
Re: Spoofed email



--- Nadim Shaikli <shaikli at yahoo dot com> wrote:
>   From Administrator at RESA dot ORG  Sun May  2 13:06:18 2004
>   Return-Path: <Administrator at RESA dot ORG>
>   From:   <Administrator at arabeyes dot org>
>   Sender: <Administrator at arabeyes dot org>
> 
> So what happened was that postfix looked at the raw From field,
> the actual real one and it looked fine to it (i.e. it's not @arabeyes)
> but when mailman looked at the message it used the later From: field
> and let it post.  Now the question is how to check that both fields
> are the same else the email is rejected (or how to get both applications
> to use the same From field).

I wasn't able to figure out (nor did I find anything on the net that
pointed me in the right direction about comparing the two FROMs), so after
talking to Uniball/Xsnack on IRC - I added a header check to our postfix
main.cf file.  So now we should really be solid.  We are now NOT allowing
anyone from the outside to come in with either an envelope from (that was
the first check being done already) or a header From field (new check now)
set to arabeyes.org.

All that is left now is how to handle the spoofing of other people's
accounts and whether we should really do anything.  Should we add the
"I will not accept mail from known open relay hosts" option?

Here are some links I found useful with regard to this generic problem,
I'll leave it be until someone else says something and/or a decision on
a plan of action is made :-)

  http://www.ordb.org/faq
  http://www.spamhaus.org/xbl/index.lasso
  http://www.ordb.org/faq/#usage_postfix
  http://pfortin.com/Linux/PostFix

BTW: there are some errors/warnings in the syslog file that someone
     should look into and fix-up.

Salam.

 - Nadim
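
Added example, not part of the original message and not the Postfix configuration the author used: a Python sketch of the two checks described above, applied to mail arriving from outside, where both the envelope sender and the header From are tested against the protected domain. It goes one step beyond the message by also testing the Sender header seen in the quoted spoof; the function names and sample messages are constructed for illustration.

```python
import email
from email.utils import getaddresses

PROTECTED = "arabeyes.org"  # the domain named in the message

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    _, at, dom = addr.rpartition("@")
    return dom.lower().rstrip(".") if at else ""

def in_protected(addr, protected=PROTECTED):
    d = domain_of(addr)
    return d == protected or d.endswith("." + protected)

def check_inbound(envelope_from, raw_message, protected=PROTECTED):
    """Reasons to reject a message that arrived from an outside host."""
    reasons = []
    # Check 1: the envelope sender (SMTP MAIL FROM / Return-Path).
    if in_protected(envelope_from, protected):
        reasons.append(f"envelope sender claims {protected}")
    # Check 2: the header addresses that list software reads.
    msg = email.message_from_string(raw_message)
    for name in ("From", "Sender"):
        for _, addr in getaddresses(msg.get_all(name, [])):
            if in_protected(addr, protected):
                reasons.append(f"{name}: header claims {protected}")
    return reasons

# Constructed sample messages (not taken from real mail).
SPOOFED = (
    "From: <Administrator@arabeyes.org>\n"
    "Sender: <Administrator@arabeyes.org>\n"
    "Subject: constructed sample\n\nbody\n"
)
CLEAN = "From: Someone <someone@outside.example>\nSubject: hi\n\nbody\n"
LOOKALIKE = "From: <admin@arabeyes.org.outside.example>\n\nbody\n"

if __name__ == "__main__":
    for env, raw in [("administrator@outside.example", SPOOFED),
                     ("someone@outside.example", CLEAN),
                     ("list@arabeyes.org", CLEAN)]:
        print(env, "->", check_inbound(env, raw) or "accept")
```

The check only makes sense for connections from outside hosts; mail submitted by the domain's own trusted senders legitimately carries these addresses and has to be exempted.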



	
		