Posted to users@spamassassin.apache.org by "Kevin A. McGrail" <KM...@PCCC.com> on 2016/01/11 19:54:46 UTC

Re: Prevent 'on behalf of' showing internal but really from external domain

On 1/11/2016 1:57 PM, Justin Edmands wrote:
> We have seen a few messages that were allowed to be sent "on behalf
> of" a user within our network. The external user's domain was able to
> send through our relay and sort of spoof the user. Any way to use
> spamassassin to prevent this sort of thing?
>
Sounds like more of something for a milter on outgoing mail like MIMEDefang.

Re: Prevent 'on behalf of' showing internal but really from external domain

Posted by Justin Edmands <j....@sagedining.com>.
OK, thank you. We do use that, so I will post to the MIMEDefang list.


-- 

Justin Edmands 
SAGE Dining Services, Inc.® 
Technology Department 
justin@sagedining.com 
(410) 339-3950 x38 



Re: Prevent 'on behalf of' showing internal but really from external domain

Posted by Joseph Brennan <br...@columbia.edu>.
> On 1/11/2016 1:57 PM, Justin Edmands wrote:
>
> We have seen a few messages that were allowed to be sent "on behalf of"
> a user within our network. The external user's domain was able to send
> through our relay and sort of spoof the user. Any way to use spamassassin
> to prevent this sort of thing?


Note that "on behalf of" is an artifact of Outlook displaying message 
headers in Exchange format (even in non-Exchange environments). It's not 
really there in Internet mail, so SpamAssassin will never see it.

Outlook constructs its (Exchange style) Sender header out of the Internet 
From and Sender headers. If the Sender header exists and the address in it 
is different from the From header, then Outlook displays "Sender Address on 
behalf of From Address".

The good thing about this is that Outlook displays the content of the 
Sender header at all. I don't know of another client that does. The bad 
thing is that it displays the two in this peculiar manner that can give the 
impression that the one address gave permission for the other to send "on 
behalf of" which need not be the case at all. (The peculiar display is 
adapted from Exchange messaging in which permission does have to be 
granted.)

Typically what is happening is that the spammer uses an address @ an 
external domain for the SMTP "mail from" and Sender header, but puts an 
address @ your domain in the From header. Most mail clients show only the 
content of the From header, so this spoofs effectively.

If you want to catch this, you'd want to score for the case where the From 
header has your domain but the Sender header does not. BUT be careful. A 
rule like that would hit on mail sent through mailing lists and some other 
legitimate "send as" cases.


Joseph Brennan
Columbia University I T
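
The From/Sender comparison discussed in this thread, as an added Python example (not code from any poster and not a SpamAssassin rule). Assumptions: `example.com` stands in for the protected domain, the check requires a Sender header to be present, and a `List-Id` header is used as a mailing-list hint; all sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: placeholder for the protected domain

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "spoof": "From: Alice <alice@example.com>\nSender: x@mailer.invalid\n"
             "Subject: hi\n\nbody\n",
    "list": "From: Alice <alice@example.com>\n"
            "Sender: users-bounces@lists.invalid\n"
            "List-Id: <users.lists.invalid>\nSubject: hi\n\nbody\n",
    "internal": "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n",
}

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def outlook_display(msg):
    """Approximate the display described in the thread: when Sender exists
    and differs from From, show 'Sender on behalf of From'."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, sender_addr = parseaddr(msg.get("Sender", ""))
    if sender_addr and sender_addr.lower() != from_addr.lower():
        return f"{sender_addr} on behalf of {from_addr}"
    return from_addr

def classify(msg, our_domain=OUR_DOMAIN):
    """Return 'suspect' when From is our domain and Sender is external,
    'list' when that pattern also carries List-Id, otherwise 'ok'."""
    from_dom = domain_of(msg.get("From"))
    sender_dom = domain_of(msg.get("Sender"))
    if from_dom != our_domain or not sender_dom or sender_dom == our_domain:
        return "ok"
    # List-Id can be added by anyone, so 'list' should lower a score,
    # not exempt the message outright.
    return "list" if msg.get("List-Id") else "suspect"

def run_samples():
    """Classify every constructed sample by name."""
    return {n: classify(message_from_string(r)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        m = message_from_string(raw)
        print(f"{name:9} {classify(m):8} {outlook_display(m)}")
```

The `list` result covers only one of the legitimate cases mentioned above; other "send as" arrangements would still be flagged and need their own allowances.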