Possible spoofing causing problems with whitelisting?

Derrick Georgiades dgeorgiades at POWERENG.COM
Tue Apr 15 21:01:55 IST 2003


Thanks,
I wasn't aware that I could whitelist IP addresses.
I will change my rules from-
From: *@mydomain        yes
To this-
From: 192.168.0.1       yes
And all the other IPs of any systems that are internal that relay.
Is this the proper way?
What do you mean by "netblock"?  I added the spammer's IP to my sendmail
access list for discarding.


-----Original Message-----
From: Kevin Spicer [mailto:kevins at BMRB.CO.UK]
Sent: Tuesday, April 15, 2003 1:41 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Possible spoofing causing problems with whitelisting?


On Tue, 2003-04-15 at 20:27, Derrick Georgiades wrote:

This is an odd one.  A user received a piece of junk mail today that was
whitelisted, I do not know why it was whitelisted.  The user at mydomain.com is
not whitelisted nor the sender.  I do whitelist everything from
*@mydomain.com.  But what is interesting is the Received lines in the
header.  It originates from 191.146.230.212 and claims to be received from
the IP of my server, however the next received line has my server IP but
with an IP that was resolved that is not mine, then it claims that my server
received it from itself, then onto my internal exchange server.  This is not
what a typical header looks like for my site.

Probably the spambot which sent this sent a HELO saying it was whatever your
IP is.  Then it sent a MAIL From:user at yourdomain.com. This would set the
envelope from address (which doesn't appear in the header) to be 'from' your
domain.  MS looks at the envelope not the header addresses so this would fool
the whitelists. The answer is to whitelist your internal mail server IPs (or
netblock if users send smtp mail directly to the MS server) rather than the
domain name.




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
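
The spoofing described in the reply above, as an added example that is not part of the original thread and is not MailScanner's own code: a simplified Python model of "From:" whitelist rules, showing why a sender-domain pattern accepts a forged envelope sender while an IP or netblock rule does not. The function names, the first-match semantics, the CIDR netblock syntax and the sample messages are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

def rule_matches(pattern, envelope_from, client_ip):
    """Match one rule pattern against the envelope sender or the connecting IP."""
    try:
        # Pattern is an IP address or (assumed CIDR syntax) a netblock.
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # Otherwise treat it as a glob on the envelope sender (MAIL FROM),
        # which the sending client chooses freely.
        return fnmatchcase(envelope_from.lower(), pattern.lower())
    return ipaddress.ip_address(client_ip) in net

def is_whitelisted(rules, envelope_from, client_ip):
    """Simplified model: first matching rule decides, default is not whitelisted."""
    for pattern, verdict in rules:
        if rule_matches(pattern, envelope_from, client_ip):
            return verdict == "yes"
    return False

# Rules from the thread: the original domain rule and the proposed IP rule.
DOMAIN_RULES = [("*@mydomain.com", "yes")]
IP_RULES = [("192.168.0.1", "yes")]
# Constructed netblock rule for clients that submit directly to the scanner.
NETBLOCK_RULES = [("192.168.0.0/24", "yes")]

# Constructed sample messages: (envelope sender, connecting IP).
SPOOFED = ("user@mydomain.com", "191.146.230.212")   # outside host forging MAIL FROM
INTERNAL = ("user@mydomain.com", "192.168.0.1")      # internal relay
DESKTOP = ("user@mydomain.com", "192.168.0.57")      # internal client, not the relay

def compare():
    """Return the whitelist decision for each rule set and sample message."""
    sets = {"domain": DOMAIN_RULES, "ip": IP_RULES, "netblock": NETBLOCK_RULES}
    msgs = {"spoofed": SPOOFED, "internal": INTERNAL, "desktop": DESKTOP}
    return {(r, m): is_whitelisted(rules, *msg)
            for r, rules in sets.items() for m, msg in msgs.items()}

if __name__ == "__main__":
    for (ruleset, msg), ok in compare().items():
        print(f"{ruleset:9} {msg:9} whitelisted={ok}")
```

The domain rule whitelists all three messages, including the forged one; the single-IP rule passes only the relay, and the netblock rule passes both internal hosts while rejecting the outside sender.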


