postfix is the name offered in the EHLO or HELO command
> from the SMTP client.
>
I am not asking this question correctly.
theguardian.com is not the domain that is sending this traffic. The
people who are sending it connect from an array of IP addresses but
they always use theguardian.com as the server name. I had believed up
until this moment that we were checking that the remote server name
matched the server domain but perhaps we are just checking that the
server name exists in DNS. Can we configure Postfix to prevent
fraudulent use of a valid DNS host?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
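As an added illustration (not part of this thread or of Postfix), the check described above, applied to the Received line quoted in the message: Postfix writes "from <HELO name> (<reverse DNS name> [<client IP>])", and only the HELO token is chosen by the connecting client, so a defender can compare it against the MTA-derived rDNS name. The sample headers and the registrable-domain heuristic are constructed for this example.

```python
import ipaddress
import re

# Constructed sample input: the header from the thread (unwrapped onto one
# line) and a second, consistent-looking line for contrast.
SAMPLE_HEADERS = [
    "Received: from theguardian.com (regtreis.viverindia.com.br [31.172.134.4])",
    "Received: from mail.example.org (mail.example.org [192.0.2.10])",
]

# Postfix layout: "from <HELO> (<rDNS> [<IP>])". The HELO name is supplied by
# the client; the rDNS name and IP are filled in by the receiving MTA.
# When reverse lookup fails, Postfix writes "unknown" in the rDNS slot.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)"
)


def parse_received(line):
    """Return {"helo", "rdns", "ip"} or None if the line is not in Postfix form."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    ipaddress.ip_address(m.group("ip"))  # raises ValueError on a malformed IP
    return {
        "helo": m.group("helo").lower().rstrip("."),
        "rdns": m.group("rdns").lower().rstrip("."),
        "ip": m.group("ip"),
    }


def registrable_domain(name):
    # Heuristic: last two labels. Real code should use the public suffix list.
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def helo_mismatch(line):
    """True when the client-supplied HELO name does not belong to the rDNS
    domain of the connecting IP (or rDNS is unknown); None if unparseable."""
    rec = parse_received(line)
    if rec is None:
        return None
    if rec["rdns"] == "unknown":
        return True
    return registrable_domain(rec["helo"]) != registrable_domain(rec["rdns"])


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(helo_mismatch(h), parse_received(h))
```

Note that Postfix's own reject_unknown_helo_hostname only verifies that the HELO name has a DNS A or MX record; it does not compare that name with the client's reverse DNS, which is the comparison this script performs.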