Does this email suggest a vulnerability in my mail server?
Return-Path: <
X-Original-To:
Delivered-To:
Received: from billgates (unknown [59.44.75.105])
by mail.mailserver.com (Postfix) with SMTP id 842104C55
for <
Message-Id: <
Date: Fri, 16 Jun 2006 03:12:31 -0400 (EDT)
From:
To: undisclosed-recipients:;
Status:
----------------End email------------------
mail.log:
Jun 16 03:12:27 www postfix/smtpd[17493]: connect from unknown[59.44.75.105]
Jun 16 03:12:32 www postfix/smtpd[17493]: 842104C55: client=unknown[59.44.75.105]
Jun 16 03:12:34 www postfix/cleanup[17496]: 842104C55: message-id=<
Jun 16 03:12:34 www postfix/qmgr[24375]: 842104C55: from=<
Jun 16 03:12:34 www postfix/local[17497]: 842104C55: to=<
Jun 16 03:12:34 www postfix/qmgr[24375]: 842104C55: removed
Jun 16 03:12:35 www postfix/smtpd[17493]: disconnect from unknown[59.44.75.105]
We use postfix and pop-before-smtp.
User DPmkV is not a valid user on mailserver.com. User DPmkV should, therefore, not be able to send from mailserver.com. User realuser is a valid user on mailserver.com. If this went through some other mail server, realuser would necessarily receive it.
I cannot tell if there is a threat at hand or if the From: and Return-Path: are simply spoofed. Any ideas? Obviously if we've got a hole, I want to close it.
TIA
1 Reply
So I don't think it's a hole. IMO it wouldn't be worth the overhead to do additional checking such as cross-checking valid From: addresses against real users. It would solve the problem until the spammer started sending mail with From: and To: as the same address.
It's also possible that this is realuser, who wanted to send an email to themselves, had no relay server available to them, and was too lazy to type their name in the From: box.
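The distinction the thread turns on is visible in mail.log: the message above was handed to `postfix/local` (delivered to a local mailbox), not to `postfix/smtp` with a `relay=` pointing at some remote MX, so it is inbound mail with a forged local sender rather than evidence of an open relay. The script below is an added example, not code from the original post or from Postfix; it groups log lines by queue ID and applies that test. The log lines, queue IDs and addresses are constructed for the example and modelled on the page's format; `LOCAL_DOMAINS`, `LOCAL_USERS` and `TRUSTED_PREFIXES` are assumptions standing in for this server's real domain, mailbox list and relaying networks (mynetworks or the pop-before-smtp access map).

```python
import re
from collections import defaultdict

# Assumptions for the example: the server's own domain and its real mailboxes.
LOCAL_DOMAINS = {"mailserver.com"}
LOCAL_USERS = {"realuser"}
# Client addresses allowed to relay outbound (mynetworks / pop-before-smtp); assumption.
TRUSTED_PREFIXES = ("127.", "10.", "192.168.")

# Constructed sample mail.log excerpt modelled on the page's format. Queue IDs and
# addresses are invented. Message 1: inbound to a local mailbox with a forged local
# sender. Message 2: a hypothetical untrusted client relaying to a remote domain.
# Message 3: a trusted internal client sending outbound mail.
SAMPLE_LOG = """\
Jun 16 03:12:27 www postfix/smtpd[17493]: connect from unknown[59.44.75.105]
Jun 16 03:12:32 www postfix/smtpd[17493]: A1B2C3D4E5: client=unknown[59.44.75.105]
Jun 16 03:12:34 www postfix/qmgr[24375]: A1B2C3D4E5: from=<DPmkV@mailserver.com>, size=1234, nrcpt=1 (queue active)
Jun 16 03:12:34 www postfix/local[17497]: A1B2C3D4E5: to=<realuser@mailserver.com>, relay=local, delay=2, status=sent (delivered to mailbox)
Jun 16 03:12:34 www postfix/qmgr[24375]: A1B2C3D4E5: removed
Jun 16 03:12:35 www postfix/smtpd[17493]: disconnect from unknown[59.44.75.105]
Jun 16 04:01:10 www postfix/smtpd[17600]: F6E5D4C3B2: client=unknown[203.0.113.7]
Jun 16 04:01:11 www postfix/qmgr[24375]: F6E5D4C3B2: from=<DPmkV@mailserver.com>, size=2048, nrcpt=1 (queue active)
Jun 16 04:01:12 www postfix/smtp[17610]: F6E5D4C3B2: to=<victim@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1, status=sent (250 OK)
Jun 16 04:01:12 www postfix/qmgr[24375]: F6E5D4C3B2: removed
Jun 16 08:15:02 www postfix/smtpd[17701]: C7D8E9F0A1: client=workstation.mailserver.com[192.168.1.5]
Jun 16 08:15:03 www postfix/qmgr[24375]: C7D8E9F0A1: from=<realuser@mailserver.com>, size=900, nrcpt=1 (queue active)
Jun 16 08:15:04 www postfix/smtp[17710]: C7D8E9F0A1: to=<friend@example.net>, relay=mx.example.net[198.51.100.3]:25, delay=1, status=sent (250 OK)
Jun 16 08:15:04 www postfix/qmgr[24375]: C7D8E9F0A1: removed
"""

# Only lines carrying a queue ID matter; connect/disconnect lines have none.
LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>,\s*relay=(?P<relay>[^,]+)")


def parse_log(text):
    """Reassemble, per queue ID, the events Postfix scatters across smtpd/qmgr/local/smtp."""
    msgs = defaultdict(lambda: {"client_ip": None, "sender": None, "recipients": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = msgs[m["qid"]]
        rest = m["rest"]
        if c := CLIENT_RE.search(rest):
            rec["client_ip"] = c["ip"]                      # smtpd: who connected
        elif f := FROM_RE.search(rest):
            rec["sender"] = f["addr"]                        # qmgr: envelope sender
        elif t := TO_RE.search(rest):
            rec["recipients"].append((t["addr"], t["relay"].strip()))  # delivery agent + relay
    return dict(msgs)


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(rec):
    """A hole means an untrusted client got mail relayed to a remote domain.
    A forged local sender delivered into a local mailbox is spoofing, not a hole."""
    sender = rec["sender"] or ""
    local_sender = domain_of(sender) in LOCAL_DOMAINS
    forged = local_sender and sender.split("@", 1)[0].lower() not in LOCAL_USERS
    trusted = rec["client_ip"] is not None and rec["client_ip"].startswith(TRUSTED_PREFIXES)
    relayed = [addr for addr, relay in rec["recipients"]
               if relay != "local" and domain_of(addr) not in LOCAL_DOMAINS]
    if relayed and not trusted:
        verdict = "open-relay-suspect"
    elif relayed:
        verdict = "relay-from-trusted-client"
    elif forged:
        verdict = "inbound-forged-local-sender"
    else:
        verdict = "inbound"
    return {"verdict": verdict, "sender": sender,
            "client_ip": rec["client_ip"], "relayed_to": relayed}


def triage(text):
    """Map queue ID -> verdict for every message in a mail.log excerpt."""
    return {qid: classify(rec) for qid, rec in parse_log(text).items()}


if __name__ == "__main__":
    for qid, result in triage(SAMPLE_LOG).items():
        print(qid, result["verdict"], result["sender"], result["client_ip"], result["relayed_to"])
```

Run it over a real mail.log and look only for `open-relay-suspect`; on the page's own excerpt the delivery agent is `postfix/local`, which lands in the `inbound-forged-local-sender` bucket. Note that the check cannot catch a spammer who forges an existing mailbox as the sender, which is the limitation the reply points out.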