On Fri, Aug 8, 2008 at 5:47 PM, Amedee Van Gasse wrote:
On Sat, August 9, 2008 02:15, John Andersen wrote:
On Fri, Aug 8, 2008 at 5:03 PM, Amedee Van Gasse wrote:
On Sat, August 9, 2008 01:32, John Andersen wrote:
On Fri, Aug 8, 2008 at 4:19 PM, Jim Henderson wrote:
On Sat, 09 Aug 2008 00:52:37 +0200, Alexey Eremenko wrote:
I thought GMail would scan for all suspicious emails, and according to logic, something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected
As Patrick said, it never went through gmail's servers -
And as Alexey said it DID arrive in his Gmail mailbox which, by definition means it DID go thru Gmail's server: inbound.
Gmail could have alerted Alexey that the mail was spoofed if the first few received headers didn't indicate a gmail origin.
I'm not sure what good it would do, as no-one else would get this alert except Alexey, but it seems do-able to me.
The listserve blurs things. If the spammer sent the email directly to Alexey, yes then you have a point. But it's not the spammer. Google sees a legitimate sender in the SMTP session: opensuse.org. Checking for spoofing senders is an SMTP session feature. That means at HELO (or EHLO). I don't know how I can explain this. This is what I see in my postfix logs:
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: connect from lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: 92C55138076: client=lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/cleanup[27322]: 92C55138076: message-id=<27061.81.82.3.9.1218239560.squirrel@intrepid.warp.be>
Aug 9 01:52:48 intrepid postfix/qmgr[19655]: 92C55138076: from= , size=4454, nrcpt=1 (queue active)
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: disconnect from lists4.suse.de[195.135.221.135]

As you can see, the SMTP session only sees opensuse+bounces-67833-amedee=amedee.be@opensuse.org as the sender, even if the original sender was amedee@amedee.be. By the way, there is a + separator; that means that for checking valid mailboxes you can ignore everything after the +, so the sender address is really opensuse@opensuse.org.
-- Amedee
--
When I said "First few Received Headers" I did NOT mean the top-most.
Neither did I.
I mean the first. Just above the body.
And I meant the postfix log which records (part of) the SMTP session:
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: connect from lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: A1DD3138084: client=lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/cleanup[29757]: A1DD3138084: message-id=<60fb01490808081715o2143519cm9fae9b002e18d1aa@mail.gmail.com>
Aug 9 02:15:34 intrepid postfix/qmgr[19655]: A1DD3138084: from= , size=7007, nrcpt=1 (queue active)
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: disconnect from lists4.suse.de[195.135.221.135]
Aug 9 02:15:41 intrepid postfix/local[29758]: A1DD3138084: to= , relay=local, delay=7.1, delays=0.12/6.9/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION")

Check it out in this email. Opensuse does not "blur" these.
It does. At the SMTP level. I'm looking at the protocol level, you are looking at the data level.
Yup. I'm looking at what is available in real data. You are looking at theory.

--
----------JSA---------
There are 10 kinds of people in this world, those that can read binary and those that can't.
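
The two views argued in this thread, side by side, as an added example that is not part of the original messages: the envelope sender (what the SMTP session and the postfix log show) and the earliest Received headers (the ones just above the body). The sample message, the `.example` hosts and the `EXPECTED_ORIGIN` table are constructed assumptions; the bounce address and the lists4.suse.de relay are taken from the log above.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample of a list-relayed message (hosts under .example are made up).
SAMPLE = (
    "Return-Path: <opensuse+bounces-67833-amedee=amedee.be@opensuse.org>\n"
    "Received: from lists4.suse.de (lists4.suse.de [195.135.221.135])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP\n"
    "Received: from relay.sender.example (relay.sender.example [192.0.2.25])\n"
    "\tby lists4.suse.de (Postfix) with ESMTP\n"
    "From: al4321@gmail.com\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

# Assumption: host suffixes expected among the earliest hops for a From: domain.
EXPECTED_ORIGIN = {"gmail.com": (".google.com",)}


def decode_verp(envelope_sender):
    """Return (address without the +extension, address embedded in the extension)."""
    local, _, domain = envelope_sender.rpartition("@")
    base, plus, ext = local.partition("+")
    embedded = None
    if plus and "=" in ext:  # e.g. bounces-67833-amedee=amedee.be
        user, _, user_domain = ext.rpartition("=")
        embedded = user.rsplit("-", 1)[-1] + "@" + user_domain
    return base + "@" + domain, embedded


def earliest_hosts(msg, hops=3):
    """Hosts named in the bottom-most Received headers (those just above the body)."""
    hosts = []
    for header in (msg.get_all("Received") or [])[-hops:]:
        hosts += re.findall(r"\b(?:from|by)\s+([\w.-]+)", header)
    return [h.lower() for h in hosts]


def assess(raw):
    msg = email.message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = earliest_hosts(msg)
    suffixes = EXPECTED_ORIGIN.get(from_domain)
    # Received lines below the first trusted relay are sender-supplied, so a
    # match proves nothing; only a mismatch is a usable hint.
    mismatch = bool(suffixes) and not any(h.endswith(suffixes) for h in hosts)
    return {"envelope": decode_verp(envelope), "from_domain": from_domain,
            "earliest_hosts": hosts, "origin_mismatch": mismatch}
```

The envelope address only ever identifies the list, so a session-level sender check passes, while the header check flags the message because none of the earliest hops names a host under the suffix assumed for gmail.com.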