OSEC

forging the 'From' header

From: Allen Unueco (allenpremierweb.com)
Date: Sun Jul 11 2004 - 22:04:20 CDT


By what mechanism could an email have its 'From' header changed between
the time it enters and leaves postfix?

I publish an SPF record such that my server is the only one allowed to
send email for my domain. I have noticed a few emails which claim to be
from my domain using an invalid email address.

I checked mail.log for the message IDs, and in the log the 'from=' parameter
does not contain my domain name and the SPF check passes, but when it
reaches my inbox the From line is changed.

The header of the received email has no trace of the "from=" address I
see in the mail log.

How is this possible? I wanted to try and simulate it (via telnet) but I
don't know what they might be doing.

Here are the excerpts from the logs; I've removed lines I didn't feel
were useful. This message was sent to 5 or 6 other email addresses in my
domain which were all false and rejected; only one made it through.

postfix/smtpd[31660]: C9EC979DDF: client=unknown[219.134.12.58]
postfix/policy-spf[31662]: C9EC979DDF: testing: stripped sender=drarbiter284cltvlvbardfield.co.uk, stripped rcpt=allenpremierweb.com
postfix/policy-spf[31662]: C9EC979DDF: SPF none: smtp_comment=SPF: domain of sender drarbiter284cltvlvbardfield.co.uk does not designate mailers, header_comment=alderaan.premierweb.com: domain of drarbiter284cltvlvbardfield.co.uk does not designate permitted sender hosts
postfix/cleanup[31695]: C9EC979DDF: message-id=<20040710115940.C9EC979DDFalderaan.premierweb.com>
postfix/qmgr[28753]: C9EC979DDF: from=<drarbiter284cltvlvbardfield.co.uk>, size=5034, nrcpt=2 (queue active)

The sender/from is still bardfield.co.uk when it's queued for the
content_filter (amavisd-new)

postfix/smtpd[31699]: 6A70D79DF0: client=localhost[127.0.0.1]
postfix/cleanup[31695]: 6A70D79DF0: message-id=<20040710115940.C9EC979DDFalderaan.premierweb.com>
postfix/qmgr[28753]: 6A70D79DF0: from=<drarbiter284cltvlvbardfield.co.uk>, size=5422, nrcpt=2 (queue active)
postfix/smtpd[31699]: disconnect from localhost[127.0.0.1]
amavis[30967]: (30967-10) Passed CLEAN, [219.134.12.58] <drarbiter284cltvlvbardfield.co.uk> -> <allenpremierweb.com>, Message-ID: <20040710115940.C9EC979DDFalderaan.premierweb.com>, Hits: -
postfix/smtp[31696]: C9EC979DDF: to=<allenpremierweb.com>, relay=127.0.0.1[127.0.0.1], delay=18, status=sent (250 2.6.0 Ok, id=30967-10, from MTA: 250 Ok: queued as 6A70D79DF0)
postfix/smtp[31696]: C9EC979DDF: to=<allenpremierweb.com>, relay=127.0.0.1[127.0.0.1], delay=18, status=sent (250 2.6.0 Ok, id=30967-10, from MTA: 250 Ok: queued as 6A70D79DF0)
postfix/qmgr[28753]: C9EC979DDF: removed
postfix/pipe[31701]: 6A70D79DF0: to=<allenpremierweb.com>, relay=dspam, delay=0, status=sent (alderaan.premierweb.com)
postfix/pipe[31715]: 6A70D79DF0: to=<allenpremierweb.com>, orig_to=<aunuecopremierweb.com>, relay=dspam, delay=0, status=sent (alderaan.premierweb.com)
postfix/qmgr[28753]: 6A70D79DF0: removed

I don't have the logs from dspam, but by the time message id 6A70D79DF0
made it into my inbox the headers didn't have any reference to
bardfield.co.uk and the From header was an invalid username at my domain.

From the above logs I would suspect amavisd-new or dspam, but I remember
having a few of these same messages before installing those two
components, so I suspect something else is going on.

Any ideas?

Thanks,
-allen
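As an added example (not from the original post or from postfix), the check an operator could run to see the pattern described above: the policy-spf lines show SPF being evaluated on the envelope sender (the `from=` value in the qmgr log), while the `From:` header that appears in the inbox is a separate field that the sending client supplies, so correlating the two by queue id exposes messages whose header claims a local address with a foreign envelope sender. The log line, the message and the `premierweb.example` / `bardfield.example` domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Postfix qmgr line in the format shown in the post above:
# "postfix/qmgr[pid]: QUEUEID: from=<addr>, size=..., nrcpt=..."
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<env>[^>]*)>")

# Constructed sample log line (hypothetical sender; queue id as in the post).
SAMPLE_LOG = "postfix/qmgr[28753]: C9EC979DDF: from=<drarbiter284@bardfield.example>, size=5034, nrcpt=2 (queue active)\n"

# Constructed message as delivered: From: names a bogus local user and never
# mentions the envelope sender's domain.
SAMPLE_MESSAGE = 'From: "Account Team" <nosuchuser@premierweb.example>\nSubject: constructed sample\n\nbody\n'

LOCAL_DOMAINS = {"premierweb.example"}  # assumed local domain (placeholder)


def envelope_senders(log_text):
    """Map queue id -> envelope sender (SMTP MAIL FROM), the address SPF evaluates."""
    senders = {}
    for line in log_text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            senders[m.group("qid")] = m.group("env").lower()
    return senders


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_header_from(envelope_sender, raw_message, local_domains=LOCAL_DOMAINS):
    """Compare the envelope sender with the RFC 5322 From: header. SPF is
    evaluated on the former only, so it cannot stop a remote client from
    writing a local address into the latter."""
    _, header_from = parseaddr(message_from_string(raw_message).get("From", ""))
    env_dom, hdr_dom = domain_of(envelope_sender), domain_of(header_from)
    return {
        "envelope_sender": envelope_sender,
        "header_from": header_from.lower(),
        "domain_mismatch": env_dom != hdr_dom,
        "claims_local_domain": hdr_dom in local_domains and env_dom not in local_domains,
    }


def run_sample():
    """Correlate the constructed log with the constructed message by queue id."""
    env = envelope_senders(SAMPLE_LOG)["C9EC979DDF"]
    return check_header_from(env, SAMPLE_MESSAGE)
```

A finding with `claims_local_domain` set is the case the post describes: the envelope sender that SPF saw belongs to another domain while the displayed From: does not.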