Question Return Path Being tampered with

Discussion in 'SmarterMail' started by Tigerlady, Apr 2, 2012.

  1. Tigerlady

    Tigerlady Member

    SmarterMail Enterprise 9.2

    Hello, one of our clients gets mail from cdtechno.com. When we receive the email, it looks like the Return Path has been tampered with: when it comes in, it has extra characters in it.

    Here are the headers of one that I received. I have replaced the actual email addresses, but I have no idea if they are putting something in the return path or if SmarterMail is.

    Return-Path: <btv1==439923b1921==replaced@cdtechno.com>
    Received: from barracuda.cdtechno.com (cdmail1.cdtechno.com [67.129.127.133]) by mail3.centricweb.net with SMTP;
    Mon, 2 Apr 2012 10:22:02 -0500
    X-ASG-Debug-ID: 1333380176-0360e43004c0290001-eGLhjY
    Received: from cd-backmail.corp.cdtechno.com (cd-backmail.corp.cdtechno.com [192.168.0.86]) by barracuda.cdtechno.com with ESMTP id sZHLr0q0lmtDm7gg for <barbara@centricweb.com>; Mon, 02 Apr 2012 11:22:56 -0400 (EDT)
    X-Barracuda-Envelope-From: replaced @cdtechno.com
    X-MimeOLE: Produced By Microsoft Exchange V6.5
    Content-class: urn:content-classes:message
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----_=_NextPart_001_01CD10E4.7B272AFF"
    Subject: email issue
    Date: Mon, 2 Apr 2012 11:22:56 -0400
    X-ASG-Orig-Subj: email issue
    Message-ID: <DCC154A0C9E9EE4FAF2E6F4310C0ECDF04762A9A@cd-backmail.corp.cdtechno.com>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: email issue
    Thread-Index: Ac0Q5DViF2K+YQVMTpuBLpfDrbrcPA==
    From: "Wheeler, Red" <replaced @cdtechno.com>
    To: <replaced@replaced.com>

    X-Barracuda-Connect: cd-backmail.corp.cdtechno.com[192.168.0.86]
    X-Barracuda-Start-Time: 1333380176
    X-Barracuda-URL: http://10.14.0.13:8000/cgi-mod/mark.cgi
    X-Virus-Scanned: by bsmtpd at cdtechno.com
    X-Barracuda-Bayes: INNOCENT GLOBAL 0.0000 1.0000 -2.0210
    X-Barracuda-Spam-Score: -2.02
    X-Barracuda-Spam-Status: No, SCORE=-2.02 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=HTML_MESSAGE
    X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92981
    Rule breakdown below
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.00 HTML_MESSAGE BODY: HTML included in message
    X-CTCH-RefId: str=0001.0A010208.4F79C464.0078,ss=1,pt=R_264747,fgs=0
    X-CTCH-AVLevel: Unknown
    X-SmarterMail-Spam: SPF_Pass, Commtouch 0 [value: Unknown], ISpamAssassin 0 [raw: 0], DK_None, DKIM_None
    X-SmarterMail-TotalSpamWeight: 0
  2. DXD

    DXD Product Expert

    Google will tell you anything you need to know :) Based on the below, I would say it's them, not SmarterMail.

    http://www.shamrock-software.eu/spam.htm

    Something similar to SRS but less common is BATV (Bounce Address Tag Validation). It adds a 9- to 11-digit key to the localpart of the sender address and "prvs=" (private signature) in front of it. The first digit is a key number, the next three are a day count since 1970 modulo 1000, followed by 6 hex digits calculated from the local address part using a private algorithm. Unfortunately, standardization of BATV was not very successful: Some implementations put the key first and the local part behind it, some do it vice versa. Two samples:
    prvs=info=12312A46F3@example.com
    prvs=12312A46F3=info@example.com
    To make things totally weird, some use a slash instead of the second equal sign. Others use btv1 instead of prvs and two equal signs instead of one as a delimiter.
  3. dandickson

    dandickson Active Member

    Our Barracuda does this also; it is to prevent invalid message bounce spam, and it works incredibly well.
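
The tag layouts quoted in DXD's reply can be recognised and stripped so that logs, filters or allow-lists keyed on Return-Path match the real sender. This is an added example, not part of the thread and not SmarterMail or Barracuda code; the function names, the hex-only tag pattern and the 1 + 3 + 6 split of a 10-character prvs tag are assumptions based on that quoted description.

```python
import re
from collections import Counter

TAG = re.compile(r"^[0-9A-Fa-f]{9,11}$")  # 9 to 11 characters; hex-only is an assumption
SCHEME = re.compile(r"^(prvs|btv1)(?:==|=)(.+)$", re.IGNORECASE)  # marker, then "=" or "=="
DELIMS = ("==", "=", "/")  # variants of the second delimiter named in the thread

def strip_batv(address):
    """Return (original_address, scheme, tag); scheme and tag are None if untagged."""
    addr = address.strip().strip("<>")
    local, at, domain = addr.rpartition("@")
    m = SCHEME.match(local) if at else None
    if not m:
        return addr, None, None
    scheme, rest = m.group(1).lower(), m.group(2)
    for d in DELIMS:  # tag first, e.g. prvs=TAG=local
        head, found, tail = rest.partition(d)
        if found and tail and TAG.match(head):
            return f"{tail}@{domain}", scheme, head
    for d in DELIMS:  # local part first, e.g. prvs=local=TAG
        head, found, tail = rest.rpartition(d)
        if found and head and TAG.match(tail):
            return f"{head}@{domain}", scheme, tail
    return addr, None, None  # marker but no plausible tag: leave the address alone

def prvs_fields(tag):
    """Split a 10-character prvs tag into (key number, day count mod 1000, hash digits)."""
    if len(tag) != 10 or not (tag[:4].isascii() and tag[:4].isdigit()):
        return None
    return int(tag[0]), int(tag[1:4]), tag[4:]

def count_senders(return_paths):
    """Count messages per real sender, ignoring the tag."""
    return Counter(strip_batv(rp)[0].lower() for rp in return_paths)

# Constructed sample: the Return-Path from the first post, the quoted layouts, one untagged.
SAMPLES = [
    "<btv1==439923b1921==replaced@cdtechno.com>",
    "prvs=info=12312A46F3@example.com",
    "prvs=12312A46F3=info@example.com",
    "prvs=12312A46F3/info@example.com",
    "alice@example.com",
]

if __name__ == "__main__":
    for rp in SAMPLES:
        print(rp, "->", strip_batv(rp))
```

Stripping the tag only normalises the address; it does not verify the signature, which only the sending side can check because the hash uses its private algorithm.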