Mailinglist Archive: opensuse (2112 mails)

Re: [opensuse] Re: Email Security question: Hijacked email !!! was: Vista
  • From: "Amedee Van Gasse" <amedee@xxxxxxxxx>
  • Date: Sat, 9 Aug 2008 02:47:22 +0200 (CEST)
  • Message-id: <5234.81.82.3.9.1218242842.squirrel@xxxxxxxxxxxxxxxx>
On Sat, August 9, 2008 02:15, John Andersen wrote:
On Fri, Aug 8, 2008 at 5:03 PM, Amedee Van Gasse <amedee@xxxxxxxxx> wrote:
On Sat, August 9, 2008 01:32, John Andersen wrote:
On Fri, Aug 8, 2008 at 4:19 PM, Jim Henderson <hendersj@xxxxxxxxx>
wrote:
On Sat, 09 Aug 2008 00:52:37 +0200, Alexey Eremenko wrote:

I thought GMail would scan for all suspicious emails, and according to
logical something that arrived into my GMail, with "From:
al4321@xxxxxxxxx" - my email address, but never sent from my account is
spoof.

It means, that GMail isn't protected

As Patrick said, it never went through gmail's servers -

And as Alexey said it DID arrive in his Gmail mailbox which, by definition
means it DID go thru Gmail's server: inbound.

Gmail could have alerted Alexey that the mail was spoofed
if the first few received headers didn't indicate a gmail origin.

I'm not sure what good it would do, as no-one else would get this alert
except Alexey, but it seems do-able to me.

The listserve blurs things. If the spammer sent the email directly to
Alexey, yes then you have a point.
But it's not the spammer. Google sees a legitimate sender in the SMTP
session: opensuse.org. Checking for spoofing senders is an SMTP session
feature. That means at HELO (or EHLO). I don't know how I can explain
this. This is what I see in my postfix logs:


Aug 9 01:52:48 intrepid postfix/smtpd[27319]: connect from lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: 92C55138076: client=lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/cleanup[27322]: 92C55138076: message-id=<27061.81.82.3.9.1218239560.squirrel@xxxxxxxxxxxxxxxx>
Aug 9 01:52:48 intrepid postfix/qmgr[19655]: 92C55138076: from=<opensuse+bounces-67833-amedee=amedee.be@xxxxxxxxxxxx>, size=4454, nrcpt=1 (queue active)
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: disconnect from lists4.suse.de[195.135.221.135]


As you can see, the SMTP session only sees
opensuse+bounces-67833-amedee=amedee.be@xxxxxxxxxxxx as the sender, even
if the original sender was amedee@xxxxxxxxxx. By the way, there is a +
separator; that means for checking valid mailboxes you can ignore
everything after the +, so the sender address is really
opensuse@xxxxxxxxxxxxx

--
Amedee

--


When I said "First few Received Headers" I did NOT mean the top-most.

Neither did I.

I mean the first. Just above the body.

And I meant the postfix log which records (part of) the SMTP session:

Aug 9 02:15:34 intrepid postfix/smtpd[29764]: connect from lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: A1DD3138084: client=lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/cleanup[29757]: A1DD3138084: message-id=<60fb01490808081715o2143519cm9fae9b002e18d1aa@xxxxxxxxxxxxxx>
Aug 9 02:15:34 intrepid postfix/qmgr[19655]: A1DD3138084: from=<opensuse+bounces-67840-amedee=amedee.be@xxxxxxxxxxxx>, size=7007, nrcpt=1 (queue active)
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: disconnect from lists4.suse.de[195.135.221.135]
Aug 9 02:15:41 intrepid postfix/local[29758]: A1DD3138084: to=<amedee@xxxxxxxxx>, relay=local, delay=7.1, delays=0.12/6.9/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION")

Check it out in this email. Opensuse does not "blur" these.

It does. At the SMTP level. I'm looking at the protocol level, you are
looking at the data level.

--
Amedee

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
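The distinction Amedee draws above (the envelope sender seen in the SMTP session versus the From: header seen in the mailbox, plus the "+" extension in the list's bounce address) can be made concrete with a small parser. The following is an added example, not code from the thread or from openSUSE: it reads Postfix smtpd/cleanup/qmgr lines grouped by queue id, recovers the envelope sender (MAIL FROM) for a message, strips the recipient-delimiter extension as Amedee describes, and pairs it with the header From: of the same message. The log lines and the message are constructed here, with placeholder domains in place of the redacted ones on the page; the function and variable names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample log, modelled on the postfix lines quoted in the thread.
# Domains are placeholders (the originals are redacted on the page).
SAMPLE_LOG = """\
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: connect from lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: A1DD3138084: client=lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/cleanup[29757]: A1DD3138084: message-id=<msg-1@mail.example.com>
Aug 9 02:15:34 intrepid postfix/qmgr[19655]: A1DD3138084: from=<opensuse+bounces-67840-amedee=amedee.be@opensuse.org>, size=7007, nrcpt=1 (queue active)
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: disconnect from lists4.suse.de[195.135.221.135]
"""

# Constructed message as it lands in the mailbox: the From: header names the
# original author, while the SMTP session above carried the list's address.
SAMPLE_MESSAGE = """\
From: John Andersen <john@example.com>
To: opensuse@opensuse.org
Subject: Re: Email Security question
Message-ID: <msg-1@mail.example.com>

body
"""

# One regex per log record type; group 1 is always the queue id.
_RE_CLIENT = re.compile(r'postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+)')
_RE_FROM = re.compile(r'postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>')
_RE_MSGID = re.compile(r'postfix/cleanup\[\d+\]: ([0-9A-F]+): message-id=<([^>]*)>')


def parse_postfix_log(text):
    """Group smtpd/cleanup/qmgr records by queue id -> {qid: {field: value}}."""
    entries = {}
    patterns = (("client", _RE_CLIENT),
                ("envelope_from", _RE_FROM),
                ("message_id", _RE_MSGID))
    for line in text.splitlines():
        for field, rx in patterns:
            m = rx.search(line)
            if m:
                entries.setdefault(m.group(1), {})[field] = m.group(2)
    return entries


def strip_extension(address, separator="+"):
    """Drop the recipient-delimiter extension, as Amedee describes:
    opensuse+bounces-...@example -> opensuse@example."""
    local, _, domain = address.rpartition("@")
    base = local.split(separator, 1)[0]
    return f"{base}@{domain}"


def domain_of(address):
    return address.rpartition("@")[2].lower()


def compare_sender_views(log_text, raw_message):
    """Pair the SMTP-level sender (from the log) with the header From: of the
    same message, matched on Message-ID. Returns None if no log entry matches."""
    msg = message_from_string(raw_message)
    msgid = msg["Message-ID"].strip("<>")
    header_from = parseaddr(msg["From"])[1]
    for qid, entry in parse_postfix_log(log_text).items():
        if entry.get("message_id") == msgid and "envelope_from" in entry:
            env = entry["envelope_from"]
            return {
                "queue_id": qid,
                "smtp_client": entry.get("client"),
                "envelope_from": env,
                "envelope_mailbox": strip_extension(env),
                "header_from": header_from,
                # False here is the normal case for list traffic: the envelope
                # belongs to the list, the header From: to the original author.
                "envelope_domain_matches_header": domain_of(env) == domain_of(header_from),
            }
    return None


if __name__ == "__main__":
    for key, value in compare_sender_views(SAMPLE_LOG, SAMPLE_MESSAGE).items():
        print(f"{key:32} {value}")
```

The point the output makes is the one in the thread: a sender check done in the SMTP session (on the client or on the MAIL FROM address) evaluates the list's address and host, so it says nothing about whether the From: header inside the data was written by the person it names. Any check of the header From: has to be a separate, data-level step.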
