"spoofed" email messages coming from recepient

Professional Software Engineering PSE-L at mail.professional.org
Sat Jan 31 00:15:20 CET 2009

At 12:10 2009-01-30 -0800, Alex Rodriguez wrote:

>I am a junior Linux admin with very limited experience with procmail.
>I need to have procmail dump email messages which have the same address on 
>both sender and receiver field on the email envelope.

If it's envelope data, you should specify what headers your MTA is adding 
to the message such that programs such as Procmail can see the envelope 
data.  This isn't inherently part of the headers.

Also, you may be better off setting up a filter in your MTA to reject these 
at SMTP delivery time - thus advising legitimate senders (perhaps your 
users) that the message is being rejected.  Accepting and THEN bouncing the 
message is problematic.

Consider also whether you want the rule to apply only to addresses at your 
domain(s), or to ANY address pair - it isn't wholly uncommon for people to 
address a group of recipients as BCC and themselves as the TO:.  This 
wouldn't meet the criteria of an ENVELOPE TO: and FROM: match unless of 
course that person was your customer (and is receiving the individual copy 
addressed to themselves), but if you're using non-envelope - plain From: 
and To: headers - then such messages will match.

If the emails you're trying to block are spoofing your own domain, you 
should consider setting up your MTA to require SMTP authentication.  Local 
(shell) users would have no problems sending, and any users mailing into 
your SMTP would need to authenticate in order to do so.  This protects your 
own server from being hijacked to send mail out to other sites as if they 
came from your users.

  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.

More information about the procmail mailing list