[Esa-l]Help with hybris getting thru filters

Rick Thompson rthompson at motleypc.com
Wed Jun 6 07:08:33 PDT 2001


Ok....things are becoming a little clearer.

The actual email header:

Return-Path: <MAILER-DAEMON at prometheus.motleypc.com>
Received: from oemcomputer ([206.99.228.55])
	by prometheus.motleypc.com (8.11.0/8.11.0/SuSE Linux 8.11.0-0.4) with SMTP
id f55CTwA07640
	for <gmcallister at motleypc.com>; Tue, 5 Jun 2001 08:29:58 -0400
Date: Tue, 5 Jun 2001 08:29:58 -0400
Message-Id: <200106051229.f55CTwA07640 at prometheus.motleypc.com>
From: Hahaha <hahaha at sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEVSXIB"
To: undisclosed-recipients:;
X-UIDL: fdefb34e8bfa370e00c24fc7e92ac0a7



Anybody with a guess as to why the return-path is my own mail server?  The
mail message got an internal messageid which let it bypass the filter.  Why
didn't this get the messageid from the mailserver it originated from?

-----Original Message-----
From: esa-l-admin at spconnect.com [mailto:esa-l-admin at spconnect.com]On
Behalf Of Angus Lees
Sent: Wednesday, June 06, 2001 9:41 AM
To: Rick Thompson
Cc: Email Security Announce list
Subject: Re: [Esa-l]Help with hybris getting thru filters


On Wed, Jun 06, 2001 at 09:15:12AM -0400, Rick Thompson wrote:
> One of my users received an email this morning that bypassed the procmail
> filter altogether.  The headers didn't have the "sanitized on" info.
>
> From the sendmail log:
>
> Jun  5 08:30:10 prometheus sendmail[7640]: f55CTwA07640: from=<>,
> size=31779, class=0, nrcpts=1,
> msgid=<200106051229.f55CTwA07640 at prometheus.motleypc.com>, proto=SMTP,
> daemon=MTA, relay=[206.99.228.55]
> Jun  5 08:30:11 prometheus sendmail[7641]: f55CTwA07640:
> to=<gmcallister at motleypc.com>, delay=00:00:13, xdelay=00:00:01,
> mailer=local, pri=61629, dsn=2.0.0, stat=Sent
>
> Notice the  "from=<>"
>
> The attachment was a .scr, which is supposed to be mangled and poisoned
> (neither of which happened in this case).
>
>
>
> From my procmailrc if it helps:
>
> :0
> * ^(From|Message-ID|Sender): .*@([^>, ]+\.)*motleypc\.com([>, ].*)*$
> $DEFAULT

erm, when a message arrives with (as this one did):

 Message-ID: 200106051229.f55CTwA07640 at prometheus.motleypc.com

surely it's going to be delivered directly to $DEFAULT, bypassing the
filter?


Or am I missing something here?

--
 - Gus
_______________________________________________
E-mail Security Announce list mailing list
E-mail Security Announce list at spconnect.com
http://www.spconnect.com/mailman/listinfo/esa-l
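To check Gus's reading of the recipe, here is its condition replayed in Python over the headers quoted above (an added example, not part of the thread and not procmail's own code). The "hardened" rule that drops Message-ID from the whitelist, and the alice@motleypc.com sample message, are my assumptions.

```python
import re

# Constructed sample: the headers quoted in the thread, with the archive's
# " at " obfuscation turned back into "@". The Message-Id line was generated by
# the receiving sendmail (the queue id f55CTwA07640 appears in both Received
# and Message-Id) because the remote sender supplied none.
WORM_HEADERS = """\
Return-Path: <MAILER-DAEMON@prometheus.motleypc.com>
Received: from oemcomputer ([206.99.228.55])
\tby prometheus.motleypc.com (8.11.0/8.11.0/SuSE Linux 8.11.0-0.4) with SMTP
\tid f55CTwA07640
\tfor <gmcallister@motleypc.com>; Tue, 5 Jun 2001 08:29:58 -0400
Date: Tue, 5 Jun 2001 08:29:58 -0400
Message-Id: <200106051229.f55CTwA07640@prometheus.motleypc.com>
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
"""

# Constructed sample of a genuinely local message (assumed address).
LOCAL_HEADERS = """\
From: Alice Example <alice@motleypc.com>
Message-Id: <20010606.example@prometheus.motleypc.com>
Subject: internal memo
"""

LOCAL_DOMAIN = r"motleypc\.com"

def procmail_rule(*header_names):
    # procmail conditions are case-insensitive and match line by line, hence
    # re.IGNORECASE | re.MULTILINE; the rest is the recipe's pattern verbatim.
    names = "|".join(header_names)
    return re.compile(
        r"^(" + names + r"): .*@([^>, ]+\.)*" + LOCAL_DOMAIN + r"([>, ].*)*$",
        re.IGNORECASE | re.MULTILINE,
    )

# The recipe from the thread: any of these three headers with a local address
# routes the message straight to $DEFAULT, skipping the sanitizer.
ORIGINAL_RULE = procmail_rule("From", "Message-ID", "Sender")

# Hardened variant (assumption): Message-ID is dropped, because the local MTA
# stamps one with its own hostname whenever a remote sender omits it.
HARDENED_RULE = procmail_rule("From", "Sender")

def whitelisted_by(rule, headers):
    """Return the header name that matched the rule, or None if no match."""
    m = rule.search(headers)
    return m.group(1) if m else None
```

The original rule matches the worm message on its MTA-generated Message-Id; the hardened rule does not, while still passing the local sample on its From line.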
