PCRE on Received Header


PCRE on Received Header

Michael B Allen
Hi,

I would like to re-write the Received header on some messages being
sent using ESMTPSA through my mail server. Specifically the header I
would like to re-write currently looks like the following (names have
been changed to protect the guilty):

"
Received: from workstation.busihome.local
(pool-101-2-122-10.nwrknj.fios.verizon.net [101.2.122.10])
(Authenticated sender: mike) by mail.busicorp.com (Postfix) with
ESMTPSA id 987567F1 for <[hidden email]>; Wed, 8 Nov 2017 00:21:52
-0500 (EST)
"

There's way too much information in there!

I'm thinking the re-written header could look something more like:

"
Received: by mail.busicorp.com (Postfix, from userid 501) id 987567F1;
Wed, 8 Nov 2017 00:21:52 -0500 (EST)
"

This replacement header format was reconnoitered from a message I sent
using sendmail on the commandline on the mail server itself. Meaning I
want messages (or at least the messages that match the pcre expression
that I will ultimately use) to appear as though they were sent
directly from a client on the mail server itself. There is simply no
reason why anyone needs to know that I'm sending emails from home in
my bunny slippers. I am sending mail almost exclusively to large
companies that frequently use aggressive mail filtering appliances. I
do not use my business email to communicate with civilians and
gmailers.

So the question is, is there anything about this re-written header
that could be interpreted as spam? Will the resulting message be^Hlook
legit? Is there a less spammy looking way to do this in general?

Second, many folks are apparently removing this header entirely. That
seems sloppy to me but if you think otherwise, please tell me about
it.

Additionally, my current understanding is that I can implement this
with smtp_header_checks and a PCRE expression. If that is not the
correct method, please give me a pointer.

Mike

Re: PCRE on Received Header

Ralph Seichter
On 08.11.17 23:45, Michael B Allen wrote:

> many folks are apparently removing this header entirely. That seems
> sloppy to me but if you think otherwise, please tell me about it.

'Received' headers are used for diagnostic purposes. If one chooses to
discard these headers for authenticated email arriving over port 587
(submission) to hide network details, user names or other information
considered sensitive, there is nothing "sloppy" or unusual about it.

-Ralph


Re: PCRE on Received Header

Michael B Allen
On Wed, Nov 8, 2017 at 6:03 PM, Ralph Seichter
<[hidden email]> wrote:
> On 08.11.17 23:45, Michael B Allen wrote:
>
>> many folks are apparently removing this header entirely. That seems
>> sloppy to me but if you think otherwise, please tell me about it.
>
> 'Received' headers are used for diagnostic purposes. If one chooses to
> discard these headers for authenticated email arriving over port 587
> (submission) to hide network details, user names or other information
> considered sensitive, there is nothing "sloppy" or unusual about it.

From a spam perspective, it doesn't really matter if the message is
protocol correct.

Does anyone else here think removing vs changing the origin 'Received'
header would NOT have a negative impact wrt getting through hardcore
spam filters?

Re: PCRE on Received Header

Matus UHLAR - fantomas
In reply to this post by Michael B Allen
On 08.11.17 17:45, Michael B Allen wrote:

>I would like to re-write the Received header on some messages being
>sent using ESMTPSA through my mail server. Specifically the header I
>would like to re-write currently looks like the following (names have
>been changed to protect the guilty):
>
>"
>Received: from workstation.busihome.local
>(pool-101-2-122-10.nwrknj.fios.verizon.net [101.2.122.10])
>(Authenticated sender: mike) by mail.busicorp.com (Postfix) with
>ESMTPSA id 987567F1 for <[hidden email]>; Wed, 8 Nov 2017 00:21:52
>-0500 (EST)
>"
>
>There's way too much information in there!

what's "way too much"?

the only information there that could/should be turned off is the
"(Authenticated sender: mike)" which should be turned off by setting
smtpd_sasl_authenticated_header to "no" (which is the default).

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
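As an added example (not code from the thread or from Postfix), the pattern below is the PCRE that Mike's question calls for, checked in Python against the header quoted in his post, with Matus's point folded in: the "(Authenticated sender: ...)" clause is optional, because it is absent when smtpd_sasl_authenticated_header is left at its default of no. The recipient address, the function names and the extra test headers are constructed for this illustration.

```python
import re

# Constructed sample: the folded ESMTPSA Received header quoted in the thread,
# with the hidden recipient replaced by a placeholder address.
VERBOSE_RECEIVED = (
    "Received: from workstation.busihome.local\n"
    "\t(pool-101-2-122-10.nwrknj.fios.verizon.net [101.2.122.10])\n"
    "\t(Authenticated sender: mike) by mail.busicorp.com (Postfix) with\n"
    "\tESMTPSA id 987567F1 for <recipient@example.com>; Wed, 8 Nov 2017 00:21:52\n"
    "\t-0500 (EST)"
)

# PCRE-compatible pattern; \s+ also spans the newline and indent of folded lines.
# Groups: 1 HELO name, 2 reverse DNS name, 3 client IP, 4 SASL login (optional,
# only emitted with smtpd_sasl_authenticated_header = yes), 5 our server name,
# 6 queue id, 7 timestamp.  "for <...>" is absent for multi-recipient mail,
# so it is optional too.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+"
    r"(?:\(Authenticated sender:\s+([^)]*)\)\s+)?"
    r"by\s+(\S+)\s+\(Postfix\)\s+with\s+ESMTPSA\s+id\s+([^\s;]+)\s*"
    r"(?:for\s+<[^>]*>)?;\s+(.+)$",
    re.DOTALL,
)


def client_exposure(header):
    """Return the client-identifying fields an ESMTPSA Received header reveals,
    or None if the header was not added for authenticated submission."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    helo, name, ip, user = m.group(1, 2, 3, 4)
    return {"helo": helo, "reverse_name": name, "ip": ip, "sasl_user": user}


def anonymize_received(header):
    """Rewrite an ESMTPSA Received header to the local-submission form
    'Received: by <server> (Postfix) id <queue id>; <date>'.
    Headers added for anything else (e.g. ESMTPS relay) are returned unchanged."""
    m = RECEIVED_RE.match(header)
    if not m:
        return header
    date = " ".join(m.group(7).split())  # unfold the timestamp onto one line
    return f"Received: by {m.group(5)} (Postfix) id {m.group(6)}; {date}"


if __name__ == "__main__":
    print(client_exposure(VERBOSE_RECEIVED))
    print(anonymize_received(VERBOSE_RECEIVED))
```

In Postfix the same expression can go into a pcre: header_checks table as `/.../ REPLACE Received: by $5 (Postfix) id $6; $7` (or with `IGNORE` to drop the line, which is Ralph's preference), attached through a dedicated cleanup service for the submission listener so that Received lines added by other hosts are left untouched.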

Re: PCRE on Received Header

Ralph Seichter
In reply to this post by Michael B Allen
On 09.11.2017 03:04, Michael B Allen wrote:

> From a spam perspective, it doesn't really matter if the message is
> protocol correct.

I don't know what you mean by "protocol correct" re trace information.
In any case, https://tools.ietf.org/html/rfc5321#section-4.4 states:

  When an SMTP server receives a message for delivery or further
  processing, it MUST insert trace ("time stamp" or "Received")
  information at the beginning of the message content [...]

Postfix does what is required. If you consider the generated trace info
too revealing and therefore plan to alter it, you might as well remove
the whole Received line during submission cleanup. Both modification and
omission are violations of

  An Internet mail program MUST NOT change or delete a Received: line
  that was previously added to the message header section.

Source as before. Choose your poison, or leave it to Postfix, which is
not overly chatty with default settings as Matus Uhlar pointed out.
Personally, I sometimes like to have even more info added by using
smtpd_tls_received_header=yes.

-Ralph

Re: PCRE on Received Header

Michael B Allen
On Thu, Nov 9, 2017 at 10:09 AM, Ralph Seichter
<[hidden email]> wrote:
> I don't know what you mean by "protocol correct" re trace information.
> In any case, https://tools.ietf.org/html/rfc5321#section-4.4 states:

The RFC states that Received headers must be inserted and that they
must not be altered. Spam filters (and specifically appliances like
Barracuda) are /exploiting/ that trace information to exclude
messages. They are looking at the origin Received header, deciding
that it looks like a residential connection and excluding the message
based on that. So why are you quoting RFCs? I will fake timestamps,
change headers and insert ascii-art cats into my messages if I think
it will improve delivery. That is what spammers are doing, that is
what spam filters are looking for and therefore I will do whatever I
have to do to compete.

Re: PCRE on Received Header

Ralph Seichter
On 09.11.17 18:44, Michael B Allen wrote:

> Spam filters (and specifically appliances like Barracuda) are
> /exploiting/ that trace information to exclude messages.

Sure. I never mentioned this, thinking it is already clear.

> So why are you quoting RFCs? I will fake timestamps, change headers
> and insert ascii-art cats into my messages if I think it will improve
> delivery. That is what spammers are doing, that is what spam filters
> are looking for and therefore I will do whatever I have to do to compete.

If you take the time to read my postings in this thread carefully, you
will find that I never begrudged anybody their manipulating or removing
Received lines. I mentioned the RFC simply to clarify that *any* change
or omission is a violation anyway, so just decide if you can accept that
(I know I can) and be done with it. Frankly, I don't give the proverbial
fart in hard vacuum what you do, but my personal preference is deleting
Received lines from authenticated mail over rewriting them. ;-)

-Ralph