[Mimedefang] Double From: lines in email

2006-02-21 Thread Sleeuwenhoek J.
Hi all,

Currently I have a mimedefang-filter in place to prevent forged From: headers 
from entering our email system. See snippet:

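if (is_local_sender()) {
  adduselessdisclaimer();
} else {
  # Discard mail from outside whose envelope sender matches an internal
  # address (the patterns were redacted by the list archive)
  if ($Sender =~ /[EMAIL PROTECTED]/ or $Sender =~ /[EMAIL PROTECTED]/) {
    return action_discard();
  }
}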

This doesn't stop emails with double From: headers from forging internal 
email addresses. Does anyone know of a method to stop this from happening? 
Currently I'm preventing this with a custom SpamAssassin rule, but I'd like to 
log this with MD.

Thanks, Johan



___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Double From: lines in email

2006-02-21 Thread Richard Laager
On Tue, 2006-02-21 at 11:08 +0100, Sleeuwenhoek J. wrote:
> This doesn't stop emails with double From: headers from forging internal 
> email addresses. Does anyone know of a method to stop this from happening? 
> Currently I'm preventing this with a custom SpamAssassin rule, but I'd like to 
> log this with MD.

Open the HEADERS file and run over all the lines. It's one header per
line, guaranteed (so you don't need to handle the wrapping yourself). If
you find a From: header, do your filtering.

This makes me think... Are double From: headers a good indicator of
spam?

Richard
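
An added example, not part of the original thread: one way to implement the HEADERS scan suggested above, combined with the duplicate From: check the original question asks for. The function names from_headers and from_verdict and the domain example.org are assumptions (the real address patterns are redacted in this archive).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Return the value of every From: header in a MIMEDefang HEADERS file
# (one unwrapped header per line, so no continuation handling is needed).
sub from_headers {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my @from;
    while (my $line = <$fh>) {
        chomp $line;
        push @from, $1 if $line =~ /^From\s*:\s*(.*)$/i;
    }
    close($fh);
    return @from;
}

# Verdict for a message from a non-local sender. $internal_re is an
# assumption: a regex matching your own domains.
sub from_verdict {
    my ($path, $internal_re) = @_;
    my @from = from_headers($path);
    return 'missing'   if @from == 0;
    return 'duplicate' if @from > 1;    # not allowed by RFC 2822, section 3.6.1
    return 'forged'    if $from[0] =~ $internal_re;
    return 'ok';
}

# Constructed sample HEADERS file: two From: headers, the second one
# claiming an internal address.
my ($tmp, $name) = tempfile(UNLINK => 1);
print {$tmp} "Received: from mail.example.net by mx.example.org\n",
             "From: \"Someone\" <someone\@example.net>\n",
             "From: <director\@example.org>\n",
             "Subject: constructed test message\n";
close($tmp);

print from_verdict($name, qr/\@example\.org\b/i), "\n";

# In mimedefang-filter, for non-local senders, inside filter_begin:
#   my $v = from_verdict('./HEADERS', qr/\@example\.org\b/i);
#   if ($v eq 'duplicate' or $v eq 'forged') {
#       md_syslog('warning', "From: check failed ($v), sender $Sender");
#       return action_discard();
#   }
```

The 'missing' verdict is reported separately so that messages with no From: header at all can be logged or handled under a different policy.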




Re: [Mimedefang] Double From: lines in email

2006-02-21 Thread Jan Pieter Cornet
On Tue, Feb 21, 2006 at 09:35:46AM -0600, Richard Laager wrote:
> This makes me think... Are double From: headers a good indicator of
> spam?

I'd guess it is. Duplicate From: headers are illegal, according to
RFC 2822 (section 3.6.1). However, you can have multiple addresses in
one From: header.

A quick check finds 3 examples of this in my recent spam, and zero
in ham, but that's a real quick and limited check over like 1500
messages.

I wouldn't mind blocking email on silliness like this. If there ever is
a legitimate site doing it, you can at least slap them with the RFC and
explain they were doing something REALLY bizarre.



RE: [Mimedefang] Double From: lines in email

2006-02-21 Thread Damrose, Mark
> -----Original Message-----
> From: Jan Pieter Cornet
>
> On Tue, Feb 21, 2006 at 09:35:46AM -0600, Richard Laager wrote:
> > This makes me think... Are double From: headers a good indicator of 
> > spam?
>
> I'd guess it is. 

I agree.  The only question is - does it occur often enough to warrant
a check for it?

> Duplicate From: headers are illegal, 
> according to RFC 2822 (section 3.6.1). However, you can have 
> multiple addresses in one From: header.

You can only have multiple addresses in From:, if there is an
accompanying Sender: header to indicate which one actually
sent it.  I've never seen a legitimate use for it though.

> A quick check finds 3 examples of this in my recent spam, and 
> zero in ham, but that's a real quick and limited check over 
> like 1500 messages.

A quick check of the quarantine folders here finds 1 double from, 
and 2 with no from line at all.  All three of them look like they 
were generated by overloading a vulnerable web script.