Johannes Wiedersich wrote:
> Rolando Pereira wrote:
> > (And if he had nothing to do, how come my email went to his mailbox
> > directly?)
>
> ... because someone sent an email with his forged from-address:

Yes it was forged. No one was more surprised than myself to see that
message show up on the mailing list! (Go away for a few days and
everything falls apart. :-) For the record I did not originate it. It
is strange that someone would take the time to craft an individual one
such as this.

This is not the first time I have been a victim of a "joe-job" but it
has been a while. I guess it is time to return to sending signed
emails again. Apologies in advance to those who dislike those but it
is the only way to be sure of the author.

> An apparently legitimate mail contains
> Received: by dementia.proulx.com (Postfix, from userid 1000)

Usually yes since that is my desktop. But that is not strictly
required and when traveling I may use my laptop. But regardless of the
machine I used to compose the message upon I will be sending my email
through my site's mail relay hub and the following header would always
appear.

  Received: from joseki.proulx.com (joseki.proulx.com [216.17.153.58])
          by murphy.debian.org (Postfix) with ESMTP id 235FD2DE1F
          for <debian-user@lists.debian.org>; Mon, 20 Aug 2007 05:11:05 +0000 (UTC)

Presumably we can trust murphy.debian.org sufficiently to believe the
header that it places in the message saying hostname and IP of where
it received the email. If the header path from there to your mailbox
is continuous and trustworthy then you can believe where the email was
injected into the mailing list based upon that header. In my case
messages that do not come through my domain are definitely suspect.

I publish SPF records to help curb some types of forgeries. SPF is not
perfect but it does do a good job of defining where legitimate email
from a domain can appear. (Please, no discussion in this thread about
the merits or lack thereof of SPF.)

The actual record is a little more complicated than this (I also
publish an "exists" test too) but in simple form it looks like this:

  proulx.com "a -all"

Decoding this says that email from the IP address of proulx.com is
okay because it matches the "a" record. Mail from other IP addresses
can be rejected. The IP address for proulx.com from DNS will be
updated if this address changes.

> PS: Thanks for spotting this, Florian!

Thanks Florian for spotting this and calling it out! Also thanks
Johannes for the email header check. I appreciate you guys looking
out for me!

Bob
Attachment:
signature.asc
Description: Digital signature
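
The header check described in the message above, as an added example that is not part of the original post: it walks the Received chain from the reader's mailbox back to the list server, requires each hop to be stamped by the host the previous trusted hop named, and compares the IP the list server recorded with the addresses the sender's simplified "a -all" record allows. The reader's relay mx.example.net, the 192.0.2.x and 203.0.113.x addresses and the sample messages are constructed, and the allowed set assumes the "a" mechanism resolves to the relay address quoted in the message.

```python
import email
import re

BY_RE = re.compile(r"\bby\s+(\S+)")
FROM_RE = re.compile(r"\bfrom\s+\S+\s+\((\S+)\s+\[([^\]]+)\]\)")

def injection_ip(raw, list_host, my_hosts):
    """IP the list server recorded for the client that handed it the message,
    or None when the Received chain back to the list server is not continuous."""
    expected = None  # peer name recorded by the previous (trusted) hop
    # Each relay prepends its header, so the newest hop comes first.
    for value in email.message_from_string(raw).get_all("Received", []):
        by, peer = BY_RE.search(value), FROM_RE.search(value)
        stamper = by.group(1).lower() if by else None
        if not peer or (expected and stamper != expected):
            return None  # gap: this header was not written by the expected host
        if stamper == list_host:
            return peer.group(2)
        if stamper not in my_hosts:
            return None  # an untrusted hop sits above the list server
        expected = peer.group(1).lower()
    return None

def check(raw, list_host, my_hosts, allowed_ips):
    ip = injection_ip(raw, list_host, my_hosts)
    if ip is None:
        return "unverifiable"
    return "pass" if ip in allowed_ips else "fail"

# Constructed inputs: mx.example.net, 192.0.2.10 and 203.0.113.7 are invented.
# ALLOWED is an assumption: the address the "a" mechanism is taken to resolve to.
LIST_HOST, MY_HOSTS = "murphy.debian.org", {"mx.example.net"}
ALLOWED = {"216.17.153.58"}
TOP = ("Received: from murphy.debian.org (murphy.debian.org [192.0.2.10])\n"
       "\tby mx.example.net (Postfix) with ESMTP id 0000000000\n")
TAIL = ("Received: by dementia.proulx.com (Postfix, from userid 1000)\n"
        "Subject: constructed sample\n\nbody\n")
GENUINE = TOP + (
    "Received: from joseki.proulx.com (joseki.proulx.com [216.17.153.58])\n"
    "\tby murphy.debian.org (Postfix) with ESMTP id 235FD2DE1F\n") + TAIL
FORGED = TOP + (  # HELO and the lowest header copy the real ones; the IP cannot
    "Received: from joseki.proulx.com (unknown [203.0.113.7])\n"
    "\tby murphy.debian.org (Postfix) with ESMTP id 0000000001\n") + TAIL
SPLICED = (  # never passed the list server; its header was pasted in by the sender
    "Received: from relay.example.org (relay.example.org [203.0.113.7])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 0000000002\n") + GENUINE[len(TOP):]
```

The SPLICED sample is the case the "continuous and trustworthy" condition guards against: the pasted list-server header carries the right IP, but the hop above it was received from a different host, so the result is "unverifiable" rather than "pass".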