
PMX Forged from field in emails

Hello,

Lately, we have been getting emails from the outside with a forged "From", so that to the users it looks like the email came from someone inside the company.

Here is the header info:

Return-Path: <AslaugLeavenworth@wildblue.net>
Delivered-To: etshop@DOMAIN.COM
Received: from housigma22.DOMAIN.COM (localhost [127.0.0.1])
	by localhost (Postfix) with SMTP id 7AE1BA9668
	for <etshop@DOMAIN.COM>; Fri,  2 Mar 2012 01:34:51 -0600 (CST)
Received: from [123.24.54.179] (unknown [123.24.54.179])
	by housigma22.DOMAIN.COM (Postfix) with ESMTP id C01C2A9656
	for <etshop@DOMAIN.COM>; Fri,  2 Mar 2012 01:34:49 -0600 (CST)
Received: from [123.24.54.179] (helo=graduate.org) by  with esmtpa (Exim 4.75 (FreeBSD)) (envelope-from <AslaugLeavenworth@wildblue.net>) id 1T18KG-5776zm-ID for etshop@DOMAIN.COM; Fri, 2 Mar 2012 10:34:49 +0700
From: <support@DOMAIN.COM>
To: etshop@DOMAIN.COM
Subject: Re: Fwd: Fwd: Scan from a HP Officejet  #73856235
Date: Fri, 2 Mar 2012 10:34:49 +0700
MIME-Version: 1.0
X-Priority: 3
X-Mailer: lwzyeoh.86
Message-ID: <8039269855.Y5GIOKUY704733@DOMAIN.COM>
Content-Type: multipart/mixed;
  boundary="----=a__xnitkflaqp_37_52_41"
X-PMX-Version: 5.5.9.395186, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2012.3.2.72131

I have configured the backscatter policy, but this is not backscatter. How can I solve this?

Thanks



  • Hello,

    PureMessage won't automatically block e-mails based on the From header as this doesn't necessarily mean it is unwanted e-mail.  For example, externally hosted systems may send automated e-mails with a forged from header.

    You could configure rules to automatically quarantine these messages if you wish to though.  Before you start, make sure that your 'internal hosts' list is correct.  You only want this new policy to apply to mail from external hosts otherwise it will cause problems with outbound mail.

    If you're using the PureMessage Manager GUI you can use the 'Sender's address' test to check if the sender's address contains @DOMAIN.COM.  This will test the 'From' header of the message.

    You could also setup another rule using the 'Envelope from' test to check the envelope address as well.

    A full guide on this is in the Help documentation here:

    http://pmdocs.sophos.com/pmdocs/Latest/en/pmdocs/tasks/AdmPolCustPolQuarantineMsgsFromFakeSenders.html

    Hope this helps! 

    Tom.

  • Hi

    As long as you are using Postfix you would do better to solve this at the gateway and not accept such messages at all. To reject them due to a spoofed 'envelope from' use standard hash/cdb/... lookup tables in 'check_sender_access' tests. Check them inside the 'smtpd_recipient_restrictions' even if they belong to 'smtpd_sender_restrictions'.

    Another method checks the 'From:' header during the DATA phase of the SMTP dialogue. It is called 'header_checks'. Postfix has to be configured with PCRE (Perl compatible regular expressions) support. To find out, type 'postconf -m'. The patterns are a little cumbersome and you should first WARN but not REJECT during the test phase. I have no experience with this feature on heavy load servers but PCRE checks will probably scale badly.

    All is documented well at www.postfix.org under 'Documentation'.

    Have fun

    Ilja

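As an added example (not code from the thread, PureMessage or Postfix), the logic of the two checks Ilja describes, the envelope-from lookup and the From: header check, gated on the internal-hosts list Tom mentions, run over the headers from the question. The internal domain and the internal network list are assumptions.

```python
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Assumptions (not from the post): the company's domain and the gateway's
# 'internal hosts' (PMX) / mynetworks (Postfix); mail from those is outbound.
INTERNAL_DOMAIN = "domain.com"
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Sample built from the headers quoted in the question, most headers trimmed.
SAMPLE = """Return-Path: <AslaugLeavenworth@wildblue.net>
Received: from housigma22.DOMAIN.COM (localhost [127.0.0.1])
\tby localhost (Postfix) with SMTP id 7AE1BA9668
Received: from [123.24.54.179] (unknown [123.24.54.179])
\tby housigma22.DOMAIN.COM (Postfix) with ESMTP id C01C2A9656
Received: from [123.24.54.179] (helo=graduate.org) by  with esmtpa (Exim 4.75 (FreeBSD))
From: <support@DOMAIN.COM>
To: etshop@DOMAIN.COM
"""

# Client as Postfix writes it: "from HELO (reverse-dns [ip])".
_CLIENT = re.compile(r"^from\s+\S+\s+\(\S+\s+\[([0-9a-fA-F.:]+)\]\)")

def connecting_client(received):
    """First client IP in the (newest-first) Received chain that is not one of
    our internal hosts, i.e. the external system that handed us the message."""
    for hop in received:
        m = _CLIENT.match(hop.strip())
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None  # every hop internal, or nothing Postfix-shaped: treat as outbound

def domain_of(value):
    """Lower-cased domain part of the address in a From:/Return-Path: value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def check_headers(raw):
    """Apply the thread's two checks; REJECT = claims our domain from outside."""
    msg = HeaderParser().parsestr(raw)
    client = connecting_client(msg.get_all("Received", []))
    def verdict(domain):
        return "REJECT" if client and domain == INTERNAL_DOMAIN else "OK"
    return {"client": client,
            "envelope_from": verdict(domain_of(msg["Return-Path"])),  # check_sender_access
            "from_header": verdict(domain_of(msg["From"]))}           # header_checks
```

On the posted headers only the From: header check fires, because the envelope sender is a wildblue.net address and a 'check_sender_access' lookup on @DOMAIN.COM would never see it. A plain Postfix 'header_checks' rule is applied to all mail passing cleanup, outbound included, unless the submission path overrides it, which is why gating on the connecting client matters.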