Who is the right sender?
@Ivo:
Emails have two types of sender addresses: the SMTP envelope sender address (which is submitted by the sender server during the SMTP transport in the MAIL FROM: command, see http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example), and the MIME sender address, which is stored in the header of the email. ORF works with (and logs) the SMTP sender address, while your email client (like Outlook) will display the MIME header sender address.
The two addresses usually match, but not necessarily: the Bcc: addressing, mailing lists, CRM software and other systems with automatic bounce-handling also often take advantage of this. Spammers often use different SMTP and MIME addresses to confuse the recipient (e.g., using the target recipient's own email address in the From: field, so it appears as if the spam was sent by the user to himself or herself), but so do legitimate senders, so spam cannot be blocked based on this fact alone.
In this case, the SMTP sender address was while the MIME sender address was another address with your domain name in it.
To solve this problem, I recommend blacklisting your own domain in the MIME From: field of incoming emails. This should not cause any false positives, since ORF does not filter internal and outgoing emails:
1. Start the Administration Tool
2. Make sure the Keyword Blacklist test is enabled (Configuration / Tests / Tests)
3. Expand Configuration / Filtering - On Arrival / Keyword Blacklist in the left navigation tree
4. Click New
5. On the Filter Properties tab, set the Search scope radio button to "Raw MIME"
6. Add a comment text, so you can identify the filter later, e.g. "MIME spoof filter regex"
7. On the Filter Expression tab, add the following expression (replace yourdomain\.com with your actual domain name, with the dot characters preceded by \ characters):
.*^From:[^\r\n]*\b[^\r\n]*@yourdomain\.com\b[^\r\n]*\s$
8. Set the Expression type to "Regular expression (Perl-compatible)"
9. Click OK, and press Ctrl + S to save the configuration.
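The envelope/MIME distinction from the reply above, as an added example that is not part of the original thread and not ORF's own code: it compares the SMTP MAIL FROM address with the MIME From: header and runs the posted expression over the raw message. The sample messages, the addresses in them and the function names are constructed for illustration, and multi-line matching for ^ and $ is an assumption about how the expression is evaluated.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

OWN_DOMAIN = "yourdomain.com"  # placeholder from the post; use your real domain

# Expression from the post. Assumption: ^ and $ match at line boundaries.
MIME_FROM_RE = re.compile(
    r".*^From:[^\r\n]*\b[^\r\n]*@yourdomain\.com\b[^\r\n]*\s$", re.MULTILINE)

def domain_of(addr):
    """Lower-cased domain part of an address ('' for the null sender)."""
    return addr.rpartition("@")[2].lower()

def check_message(envelope_sender, raw_mime):
    """Compare the SMTP envelope sender with the MIME From: header."""
    msg = message_from_string(raw_mime, policy=policy.default)
    headers = [str(h) for h in msg.get_all("From", [])]
    header_domains = {domain_of(a) for _, a in getaddresses(headers) if "@" in a}
    return {
        "envelope_domain": domain_of(envelope_sender),
        "header_domains": sorted(header_domains),
        # A mismatch alone is not proof of spam (mailing lists do it too).
        "mismatch": domain_of(envelope_sender) not in header_domains,
        # What the keyword blacklist targets: own domain in an inbound From:.
        "own_domain_in_from": OWN_DOMAIN in header_domains,
        "regex_hit": bool(MIME_FROM_RE.search(raw_mime)),
    }

def build(from_header):
    """Constructed inbound message with CRLF line endings, as on the wire."""
    lines = ["From: " + from_header, "To: user@yourdomain.com",
             "Subject: constructed sample", "", "body", ""]
    return "\r\n".join(lines)

# Constructed samples: (envelope sender, raw MIME)
SPOOFED = ("bounce@external.example", build("User <user@yourdomain.com>"))
MAILING_LIST = ("list-bounces@lists.example", build("Alice <alice@partner.example>"))

if __name__ == "__main__":
    for name, (env, raw) in (("spoofed", SPOOFED), ("list", MAILING_LIST)):
        print(name, check_message(env, raw))
```

Both samples show an envelope/header mismatch, but only the spoofed one carries the local domain in From:, which is the condition the filter keys on. The To: line containing the local domain does not trigger the expression because the match is anchored to the From: line.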
We have a sender blacklist rule which blocks all external e-mails where the sender would be our domain. An external sender can never be from our domain! Such a rule works perfectly!
Now the problem:
ORF detects sender and passes the message on to MS Exchange 2010.
MS Exchange 2010 in the same e-mail detects sender from our domain???!!!
How is that possible???
If ORF would detect the right sender then our rule mentioned above would block such e-mail.