[opendmarc-users] Fake mail (internal From: ourdomain) passed by opendmarc

Juri Haberland juri at sapienti-sat.org
Wed Mar 15 05:19:14 PDT 2017


On 2017-03-15 11:55, Dominic Raferd wrote:

The real question is, why was the From: domain 'localhost'?

> Authentication-Results: ourdomain1.co.uk/E988D3E911; dmarc=none (p=none dis=none) header.from=localhost

> 2017-03-14 22:55:05 vps1234567 opendmarc[23616]: E988D3E911: localhost none

even though:

> From: =?utf-8?Q?AppleID?= <root at ourdomain1.co.uk>

Did some software (spam filter, some other milter, the MUA) change the
From: field? Maybe because it was originally something like "From:
AppleID <root>" or "From: AppleID <root at localhost>"?

> My theory at this stage is that because the email purports to be from
> root at ourdomain1.co.uk (which is the same domain as the mail server,
> though not the same FQDN) opendmarc has considered it to be from
> 'localhost', [...]

Unlikely. Currently I can't think of a way that could happen.


   Juri

