PMX Forged from field in emails

Hello,

Lately, we have been getting emails from the outside with forged "from" so to the users it looks like the email came from someone inside the company.

Here is the header info:

Return-Path: <AslaugLeavenworth@wildblue.net>
Delivered-To: etshop@DOMAIN.COM
Received: from housigma22.DOMAIN.COM (localhost [127.0.0.1])
	by localhost (Postfix) with SMTP id 7AE1BA9668
	for <etshop@DOMAIN.COM>; Fri,  2 Mar 2012 01:34:51 -0600 (CST)
Received: from [123.24.54.179] (unknown [123.24.54.179])
	by housigma22.DOMAIN.COM (Postfix) with ESMTP id C01C2A9656
	for <etshop@DOMAIN.COM>; Fri,  2 Mar 2012 01:34:49 -0600 (CST)
Received: from [123.24.54.179] (helo=graduate.org) by  with esmtpa (Exim 4.75 (FreeBSD)) (envelope-from <AslaugLeavenworth@wildblue.net>) id 1T18KG-5776zm-ID for etshop@DOMAIN.COM; Fri, 2 Mar 2012 10:34:49 +0700
From: <support@DOMAIN.COM>
To: etshop@DOMAIN.COM
Subject: Re: Fwd: Fwd: Scan from a HP Officejet  #73856235
Date: Fri, 2 Mar 2012 10:34:49 +0700
MIME-Version: 1.0
X-Priority: 3
X-Mailer: lwzyeoh.86
Message-ID: <8039269855.Y5GIOKUY704733@DOMAIN.COM>
Content-Type: multipart/mixed;
  boundary="----=a__xnitkflaqp_37_52_41"
X-PMX-Version: 5.5.9.395186, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2012.3.2.72131

I have configured the backscatter policy, but this is not backscatter. How can I solve this?

Thanks

  • Hi

    As long as you are using Postfix you should better solve this at the gateway and don't accept such messages at all. To reject them due to a spoofed 'envelope from' use standard hash/cdb/... lookup tables in 'check_sender_access' tests. Check them inside the 'smtpd_recipient_restrictions' even if they belong to 'smtpd_sender_restrictions'.

    Another method checks the 'From:' header during the DATA phase of the SMTP dialog. It is called 'header_checks'. Postfix has to be configured with PCRE (Perl compatible regular expressions) support. To find out, type 'postconf -m'. The patterns are a little cumbersome and you first should WARN but not REJECT during the test phase. I have no experience with this feature on heavy-load servers, but PCRE checks will probably scale badly.

    All is documented well at www.postfix.org under 'Documentation'.

    Have fun

    Ilja

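The two Postfix mechanisms Ilja describes, run as a dry run in Python against the headers quoted in the original post. This is an added example, not code from the thread or from Postfix: the domain DOMAIN.COM, the contents of the `sender_access` table, the `header_checks` pattern and its action text are assumptions, and the lookup logic is a simplified imitation of how access(5) and header_checks(5) evaluate their tables, so that the effect of each rule can be seen before it is put into `main.cf`.

```python
import re

# Constructed sample: an abridged copy of the headers quoted in the original post.
SAMPLE = (
    "Return-Path: <AslaugLeavenworth@wildblue.net>\n"
    "Received: from [123.24.54.179] (unknown [123.24.54.179])\n"
    "\tby housigma22.DOMAIN.COM (Postfix) with ESMTP id C01C2A9656\n"
    "\tfor <etshop@DOMAIN.COM>; Fri,  2 Mar 2012 01:34:49 -0600 (CST)\n"
    "From: <support@DOMAIN.COM>\n"
    "To: etshop@DOMAIN.COM\n"
    "Subject: Re: Fwd: Fwd: Scan from a HP Officejet  #73856235\n"
    "\n"
    "message body\n"
)

# (1) Assumed contents of an access(5) table used by check_sender_access,
#     e.g. hash:/etc/postfix/sender_access. The key is our own domain, so an
#     outside client presenting a local envelope sender is rejected at SMTP time.
SENDER_ACCESS = {
    "domain.com": "REJECT Envelope sender claims to be local",
}

# (2) Assumed contents of a pcre header_checks table,
#     e.g. pcre:/etc/postfix/header_checks.pcre, one line:
#     /^From:.*@DOMAIN\.COM/i  WARN From: header claims to be local
#     WARN only logs and delivers; change it to REJECT after watching the log.
HEADER_CHECKS = [
    (re.compile(r"^From:.*@DOMAIN\.COM", re.IGNORECASE),
     "WARN From: header claims to be local"),
]


def envelope_sender_action(envelope_from):
    """Simplified access(5) lookup order for a sender address:
    user@domain, then the domain and each parent domain, then user@."""
    addr = envelope_from.strip(" <>").lower()
    local, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    candidates = [addr]
    candidates += [".".join(labels[i:]) for i in range(len(labels) - 1)]
    candidates.append(local + "@")
    for key in candidates:
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return None  # no entry: the restriction list continues (DUNNO)


def unfold_headers(raw_message):
    """Return logical header lines; header_checks sees a folded header as one line."""
    header_block = raw_message.split("\n\n", 1)[0]
    logical = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def header_checks_actions(raw_message):
    """Apply the header_checks patterns; the first matching pattern per header wins."""
    hits = []
    for header in unfold_headers(raw_message):
        for pattern, action in HEADER_CHECKS:
            if pattern.search(header):
                hits.append((header.split(":", 1)[0], action))
                break
    return hits


def envelope_from_of(raw_message):
    """Envelope sender as recorded in Return-Path (what check_sender_access would see)."""
    for header in unfold_headers(raw_message):
        if header.lower().startswith("return-path:"):
            return header.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    print("envelope sender:", envelope_sender_action(envelope_from_of(SAMPLE)))
    print("header_checks:  ", header_checks_actions(SAMPLE))
```

Running it shows why both rules are needed: the posted message has a genuine outside envelope sender (wildblue.net), so the `check_sender_access` lookup returns nothing and only the `header_checks` rule fires on the forged `From: <support@DOMAIN.COM>`. In `main.cf` the two pieces correspond to something like `smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_unauth_destination` and `header_checks = pcre:/etc/postfix/header_checks.pcre`. Because `header_checks` cannot see which client submitted the mail, it also matches your own users' outbound messages; keep them on a separate submission service in `master.cf` with `-o receive_override_options=no_header_body_checks`, or the REJECT version of the rule will bounce legitimate internal mail.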