[unisog] Rejecting incoming mail with from addresses in your own domain.

Steve VanDevender stevev at darkwing.uoregon.edu
Tue Jul 22 02:24:31 GMT 2003


Russell Fulton writes:
 > The mail that triggered this though was sent to at least one researcher
 > in our medical school and purported to be an advertisement for DNA
 > analysis software.  If one followed the links and downloaded the trial
 > versions you ended up with some sort of spy ware installed on your
 > system.  The email had a From: header of DNAuser at auckland.ac.nz.  I am
 > also sure that everyone agrees that spammers and worms frequently use
 > From: headers in the recipient's domain to make the message appear more
 > trustworthy.

If someone wants to do this kind of social engineering, they can just as
easily forge a valid domain that isn't yours if you happen to block
incoming mail that is apparently from your domain.

Which thing are you proposing to block on -- the envelope sender
(specified in the SMTP "MAIL From:") or the header sender (in the
"From:" header)?  Either way, you are likely to cause problems for
legitimate off-campus users who are using other ISPs but sending mail
using their university addresses, especially if they can't all use your
SMTP-over-TLS solution (some ISPs block all port 25 connections except
those to their own mail hosts).

I suspect the kind of blocking you are proposing won't buy you much in
the way of real security but will bring you a lot of headaches, and will
be difficult to get right.  There are probably much better measures you
could take to prevent social engineering or mail worm propagation than
this.
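The distinction drawn above between the envelope sender (SMTP MAIL FROM) and the header sender (the From: header) is easy to lose in practice, because the two are set independently and legitimately differ for an off-campus user relaying through an ISP. The following Python is an added illustration, not code from the post or the unisog list: it parses three constructed SMTP transcripts and shows what an envelope-based and a header-based block would each do. The domain example.edu, the ISP host isp.example.net and the three sample sessions are all assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed local domain for the policy check (placeholder, not from the post).
LOCAL_DOMAIN = "example.edu"

# Constructed transcript 1: a legitimate off-campus user sending through an
# ISP's relay. The envelope sender is the ISP address; the From: header
# carries the university address. This is the false-positive case.
OFFCAMPUS_USER = """\
MAIL FROM:<alice@isp.example.net>
RCPT TO:<bob@example.edu>
DATA
From: Alice <alice@example.edu>
To: bob@example.edu
Subject: draft

hello
.
"""

# Constructed transcript 2: a forgery that claims the local domain in both
# the envelope and the header, the case the proposed block is aimed at.
FORGED_LOCAL = """\
MAIL FROM:<trialuser@example.edu>
RCPT TO:<bob@example.edu>
DATA
From: trialuser@example.edu
To: bob@example.edu
Subject: analysis software

download the trial
.
"""

# Constructed transcript 3: the same forgery using some other valid domain,
# which neither form of local-domain blocking would touch.
FORGED_OTHER = """\
MAIL FROM:<trialuser@vendor.example.org>
RCPT TO:<bob@example.edu>
DATA
From: trialuser@vendor.example.org
To: bob@example.edu
Subject: analysis software

download the trial
.
"""


def envelope_sender(session):
    """Return the reverse-path from the SMTP MAIL FROM command ('' for a null sender)."""
    for line in session.splitlines():
        m = re.match(r"(?i)MAIL FROM:\s*<([^>]*)>", line)
        if m:
            return m.group(1)
    raise ValueError("no MAIL FROM in session")


def header_from(session):
    """Return the address in the From: header of the DATA section."""
    body = session.split("DATA\n", 1)[1]
    body = body.rsplit("\n.\n", 1)[0]  # drop the end-of-data marker
    msg = message_from_string(body)
    return parseaddr(msg.get("From", ""))[1]


def domain_of(addr):
    """Domain part of an address, lower-cased; '' for a null sender."""
    return addr.rpartition("@")[2].lower()


def would_reject(session, policy, local_domain=LOCAL_DOMAIN):
    """Apply a 'reject mail claiming to be from our own domain' rule.

    policy == "envelope" checks MAIL FROM; policy == "header" checks From:.
    Returns True when the rule would reject the session.
    """
    if policy == "envelope":
        addr = envelope_sender(session)
    elif policy == "header":
        addr = header_from(session)
    else:
        raise ValueError("policy must be 'envelope' or 'header'")
    return domain_of(addr) == local_domain.lower()


def outcomes(session):
    """Both policies' verdicts for one session, as a dict."""
    return {p: would_reject(session, p) for p in ("envelope", "header")}


if __name__ == "__main__":
    for name, s in (("off-campus user", OFFCAMPUS_USER),
                    ("forged local", FORGED_LOCAL),
                    ("forged other domain", FORGED_OTHER)):
        print(name, outcomes(s))
```

Run on the three transcripts, the off-campus user is passed by the envelope rule but rejected by the header rule, the local-domain forgery is rejected by both, and the forgery using another domain is passed by both, which is the point made above about the attacker simply picking a different valid domain.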


