 
From: Clifton Royston (cliftonrlava.net)
Date: Tue Apr 09 2002 - 17:46:32 CDT


    On Tue, Apr 09, 2002 at 11:05:42AM +0200, Guido Van De Velde wrote:
    > Given these postfix logs :
    > OK, the to is indeed an existing colleague of mine. He sends me the
    > headers of the mail :
    >
    > > Return-Path: <candyxmakeryahoo.com>

    This is spam, right?
     
    > > From: Candypollux.kulnet.kuleuven.ac.be,
    > > Manufacturerpollux.kulnet.kuleuven.ac.be
    > > To: BEpollux.kulnet.kuleuven.ac.be
     
    This is the "To:" mail header, supplied along with the other headers by
    the remote side in the DATA portion of the SMTP session.

    > > Subject: Jelly Pop
    >
    > The rest doesn't matter much, i guess, but for sake of completeness :
    >
    > > Received: from <blabla>
    > > by <blabla> with ESMTP id g3987TD07963
    > > for <ivoonyx.arts.kuleuven.ac.be>; Tue, 9 Apr 2002 10:07:29
    > +0200
    >
    > > Received: from <blabla>
    > > by <blabla> with SMTP id KAA32428
    > > for <ivoonyx.arts.kuleuven.ac.be>; Tue, 9 Apr 2002 10:07:29
    > +0200
    >
    > > Received: through <blabla> SMTP Relay 1016030237; Tue Apr 09 10:07:29
    > 2002
    >
    > > Received: from oemcomputer (pcd367193.netvigator.com [203.218.157.193])
    > > by pollux.kulnet.kuleuven.ac.be (Postfix) with SMTP id 396FC3FC80
    > > for <ivoonyx.arts.kuleuven.ac.be>; Tue, 9 Apr 2002 10:07:18
    > +0200 (CEST)

    Here's the received header your system added, and that shows what kind
    of mail "envelope" it was given. It saw a mail envelope
    (RCPT-TO) specifying ivoonyx.arts.kuleuven.ac.be, and that's who it
    delivered to.

    Below here the Received headers are very likely forged, given that this
    is spam.

    > > Received: from microsoft
    > > by tpts5.seed.net.tw with SMTP id C0lzea0yoXNrJ223yrc9AF;
    > > Tue, 09 Apr 2002 16:08:51 +0800
    >
    > > Message-ID: <WBuCmail.ht.net.tw>
    >
    > > X-Mailer: NbgSSRAceFCI5FXq3b
    > > Content-Type: text/plain;
    > > X-Priority: 3
    > > X-MSMail-Priority: Normal
    > > Date: Tue, 9 Apr 2002 10:07:18 +0200 (CEST)
    > > Content-Transfer-Encoding: 8bit
    > > X-MIME-Autoconverted: from Quoted-Printable to 8bit by
    > > onyx.arts.kuleuven.ac.be id g3987TD07963
    > > Status:
    > > X-Mozilla-Status: 8001
    > > X-Mozilla-Status2: 00000000
    > > X-UIDL: 3626dd480000801e
    >
    > Perhaps I should know the answers already, but I'm a little confused
    > now. So I have some questions about this :
    >
    > 1) Where do the from and the to in the final headers come from ?

      The remote system which sends the email, usually in large part
    directly from some mail client (including spamware.)

    > 2) How is it possible a message with a to
    > "bepollux.kulnet.kuleuven.ac.be" gets delivered at
    > "ivoonyx.arts.kuleuven.ac.be"? These addresses are both "usermachine"
    > addresses, two completely independent systems, a non-existing user be
    > and an existing user ivo.

      How does mail addressed "To: postfix-userspostfix.org" get delivered
    onto your mailbox, when your server knows nothing about the
    configuration at postfix.org? A: It's really next thing to irrelevant,
    as long as your server gets a valid recipient in the mail envelope.

    > 3) Is here a security problem ?

      Sort of, in that the tenuous connection between the two kinds of To
    address makes it a lot harder to validate incoming mail and makes it a
    lot easier for spammers to abuse your server.

    > 4) Can I avoid these kinds of tricks ?

      You probably always need to accept mail which has a different
    destination in the To: (or Cc:, or Apparently-To:, or Sender:...) than
    the RCPT-TO because otherwise too many special cases will break,
    starting with mailing lists. (Though I'd be very interested to know if
    this is wrong and there's a way to make enough of these cases work.)
    Generalized anti-spam measures are probably all you can hope for.

      -- Clifton

    -- 
        Clifton Royston  --  LavaNet Systems Architect --  cliftonrlava.net
    "What do we need to make our world come alive?  
       What does it take to make us sing?
     While we're waiting for the next one to arrive..." - Sisters of Mercy
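The distinction Clifton draws, that only the Received line your own MTA wrote records the envelope recipient while the To: header is whatever the remote side put in DATA, can be checked mechanically. The following is an added example, not code from the thread or from Postfix: it walks the Received headers top-down, takes the "for <...>" clause from the first hop written by a host you operate, and compares it with the To:/Cc: addresses. The message is constructed from the quoted headers with the archive-stripped "@" signs restored, and the trusted-host set is an assumption.

```python
import email
import email.utils
import re

# Constructed sample modelled on the headers quoted in the thread (addresses
# de-munged with '@', which the archive stripped); not the original message.
RAW_MESSAGE = """\
Return-Path: <candyxmaker@yahoo.com>
Received: from oemcomputer (pcd367193.netvigator.com [203.218.157.193])
\tby pollux.kulnet.kuleuven.ac.be (Postfix) with SMTP id 396FC3FC80
\tfor <ivo@onyx.arts.kuleuven.ac.be>; Tue, 9 Apr 2002 10:07:18 +0200 (CEST)
Received: from microsoft
\tby tpts5.seed.net.tw with SMTP id C0lzea0yoXNrJ223yrc9AF;
\tTue, 09 Apr 2002 16:08:51 +0800
From: Candy@pollux.kulnet.kuleuven.ac.be
To: BE@pollux.kulnet.kuleuven.ac.be
Subject: Jelly Pop

Jelly Pop
"""


def envelope_recipient(msg, trusted_hosts):
    """Return the RCPT TO address recorded by the first trusted Received hop.

    Received headers are prepended as a message moves, so the top-most one
    written 'by' a host we operate is the only one we can vouch for; every
    Received line below it arrived in the DATA phase and may be forged.
    """
    trusted = {h.lower() for h in trusted_hosts}
    for received in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", received)  # unfold the header
        by_host = re.search(r"\bby\s+([\w.-]+)", text)
        for_addr = re.search(r"\bfor\s+<?([^\s<>;]+)>?", text)
        if by_host and by_host.group(1).lower() in trusted and for_addr:
            return for_addr.group(1)
    return None  # no hop of ours recorded an envelope recipient


def header_recipients(msg):
    """Addresses in To:/Cc:, which the sending side chose freely."""
    pairs = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def check_recipients(raw, trusted_hosts):
    """Compare envelope and header recipients. A mismatch is only a signal:
    mailing lists and Bcc produce it legitimately, as Clifton notes."""
    msg = email.message_from_string(raw)
    env = envelope_recipient(msg, trusted_hosts)
    hdr = header_recipients(msg)
    return {"envelope": env, "header": hdr,
            "mismatch": env is not None and env.lower() not in hdr}
```

Run against the sample with `{"pollux.kulnet.kuleuven.ac.be"}` as the trusted set, it reports the envelope recipient ivo@onyx.arts.kuleuven.ac.be against a header To: of be@pollux.kulnet.kuleuven.ac.be, which is exactly the situation Guido asked about.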