03-27-2008 02:11 PM
This is probably going to be a rather dumb question, but here it goes. My company's CEO received a SPAM message the other day. The concern he had was that the message was not only addressed from him, but it appeared as though the sender was him also.
I was able to find the message through Ironport Mailflow and saw that the message came into the Ironport device with a from field of:
Sender: n.turkina@bbkservice.ru
Recipient(s): myboss@ourcompany.org
Subject: Your Featured Products of the Week?
Message-ID Header: 20090318140646.3977.qmail@OMAR1
So how does a Spammer get the message to change the sender field information to reflect the same as the To field?
We are using Lotus Notes (Domino) for mail. They are only accepting messages from our Ironport devices.
03-27-2008 08:03 PM
It's because the envelope sender doesn't necessarily have to be the same as the header('From') email address. For legitimate mail, this doesn't come up, but spammers use this to try and bypass spam filters and such.
For example, here is what a potential SMTP conversation between the Internet and the Ironport appliance might look like:
----
(receiver) 220 mx.ourcompany.org ESMTP
(sender) HELO sender.example
(receiver) 250 ok
(sender) MAIL FROM:<n.turkina@bbkservice.ru>
(receiver) 250 ok
(sender) RCPT TO:<myboss@ourcompany.org>
(receiver) 250 ok
(sender) DATA
(receiver) 354 go ahead, end with "." on its own line
(sender) From: myboss@ourcompany.org
(sender) To: myboss@ourcompany.org
(sender) Subject: Do you want to buy a brand new Rolex watch?
(sender)
(sender) Go to this website to buy it, http://newrolex.com
(sender) .
(receiver) 250 message accepted
03-27-2008 08:06 PM
Thanks for the info. Your content filter sounds like a perfect solution. Thanks again.
03-27-2008 08:21 PM
If you decide to implement this content filter, make sure you toggle it so that ALL CONDITIONS must match.
Conditions (All of the following must match):
header("From") == "ourcompany.com$"
header("To") == "ourcompany.com$"
03-27-2008 10:03 PM
I would say that not having the envelope sender and header the same is a common practice for anything but SPAM. Would it be possible to set up something that would quarantine messages if the two do not match?
03-28-2008 12:01 AM
I would say that requiring that both the "mail-from" and the 'header("From")' email address be the same is not commonly required. For inbound mail from legitimate senders, this isn't usually a problem since they'll both be the same. For spammers, that's a tricky question. They will try and sneak in however they can.
The danger that you have to be aware of is this (there may be a few others):
- Sometimes legitimate mailing list come in where the envelope sender is not the same as the header('From').
-----
So, what I'm saying is that you may potentially run into false positives where good email may match this rule. The original rule that I gave you is pretty safe.
But, if you did want to proceed with a content filter that required both the envelope sender to be the same as the header('From'), then this should do the trick:
Conditions (All of the following must match):
header("From") == "ourcompany.com$"
mail-from == "ironport.com$"
Action:
quarantine("Policy")
You may want to test this out and regularly check your Policy quarantine to make sure there are no false positives (good email that accidentally got matched).
Hope that helps.
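Added example (not code from the thread or from IronPort): a small receiving-side SMTP state machine that records the envelope (MAIL FROM / RCPT TO) separately from the From: and To: header lines carried inside DATA, as in the exchange sketched in the first reply, and then applies the two content-filter ideas from the later posts to it. The domain ourcompany.org, the hostnames, and the three sample sessions (the thread's spam, a mailing-list post, and an ordinary vendor message) are constructed for the example. The "Sender" line shown in Mailflow is the envelope MAIL FROM, which is why it read n.turkina@bbkservice.ru while the message itself displayed the CEO's address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the thread's example domain. The filter lines in the thread use
# ourcompany.com while the Mailflow record uses ourcompany.org; pick your own.
OUR_DOMAIN = re.compile(r"@ourcompany\.org$", re.IGNORECASE)


def smtp_receive(client_lines):
    """Play the receiving side of the SMTP exchange sketched in the thread.

    Returns (envelope_mail_from, envelope_rcpt_to, parsed_message, transcript).
    The envelope comes only from MAIL FROM / RCPT TO. The From: and To: header
    lines arrive inside DATA and are never compared with the envelope.
    """
    transcript = ["S: 220 mx.ourcompany.org ESMTP"]   # hostname is made up
    mail_from, rcpt_to, body, in_data = None, [], [], False
    for line in client_lines:
        transcript.append("C: " + line)
        if in_data:
            if line == ".":
                in_data = False
                transcript.append("S: 250 message accepted")
            else:
                # RFC 5321 dot-stuffing: a body line starting with "." is sent as ".."
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            transcript.append("S: 250 mx.ourcompany.org")
        elif verb == "MAIL":                       # MAIL FROM:<addr>
            mail_from = parseaddr(arg.split(":", 1)[1])[1]
            transcript.append("S: 250 ok")
        elif verb == "RCPT":                       # RCPT TO:<addr>
            rcpt_to.append(parseaddr(arg.split(":", 1)[1])[1])
            transcript.append("S: 250 ok")
        elif verb == "DATA":
            in_data = True
            transcript.append('S: 354 go ahead, end with "." on its own line')
        elif verb == "QUIT":
            transcript.append("S: 221 bye")
        else:
            transcript.append("S: 500 command not recognized")
    return mail_from, rcpt_to, message_from_string("\n".join(body)), transcript


def filter_verdict(mail_from, msg):
    """Apply the two content-filter ideas from the thread; report which fired."""
    hdr_from = parseaddr(msg.get("From", ""))[1]
    hdr_to = parseaddr(msg.get("To", ""))[1]
    fired = []
    # Filter 1 (the safer one): inbound mail with our domain in BOTH From: and To:.
    if OUR_DOMAIN.search(hdr_from) and OUR_DOMAIN.search(hdr_to):
        fired.append("internal-from-and-to")
    # Filter 2: our domain in From: but the envelope sender is somewhere else.
    if OUR_DOMAIN.search(hdr_from) and not OUR_DOMAIN.search(mail_from or ""):
        fired.append("envelope-header-mismatch")
    return ("quarantine(Policy)" if fired else "deliver", fired)


def check_session(client_lines):
    """Receive one session and return the content-filter verdict."""
    mail_from, _rcpt_to, msg, _transcript = smtp_receive(client_lines)
    return filter_verdict(mail_from, msg)


# Constructed sample sessions, not captured traffic.
def session(helo, mail_from, rcpt, header_lines, body_lines):
    """Build the client side of one SMTP session."""
    return ([f"HELO {helo}", f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt}>", "DATA"]
            + header_lines + [""] + body_lines + [".", "QUIT"])

SPAM_SESSION = session("OMAR1", "n.turkina@bbkservice.ru", "myboss@ourcompany.org",
                       ["From: myboss@ourcompany.org", "To: myboss@ourcompany.org",
                        "Subject: Your Featured Products of the Week?"],
                       ["Go to this website to buy it, http://newrolex.com"])
LIST_SESSION = session("lists.example.net", "security-talk-bounces@lists.example.net",
                       "myboss@ourcompany.org",
                       ["From: colleague@ourcompany.org", "To: security-talk@lists.example.net",
                        "Subject: [security-talk] Patch Tuesday notes"], ["See attached."])
VENDOR_SESSION = session("mail.vendor.example", "orders@vendor.example", "myboss@ourcompany.org",
                         ['From: "Vendor Orders" <orders@vendor.example>',
                          "To: myboss@ourcompany.org", "Subject: Order shipped"],
                         ["Your order shipped.", "..end"])

if __name__ == "__main__":
    for name, sess in (("spam", SPAM_SESSION), ("list", LIST_SESSION), ("vendor", VENDOR_SESSION)):
        print(name, check_session(sess))
    print("\n".join(smtp_receive(SPAM_SESSION)[3]))
```

Running it shows the thread's spam tripping both filters, the vendor mail passing cleanly, and the mailing-list post tripping only the envelope/header mismatch filter: that is the false positive the last reply warns about, since the list's bounce address is the envelope sender while the original poster's address stays in From:.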