Possible spoofing causing problems with whitelisting?

Kevin Spicer kevins at BMRB.CO.UK
Tue Apr 15 20:40:54 IST 2003


On Tue, 2003-04-15 at 20:27, Derrick Georgiades wrote:

> This is an odd one.  A user received a piece of junk mail today that was
> whitelisted, I do not know why it was whitelisted.  The
> user at mydomain.com is not whitelisted nor the sender.  I do whitelist
> everything from *@mydomain.com.  But what is interesting is the Received
> lines in the header.  It originates from 191.146.230.212 and claims to
> be received from the ip of my server, however the next received line has
> my server ip but with an ip that was resolved that is not mine, then it
> claims that my server received it from itself, then onto my internal
> exchange server.  This is not what a typical header looks like for my
> site.

Probably the spambot which sent this sent a HELO saying it was whatever
your IP is.  Then sent a MAIL From:user at yourdomain.com.
This would set the envelope from address (which doesn't appear in the
header) to be 'from' your domain.  MS looks at the envelope not the
header addresses so this would fool the whitelists.
The answer is to whitelist your internal mail server IPs (or netblock
if users send smtp mail directly to the MS server) rather than the
domain name.




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
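
The difference between the two whitelist styles discussed in this message, as an added example that is not part of the original post and not MailScanner's own code. The netblock 192.0.2.0/24 stands in for the site's internal mail servers, and the session records, function names and the third sender are constructed for illustration.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass
class SmtpSession:
    client_ip: str   # address of the TCP peer, observed by the receiving server
    helo: str        # name or address the client announced; client-supplied
    mail_from: str   # envelope sender from MAIL FROM:; client-supplied


# The rule from the post: trust anything whose envelope sender is local.
SENDER_WHITELIST = ["*@mydomain.com"]
# The suggested replacement: trust only the internal servers (assumed range).
NETBLOCK_WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]


def whitelisted_by_sender(s: SmtpSession) -> bool:
    """Match the envelope sender against address patterns."""
    addr = s.mail_from.strip("<>").lower()
    return any(fnmatch.fnmatchcase(addr, pat) for pat in SENDER_WHITELIST)


def whitelisted_by_ip(s: SmtpSession) -> bool:
    """Match the connecting address against the trusted netblocks."""
    ip = ipaddress.ip_address(s.client_ip)
    return any(ip in net for net in NETBLOCK_WHITELIST)


def spoof_suspects(sessions):
    """Sessions that claim a local sender but connect from outside."""
    return [s for s in sessions
            if whitelisted_by_sender(s) and not whitelisted_by_ip(s)]


# Constructed sessions: the forged one from the post, a genuine internal
# relay, and an ordinary external sender.
SESSIONS = [
    SmtpSession("191.146.230.212", "192.0.2.10", "<user@mydomain.com>"),
    SmtpSession("192.0.2.25", "exchange.mydomain.com", "<user@mydomain.com>"),
    SmtpSession("198.51.100.7", "mail.example.net", "<someone@example.net>"),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.client_ip:16} sender-rule={whitelisted_by_sender(s)!s:5} "
              f"ip-rule={whitelisted_by_ip(s)}")
    print("suspect:", [s.client_ip for s in spoof_suspects(SESSIONS)])
```

Running `spoof_suspects` over existing logs before switching rules shows which past messages passed only because of the sender-based entry.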