4 Replies Latest reply on Jan 4, 2011 1:26 PM by runcmd

    Mail Header: From vs. Envelope-From

    runcmd

      One of our departments has contracted a third-party service to send newsletters to employees.  Although I have provided this organization with a bogus internal email address to spoof when sending these messages, which I have whitelisted, the messages are still being quarantined.  Here's a fudged sample message header...

      Received: from MyBogusDomain.com (nnn.nnn.nnn.nnn) by MyInternalMailServer.MyBogusDomain.com (nnn.nnn.nnn.nnn) with
      Microsoft SMTP Server id n.n.nnn.n; Thu, 9 Dec 2010 13:52:40 -0500
      Received: from ([nnn.nnn.nnn.nnn]) by ironmail.MyBogusDomain.com with ESMTP id
      [IMSN].27127630; Thu, 09 Dec 2010 13:47:33 -0500
      Received: by Whatever.SendersBogusDomain.com (PowerMTA(TM) v3.5r15) id [id] for
      <MyAddress@MyBogusDomain.com>; Fri, 10 Dec 2010 04:29:46 +1100
      (envelope-from <MyCompany-[RandomCharacters]@SendersOtherBogusDomain.com>)
      From: My Company <WhiteListedAddress@MyBogusDomain.com>
      To: "MyAddress@MyBogusDomain.com" <MyAddress@MyBogusDomain.com>
      Reply-To: WhiteListedAddress@MyBogusDomain.com
      Date: Fri, 10 Dec 2010 04:29:41 +1100
      Subject: This is the Subject Line

      The newsletter service is supposed to be spoofing the "WhiteListedAddress@MyBogusDomain.com" address I provided.  The "From" address does show as "WhiteListedAddress@MyBogusDomain.com" when viewed in Outlook; however, IronMail is seeing the sender as "MyCompany-[RandomCharacters]@SendersOtherBogusDomain.com" and NOT the whitelisted "WhiteListedAddress@MyBogusDomain.com" address.  The "MyCompany-[RandomCharacters]@SendersOtherBogusDomain.com" is showing as the "envelope-from" address in the mail header.  Has anyone seen this before?  Is this something the sending mail server is adding?  I don't recall seeing an "envelope-from" in a mail header before.  Is it normal for IronMail to pick up on that as the sender?

      Thanks!

        • 1. Re: Mail Header: From vs. Envelope-From
          ijahnke

          The address the ironmail uses to determine whitelists is the 821 address which is:

          [IMSN].27127630; Thu, 09 Dec 2010 13:47:33 -0500
          Received: by Whatever.SendersBogusDomain.com (PowerMTA(TM) v3.5r15) id [id] for
          <MyAddress@MyBogusDomain.com>; Fri, 10 Dec 2010 04:29:46 +1100
          (envelope-from <MyCompany-[RandomCharacters]@SendersOtherBogusDomain.com>)

          The rest is the 822 header

          From: My Company <WhiteListedAddress@MyBogusDomain.com>
          To: "MyAddress@MyBogusDomain.com" <MyAddress@MyBogusDomain.com>
          Reply-To: WhiteListedAddress@MyBogusDomain.com
          Date: Fri, 10 Dec 2010 04:29:41 +1100
          Subject: This is the Subject Line

          Anything in the from, to, date, subject is considered the 822 address. Unfortunately the 822 is part of the envelope which isn't parsed until it's in the superq.

          • 2. Re: Mail Header: From vs. Envelope-From
            runcmd

             Thanks for the response, Ivan.  It's good to know that IronMail looks at the envelope header stamped by the sending mail server for whitelisting, as opposed to the message header.  If I understand correctly then, the PowerMTA mail server is presenting the email as from the non-whitelisted address, even though the message header shows it as from the whitelisted address.  That's why it appears in Outlook as from the whitelisted address but IronMail sees it as from the non-whitelisted address.  In other words, when the SMTP connection is established with our IronMail server, the sending mail server is using a "MAIL FROM:" of a non-whitelisted address but is using the whitelisted address in a "From:" line in the DATA.  The former becomes the envelope header and the latter the message header.  Did I get that right?

            • 3. Re: Mail Header: From vs. Envelope-From
              ijahnke

              Correct.

              An SMTP conversation goes as follows:


              EHLO mcafeesupport.com
              250-ESMTP Server Ready
              250-SIZE 0
              250-DSN
              250-STARTTLS
              250 TLS
              MAIL FROM: <support@mcafee.comn>
              250 +OK Sender OK
              RCPT TO: <spartan@mfesupport.com> SIZE=43251
              250 +OK Recipient OK
              DATA
              354 Start mail input, end with '<CR><LF>.<CR><LF>'
              TO: spartan
              FROM: whitelistedAddress@mydom.com
              SUBJECT: test


              As you can see there are two different FROM addresses.


              Basically anything past the DATA command is the 822 headers. These headers are considered to be part of the email message itself and are sent to the ripq to be separated and then parsed by the superq. So in order for this scenario to work, you would have to whitelist the 821 email address (support@mcafee.comn).


              In the scenario that you have proposed there may be an issue with the sending domain, as it appears that the FROM email address may have some randomly generated numbers applied to it. If this is the case then you will need to either whitelist the domain or talk to their system admin and see if they can send from a specific address.
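As an added diagnostic for the 821-vs-822 distinction in replies 1 and 3 (example code written for this page, not from the thread or from McAfee), the script below pulls both sender addresses out of a header block like the one quoted in the question and shows which one a whitelist keyed on the envelope sender actually sees. The message text, domains and addresses are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the header quoted in the question; every name is a placeholder.
RAW_MESSAGE = """\
Received: from ([192.0.2.10]) by ironmail.example.com with ESMTP id
 [IMSN].27127630; Thu, 09 Dec 2010 13:47:33 -0500
Received: by mta.newsletter-sender.example (PowerMTA(TM) v3.5r15) id abc123 for
 <employee@example.com>; Fri, 10 Dec 2010 04:29:46 +1100
 (envelope-from <mycompany-x7q9z@bounces.sender.example>)
From: My Company <newsletter@example.com>
To: employee@example.com
Subject: This is the Subject Line

Newsletter body.
"""

ENVELOPE_FROM_RE = re.compile(r"\(envelope-from\s+<([^>]+)>\)", re.IGNORECASE)


def envelope_from(msg):
    # The SMTP MAIL FROM (RFC 821) sender is not a header of its own; it survives only where an
    # MTA wrote it down: a Return-Path: header on final delivery, or an "(envelope-from <...>)"
    # comment inside a Received: header, as in the quoted sample.
    return_path = msg.get("Return-Path")
    if return_path:
        return parseaddr(str(return_path))[1].lower()
    for received in msg.get_all("Received", []):
        match = ENVELOPE_FROM_RE.search(str(received))
        if match:
            return match.group(1).lower()
    return None


def header_from(msg):
    # The RFC 822 From: header, i.e. what Outlook displays as the sender.
    return parseaddr(str(msg.get("From", "")))[1].lower()


def whitelist_verdict(raw, whitelist):
    # Evaluate one whitelist against both addresses so the mismatch is visible side by side.
    msg = email.message_from_string(raw, policy=policy.default)
    env, hdr = envelope_from(msg), header_from(msg)
    return {
        "envelope_from": env,
        "header_from": hdr,
        "header_whitelisted": hdr in whitelist,
        "envelope_whitelisted": env in whitelist,
    }
```

For the sample above, whitelisting only the displayed From: address leaves envelope_whitelisted False, which is the behaviour the thread describes.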

              • 4. Re: Mail Header: From vs. Envelope-From
                runcmd

                Yeah, I figured I could whitelist the sender's domain but I'm loath to do that because I see messages from the same domain (and mail server IP) that could potentially be classified as unwanted by our users.  I'm going to press the service provider to look at their mail server and determine why they aren't forging the whitelisted address I provided them.  Thanks for all your help on this.  That really clears it up!