[SOLVED] How to deal with different MFROM and FROM

Zarhi

Hello,

I see an increasing number of emails that have a different MAIL FROM: in SMTP and From: in headers.

Is there a way to check and white/black list header From: email addresses?

Code:
Return-Path: info=bgwebinar.com@bounces.elasticemail.net
Received-SPF: pass (bounces.elasticemail.net: Sender is authorized to use 'info=bgwebinar.com@bounces.elasticemail.net' in 'mfrom' identity (mechanism 'include:_spf.elasticemail.com' matched)) receiver=; identity=mailfrom; envelope-from="info=bgwebinar.com@bounces.elasticemail.net"; helo=nf84.mxout.mta2.net; client-ip=141.95.129.84
DKIM-Signature: v=1; a=rsa-sha256; d=bounces.elasticemail.net; s=api;
    c=relaxed/simple; t=1699860498;
    h=from:date:subject:reply-to:to:list-unsubscribe:mime-version;
    bh=oLN6QXdzIcFWqDqaIgqnWMqudPbwkg8oYiIaj8zRtDE=;
    b=FqZEaC96W/hqkOfeWkYW0KHsg8RC/M6EOHY/bfMxRi2QBVYE8V25Ie3PPysC4hH0kvg09lbnMoE
    mBPttJS9KVrfCawrxaivrPl1qkViIeMXURWUB+Y/KKNDpN7SqtXq7nzqrPPyIkchoswHyqw+RKAKG
    zGpkaGL5FoO3NJkq3Zo=
DKIM-Signature: v=1; a=rsa-sha256; d=elasticemail.com; s=api;
    c=relaxed/simple; t=1699860498;
    h=from:date:subject:reply-to:to:list-unsubscribe;
    bh=oLN6QXdzIcFWqDqaIgqnWMqudPbwkg8oYiIaj8zRtDE=;
    b=iiV4KawjJs6eGdpFzkIU1osjbV+XlHeSLM2J5sOIcBhPezF9e2BEkQwsuD0gvRrQx8EC4H8Ce2T
    5psI+lYRPZKZ+pctU4IChqp8hkrjOvUZcFJUvX7yFlxRD/Xd0pCTEZyrzOkXp/EQhP9PkPi9CppaD
    Azi3LkmkltrVj8Crg68=
From: =?utf-8?b?0J/QvtC60LDQvdCwINC30LAg0L7QsdGD0YfQtdC90LjQtQ==?=
    <info@bgwebinar.com>


Code:
Return-Path: <bounce-md_30617490.65278b13.v1-f73b8ea6a32b48868efc6615c6498441@mandrillapp.com>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mail53
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=6.0 tests=BAYES_00,DKIMWL_WL_MED,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,
    MIXED_ES,RDNS_NONE,SPF_HELO_PASS,URIBL_GREY autolearn=no
    autolearn_force=no version=3.4.6
Received-SPF: pass (mandrillapp.com: Sender is authorized to use
 'bounce-md_30617490.65278b13.v1-f73b8ea6a32b48868efc6615c6498441@mandrillapp.com'
 in 'mfrom' identity (mechanism 'include:spf.mandrillapp.com' matched))
 receiver=; identity=mailfrom;
 envelope-from="bounce-md_30617490.65278b13.v1-f73b8ea6a32b48868efc6615c6498441@mandrillapp.com";
 helo=mail4.wdc04.mandrillapp.com; client-ip=205.201.139.4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
 i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1697090323; h=from :
 subject : reply-to : to : message-id : date : mime-version :
 content-type : content-transfer-encoding : from : x-mandrill-user :
 list-unsubscribe; bh=bi0FZA7Yo9i1ANMxJ0Im0hnZLJGoqNEyhlxK7SgPQng=;
 b=WjjFLQF61nUETizMTM2LWah4tOwHYcjB5qd4pZ7/u4outt/iiSQWCl/QQ9g3D/ErV8SD1
 7ZPBALvQLgN+6C4GjTSDoe4ZtjTODc+karU2769wBOtq3JDeofCrRcpASRkU/oAenMM5v8w
 1hqQRschKsOTbV50gea3pvSHxyAxvKI=
From: user@example.com


Also, in Mail Filter => Who Objects => Whitelist/Blacklist, an email address with '=' in it cannot be entered:

Screenshot_20231113_101938.png
 
> Is there a way to check and white/black list header From: email addresses?
This can be done with a Match Field What Object (the Field is 'From').

> Also, in Mail Filter => Who Objects => Whitelist/Blacklist, an email address with '=' in it cannot be entered:
You can use a WhoRegex instead of an e-mail address - this should work.
 
This sounds like "Who objects" match on the SMTP level (MAIL FROM:, RCPT TO:) and "What objects" match on received mail headers (where MAIL FROM: becomes Return-Path: in headers)?
 
Yes, more or less - What objects match the contents of the mail - Who objects in the rule system deal with envelope information.

Return-Path might not exist (although it usually does in almost all mail), and/or might be "faked" (but that can also be said about envelope-sender/recipient).
 
> Yes, more or less - What objects match the contents of the mail - Who objects in the rule system deal with envelope information.
Just to be sure: does "contents of the mail" mean the entire email including the body, or headers only?

> Return-Path might not exist (although it usually does in almost all mail), and/or might be "faked" (but that can also be said about envelope-sender/recipient).
In the few months I have been using PMG, I have never seen a missing "Return-Path:" header, and it always matches the next "Received-SPF: ... envelope-from="" ;" header (but in lower case).
Until now I assumed that these two headers are inserted at the top by Postfix?
 
> Just to be sure: does "contents of the mail" mean the entire email including the body, or headers only?
The Match Field What objects only match header fields.
Other What objects (Spam Level, Virus, Attachments) of course check the complete mail (for being spam, a virus, having a fitting attachment)...
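
The envelope/header mismatch discussed in this thread can be inspected offline with a short script. This is an added example, not part of the thread and not PMG code: it compares the header From: domain with the Return-Path and DKIM d= domains of a message. SAMPLE is a constructed, trimmed copy of the first header dump above (DKIM bh/b values replaced by placeholders), and the two-label `org_domain` shortcut is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed from the first header dump in the thread.
SAMPLE = """\
Return-Path: info=bgwebinar.com@bounces.elasticemail.net
DKIM-Signature: v=1; a=rsa-sha256; d=bounces.elasticemail.net; s=api;
    c=relaxed/simple; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=elasticemail.com; s=api;
    c=relaxed/simple; bh=PLACEHOLDER; b=PLACEHOLDER
From: =?utf-8?b?0J/QvtC60LDQvdCwINC30LAg0L7QsdGD0YfQtdC90LjQtQ==?=
    <info@bgwebinar.com>

body
"""

def domain_of(value):
    """Lower-cased domain of the address in a raw header value ('' if none)."""
    # Parse the raw value, before any RFC 2047 decoding of the display name.
    return parseaddr(value)[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Assumption: the last two labels stand in for the organizational
    domain; a production check needs the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def dkim_domains(msg):
    """d= tag of every DKIM-Signature header, in header order."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found

def analyze(raw):
    msg = message_from_string(raw)
    author = domain_of(msg.get("From", ""))
    envelope = domain_of(msg.get("Return-Path", ""))
    signers = dkim_domains(msg)
    same = lambda d: bool(d) and org_domain(d) == org_domain(author)
    return {"header_from": author, "envelope_from": envelope,
            "dkim_domains": signers, "spf_aligned": same(envelope),
            "dkim_aligned": any(same(d) for d in signers)}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

For the sample, both alignment results are False: the SPF pass and both DKIM signatures belong to the sending service's domains, not to the domain shown in From:.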