Re: [xmail] Multiple from inside mail headers
-Original Message-
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org] On Behalf Of fred
Sent: Wednesday, 14 October 2009 19:25
To: 'XMail Users Mailing List'
Subject: Re: [xmail] Multiple from inside mail headers

Yes, my current SPF script is at that level, I will simply add code into it to do this check. It will take more time to process but I like that better than having villains sending viruses to the user accounts of my server.

-Original Message-
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org] On Behalf Of Davide Libenzi
Sent: 14 October 2009 13:20
To: XMail Users Mailing List
Subject: Re: [xmail] Multiple from inside mail headers

On Wed, 14 Oct 2009, fred wrote:

> I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a solution to prevent these types of forged froms. I will have to add code into my script to parse the message header and look for the From: line, compare this from with the one in the SMTP transaction, if they are different do something. What do you guys think?

Can work, but you need a post-data filter for it.

- Davide

You need to read the mail to find the original From: from your script, not from xmail variables based on smtp level.

Francis

___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail

[xmail] Multiple from inside mail headers
Hello guys,

This is not really XMail specific but I am a bit confused there and I need help from experts. Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing. Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked from, see this example:

Return-Path: munitio...@soulofthejedi.net
Delivered-To: r...@fullmetalpacket.com
Received: from dsldevice.lan ([92.18.93.37]:49281) by mail with [XMail 1.26 ESMTP Server] id SA34818 for r...@fullmetalpacket.com from munitio...@soulofthejedi.net; Wed, 14 Oct 2009 11:50:35 -0400
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on spamshield.fullmetalpacket.com
X-Spam-Status: No, score=-87.3 required=9.0 tests=BAYES_50,HTML_MESSAGE,
    MIME_QP_LONG_LINE,NO_RELAYS,SPAMMY_XMAILER,TVD_RCVD_IP,TVD_RCVD_IP4,
    URIBL_BLACK,USER_IN_WHITELIST,XMAILER_MIMEOLE_OL_91287 autolearn=no version=3.2.4
Received: from 92.18.93.37 by soulofthejedi.net; Wed, 14 Oct 2009 16:40:46 +
Message-ID: 000d01ca4ce4$b2b7b9c0$6400a...@munitionb9
From: notificati...@fullmetalpacket.com notificati...@fullmetalpacket.com
To: r...@fullmetalpacket.com
Subject: The settings for the r...@fullmetalpacket.com mailbox were changed
Date: Wed, 14 Oct 2009 16:40:46 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01CA4CE4.B2B7B9C0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300

This guy is sending email like this with links to spread his malware. My filter is analyzing

Return-Path: munitio...@soulofthejedi.net

instead of

From: notificati...@fullmetalpacket.com notificati...@fullmetalpacket.com

Is there any way to analyze the faked from?

Thanks
-fred

Re: [xmail] Multiple from inside mail headers
Hello Fred

As this is a filter, the choice made to use 'return-path' in place of 'from' is filter specific, not related to xmail.

To help you we need to know more about this filter, how it works, parameters, ...

Self-written filter or found on the net? Do you have source code for this filter (or can we get it somewhere)?

Francis

-Original Message-
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org] On Behalf Of fred
Sent: Wednesday, 14 October 2009 17:56
To: 'XMail Users Mailing List'
Subject: [xmail] Multiple from inside mail headers

Hello guys,

This is not really XMail specific but I am a bit confused there and I need help from experts. Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing. Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked from, see this example:

Return-Path: munitio...@soulofthejedi.net
Delivered-To: r...@fullmetalpacket.com
Received: from dsldevice.lan ([92.18.93.37]:49281) by mail with [XMail 1.26 ESMTP Server] id SA34818 for r...@fullmetalpacket.com from munitio...@soulofthejedi.net; Wed, 14 Oct 2009 11:50:35 -0400
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on spamshield.fullmetalpacket.com
X-Spam-Status: No, score=-87.3 required=9.0 tests=BAYES_50,HTML_MESSAGE,
    MIME_QP_LONG_LINE,NO_RELAYS,SPAMMY_XMAILER,TVD_RCVD_IP,TVD_RCVD_IP4,
    URIBL_BLACK,USER_IN_WHITELIST,XMAILER_MIMEOLE_OL_91287 autolearn=no version=3.2.4
Received: from 92.18.93.37 by soulofthejedi.net; Wed, 14 Oct 2009 16:40:46 +
Message-ID: 000d01ca4ce4$b2b7b9c0$6400a...@munitionb9
From: notificati...@fullmetalpacket.com notificati...@fullmetalpacket.com
To: r...@fullmetalpacket.com
Subject: The settings for the r...@fullmetalpacket.com mailbox were changed
Date: Wed, 14 Oct 2009 16:40:46 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01CA4CE4.B2B7B9C0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300

This guy is sending email like this with links to spread his malware. My filter is analyzing

Return-Path: munitio...@soulofthejedi.net

instead of

From: notificati...@fullmetalpacket.com notificati...@fullmetalpacket.com

Is there any way to analyze the faked from?

Thanks
-fred

Re: [xmail] Multiple from inside mail headers
Hi Francis,

Thanks for your reply. This is a self-written script that gets the following arguments from filter.post-data.tab

    !aex /mailsrv/MailRoot/filters/spfcheck/spfcheck.php @@FROM @@CRCPT @@REMOTEADDR @@FILE

The @@FROM is the actual variable that is checked by this linux command (from within a PHP script):

    // escapeshellarg() keeps SMTP-supplied values such as @@FROM from being interpreted by the shell
    exec("spfquery --name " . escapeshellarg($this->_spfServer)
        . " -sender=" . escapeshellarg($this->_from)
        . " -ip=" . escapeshellarg($this->_remoteAddress)
        . " -helo=" . escapeshellarg($this->_helo), $output, $return);

    $this->_from == @@FROM

Spfquery returns a digit as the return code which is what I use for either dropping the email or letting it go through.

Thanks
-fred

-Original Message-
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org] On Behalf Of CLEMENT Francis
Sent: 14 October 2009 12:13
To: 'XMail Users Mailing List'
Subject: Re: [xmail] Multiple from inside mail headers

Hello Fred

As this is a filter, the choice made to use 'return-path' in place of 'from' is filter specific, not related to xmail.

To help you we need to know more about this filter, how it works, parameters, ...

Self-written filter or found on the net? Do you have source code for this filter (or can we get it somewhere)?

Francis

-Original Message-
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org] On Behalf Of fred
Sent: Wednesday, 14 October 2009 17:56
To: 'XMail Users Mailing List'
Subject: [xmail] Multiple from inside mail headers

Hello guys,

This is not really XMail specific but I am a bit confused there and I need help from experts. Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing. Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked from, see this example:

Return-Path: munitio...@soulofthejedi.net
Delivered-To: r...@fullmetalpacket.com
Received: from dsldevice.lan ([92.18.93.37]:49281) by mail with [XMail 1.26 ESMTP Server] id SA34818 for r...@fullmetalpacket.com from munitio...@soulofthejedi.net; Wed, 14 Oct 2009 11:50:35 -0400
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on spamshield.fullmetalpacket.com
X-Spam-Status: No, score=-87.3 required=9.0 tests=BAYES_50,HTML_MESSAGE,
    MIME_QP_LONG_LINE,NO_RELAYS,SPAMMY_XMAILER,TVD_RCVD_IP,TVD_RCVD_IP4,
    URIBL_BLACK,USER_IN_WHITELIST,XMAILER_MIMEOLE_OL_91287 autolearn=no version=3.2.4
Received: from 92.18.93.37 by soulofthejedi.net; Wed, 14 Oct 2009 16:40:46 +
Message-ID: 000d01ca4ce4$b2b7b9c0$6400a...@munitionb9
From: notificati...@fullmetalpacket.com notificati...@fullmetalpacket.com
To: r...@fullmetalpacket.com
Subject: The settings for the r...@fullmetalpacket.com mailbox were changed
Date: Wed, 14 Oct 2009 16:40:46 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01CA4CE4.B2B7B9C0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300

This guy is sending email like this with links to spread his malware. My filter is analyzing

Return-Path: munitio...@soulofthejedi.net

instead of

From: notificati...@fullmetalpacket.com notificati...@fullmetalpacket.com

Is there any way to analyze the faked from?

Thanks
-fred

Re: [xmail] Multiple from inside mail headers
On Wed, 14 Oct 2009, fred wrote:

> Hello guys, This is not really XMail specific but I am a bit confused there and I need help from experts. Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing. Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked from, see this example:

OK guys, XMail is an MTA and could care less of the envelope From: header. Wherever you see FROM inside XMail, that's the return-path (that is, the address passed in the 'MAIL FROM:...' SMTP transaction).

- Davide

Re: [xmail] Multiple from inside mail headers
I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a solution to prevent these types of forged froms.

I will have to add code into my script to parse the message header and look for the From: line, compare this from with the one in the SMTP transaction, if they are different do something.

What do you guys think?

-fred

-Original Message-
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org] On Behalf Of Davide Libenzi
Sent: 14 October 2009 13:01
To: XMail Users Mailing List
Subject: Re: [xmail] Multiple from inside mail headers

On Wed, 14 Oct 2009, fred wrote:

> Hello guys, This is not really XMail specific but I am a bit confused there and I need help from experts. Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing. Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked from, see this example:

OK guys, XMail is an MTA and could care less of the envelope From: header. Wherever you see FROM inside XMail, that's the return-path (that is, the address passed in the 'MAIL FROM:...' SMTP transaction).

- Davide

Re: [xmail] Multiple from inside mail headers
On Wed, 14 Oct 2009, fred wrote:

> I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a solution to prevent these types of forged froms. I will have to add code into my script to parse the message header and look for the From: line, compare this from with the one in the SMTP transaction, if they are different do something. What do you guys think?

Can work, but you need a post-data filter for it.

- Davide
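
The check discussed in this thread, written out in Python as an added example (not code from the thread, from fred's script or from XMail): it reads the message, collects every From: mailbox, including repeated From: lines, and compares the domain with the SMTP MAIL FROM address. The `<<MAIL-DATA>>` spool marker, the verdict names and the sample message are assumptions made for the example.

```python
from email import message_from_bytes
from email.utils import getaddresses

# Assumption: the file handed to the filter may start with spool info lines
# that end at this marker; a plain RFC 5322 message is accepted as well.
SPOOL_MARKER = b"<<MAIL-DATA>>"

def header_from_addresses(raw):
    """Return every mailbox found in the From: header(s), lower-cased."""
    _, found, rest = raw.partition(SPOOL_MARKER)
    if found:
        raw = rest.lstrip(b"\r\n")
    msg = message_from_bytes(raw)
    # get_all() sees repeated From: lines; getaddresses() splits address lists.
    values = [str(v) for v in msg.get_all("From", [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def domain_of(address):
    """Domain part of an address; '' for the null sender '<>'."""
    return address.strip("<> ").rpartition("@")[2].lower()

def check_from(raw, envelope_from, local_domains):
    """Compare the header From: with the SMTP MAIL FROM address."""
    addrs = header_from_addresses(raw)
    if not addrs:
        return "no-from"
    if len(addrs) > 1:
        return "multiple-from"
    header_domain = domain_of(addrs[0])
    if header_domain == domain_of(envelope_from):
        return "aligned"
    # A header From: claiming one of our own domains while the envelope
    # sender is foreign is the forgery pattern from the thread.
    if header_domain in local_domains:
        return "forged-local"
    # Mailing lists and forwarders legitimately differ here.
    return "mismatch"

# Constructed sample: foreign envelope sender, header From: in a local domain.
SAMPLE = (
    b"constructed-spool-info-line\r\n<<MAIL-DATA>>\r\n"
    b"Return-Path: <bounce@sender.example.net>\r\n"
    b"From: Notifications <notifications@example.com>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: mailbox settings changed\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print(check_from(SAMPLE, "bounce@sender.example.net", {"example.com"}))
```

Only the "forged-local" and "multiple-from" verdicts are strong signals on their own; a plain "mismatch" also occurs for legitimate list and forwarded mail, so it is better scored than rejected.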