Question respecting the headers?


Question respecting the headers?

James B. Byrne
I am sure that the message associated with the header extract
reproduced below is fraudulent.  But, I would like to know how this
particular header line was constructed at the source:

Received: from theguardian.com (regtreis.viverindia.com.br
[31.172.134.4])

How did they get 'from theguardian.com' into the Received header
generated by our mx?


X-Spam-Status: Yes, score=3.596 tagged_above=-9999 required=2.5
tests=[BAYES_50=0.8, DCC_CHECK=1.1, FSL_BULK_SIG=0.001,
HTML_MESSAGE=0.25, MIME_HEADER_CTYPE_ONLY=0.1, MIME_HTML_ONLY=0.1,
NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_FAIL=0.001,
SPF_HELO_FAIL=0.001] autolearn=no autolearn_force=no

Received: from mx31.harte-lyne.ca ([127.0.31.1])
by mx31.harte-lyne.ca (mx31.harte-lyne.ca [127.0.31.1]) (amavisd-new,
port 10024)
with ESMTP id hWdti3MHs_-D for <x>;
Tue, 23 Jul 2019 11:36:06 -0400 (EDT)

Received: from theguardian.com (regtreis.viverindia.com.br
[31.172.134.4])
by mx31.harte-lyne.ca (Postfix) with ESMTP
for <x>; Tue, 23 Jul 2019 11:36:05 -0400 (EDT)

Received: from localhost (127.0.0.1) by
.[hidden email] id Jd4PSSYSxKJS for <x>; Tue, 23 Jul
2019 15:07:09 +0200 (envelope-from <[hidden email]>)

From: Your Flight <[hidden email]>

Content-Type: text/html

References: x

Message-ID: <[hidden email]>

Reply-To: x

To: x

List-ID: YYfL9s2a56JPGCwMwjkz

Subject: ***Spam***Your chance to fly with Air Canada

Date: Tue, 23 Jul 2019 15:07:09 +0200


--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: Question respecting the headers?

Bill Cole-3
On 24 Jul 2019, at 12:56, James B. Byrne wrote:

> I am sure that the message associated with the header extract
> reproduced below is fraudulent.  But, I would like to know how this
> particular header line was constructed at the source:
>
> Received: from theguardian.com (regtreis.viverindia.com.br
> [31.172.134.4])
>
> How did they get 'from theguardian.com' into the Received header
> generated by our mx?

The token immediately following the "from" in a Received header
generated by Postfix is the name offered in the EHLO or HELO command
from the SMTP client.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Question respecting the headers?

James B. Byrne


On Wed, July 24, 2019 13:21, Bill Cole wrote:

> On 24 Jul 2019, at 12:56, James B. Byrne wrote:
>
>> I am sure that the message associated with the header extract
>> reproduced below is fraudulent.  But, I would like to know how this
>> particular header line was constructed at the source:
>>
>> Received: from theguardian.com (regtreis.viverindia.com.br
>> [31.172.134.4])
>>
>> How did they get 'from theguardian.com' into the Received header
>> generated by our mx?
>
> The token immediately following the "from" in a Received header
> generated by Postfix is the name offered in the EHLO or HELO command
> from the SMTP client.
>

I am not asking this question correctly.

theguardian.com is not the domain that is sending this traffic.  The
people who are sending it connect from an array of IP addresses but
they always use theguardian.com as the server name.  I had believed up
until this moment that we were checking that the remote server name
matched the server domain but perhaps we are just checking that the
server name exists in DNS.  Can we configure Postfix to prevent
fraudulent use of a valid DNS host?




Re: Question respecting the headers?

Wietse Venema
> >> Received: from theguardian.com (regtreis.viverindia.com.br
> >> [31.172.134.4])

The remote SMTP client sent theguardian.com in the EHLO or HELO command.

31.172.134.4 is the client IP address. The Postfix SMTP server looks
up the domain name for that client IP address, regtreis.viverindia.com.br,
and uses that domain name only if it resolves to the remote client
IP address. Otherwise, the Postfix SMTP server will use "unknown" instead.

If you want to enforce that the HELO/EHLO matches the client domain
name, then Postfix does not do that.

        Wietse
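As an added illustration (not code from the thread, nor from Postfix), the following Python parses the "from HELO (rDNS [IP])" clause that Postfix writes at the start of its Received header, exactly as Wietse describes it, and flags the case James asked about: a HELO name that does not match the forward-confirmed name of the connecting client. The first sample is the thread's own header line; the other two are constructed, and the "HELO equals or is a parent of the rDNS name" comparison is this example's own assumption, not a Postfix rule.

```python
import re

# Postfix writes "from <HELO name> (<rDNS name> [<client IP>])"; the rDNS
# name is "unknown" when the PTR result did not resolve back to the IP.
_FROM_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
)

# Header line from the thread (spam sample).
SAMPLE_SPAM = """Received: from theguardian.com (regtreis.viverindia.com.br
 [31.172.134.4])
 by mx31.harte-lyne.ca (Postfix) with ESMTP
 for <x>; Tue, 23 Jul 2019 11:36:05 -0400 (EDT)"""

# Constructed: HELO is the parent domain of a forward-confirmed client name.
SAMPLE_OK = """Received: from example.org (mail.example.org [192.0.2.25])
 by mx.example.net (Postfix) with ESMTPS id ABC123
 for <x>; Tue, 23 Jul 2019 11:40:00 -0400 (EDT)"""

# Constructed: reverse lookup did not forward-confirm, so Postfix wrote "unknown".
SAMPLE_UNKNOWN = """Received: from theguardian.com (unknown [198.51.100.7])
 by mx.example.net (Postfix) with ESMTP id DEF456
 for <x>; Tue, 23 Jul 2019 11:41:00 -0400 (EDT)"""


def parse_postfix_received(header: str):
    """Return (helo, rdns, ip) from a Postfix Received header, or None."""
    folded = " ".join(header.split())          # unfold continuation lines
    m = _FROM_RE.search(folded)
    return None if m is None else (m["helo"], m["rdns"], m["ip"])


def helo_mismatch(header: str) -> bool:
    """True when the HELO name cannot be reconciled with the client's rDNS.

    Assumption: a HELO name is accepted if it equals the forward-confirmed
    rDNS name or is a parent domain of it; an address-literal HELO must
    equal the client IP; "unknown" rDNS gives nothing to match against.
    """
    parsed = parse_postfix_received(header)
    if parsed is None:
        return False                            # not a Postfix-style clause
    helo, rdns, ip = parsed
    helo, rdns = helo.lower().rstrip("."), rdns.lower().rstrip(".")
    if helo.startswith("["):                    # e.g. HELO [192.0.2.25]
        return helo.strip("[]").removeprefix("IPv6:".lower()) != ip.lower()
    if rdns == "unknown":
        return True
    return not (rdns == helo or rdns.endswith("." + helo))
```

Run over a mail log or a mailbox, the mismatch flag is a useful tagging signal but, as Wietse notes, not something Postfix enforces on its own.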