From: Michael Tokarev (mjt@tls.msk.ru)
Date: Thu Apr 12 2001 - 19:51:07 CDT


    Peter Bates wrote:
    >
    > Hello all...
    >
    > We've recently started to see UCE
    > with the following headers:
    >
    > Subject: Windows 95 Computers 195 pounds
    > From: david.r38@ukonline.co.uk
    > Reply-To: david.r38@ukonline.co.uk
    > Message-Id: <5yw2qpqy8l5j6.sin77a7cpg2p1bjt3a1npop3.freeserve.net>
    > To: $user@lshtm.ac.uk
    >
    > I don't actually have a log of the
    > exchange of this message, but where
    > should I be looking to REJECT any messages
    > with a reference to $user@ourdomain?

    I'm quite sure that actual To: header was a bare $user,
    and it's your server who added "ourdomain" part. This
    is one little limitation of postfix -- it always qualifies
    addresses (this is good), but you can't control when it
    qualifies 'em, and can't restrict e.g. addresses w/o
    domain part (should be pretty legal to do so, as legitimate
    mails sent via legitimate mailserver should already contain
    qualified addresses). But anyway, you can experiment
    with:

    main.cf:
      header_checks regexp:/etc/postfix/headers

    /etc/postfix/headers:
      /^to: \$user@lshtm\.ac\.uk/ REJECT
     or even
      /^to: \$user/ REJECT

    > If this is covered by body_checks,
    > is there anyone out there using
    > creative devices to restrict mail
    > to only exchanges which go (pardon me
    > if I'm failing to understand the process here)
    >
    > Out: 220 postbox.lshtm.ac.uk ESMTP
    > In: EHLO ecoepi.ocsen.mplik.ru
    > Out: 250-postbox.lshtm.ac.uk
    > Out: 250-PIPELINING
    > Out: 250-SIZE 10240000
    > Out: 250-ETRN
    > Out: 250 8BITMIME
    > In: MAIL FROM:<x> SIZE=5739
    > Out: 250 Ok
    > In: RCPT TO:<y>
    > Out: 250 Ok
    > In: DATA
    > Out: 354 End data with <CR><LF>.<CR><LF>
    > z
    > In: QUIT
    > Out: 221 Bye
    >
    > Where 'x' is a valid address from a known
    > (i.e. nslookable) domain, 'y' is a local user,
    > and then 'z' contains: (the body_checks bit)
    >
    > From: same as x
    > To: same as y
    > Subject: etc. etc.
    >
    > Or am I totally misunderstanding the process here?

    Well... If you want to allow only mail where envelope and
    headers are the same (if I understood you right), then
    yes, it's not what you want. Look at this mail from me --
    it contains
      To: postfix-users@postfix.org
    but it should be delivered to you (if you're subscribed to
    this list -- I specially did NOT add your address when replying),
    using your address in the envelope (the envelope is e.g. what you saw
    in the SMTP session). The same will be true for BCC'd mails etc.

    Regards,
     Michael.

    -
    To unsubscribe, send mail to majordomo@postfix.org with content
    (not subject): unsubscribe postfix-users
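The reply above proposes a regexp header_checks table and then argues that a "header To: must equal RCPT TO" rule would also throw away legitimate list mail. The script below is an added example, not code from the thread or from Postfix itself: it emulates only the subset of regexp_table(5) matching the reply relies on (rules tried in order, first match wins, case-insensitive unless a rule's 'i' flag toggles that off, '/' as delimiter, each header matched as one "Name: value" line) and runs the two posted rules over two constructed transactions: the spam as it looks after the receiving server has qualified the bare $user, and a list message whose To: header names the list while the envelope recipient is the local subscriber. The local address someone@lshtm.ac.uk, the list sender owner-postfix-users@postfix.org and the message bodies are constructed for the example.

```python
"""Emulate Postfix regexp header_checks against sample SMTP transactions.

Added example, not code from the thread or from Postfix itself. It covers
only the subset of regexp_table(5) behaviour the reply relies on: rules are
tried in order and the first match wins, matching is case-insensitive unless
a rule carries the 'i' flag (which toggles it off), the '/' delimiter is
used, and each header is matched as one "Name: value" line. All sample
addresses and messages below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Same rules as /etc/postfix/headers in the reply (with the '@' restored),
# plus a comment line to show the table syntax handled here.
HEADER_CHECKS = r"""
# reject mail whose To: header still carries a spammer's $user placeholder
/^to: \$user@lshtm\.ac\.uk/ REJECT
/^to: \$user/ REJECT
"""

# /pattern/flags ACTION [optional text]; the pattern may contain escaped '/'.
RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>[a-z]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$"
)


def parse_header_checks(table_text):
    """Turn the text of a regexp: table into [(compiled_pattern, ACTION, text)]."""
    rules = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse header_checks rule: {line!r}")
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags),
                      m.group("action").upper(), m.group("text") or ""))
    return rules


def check_headers(raw_message, rules):
    """Return (ACTION, header_line) for the first header that hits a rule, else None."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        header_line = f"{name}: {value}"
        for pattern, action, _text in rules:
            if pattern.search(header_line):
                return action, header_line
    return None


def header_to_matches_envelope(transaction):
    """The 'header To: must equal RCPT TO' rule the reply warns against.

    Returns False for list mail and Bcc, which is exactly why it is too strict.
    """
    msg = message_from_string(transaction["data"])
    header_addr = parseaddr(msg.get("To", ""))[1].lower()
    return header_addr == transaction["rcpt_to"].lower()


def verdict(transaction, rules):
    """The table's action if a header matches, else 'OK'."""
    hit = check_headers(transaction["data"], rules)
    return hit[0] if hit else "OK"


# Constructed transactions: envelope values as seen in the SMTP session, the
# headers as they stood after the receiving server qualified the bare '$user'.
SPAM = {
    "mail_from": "david.r38@ukonline.co.uk",
    "rcpt_to": "someone@lshtm.ac.uk",          # constructed local user
    "data": ("Subject: Windows 95 Computers 195 pounds\r\n"
             "From: david.r38@ukonline.co.uk\r\n"
             "To: $user@lshtm.ac.uk\r\n"
             "\r\n"
             "constructed body\r\n"),
}

LIST_MAIL = {
    "mail_from": "owner-postfix-users@postfix.org",  # constructed list sender
    "rcpt_to": "someone@lshtm.ac.uk",
    "data": ("From: Michael Tokarev <mjt@tls.msk.ru>\r\n"
             "To: postfix-users@postfix.org\r\n"
             "Subject: Re: header_checks\r\n"
             "\r\n"
             "constructed body\r\n"),
}


if __name__ == "__main__":
    rules = parse_header_checks(HEADER_CHECKS)
    for label, txn in (("spam", SPAM), ("list mail", LIST_MAIL)):
        print(f"{label:9s} header_checks={verdict(txn, rules):6s} "
              f"header To == RCPT TO: {header_to_matches_envelope(txn)}")
```

Run stand-alone it shows the spam rejected by the first rule and the list mail passing, while the envelope-equals-header test is False for both, so a rule built on it would have dropped the list mail too. On a real Postfix host the equivalent check is `postmap -q 'To: $user@lshtm.ac.uk' regexp:/etc/postfix/headers`, which prints the action of the first matching rule; the emulation here is only a stand-in for that and does not handle other delimiters or the remaining regexp_table(5) flags.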