[Mimedefang] Double From: lines in email
Hi all,

Currently I have a mimedefang-filter in place to prevent forged From: headers from entering our email system. See snippet:

    if (is_local_sender()) {
        adduselessdisclaimer();
    } else {
        # Non-local sender: discard if $Sender matches one of the (redacted) patterns
        if ($Sender =~ /[EMAIL PROTECTED]/ or $Sender =~ /[EMAIL PROTECTED]/) {
            return action_discard();
        }
    }

This doesn't stop emails with double From: headers from forging internal email addresses. Does anyone know of a method to stop this from happening? Currently I'm preventing this with a custom spamassassin rule, but I would like to log this with MD.

Thanks,
Johan

Disclaimer (http://www.tweedekamer.nl/applicaties/disclaimer_e_mail/index.jsp)
If you are unable to access the link, please dial +31 70 3182211. Additional information is available on the website www.tweedekamer.nl and www.houseofrepresentatives.nl

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Double From: lines in email
On Tue, 2006-02-21 at 11:08 +0100, Sleeuwenhoek J. wrote:
> This doesn't stop emails with double From: headers from forging internal
> email addresses. Does anyone know of a method to stop this from happening?
> Currently I'm preventing this with a custom spamassassin rule, but I would
> like to log this with MD.

Open the HEADERS file and run over all the lines. It's one header per line, guaranteed (so you don't need to handle the wrapping yourself). If you find a From: header, do your filtering.

This makes me think... Are double From: headers a good indicator of spam?

Richard
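The approach Richard describes, written out as an added example (it is not code posted by anyone in this thread): count the From: lines in ./HEADERS, log the result with md_syslog, and discard duplicates the way the original snippet discards forged senders. The helper name count_header and the sample headers are assumptions made for illustration; a message with no From: header at all is only logged here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Count occurrences of one header field in a MIMEDefang-style HEADERS file
# (one unfolded header per line). Field names are matched case-insensitively.
# count_header is a hypothetical helper name, not part of MIMEDefang.
sub count_header {
    my ($path, $field) = @_;
    open(my $fh, '<', $path) or return undef;
    my $count = grep { /^\Q$field\E\s*:/i } <$fh>;
    close($fh);
    return $count;
}

# As it would sit in mimedefang-filter: the filter runs inside the message's
# working directory, so ./HEADERS belongs to the message being scanned.
sub filter_begin {
    my $n = count_header('./HEADERS', 'From');
    return unless defined $n;        # HEADERS unreadable: change nothing
    if ($n > 1) {
        md_syslog('warning', "Discarding message with $n From: headers");
        return action_discard();     # same action as the original snippet
    }
    md_syslog('warning', 'Message has no From: header') if $n == 0;
}

# Stand-alone demonstration on constructed sample headers (not real mail).
unless (caller) {
    my $dir = tempdir(CLEANUP => 1);
    my %samples = (
        single => "Received: from mx.example.org\nFrom: alice\@example.org\nSubject: hi\n",
        double => "From: boss\@internal.example\nfrom: spammer\@example.net\nSubject: x\n",
        none   => "To: bob\@example.org\nSubject: no sender\n",
    );
    for my $name (sort keys %samples) {
        my $file = "$dir/HEADERS.$name";
        open(my $out, '>', $file) or die "cannot write $file: $!";
        print {$out} $samples{$name};
        close($out);
        printf "%-6s From: count = %d\n", $name, count_header($file, 'From');
    }
}
```

Run on its own, the script prints a count of 2, 0 and 1 for the double, none and single samples; inside MIMEDefang only count_header and filter_begin are needed.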
Re: [Mimedefang] Double From: lines in email
On Tue, Feb 21, 2006 at 09:35:46AM -0600, Richard Laager wrote:
> This makes me think... Are double From: headers a good indicator of spam?

I'd guess it is. Duplicate From: headers are illegal, according to RFC 2822 (section 3.6.1). However, you can have multiple addresses in one From: header.

A quick check finds 3 examples of this in my recent spam, and zero in ham, but that's a real quick and limited check over like 1500 messages.

I wouldn't mind blocking email on silliness like this. If there ever is a legitimate site doing it, you can at least slap them with the RFC and explain they were doing something REALLY bizarre.

--
Jan-Pieter Cornet
RE: [Mimedefang] Double From: lines in email
-----Original Message-----
From: Jan Pieter Cornet

> On Tue, Feb 21, 2006 at 09:35:46AM -0600, Richard Laager wrote:
> > This makes me think... Are double From: headers a good indicator of spam?
>
> I'd guess it is.

I agree. The only question is: does it occur often enough to warrant a check for it?

> Duplicate From: headers are illegal, according to RFC 2822 (section 3.6.1).
> However, you can have multiple addresses in one From: header.

You can only have multiple addresses in From: if there is an accompanying Sender: header to indicate which one actually sent it. I've never seen a legitimate use for it though.

> A quick check finds 3 examples of this in my recent spam, and zero in ham,
> but that's a real quick and limited check over like 1500 messages.

A quick check of the quarantine folders here finds 1 double From, and 2 with no From line at all. All three of them look like they were generated by overloading a vulnerable web script.