from field being changed - How?

evick27_ironport · ‎03-27-2008

This is probably going to be a rather dumb question, but here it goes. My company's CEO received a SPAM message the other day. The concern he had was that the message was not only addressed from him, but it appeared as though the sender was him also.

I was able to find the message through Ironport Mailflow and saw that the message came into the Ironport device with a from field of ;

Sender: n.turkina@bbkservice.ru
Recipient(s): myboss@ourcompany.org
Subject: Your Featured Products of the Week?
Message-ID Header: 20090318140646.3977.qmail@OMAR1

So how does a Spammer get the message to change the sender field information to reflect the same as the To field?

We are using Lotus Notes (Domino) for mail. They are only accepting messages from our Ironport devices.

kluu_ironport · ‎03-27-2008

It's because the envelope sender doesn't necessarily have to be the same as the header('From') email address. For legitimate mail, this doesn't come up, but spammers use this to try and bypass spam filters and such.

For example, here is what a potential smtp conversation between the Internet and the Ironport appliance:

----

(sender)   helo
(receiver) 220 ok
(sender)   mail-from:  n.turkina@bbkservice.ru
(receiver) 250 ok
(sender)   rcpt-to:  myboss@ourcompany.org
(receiver) 250 ok
(sender)   data
(receiver) 334 go ahead, end with "." on it's own line
(sender)   From:  myboss@ourcompany.org
(sender)   To:      myboss@ourcompany.org
(sender)   Subject:  Do you want to buy a brand new Rolex watch?
(sender)   
(sender)   Go to this website to buy it, http://newrolex.com
(sender)   .
(receiver) 250 message accepted

----

What happened above is perfectly legal. It is RFC compliant and it's not breaking any rules.

Now, what I would recommend to counter this is the following:

1. Would there be any scenario where both the header("From") and the header("To") would be the same domain, in this case, "ourcompany.org".

When two co-workers send mail to one another, should it stay on the mailserver and never hit the Ironport appliance.

If this is the case, we can implement an incoming content filter like the following:

Same_from_to_domain_in_headers_quarantine:

Conditions (All of the following must match):
header("From") == "ourcompany.com$"
header("To") == "ourcompany.com$"

Actions:
quarantine ("Policy")

-----

This kb article may help you with content filters.

What conditions / actions are available to content filters?

http://tinyurl.com/jpqwl

This is probably going to be a rather dumb question, but here it goes. My company's CEO received a SPAM message the other day. The concern he had was that the message was not only addressed from him, but it appeared as though the sender was him also. 

I was able to find the message through Ironport Mailflow and saw that the message came into the Ironport device with a from field of ;

Sender: 	               n.turkina@bbkservice.ru
Recipient(s): 	myboss@ourcompany.org
Subject: 	Your Featured Products of the Week?
Message-ID Header: 	20090318140646.3977.qmail@OMAR1

So how does a Spammer get the message to change the sender field information to reflect the same as the To field? 

We are using Lotus Notes (Domino) for mail. They are only accepting messages from our Ironport devices.

evick27_ironport · ‎03-27-2008

Thanks for the info. Your content filter sounds like a perfect solution. Thanks again.

kluu_ironport · ‎03-27-2008

If you decide to implement this content filter, make sure you toggle it so that ALL CONDITIONS must match.

Conditions (All of the following must match):
header("From") == "ourcompany.com$"
header("To") == "ourcompany.com$"

Thanks for the info. Your content filter sounds like a perfect solution. Thanks again.

evick27_ironport · ‎03-27-2008

Would say that not having the envelope sender and header the same is a common practice for anything but SPAM. Would it be possible to set up something that would quarantine messages if the two do not match?

If you decide to implement this content filter, make sure you toggle it so that ALL CONDITIONS must match.

Conditions (All of the following must match): 
header("From") == "ourcompany.com$" 
header("To") == "ourcompany.com$"



Thanks for the info. Your content filter sounds like a perfect solution. Thanks again.

kluu_ironport · ‎03-28-2008

I would say that requiring that both the "mail-from" and the 'header("From")' email address be the same is not commonly required. For inbound mail from legitimate senders, this isn't usually a problem since they'll both be the same. For spammers, that's a tricky question. They will try and sneak in however they can.

The danger that you have to be aware of are this. There may be a few others.

- Sometimes legitimate mailing list come in where the envelope sender is not the same as the header('From').

-----

So, what I'm saying is that you may potentially run into false positives where good email may match this rule. The original rule that I gave you is pretty safe.

But, if you did want to proceed with a content filter that required both the envelope sender to be the same as the header('From'), then this should do the trick:

Conditions (All of the following must match):
header("From") == "ourcompany.com$"
mail-from == "ironport.com$"

Action:
quarantine("Policy")

You may want to test this out and regularly check your Policy quarantine to make sure there are no false positives.[Good email that accidentially got matched].

Hope that helps.

Would say that not having the envelope sender and header the same is a common practice for anything but SPAM. Would it be possible to set up something that would quarantine messages if the two do not match?




If you decide to implement this content filter, make sure you toggle it so that ALL CONDITIONS must match.

Conditions (All of the following must match): 
header("From") == "ourcompany.com$" 
header("To") == "ourcompany.com$"



Thanks for the info. Your content filter sounds like a perfect solution. Thanks again.