This is a discussion on Other To: and Delivered: within the alt.comp.mail.qmail forums, part of the Mail Servers and Related category.

Hello,

Some spammers send email using my server. In the header of the message I have a different address than the one this message is delivered to. The message from the spammer alkalibayport@mad.scientist.com is addressed in the header to wjaworski@domain-sa.com.pl, but it was delivered to najem@domain-sa.com.pl. Why did this happen? What patch for qmail should I use?

Thanks
Pawel Rutkowski

Header message:

Return-Path: <alkalibayport@mad.scientist.com>
Delivered-To: 143-najem@domain-sa.com.pl
Received: (qmail 17089 invoked from network); 3 Aug 2006 15:03:29 +0200
Received: from pool-151-197-185-210.phil.east.verizon.net (HELO ROBOT.rc0t.com) (151.197.185.210)
  by srv1.domain.pl with SMTP; 3 Aug 2006 15:03:29 +0200
Message-ID: <01270571849750.3C33806A70@QJZAPCKK>
From: "Zachariah" <backupdetail@bikerider.com>
To: <wjaworski@domain-sa.com.pl>
Subject: Enjoy secure ordering, lowest possible prices and almost instant shipment. Be delighted with
Date: Thu, 3 Aug 2006 09:03:12 -0400
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: zVXxufFpIzexEoPKGe0radPPLGCGZ4haLdjX
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Logs from qmail:

Aug 3 15:03:30 srv1 qmail: 1154610210.048418 delivery 25672: success: did_1+0+2/did_0+0+1/
Aug 3 15:03:30 srv1 spamd[15560]: result: . 0 - FORGED_RCVD_HELO scantime=0.5,size=1543,mid=<01270571849750.3C33806A70@QJZAPCKK>,autolearn=ham
Aug 3 15:03:30 srv1 spamd[15560]: clean message (0.1/7.0) for najem@domain-sa.com.pl:110 in 0.5 seconds, 1543 bytes.
Aug 3 15:03:29 srv1 qmail: 1154610209.982397 status: local 1/10 remote 0/20
Aug 3 15:03:29 srv1 qmail: 1154610209.982362 delivery 25671: success: did_1+0+2/did_0+0+1/
Aug 3 15:03:29 srv1 spamd[16842]: result: . 0 - FORGED_RCVD_HELO scantime=0.4,size=1543,mid=<01270571849750.3C33806A70@QJZAPCKK>,autolearn=ham
Aug 3 15:03:29 srv1 spamd[16842]: clean message (0.1/7.0) for wjaworski@domain-sa.com.pl:110 in 0.4 seconds, 1543 bytes.
Aug 3 15:03:29 srv1 spamd[15560]: processing message <01270571849750.3C33806A70@QJZAPCKK> for najem@domain-sa.com.pl:110.
Aug 3 15:03:29 srv1 spamd[16842]: processing message <01270571849750.3C33806A70@QJZAPCKK> for wjaworski@domain-sa.com.pl:110.
Aug 3 15:03:29 srv1 spamd[15560]: Using default config for najem@domain-sa.com.pl: /var/qmail/mailnames/domain-sa.com.pl/najem/.spamassassin/user_prefs
Aug 3 15:03:29 srv1 spamd[15560]: got connection over /tmp/spamd_full.sock
Aug 3 15:03:29 srv1 spamd[16842]: Using default config for wjaworski@domain-sa.com.pl: /var/qmail/mailnames/domain-sa.com.pl/wjaworski/.spamassassin/user_prefs
Aug 3 15:03:29 srv1 spamd[16842]: got connection over /tmp/spamd_full.sock
Aug 3 15:03:29 srv1 qmail: 1154610209.444360 status: local 2/10 remote 0/20
Aug 3 15:03:29 srv1 qmail: 1154610209.444353 starting delivery 25672: msg 62719 to local 143-najem@domain-sa.com.pl
Aug 3 15:03:29 srv1 qmail: 1154610209.444342 status: local 1/10 remote 0/20
Aug 3 15:03:29 srv1 qmail: 1154610209.444323 starting delivery 25671: msg 62719 to local 143-wjaworski@domain-sa.com.pl
Aug 3 15:03:29 srv1 qmail: 1154610209.400734 info msg 62719: bytes 1543 from <alkalibayport@mad.scientist.com> qp 17089 uid 2020
Aug 3 15:03:29 srv1 qmail: 1154610209.400709 new msg 62719
Aug 3 15:03:29 srv1 qmail-queue: dwlib[17083]: scan: the message(drweb.tmp.ErrGKo) sent by alkalibayport@mad.scientist.com to rcpts should be passed without checks, because contains uncheckable addresses
Aug 3 15:03:29 srv1 qmail-queue: dwlib[17083]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)

On 2006-08-04, Pawel Rutkowski <rutekp@moja-poczta.com.pl> wrote:
> Some spammers send email using my server. In header of message I have
> different address than this message is delivered for. Message from spammer:
> alkalibayport@mad.scientist.com is in header message addressed for
> wjaworski@domain-sa.com.pl:, but it was delivered to:
> najem@domain-sa.com.pl. Why did this happen? What patch for qmail should I
> use?

The envelope recipient address does not necessarily equal the address given in the From header field. The Delivered-To header, in contrast, documents the envelope recipient.

You are free to filter out emails where these two headers do not match properly. However, you have to take care then of mailing lists where likewise the To-field doesn't include your address.

Andreas.

> The envelope recipient address does not necessarily equal the address
> given in the From header field. The Delivered-To header, in contrast,
> documents the envelope recipient.
>
> You are free to filter out emails where these two headers do not
> match properly. However, you have to take care then of mailing lists
> where likewise the To-field doesn't include your address.

Is there any patch which will check whether those two fields in the header are equal?

Pawel Rutkowski

Pawel Rutkowski wrote:
>>The envelope recipient address does not necessarily equal the address
>>given in the From header field. The Delivered-To header, in contrast,
>>documents the envelope recipient.
>>
>>You are free to filter out emails where these two headers do not
>>match properly. However, you have to take care then of mailing lists
>>where likewise the To-field doesn't include your address.
>
> Is there any patch which will check equal those two fields in header ?
>
> Pawel Rutkowski

The processing needs to be done during the final delivery stage. Since you are using SpamAssassin, configure rules to determine whether a mailing is spam or ham during the SMTP session based on the Return-path: From or envelope recipient and To fields.

You could also use blacklists (www.openrbl.org) to prevent certain IPs from connecting (rblsmtpd).

Report the offenders to their ISP.

AK

On 2006-08-04, Pawel Rutkowski <rutekp@moja-poczta.com.pl> wrote:
>> The envelope recipient address does not necessarily equal the address
>> given in the From header field. The Delivered-To header, in contrast,
>> documents the envelope recipient.
>>
>> You are free to filter out emails where these two headers do not
>> match properly. However, you have to take care then of mailing lists
>> where likewise the To-field doesn't include your address.
>
> Is there any patch which will check equal those two fields in header ?

Please check out iftocc, which is part of the mess822 package by Dan J. Bernstein. See http://cr.yp.to/mess822.html

Andreas.

> The processing needs to be done during the final delivery stage. Since You
> are using spamassasin configure rules to determine whether a mailing is
> spam or ham during the SMTP session based on the Return-path: From or
> envelope recipient and To fields.

Can I configure SpamAssassin to give about 5 points to an email whose To: and Delivered to: are not equal?

Pawel R.

Pawel Rutkowski wrote:
>>The processing needs to be done during the final delivery stage. Since You
>>are using spamassasin configure rules to determine whether a mailing is
>>spam or ham during the SMTP session based on the Return-path: From or
>>envelope recipient and To fields.
>
> Can I configure Spamassassin to give about 5 points to email which To: and
> Delivered to: is not equal?
>
> Pawel R.

I believe so, but cannot say for certain as I have not directly dealt with an issue such as this. Have a look at http://www.rulesemporium.com/ to see whether you can find something there that would help you.

AK
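
The check discussed in this thread (compare the envelope recipient recorded in Delivered-To with the addresses in To and Cc, while allowing for mailing lists) is sketched below as an added example; it is not code from any poster, from qmail or from mess822. It assumes the numeric "143-" prefix seen in the quoted Delivered-To line comes from the virtual-domain setup and is not part of the mailbox name; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, modelled on the headers quoted in the first post.
SAMPLE = """\
Return-Path: <alkalibayport@mad.scientist.com>
Delivered-To: 143-najem@domain-sa.com.pl
From: "Zachariah" <backupdetail@bikerider.com>
To: <wjaworski@domain-sa.com.pl>
Subject: constructed sample

body
"""

# Assumption: a leading "<digits>-" is a virtual-domain prefix, not mailbox text.
PREFIX = re.compile(r"^\d+-")
# Headers that mailing-list software commonly adds (Mailing-List is ezmlm's).
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "Mailing-List")

def envelope_recipient(msg):
    """Mailbox from the topmost Delivered-To field, prefix removed, or None."""
    value = msg.get("Delivered-To")
    if not value:
        return None
    return PREFIX.sub("", value.strip()).lower()

def visible_recipients(msg):
    """All addresses listed in To and Cc, lower-cased."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def classify(raw):
    """Return 'match', 'list', 'mismatch' or 'unknown' for one raw message."""
    msg = message_from_string(raw)
    rcpt = envelope_recipient(msg)
    if rcpt is None:
        return "unknown"          # not a locally delivered copy
    if rcpt in visible_recipients(msg):
        return "match"
    # Mailing lists legitimately omit the subscriber from To/Cc.
    is_list = any(msg.get(h) for h in LIST_HEADERS)
    if is_list or msg.get("Precedence", "").lower() in ("list", "bulk"):
        return "list"
    return "mismatch"

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A legitimate Bcc copy also produces "mismatch", and list headers can be forged, so the result is better used as one scoring input than as a reason to reject mail outright.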