
Mailing List Archive: SpamAssassin: users

Relation between MAIL FROM: <> and From:

 

 



luis.daniel.lucio at gmail

Nov 12, 2009, 5:53 PM

Post #1 of 5 (674 views)
Relation between MAIL FROM: <> and From:

Hi All,

I'm wondering if someone knows whether this is possible to stop using SA. Look.

[root [at] cyru postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to cyrus.sat.gob.mx (127.0.0.1).
Escape character is '^]'.
220 mx2.sat.gob.mx ESMTP Postfix
EHLO brandmauer.insys-corp.com.mx
250-mx2.sat.gob.mx
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <raulr [at] insys-corp>
250 2.1.0 Ok
RCPT TO: <sas [at] sat>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: Samuel Flores <samuel.flores [at] sat>
To: SAS <sas [at] sat>
Date: Thu, 12 Nov 2009 18:40:06 -0600
MIME-Version: 1.0
Content-Type: Text/Plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200911121840.06060.sas [at] sat>
Status: RO
X-Status: RS
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
Subject: t2

Mensaje
.
250 2.0.0 Ok: queued as CA5426B837
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

As you see, MAIL FROM (SMTP protocol) and From (DATA) are different, and
Amavis+SA+Postfix is accepting this. Is this a SA task or Amavis or Postfix?

Here are my logs:

--------------
Nov 12 19:31:51 cyrus postfix/smtpd[7412]: CA5426B837:
client=cyrus.sat.gob.mx[127.0.0.1]
Nov 12 19:34:02 cyrus postfix/cleanup[8795]: CA5426B837: message-
id=<200911121840.06060.sas [at] sat>
Nov 12 19:34:02 cyrus postfix/qmgr[1488]: CA5426B837: from=<raulr [at] insys
corp.com.mx>, size=582, nrcpt=1 (queue active)
Nov 12 19:34:03 cyrus postfix/lmtp[8896]: CA5426B837: to=<sas [at] sat>,
relay=127.0.0.1[127.0.0.1]:10025, delay=161, delays=160/0.03/0/0.4, dsn=2.0.0,
status=sent (250 2.0.0 Ok: queued as 583096B9A1)
Nov 12 19:34:03 cyrus postfix/qmgr[1488]: CA5426B837: removed

[root [at] cyru postfix]# grep 583096B9A1 /var/log/mail/info.log
Nov 12 19:34:03 cyrus postfix/smtpd[8853]: 583096B9A1:
client=cyrus.sat.gob.mx[127.0.0.1]:unknown
Nov 12 19:34:03 cyrus postfix/cleanup[8796]: 583096B9A1: message-
id=<200911121840.06060.sas [at] sat>
Nov 12 19:34:03 cyrus postfix/qmgr[1488]: 583096B9A1: from=<raulr [at] insys
corp.com.mx>, size=1163, nrcpt=1 (queue active)
Nov 12 19:34:03 cyrus amavis[6486]: (06486-11) Passed CLEAN, MYNETS LOCAL
[127.0.0.1] [127.0.0.1] <raulr [at] insys-corp> -> <sas [at] sat>,
Message-ID: <200911121840.06060.sas [at] sat>, mail_id: h2ruWAjex7lV, Hits:
-2.394, size: 582, queued_as: 583096B9A1, 400 ms
Nov 12 19:34:03 cyrus postfix/lmtp[8896]: CA5426B837: to=<sas [at] sat>,
relay=127.0.0.1[127.0.0.1]:10025, delay=161, delays=160/0.03/0/0.4, dsn=2.0.0,
status=sent (250 2.0.0 Ok: queued as 583096B9A1)
Nov 12 19:34:03 cyrus postfix/smtp[8302]: 583096B9A1: to=<sas [at] sat>,
relay=10.10.60.10[10.10.60.10]:25, delay=0.07, delays=0.01/0.04/0.01/0.01,
dsn=2.0.0, status=sent (250 OK: <075480f2000093a4 [at] sat>)
Nov 12 19:34:03 cyrus postfix/qmgr[1488]: 583096B9A1: removed


Best Regards,

LD


dbfunk at engineering

Nov 12, 2009, 6:28 PM

Post #2 of 5 (619 views)
Re: Relation between MAIL FROM: <> and From: [In reply to]

If you search the archives of this list you will find a long-winded
discussion of this idea and an explanation of why it is a bad idea.

To make a long story short, you will block lots of legitimate mail
including almost every mail-list type message.
For example, check the Header-From and Envelope-From addresses of
any message that you get from this list.

A similar argument applies to the Header-To and Envelope-recipient
addresses.

The SMTP protocol provided for separate header VS envelope addresses
with good reason, trying to block that feature only leads to trouble.

On Thu, 12 Nov 2009, Luis Daniel Lucio Quiroz wrote:

> Hi All,
>
> I'm wondering if someone knows whether this is possible to stop using SA. Look.
>
> [root [at] cyru postfix]# telnet localhost 25
> Trying 127.0.0.1...
> Connected to cyrus.sat.gob.mx (127.0.0.1).
> Escape character is '^]'.
> 220 mx2.sat.gob.mx ESMTP Postfix
> EHLO brandmauer.insys-corp.com.mx
> 250-mx2.sat.gob.mx
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> MAIL FROM: <raulr [at] insys-corp>
> 250 2.1.0 Ok
> RCPT TO: <sas [at] sat>
> 250 2.1.5 Ok
> DATA
> 354 End data with <CR><LF>.<CR><LF>
> From: Samuel Flores <samuel.flores [at] sat>
[snip..]
>
> As you see, MAIL FROM (SMTP protocol) and From (DATA) are different, and
> Amavis+SA+Postfix is accepting this. Is this a SA task or Amavis or Postfix?
>
[snip..]

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


mkettler_sa at verizon

Nov 12, 2009, 6:43 PM

Post #3 of 5 (627 views)
Re: Relation between MAIL FROM: <> and From: [In reply to]

Luis Daniel Lucio Quiroz wrote:
>
> Hi All,
>
> I'm wondering if someone knows whether this is possible to stop using SA. Look.
>
MAIL FROM and From: are commonly mismatched in legitimate mail.

For example, every message that you receive from this list (and every
other sanely configured mailing list) will have an apache.org address in
the MAIL FROM, and the sender in the From:. That's because apache is
remailing, and should receive all DSN's, but they are not the originator
of the message.

There's quite a few other scenarios where mismatches occur outside of
spam. Perhaps you should look more closely at your nonspam email.


luis.daniel.lucio at gmail

Nov 12, 2009, 7:37 PM

Post #4 of 5 (623 views)
Re: Relation between MAIL FROM: <> and From: [In reply to]

On Thursday 12 November 2009 20:28:51, David B Funk wrote:
> If you search the archives of this list you will find a long-winded
> discussion of this idea and an explanation of why it is a bad idea.
>
> To make a long story short, you will block lots of legitimate mail
> including almost every mail-list type message.
> For example, check the Header-From and Envelope-From addresses of
> any message that you get from this list.
>
> A similar argument applies to the Header-To and Envelope-recipient
> addresses.
>
> The SMTP protocol provided for separate header VS envelope addresses
> with good reason, trying to block that feature only leads to trouble.
>
> On Thu, 12 Nov 2009, Luis Daniel Lucio Quiroz wrote:
> > Hi All,
> >
> > I'm wondering if someone knows whether this is possible to stop using SA. Look.
> >
> > [root [at] cyru postfix]# telnet localhost 25
> > Trying 127.0.0.1...
> > Connected to cyrus.sat.gob.mx (127.0.0.1).
> > Escape character is '^]'.
> > 220 mx2.sat.gob.mx ESMTP Postfix
> > EHLO brandmauer.insys-corp.com.mx
> > 250-mx2.sat.gob.mx
> > 250-PIPELINING
> > 250-SIZE 10240000
> > 250-ETRN
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
> > MAIL FROM: <raulr [at] insys-corp>
> > 250 2.1.0 Ok
> > RCPT TO: <sas [at] sat>
> > 250 2.1.5 Ok
> > DATA
> > 354 End data with <CR><LF>.<CR><LF>
> > From: Samuel Flores <samuel.flores [at] sat>
>
> [snip..]
>
> > As you see, MAIL FROM (SMTP protocol) and From (DATA) are different, and
> > Amavis+SA+Postfix is accepting this. Is this a SA task or Amavis or
> > Postfix?
>
> [snip..]
>
Many many thanx


hamann.w at t-online

Nov 13, 2009, 11:55 PM

Post #5 of 5 (594 views)
Re: Relation between MAIL FROM: <> and From: [In reply to]

>>
>> Hi All,
>>
>> I'm wondering if someone knows whether this is possible to stop using SA. Look.
>>
>> [root [at] cyru postfix]# telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to cyrus.sat.gob.mx (127.0.0.1).
>> Escape character is '^]'.
>> 220 mx2.sat.gob.mx ESMTP Postfix
>> EHLO brandmauer.insys-corp.com.mx
>> 250-mx2.sat.gob.mx
>> 250-PIPELINING
...
As you see, MAIL FROM (SMTP protocol) and From (DATA) are different, and
Amavis+SA+Postfix is accepting this. Is this a SA task or Amavis or Postfix?

Hi Luis,

I am running a custom filter in qmail to do exactly that. To be honest, it took me about
3 months to get that working right.
Basically the rules are:
a) If the To address matches one of my possible email addresses (the filter is applied
after collecting mails from a few pop mailboxes), and I am the only recipient, let
the mail through
b) if the (mailfrom or from) sender is in a whitelist (populated from mailing list senders,
and very few colleagues that send BCC), let the mail through
c) If I do not appear in To or Cc at all, quarantine the mail
d) If there are more than 3 or so recipients (in particular from @t-online.de, which is
a big ISP for private users), and not at least one of them also appears in that whitelist,
quarantine
e) Potential addition: detect display names that do not match those you use for sending

I still look at a quarantine summary - some mailing list could have changed or so, or
maybe there is an annual mailing list reminder that does not match the whitelist entry

As you can see, this is a solution for a single recipient, not for a mailserver,
and as such it could perhaps be done in a procmail recipe.

Wolfgang
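
Rules a) to d) from the post above, sketched in Python as an added example (not Wolfgang's qmail filter and not part of the original thread). The first-match ordering, the threshold of 3, the deliver-by-default fallback and every address are assumptions; note that the list and direct samples both have an envelope sender that differs from the header From and are still delivered.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample values, not taken from the thread.
MY_ADDRESSES = {"me@example.org", "me@example.net"}
WHITELIST = {"users-return@lists.example.com", "colleague@example.com"}
MAX_RECIPIENTS = 3  # assumed reading of "more than 3 or so"


def _addrs(msg, *headers):
    """Lower-cased addresses found in the named headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def classify(envelope_from, raw_message):
    """Apply rules a-d in order; return (verdict, rule that decided)."""
    msg = message_from_string(raw_message)
    to = _addrs(msg, "To")
    recipients = to + _addrs(msg, "Cc")
    senders = {envelope_from.lower(), *_addrs(msg, "From")}
    if len(recipients) == 1 and to and to[0] in MY_ADDRESSES:
        return "deliver", "a"          # sole recipient is me
    if senders & WHITELIST:
        return "deliver", "b"          # envelope or header sender whitelisted
    if not MY_ADDRESSES & set(recipients):
        return "quarantine", "c"       # I am in neither To nor Cc
    if len(recipients) > MAX_RECIPIENTS and not WHITELIST & set(recipients):
        return "quarantine", "d"       # wide distribution, nobody known
    return "deliver", "default"        # assumption: everything else passes


# Constructed messages: (envelope sender, headers + body).
SAMPLES = {
    "list": ("users-return@lists.example.com",
             "From: Alice <alice@example.com>\nTo: users@lists.example.com\n\nhi\n"),
    "direct": ("bounce@mailer.example.com",
               "From: Bob <bob@example.com>\nTo: me@example.org\n\nhi\n"),
    "bcc": ("x@bulk.example",
            "From: y@bulk.example\nTo: someone@example.com\n\nhi\n"),
    "mass": ("z@bulk.example",
             "From: z@bulk.example\nTo: me@example.org, a@example.com, "
             "b@example.com, c@example.com\n\nhi\n"),
}

if __name__ == "__main__":
    for name, (env, raw) in SAMPLES.items():
        print(name, classify(env, raw))
```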
