Posted to users@spamassassin.apache.org by Jeremy Davila <JD...@languageworks.com> on 2009/10/28 21:07:28 UTC

Spam with my company domain

Hi all, 

I'm getting Spam which is addressed to another person in my company, but
it is getting sent to me. So in my inbox the To Field is Kristin, but in
Jeremy's inbox.

Re: Spam with my company domain

Posted by Jari Fredriksson <ja...@iki.fi>.

28.10.2009 22:07, Jeremy Davila kirjoitti:
> 
> Hi all,
> 
> I'm getting Spam which is addressed to another person in my company,
> but it is getting sent to me. So in my inbox the To Field is Kristin, but
> in Jeremy's inbox.

Hello. That is possible, the email is sent to whoever is in the RCPT-TO
command of the SMTP transaction.

The sender does this:

<open connection to your MX>
HELO someclient.example.org
MAIL FROM:<sender@example.org>
RCPT TO:<jeremy@example.com>
DATA
From: someuser@example.org
To: kristin@example.com
Subject: this is a spam message

Hello kristin!
.
QUIT
<disconnect>

The sender *feeds* the To-header into the submission, but actually sends
the mail to a different user.

The "To:" header is just a decoration.

-- 
http://www.iki.fi/jarif/

Q:	How can you tell when a Burroughs salesman is lying?
A:	When his lips move.


Re: Spam with my company domain

Posted by Evan Platt <ev...@espphotography.com>.
As John and a few others pointed out, you need to explain what 
SPECIFICALLY you mean.

Or, give an example.

In your original example, you said the mail gets to you, but it says
To: Kristin.

This is because the 'To' field that is shown in your mail client is -
well, can be anything. I can send you mail that says To:
President@whitehouse.gov - but not have it go to
president@whitehouse.gov. There's a separate header that shows who
the mail is actually being delivered to (or rather, what mailbox).

So - as I mentioned, mail on this list goes 'To
users@spamassassin.apache.org', but gets to you.

Same way (in essence) that mail 'to' you says 'to Kristin'.

I can't think of how you could accept one but not the other, without 
creating custom rules for every list you sign up for.



Re: Spam with my company domain

Posted by Adam Katz <an...@khopis.com>.
Evan Platt wrote:
> What do you want to prevent from happening?
> 
> Mail that isn't specifically addressed "To" you not to get to you?
> 
> Look at the mail on this list:

Hm.  It might be interesting to consider a meta connecting the lack of
a Precedence: of bulk or list with a test noting an absence of
relevant domains.

Re: Spam with my company domain

Posted by Jeremy Davila <JD...@languageworks.com>.
I should have clarified that. I meant mail that isn't specifically
addressed to me.

Thanks for your response. 







Re: Spam with my company domain

Posted by Evan Platt <ev...@espphotography.com>.
What do you want to prevent from happening?

Mail that isn't specifically addressed "To" you not to get to you?

Look at the mail on this list:

To: users@spamassassin.apache.org
Subject: Re: Spam with my company domain
From: Jeremy Davila <JD...@languageworks.com>

You realize, that would mean you wouldn't get this list mail, and 
likely any other mail from any other list, right?




Re: Spam with my company domain

Posted by John Hardin <jh...@impsec.org>.
On Wed, 28 Oct 2009, Jeremy Davila wrote:

> How can I prevent this from happening?

As far as the "my address isn't in the To: header", you can't. That would 
break lots of legitimate email, like BCCs and (as Evan pointed out) mail 
from this mailing list.

> I'm currently using Exim for the SMTP relay then passing to Lotus 
> Domino. Any suggestions will be appreciated.

Is SpamAssassin anywhere in there? If so, we're back to a simple case of 
"why did this spam get through SA?" If not, we probably can't help you.

The fact that you don't know the difference between the To: header and the 
envelope suggests you aren't the administrator of your email system. Is 
that indeed the case? If you aren't the admin then you should be talking 
to your admin about this, and (s)he can contact us if help is needed in 
troubleshooting your SA install.

If you _are_ the admin for your mail system, we need to know things like 
how SA is hooked into your mail system (I assume it's being called somehow 
by Exim - how?), and we need to see samples of spam messages that got 
through. Those samples _must_ be complete - _all_ headers must be intact, 
including the ones your mail client is not showing you - and they should 
be posted to a website (like pastebin.com) rather than being mailed to the 
list.

Getting usable samples out of Domino is going to be, unfortunately, your 
problem. Somebody here may be able to give advice how to do that.

When that is done we may be able to provide suggestions for changes to 
your SA install.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  3 days until Halloween

Re: Spam with my company domain

Posted by Jeremy Davila <JD...@languageworks.com>.
Thanks John,

How can I prevent this from happening? I'm currently using Exim for the
SMTP relay then passing to Lotus Domino.
Any suggestions will be appreciated.






Re: Spam with my company domain

Posted by John Hardin <jh...@impsec.org>.
On Wed, 28 Oct 2009, Jeremy Davila wrote:

> I'm getting Spam which is addressed to another person in my company,
> but it is getting sent to me. So in my inbox the To Field is Kristin, but
> in Jeremy's inbox.

The information in the To: header has nothing to do with who actually 
receives the message. Delivery is controlled by the "envelope To", which 
is the "please send this message to" address communicated during message 
transfer between mail programs.

There are more details available if you google "smtp envelope to address"

It's risky to use "my address isn't in the to:" as a spam sign, because 
blind carbon copies would always hit and forwarded messages (e.g. from 
your gmail account to your ISP account) would likely hit.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  3 days until Halloween
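
Added example, not part of the original thread and not SpamAssassin code: a Python sketch that evaluates the "recipient is not in To:" test John Hardin warns about, and one reading of the Precedence/relevant-domain meta Adam Katz suggests, against four constructed messages. The domain example.com, the envelope recipient and all sample headers are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAIN = "example.com"    # assumption: the receiving company's domain
RCPT = "jeremy@example.com"     # assumption: envelope recipient (RCPT TO) of every sample

# Constructed sample messages; header values are illustrative only.
SAMPLES = {
    "thread_spam": "From: someuser@example.org\nTo: kristin@example.com\n"
                   "Subject: this is a spam message\n\nHello kristin!\n",
    "list_mail":   "From: poster@example.net\nTo: users@spamassassin.apache.org\n"
                   "Precedence: bulk\nSubject: Re: a list thread\n\nReply text\n",
    "bcc_mail":    "From: partner@example.net\nTo: colleague@example.net\n"
                   "Subject: FYI\n\nJeremy was blind-copied.\n",
    "direct_mail": "From: partner@example.net\nTo: jeremy@example.com\n"
                   "Subject: Hello\n\nAddressed normally.\n",
}

def heuristic_hits(raw, envelope_rcpt=RCPT):
    """Return (naive, meta) for one message.

    naive: the envelope recipient is absent from To/Cc.
    meta:  no Precedence: bulk/list AND no LOCAL_DOMAIN address in To/Cc.
    """
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = [addr.lower() for _name, addr in getaddresses(headers)]
    naive = envelope_rcpt.lower() not in addrs
    is_list = msg.get("Precedence", "").strip().lower() in ("bulk", "list")
    has_local = any(a.endswith("@" + LOCAL_DOMAIN) for a in addrs)
    return naive, (not is_list and not has_local)

def evaluate():
    """Run both heuristics over every constructed sample."""
    return {name: heuristic_hits(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, meta) in evaluate().items():
        print(f"{name:12} naive={naive!s:5} meta={meta}")
```

On these constructed samples the naive test fires on list mail and on the blind copy. The meta spares list mail but still fires on the blind copy and does not fire on the thread's spam, because its To: header carries the company domain.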