Gentoo Forums
General Email question, with a configuration question after!
puddpunk
l33t


Joined: 20 Jul 2002
Posts: 681
Location: New Zealand

Posted: Thu Aug 21, 2003 12:48 am    Post subject: General Email question, with a configuration question after!

Okay, here is the gig :)

I have a mail server set up here. This mailserver pulls mail down from one account, but there are 4 "aliases" for that account. So the mail inside that account belongs to one of 4 different addresses.

Right, still with me?

I have fetchmail downloading this mail, and piping it through procmail, which has a recipe for sorting out the 4 different addresses into 4 different mailboxes on the server (based on the TO_ directive in procmail, and filters on the "for xxx" in the mail headers).

The problem is, mail that doesn't fit in gets sent to a "Lost Mail" box, which I get about 5 a day (out of about 50). I examined these mails, and there is absolutely NOTHING in the mail headers or otherwise to show _who_ the mail is for, but for some reason it ends up in my ISP's mail box.

Here is an example of headers for one of these mails:
Code:
Return-Path: <cert-advisory-owner@cert.org>
Received: from pop3.xtra.co.nz [203.96.92.132]
   by localhost with POP3 (fetchmail-6.2.2)
   for root@localhost (single-drop); Thu, 14 Aug 2003 10:30:17 +1200 (NZST)
Received: from mta4-rme.xtra.co.nz ([210.86.15.143])
          by mta204-rme.xtra.co.nz with ESMTP
          id <20030813222957.GMFT21917.mta204-rme.xtra.co.nz@mta4-rme.xtra.co.nz>;
          Thu, 14 Aug 2003 10:29:57 +1200
Received: from canaveral.indigo.cert.org ([192.88.209.169])
          by mta4-rme.xtra.co.nz with ESMTP
          id <20030813222542.SZSL2539.mta4-rme.xtra.co.nz@canaveral.indigo.cert.org>;
          Thu, 14 Aug 2003 10:25:42 +1200
Received: from canaveral.indigo.cert.org (localhost [127.0.0.1])
   by canaveral.indigo.cert.org (8.12.8/8.12.8/1.27) with ESMTP id h7DMBtGt023046;
   Wed, 13 Aug 2003 18:12:01 -0400
Received: from localhost (lnchuser@localhost)
   by canaveral.indigo.cert.org (8.12.8/8.12.8/Submit/1.1) with SMTP id h7DLo059022456;
   Wed, 13 Aug 2003 17:50:00 -0400
Date: Wed, 13 Aug 2003 17:50:00 -0400
Message-Id: <CA-2003-21.1@cert.org>
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: <http://www.cert.org/>, <mailto:Majordomo@cert.org?body=help>
List-Subscribe: <mailto:Majordomo@cert.org?body=subscribe%20cert-advisory>
List-Unsubscribe: <mailto:Majordomo@cert.org?body=unsubscribe%20cert-advisory>
List-Post: NO (posting not allowed on this list)
List-Owner: <mailto:cert-advisory-owner@cert.org>
List-Archive: <http://www.cert.org/>
Subject: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
Precedence: list
Content-Type:
X-UID: 165


-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-21 GNU Project FTP Server Compromise

   Original issue date: August 13, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Overview

   The  CERT/CC has received a report that the system housing the primary
   FTP servers for the GNU software project was compromised.

I. Description

   The GNU Project, principally sponsored by the Free Software Foundation
   (FSF),  produces  a  variety of freely available software. The CERT/CC
   has  learned  that  the system housing the primary FTP servers for the
   GNU  software  project,  gnuftp.gnu.org,  was  root  compromised by an
   intruder.  The more common host names of ftp.gnu.org and alpha.gnu.org
   are  aliases  for  the  same  compromised  system.  The  compromise is
   reported to have occurred in March of 2003.

I see nothing in those headers that points the mail to my address. I assume mail like this has to go through relays, so how do the relays know where to put it? Does my ISP strip mail headers? Does Fetchmail strip mail headers?

This is really confusing, so any explanation would be welcome, then we can sit down and figure out a solution.

Thanks,
Chris.
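
The sorting step described in the post, as an added example that is not part of the original post and is not the poster's procmail recipe: a Python filter over the To/Cc headers and the Received "for" clauses, run on an abridged copy of the quoted headers. The four alias addresses, the mailbox name and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical alias addresses (the post does not list the real ones).
ALIASES = {"alice@example.org", "bob@example.org",
           "carol@example.org", "dave@example.org"}

# Constructed sample, abridged from the headers quoted in the post.
LOST = """\
Return-Path: <cert-advisory-owner@cert.org>
Received: from pop3.xtra.co.nz [203.96.92.132]
   by localhost with POP3 (fetchmail-6.2.2)
   for root@localhost (single-drop); Thu, 14 Aug 2003 10:30:17 +1200 (NZST)
Received: from canaveral.indigo.cert.org ([192.88.209.169])
          by mta4-rme.xtra.co.nz with ESMTP
          id <20030813222542.SZSL2539.mta4-rme.xtra.co.nz@canaveral.indigo.cert.org>;
          Thu, 14 Aug 2003 10:25:42 +1200
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise

body
"""

# Constructed counter-example: the same mail if a hop had recorded "for <alias>".
SORTED = LOST.replace("by mta4-rme.xtra.co.nz with ESMTP",
                      "by mta4-rme.xtra.co.nz with ESMTP for <bob@example.org>")

# Address following the word "for" inside a Received header.
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;()]+@[^\s<>;()]+)>?", re.I)

def recipient_hints(raw):
    """Return (header, address) pairs a header-based sorter could match on."""
    msg = message_from_string(raw)
    hints = []
    for name in ("To", "Cc", "Resent-To", "Resent-Cc"):
        hints += [(name, a.lower()) for _, a in getaddresses(msg.get_all(name, []))]
    for rcvd in msg.get_all("Received", []):
        hints += [("Received", a.lower()) for a in FOR_RE.findall(rcvd)]
    return hints

def pick_mailbox(raw):
    """First hint that is a known alias wins; otherwise the catch-all box."""
    for _, addr in recipient_hints(raw):
        if addr in ALIASES:
            return addr
    return "lost-mail"
```

The delivery address travels in the SMTP envelope (RCPT TO), which is separate from the header block, so list mail addressed `To:` the list itself gives a header-only filter nothing to match unless a hop writes the recipient into a Received "for" clause. In the quoted sample the only such clause is the `root@localhost` one added locally by fetchmail.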