[SOLVED] How to deal with different MFROM and FROM

Zarhi

Hello,

I see an increasing number of emails that have a different MAIL FROM: in SMTP and From: in the headers.

Is there a way to check and white/black list headers FROM: email addresses?

Code:
Return-Path: info=bgwebinar.com@bounces.elasticemail.net
Received-SPF: pass (bounces.elasticemail.net: Sender is authorized to use 'info=bgwebinar.com@bounces.elasticemail.net' in 'mfrom' identity (mechanism 'include:_spf.elasticemail.com' matched)) receiver=; identity=mailfrom; envelope-from="info=bgwebinar.com@bounces.elasticemail.net"; helo=nf84.mxout.mta2.net; client-ip=141.95.129.84
DKIM-Signature: v=1; a=rsa-sha256; d=bounces.elasticemail.net; s=api;
    c=relaxed/simple; t=1699860498;
    h=from:date:subject:reply-to:to:list-unsubscribe:mime-version;
    bh=oLN6QXdzIcFWqDqaIgqnWMqudPbwkg8oYiIaj8zRtDE=;
    b=FqZEaC96W/hqkOfeWkYW0KHsg8RC/M6EOHY/bfMxRi2QBVYE8V25Ie3PPysC4hH0kvg09lbnMoE
    mBPttJS9KVrfCawrxaivrPl1qkViIeMXURWUB+Y/KKNDpN7SqtXq7nzqrPPyIkchoswHyqw+RKAKG
    zGpkaGL5FoO3NJkq3Zo=
DKIM-Signature: v=1; a=rsa-sha256; d=elasticemail.com; s=api;
    c=relaxed/simple; t=1699860498;
    h=from:date:subject:reply-to:to:list-unsubscribe;
    bh=oLN6QXdzIcFWqDqaIgqnWMqudPbwkg8oYiIaj8zRtDE=;
    b=iiV4KawjJs6eGdpFzkIU1osjbV+XlHeSLM2J5sOIcBhPezF9e2BEkQwsuD0gvRrQx8EC4H8Ce2T
    5psI+lYRPZKZ+pctU4IChqp8hkrjOvUZcFJUvX7yFlxRD/Xd0pCTEZyrzOkXp/EQhP9PkPi9CppaD
    Azi3LkmkltrVj8Crg68=
From: =?utf-8?b?0J/QvtC60LDQvdCwINC30LAg0L7QsdGD0YfQtdC90LjQtQ==?=
    <info@bgwebinar.com>


Code:
Return-Path: <bounce-md_30617490.65278b13.v1-f73b8ea6a32b48868efc6615c6498441@mandrillapp.com>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mail53
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=6.0 tests=BAYES_00,DKIMWL_WL_MED,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,
    MIXED_ES,RDNS_NONE,SPF_HELO_PASS,URIBL_GREY autolearn=no
    autolearn_force=no version=3.4.6
Received-SPF: pass (mandrillapp.com: Sender is authorized to use
 'bounce-md_30617490.65278b13.v1-f73b8ea6a32b48868efc6615c6498441@mandrillapp.com'
 in 'mfrom' identity (mechanism 'include:spf.mandrillapp.com' matched))
 receiver=; identity=mailfrom;
 envelope-from="bounce-md_30617490.65278b13.v1-f73b8ea6a32b48868efc6615c6498441@mandrillapp.com";
 helo=mail4.wdc04.mandrillapp.com; client-ip=205.201.139.4
 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
 i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1697090323; h=from :
 subject : reply-to : to : message-id : date : mime-version :
 content-type : content-transfer-encoding : from : x-mandrill-user :
 list-unsubscribe; bh=bi0FZA7Yo9i1ANMxJ0Im0hnZLJGoqNEyhlxK7SgPQng=;
 b=WjjFLQF61nUETizMTM2LWah4tOwHYcjB5qd4pZ7/u4outt/iiSQWCl/QQ9g3D/ErV8SD1
 7ZPBALvQLgN+6C4GjTSDoe4ZtjTODc+karU2769wBOtq3JDeofCrRcpASRkU/oAenMM5v8w
 1hqQRschKsOTbV50gea3pvSHxyAxvKI=
From: user@example.com


Also, in Mail Filter => Who Objects => Whitelist/Blacklist, an email address with '=' in it cannot be entered:

 
> Is there a way to check and white/black list headers FROM: email addresses?

This can be done with a Match Field What Object (the Field is 'From')

> Also, in Mail Filter => Who Objects => Whitelist/Blacklist, an email address with '=' in it cannot be entered:

You can use a WhoRegex instead of an e-mail address - this should work
 
This sounds like "Who objects" match on SMTP level (MAIL FROM:, RCPT TO:) and "What objects" match on received mail headers (where MAIL FROM: becomes Return-Path: in headers)?
 
Yes, more or less - What objects match the contents of the mail - Who objects in the rule-system deal with envelope information.

Return-Path might not exist (although it usually does in almost all mail), and/or might be "faked" (but that can also be said about envelope-sender/recipient).
 
> Yes, more or less - What objects match the contents of the mail - Who objects in the rule-system deal with envelope information.

Just to be sure: does "contents of the mail" mean the entire email including the body, or headers only?

> Return-Path might not exist (although it usually does in almost all mail), and/or might be "faked" (but that can also be said about envelope-sender/recipient).

In the few months I have been using PMG I have never seen a missing "Return-Path:" header, and it always matches the next "Received-SPF: ... envelope-from="" ;" header (but in lower case).
Until now I assumed that these two headers are inserted at the top by postfix?
 
> Just to be sure: does "contents of the mail" mean the entire email including the body, or headers only?

The Match Field What objects only match header fields.
Other What objects (Spam Level, Virus, Attachments) of course check the complete mail (for being spam, a virus, having a fitting attachment)...
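
An added example, not part of the original thread and not Proxmox Mail Gateway code: a Python sketch that compares the envelope sender recorded in Return-Path with the header From and the DKIM d= domains, using headers abridged from the first message quoted above. The subdomain-based alignment test and the `local=domain` decoding of the bounce address are simplifying assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: abridged from the first message quoted in the thread;
# the bh=/b= values are placeholders, not real signatures.
SAMPLE = """\
Return-Path: info=bgwebinar.com@bounces.elasticemail.net
DKIM-Signature: v=1; a=rsa-sha256; d=bounces.elasticemail.net; s=api;
    c=relaxed/simple; h=from:date:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=elasticemail.com; s=api;
    c=relaxed/simple; h=from:date:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: =?utf-8?b?0J/QvtC60LDQvdCwINC30LAg0L7QsdGD0YfQtdC90LjQtQ==?=
    <info@bgwebinar.com>
"""

def related(a, b):
    """Assumed simplification: equal or parent/child domain (real DMARC uses the Public Suffix List)."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def dkim_domains(msg):
    """Collect the d= tag of every DKIM-Signature header."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in str(value).split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].strip().lower())
    return found

def analyse(raw):
    """Compare header From with the envelope sender and the DKIM signing domains."""
    msg = message_from_string(raw, policy=policy.default)
    frm = msg["From"]
    header_from = frm.addresses[0].addr_spec.lower() if frm and frm.addresses else ""
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()  # header may be absent
    env_local, _, env_dom = envelope.rpartition("@")
    # Heuristic (assumption): the bounce address encodes the sender as local=domain
    verp = "@".join(env_local.rsplit("=", 1)) if "=" in env_local else None
    from_dom = header_from.rpartition("@")[2]
    return {
        "header_from": header_from,
        "envelope_from": envelope,
        "mfrom_aligned": related(env_dom, from_dom),
        "dkim_aligned": any(related(d, from_dom) for d in dkim_domains(msg)),
        "verp_matches_from": verp == header_from,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

For the sample, SPF passes only for the bounce domain and both DKIM signatures belong to the sending service, so neither result says anything about the domain in the header From.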
 
