From: Guido Van De Velde (Guido.VanDeVelde@cc.kuleuven.ac.be)
Date: Tue Apr 09 2002 - 04:05:42 CDT


    Given these postfix logs:

    Apr 9 10:07:16 pollux postfix/smtpd[23481]: connect from pcd367193.netvigator.com[203.218.157.193]
    Apr 9 10:07:18 pollux postfix/smtpd[23481]: 396FC3FC80: client=pcd367193.netvigator.com[203.218.157.193]
    Apr 9 10:07:29 pollux postfix/cleanup[23485]: 396FC3FC80: message-id=<WBuC@mail.ht.net.tw>
    Apr 9 10:07:29 pollux postfix/qmgr[20741]: 396FC3FC80: from=<candyxmaker@yahoo.com>, size=714, nrcpt=1 (queue active)
    Apr 9 10:07:29 pollux postfix/smtp[23513]: 396FC3FC80: to=<ivo@onyx.arts.kuleuven.ac.be>, relay=cav.kulnet.kuleuven.ac.be[134.58.240.42], delay=11, status=sent (250 Requested mail action okay, completed)
    Apr 9 10:07:31 pollux postfix/smtpd[23481]: disconnect from pcd367193.netvigator.com[203.218.157.193]

    They seem very normal: machine pollux (postfix server) receives mail
    and sends it to the next hop, cav.kulnet.kuleuven.ac.be. The from seems
    OK, the to is indeed an existing colleague of mine. He sends me the
    headers of the mail:

    > Return-Path: <candyxmaker@yahoo.com>

    > From: Candy@pollux.kulnet.kuleuven.ac.be,
    > Manufacturer@pollux.kulnet.kuleuven.ac.be

    > To: BE@pollux.kulnet.kuleuven.ac.be

    > Subject: Jelly Pop

    The rest doesn't matter much, I guess, but for the sake of completeness:

    > Received: from <blabla>
    > by <blabla> with ESMTP id g3987TD07963
    > for <ivo@onyx.arts.kuleuven.ac.be>; Tue, 9 Apr 2002 10:07:29 +0200

    > Received: from <blabla>
    > by <blabla> with SMTP id KAA32428
    > for <ivo@onyx.arts.kuleuven.ac.be>; Tue, 9 Apr 2002 10:07:29 +0200

    > Received: through <blabla> SMTP Relay 1016030237; Tue Apr 09 10:07:29 2002

    > Received: from oemcomputer (pcd367193.netvigator.com [203.218.157.193])
    > by pollux.kulnet.kuleuven.ac.be (Postfix) with SMTP id 396FC3FC80
    > for <ivo@onyx.arts.kuleuven.ac.be>; Tue, 9 Apr 2002 10:07:18 +0200 (CEST)

    > Received: from microsoft
    > by tpts5.seed.net.tw with SMTP id C0lzea0yoXNrJ223yrc9AF;
    > Tue, 09 Apr 2002 16:08:51 +0800

    > Message-ID: <WBuC@mail.ht.net.tw>

    > X-Mailer: NbgSSRAceFCI5FXq3b
    > Content-Type: text/plain;
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > Date: Tue, 9 Apr 2002 10:07:18 +0200 (CEST)
    > Content-Transfer-Encoding: 8bit
    > X-MIME-Autoconverted: from Quoted-Printable to 8bit by
    > onyx.arts.kuleuven.ac.be id g3987TD07963
    > Status:
    > X-Mozilla-Status: 8001
    > X-Mozilla-Status2: 00000000
    > X-UIDL: 3626dd480000801e

    Perhaps I should know the answers already, but I'm a little confused
    now. So I have some questions about this:

    1) Where do the from and the to in the final headers come from?
    2) How is it possible that a message with a to of
    "be@pollux.kulnet.kuleuven.ac.be" gets delivered at
    "ivo@onyx.arts.kuleuven.ac.be"? These addresses are both "user@machine"
    addresses, two completely independent systems, a non-existing user be
    and an existing user ivo.
    3) Is there a security problem here?
    4) Can I avoid these kinds of tricks?

    Any suggestions are welcome.

    -- 
    guido
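As an added example (not part of the original post), a small Python check that pulls the envelope sender and recipient for one queue id out of Postfix log lines and compares them with the header From/To, which is what questions 1 and 2 turn on: Postfix delivers to the envelope RCPT TO it logged, while the header To and From are whatever the sending client wrote into the message body. The log and header samples are constructed from the post's own lines, joined back onto single lines and with the @ signs the archive stripped put back.

```python
import re
from email import message_from_string
from email.utils import getaddresses
# Constructed sample: the post's Postfix lines for queue id 396FC3FC80, one entry per line.
LOG = """\
Apr 9 10:07:16 pollux postfix/smtpd[23481]: connect from pcd367193.netvigator.com[203.218.157.193]
Apr 9 10:07:18 pollux postfix/smtpd[23481]: 396FC3FC80: client=pcd367193.netvigator.com[203.218.157.193]
Apr 9 10:07:29 pollux postfix/qmgr[20741]: 396FC3FC80: from=<candyxmaker@yahoo.com>, size=714, nrcpt=1 (queue active)
Apr 9 10:07:29 pollux postfix/smtp[23513]: 396FC3FC80: to=<ivo@onyx.arts.kuleuven.ac.be>, relay=cav.kulnet.kuleuven.ac.be[134.58.240.42], delay=11, status=sent (250 Requested mail action okay, completed)
"""

# Constructed sample of the header block the recipient forwarded.
HEADERS = """\
Return-Path: <candyxmaker@yahoo.com>
From: Candy@pollux.kulnet.kuleuven.ac.be, Manufacturer@pollux.kulnet.kuleuven.ac.be
To: BE@pollux.kulnet.kuleuven.ac.be
Subject: Jelly Pop

"""

QID_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
KV_RE = re.compile(r"(\w+)=<?([^>,\s]+)>?")

def envelope_from_log(log, queue_id):
    """Envelope data Postfix logged for one queue id: qmgr logs the
    MAIL FROM sender (from=), the delivery agent logs each RCPT TO
    recipient (to=). Neither is taken from the message headers."""
    env = {"client": None, "from": None, "to": []}
    for line in log.splitlines():
        m = QID_RE.search(line)
        if not m or m.group(2) != queue_id:
            continue
        daemon, fields = m.group(1), dict(KV_RE.findall(m.group(3)))
        if daemon == "smtpd" and "client" in fields:
            env["client"] = fields["client"]
        elif daemon == "qmgr" and "from" in fields:
            env["from"] = fields["from"].lower()
        elif daemon in ("smtp", "local", "virtual", "pipe") and "to" in fields:
            env["to"].append(fields["to"].lower())
    return env

def header_vs_envelope(headers, env):
    """Header From/To addresses that do not match the envelope; a non-empty
    result is the signature of the forged-header spam in the post."""
    msg = message_from_string(headers)
    hdr_to = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    hdr_from = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    return {"to_not_in_envelope": sorted(hdr_to - set(env["to"])),
            "from_differs": env["from"] not in hdr_from}
```

Run over real mail logs, the envelope recipient is the address to alert or filter on; the header To can be anything and should not be trusted as a routing fact.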