
Re: Spoofed email



--- Nadim Shaikli <shaikli at yahoo dot com> wrote:
> So the events as I see them were,
> 
>  + mail comes-in as @RESA.org destined to 'cvs'
>  + postfix looks at it and says, ok it's allowed since it's not @arabeyes
>  + postfix, and I'm guessing here, did something to change the address
>    to be @arabeyes (or someone else did or something happened, not sure;
>    it's also odd that 'cvs-bounces' is involved)
>  + mail now gets handed to mailman's cvs list
>  + mailman checks the from header and sees @arabeyes address
>  + mailman allows it through -> problem

After a bit more digging, I finally looked at the mbox file that
contains that raw message and saw how this whole thing happened.
The email message contains the following,

  From Administrator at RESA dot ORG  Sun May  2 13:06:18 2004
  Return-Path: <Administrator at RESA dot ORG>
  From:   <Administrator at arabeyes dot org>
  Sender: <Administrator at arabeyes dot org>

So what happened was that postfix looked at the raw From field,
the actual real one, and it looked fine to it (i.e. it's not @arabeyes)
but when mailman looked at the message it used the later From: field
and let it post.  Now the question is how to check that both fields
are the same else the email is rejected (or how to get both applications
to use the same From field).

Any ideas?

Salam.

 - Nadim
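
The check asked about in the message above, as an added example (not part of the original post, and not postfix or mailman code): it compares the envelope sender recorded in `Return-Path` or the mbox `From ` line with the `From:` and `Sender:` headers, and rejects when a header claims the list's own domain but the envelope does not. The domains `lists.example` and `outside.example`, the sample message, and all function names are assumptions made for illustration.

```python
import email
from email.utils import parseaddr

PROTECTED_DOMAIN = "lists.example"  # assumption: stands in for the list's own domain

# Constructed sample modelled on the headers quoted above (placeholder addresses).
RAW = (
    "From administrator@outside.example  Sun May  2 13:06:18 2004\n"
    "Return-Path: <administrator@outside.example>\n"
    "From:   <administrator@lists.example>\n"
    "Sender: <administrator@lists.example>\n"
    "To: cvs@lists.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()

def envelope_sender(msg):
    """Envelope sender as recorded at delivery: Return-Path, else the mbox 'From ' line."""
    rp = parseaddr(msg.get("Return-Path", ""))[1]
    if rp:
        return rp
    parts = (msg.get_unixfrom() or "").split()
    return parts[1] if len(parts) > 1 else ""

def check(raw, protected=PROTECTED_DOMAIN):
    """Return (reject, findings); findings list (header, header_domain, envelope_domain)."""
    msg = email.message_from_string(raw)
    env = domain_of(envelope_sender(msg))
    findings = []
    for name in ("From", "Sender"):
        for value in msg.get_all(name, []):
            hdr = domain_of(parseaddr(value)[1])
            if hdr and hdr != env:
                findings.append((name, hdr, env))
    # A bare mismatch is normal for forwarders and list software, so reject
    # only when a header claims the protected domain and the envelope does not.
    reject = any(h == protected and e != protected for _, h, e in findings)
    return reject, findings

if __name__ == "__main__":
    print(check(RAW))
```
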