mailscanner at ecs.soton.ac.uk
Tue Nov 26 19:20:31 GMT 2002
At 19:13 26/11/2002, you wrote:
>Julian, you do realize this is about blacklists right?
>Checking blacklists (ie: orbs, SBL, etc) back to arbitrary depth (excluding
>the originating IP if the blacklist contains a DUL) is not a risk. All the
>spammer can gain by forging an IP is getting themselves blacklisted... and
>as far as I'm concerned, they can help themselves to all the blacklisting
Received: From your-first-server at you.com by your-second-server at you.com
Received: Nice-safe-domain at other.com by your-first-server at you.com
Received: Another-nice-safe at other2.com by nice-safe-domain at other.com
The 2nd and 3rd lines are fake. And so you receive the message not marking
it as spam (as it came from nice safe domains). You report the spam to the
blacklists and other.com and other2.com get blacklisted. That's going to
make them real happy. And the spammer changes to another couple of
"other.com" and "other2.com" domains that aren't in the blacklists. And
they get blacklisted too, and so on.
The spammers don't get blacklisted, "other.com" and "other2.com" do.
>Now whitelist checking, ie: bondedsender, etc, needs to only be done on
>trusted headers.. because there the spammer can do what you suggest.
>At 06:37 PM 11/26/2002 +0000, Julian Field wrote:
>>No. The only way to do that is to try and parse it out of the headers, and
>>it is trivial for spammers to fake (I'm surprised how few do at the
>>moment). All they need do is directly attack your mail server making the
>>mail appear to come from somewhere safe and you will let it all in.
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
More information about the MailScanner