Re: Avoiding (trivial) spoofed "mail from"

From: Roman Medina-Heigl Hernandez (roman@rs-labs.com)
Date: Mon Dec 01 2008 - 13:30:52 CST


Noel Jones wrote:

> If you have a large number of domains, keep a separate list of the domains and let the computer build the different tables for you. Use a Makefile to make it easy.

Or I could use two different MySQL queries over the same table containing
the vdomains...

> Some web invites / rotten mail lists / web notifications etc. will
> arrive with the recipient's address as the sender. While this is
> generally poor form, a few legit sites do it. I don't have any specific
> examples, but know they exist. "trust me"

Yes, you're right (I trust you! :-)). I did a quick search in my inbox and
found an example: notices from the Ubuntu bug tracking system ("Launchpad" at
canonical.com) use that (poor) technique. But I'm wondering:
1) How often could you find these "nasty errors"? (yes, a difficult question;
impossible to answer, I'd add)
2) How important is this kind of "notice"...

Although it's a personal opinion, it seems that I can afford "losing" such
mails... On the other hand, perhaps they're identifiable by other means, I
mean, headers, such as:

Return-Path: <bounces@canonical.com>
X-Original-To: roman@rs-labs.com
Delivered-To: roman@rs-labs.com
...
Received: from gangotri.ubuntu.com (localhost.localdomain [127.0.0.1])
        by gangotri.ubuntu.com (Postfix) with ESMTP id 0C222318376
        for <roman@rs-labs.com>; Fri, 28 Jul 2006 04:10:09 +0100 (BST)
From: RoMaNSoFt <roman@rs-labs.com>
Reply-To: Bug 26119 <26119@bugs.launchpad.net>
Sender: bounces@canonical.com
X-Launchpad-Bug: distribution=ubuntu; sourcepackage=linux-source-2.6.15;
        component=main; status=Needs Info; importance=Medium;
        assignee=ben.collins@ubuntu.com;
To: roman@rs-labs.com
Errors-To: bounces@canonical.com
X-Generated-By: Launchpad (canonical.com)

Perhaps the "reply-to" header could be an indication of this kind of notices?

You are (again) right, perhaps SpamAssassin is better for performing this
kind of check... with the added bonus that filtered mail is not dropped,
but quarantined (so you could always rescue a false negative). Do you know
"how well" it (SA) performs at blocking this spam case (src dom=dst
dom) while recognizing "legit" (but nasty) notices?

For the very same reason, isn't it better to let SpamAssassin make
"intelligent" SPF checks instead of using some other policy server with
Postfix?

Thank you for your responses.

--

Regards,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
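An added example, not code from this thread, from Postfix or from SpamAssassin: the "sender domain = recipient domain" check split into the two places it can be applied. Stage 1 looks only at the SMTP envelope, which is all Postfix's check_sender_access ever sees at MAIL FROM; stage 2 looks at the message headers, which only header_checks or SpamAssassin see. The split matters for the Launchpad notice quoted above: its Return-Path/Sender are at canonical.com, so an envelope-only rule lets it through, and only a header rule notices that From: carries the recipient's own address. The local-domain set is hard-coded (an assumption standing in for the vdomains table), the "trusted client" flag stands in for permit_mynetworks / permit_sasl_authenticated, and the two sample messages are constructed from the headers quoted above, not captured mail.

```python
"""Two-stage same-domain sender check: envelope (what check_sender_access
sees) and headers (what header_checks / SpamAssassin see).  Added example."""

from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this MX is final destination for (the thread's
# "vdomains" table, hard-coded here so the example runs stand-alone).
LOCAL_DOMAINS = frozenset({"rs-labs.com"})

REJECT, TAG, ACCEPT = "reject", "tag", "accept"

# Headers a notification system leaves pointing at itself even when it puts
# the recipient's own address in From: (as in the Launchpad headers above).
NOTICE_HEADERS = ("Sender", "Errors-To")


def domain_of(address):
    """Lower-cased domain part of an address header value, '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def check_envelope(mail_from, rcpt_to, trusted_client, local_domains=LOCAL_DOMAINS):
    """Stage 1: the SMTP envelope.

    MAIL FROM in one of our own domains, to one of our own domains, is only
    legitimate from a trusted client (mynetworks or SASL-authenticated);
    from anywhere else it is a forgery of our own users."""
    if domain_of(rcpt_to) not in local_domains:
        return ACCEPT, "outbound/relay: not an inbound same-domain case"
    if domain_of(mail_from) in local_domains and not trusted_client:
        return REJECT, "envelope sender in local domain from untrusted client"
    return ACCEPT, "envelope ok"


def check_headers(raw_message, mail_from, local_domains=LOCAL_DOMAINS):
    """Stage 2: the message headers.

    Catches mail whose From: is a local address although the envelope sender
    is external.  Legitimate notices do this but keep Sender:/Errors-To:
    pointing at the real originator, so those are tagged (left for
    SpamAssassin to score) instead of rejected outright."""
    msg = message_from_string(raw_message)
    if domain_of(msg.get("From")) not in local_domains:
        return ACCEPT, "header From: not in a local domain"
    if domain_of(mail_from) in local_domains:
        return ACCEPT, "header From: local, envelope already validated"
    for name in NOTICE_HEADERS:
        value = msg.get(name)
        if value and domain_of(value) and domain_of(value) not in local_domains:
            return TAG, f"local From: with external envelope; {name}: {value.strip()}"
    return REJECT, "header From: forged as local, no notification markers"


def classify(raw_message, mail_from, rcpt_to, trusted_client=False,
             local_domains=LOCAL_DOMAINS):
    """Envelope first, as Postfix would; headers only if the envelope passed."""
    verdict, reason = check_envelope(mail_from, rcpt_to, trusted_client, local_domains)
    if verdict != ACCEPT:
        return verdict, reason
    return check_headers(raw_message, mail_from, local_domains)


# Constructed samples (not captured mail), modelled on the headers quoted above.
LAUNCHPAD_NOTICE = """\
Return-Path: <bounces@canonical.com>
From: RoMaNSoFt <roman@rs-labs.com>
Reply-To: Bug 26119 <26119@bugs.launchpad.net>
Sender: bounces@canonical.com
To: roman@rs-labs.com
Errors-To: bounces@canonical.com
X-Generated-By: Launchpad (canonical.com)
Subject: [Bug 26119] constructed sample

Bug status changed.
"""

SELF_SPOOF = """\
From: roman@rs-labs.com
To: roman@rs-labs.com
Subject: constructed spoof

Please open the attachment.
"""

if __name__ == "__main__":
    for label, raw, mail_from, trusted in (
        ("spoof, forged MAIL FROM", SELF_SPOOF, "roman@rs-labs.com", False),
        ("spoof, header From: only", SELF_SPOOF, "x@example.net", False),
        ("Launchpad notice", LAUNCHPAD_NOTICE, "bounces@canonical.com", False),
        ("own user via SASL", SELF_SPOOF, "roman@rs-labs.com", True),
    ):
        print(label, "->", classify(raw, mail_from, "roman@rs-labs.com", trusted))
```

In Postfix terms, stage 1 is a check_sender_access lookup under smtpd_sender_restrictions, placed after permit_mynetworks and permit_sasl_authenticated so that your own users' outbound mail is not rejected; stage 2 is a header_checks rule on From:, or a SpamAssassin rule that can add score instead of rejecting, which is what keeps the Launchpad-style notices recoverable from quarantine.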