[opendmarc-users] Fake mail (internal From: ourdomain) passed by opendmarc
Juri Haberland
juri at sapienti-sat.org
Wed Mar 15 05:19:14 PDT 2017
On 2017-03-15 11:55, Dominic Raferd wrote:
The real question is, why was the From: domain 'localhost'?
> Authentication-Results: ourdomain1.co.uk/E988D3E911; dmarc=none (p=none
> dis=none) header.from=localhost
> 2017-03-14 22:55:05 vps1234567 opendmarc[23616]: E988D3E911: localhost
> none
even though:
> From: =?utf-8?Q?AppleID?= <root at ourdomain1.co.uk>
Did some software (spam filter, some other milter, the MUA) change the
From: field? Maybe because it was originally something like "From:
AppleID <root>" or "From: AppleID <root at localhost>"?
> My theory at this stage is that because the email purports to be from
> root at ourdomain1.co.uk (which is the same domain as the mail server,
> though not the same FQDN) opendmarc has considered it to be from
> 'localhost', [...]
Unlikely, currently I can't think of a way how that could happen.
Juri
More information about the opendmarc-users
mailing list