Possible spoofing causing problems with whitelisting?

Kevin Spicer kevins at BMRB.CO.UK
Tue Apr 15 21:09:06 IST 2003


On Tue, 2003-04-15 at 21:01, Derrick Georgiades wrote:

Thanks,
I wasn't aware that I could whitelist IP addresses.
I will change my rules from-
From: *@mydomain        yes
To this-
From: 192.168.0.1       yes
And all the other IPs of any systems that are internal that relay.
Is this the proper way?

Yes - at least I hope so, as that's how I do it ;)

What do you mean by "netblock"?  I added the spammer's IP to my sendmail
access list for discarding.

I just meant that if your users' PCs send direct to your MS server you
could include the whole range of IP addresses you use (block as in 'big
lump' rather than as in 'prohibit'!) e.g.

From: 192.168.0.        yes


-----Original Message-----
From: Kevin Spicer [mailto:kevins at BMRB.CO.UK]
Sent: Tuesday, April 15, 2003 1:41 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Possible spoofing causing problems with whitelisting?


On Tue, 2003-04-15 at 20:27, Derrick Georgiades wrote:

This is an odd one.  A user received a piece of junk mail today that was
whitelisted, I do not know why it was whitelisted.  The user at mydomain.com is
not whitelisted nor the sender.  I do whitelist everything from
*@mydomain.com.  But what is interesting is the Received lines in the
header.  It originates from 191.146.230.212 and claims to be received from
the IP of my server, however the next received line has my server IP but
with an IP that was resolved that is not mine, then it claims that my server
received it from itself, then onto my internal exchange server.  This is not
what a typical header looks like for my site.

Probably the spambot which sent this sent a HELO saying it was whatever your
IP is.  Then sent a MAIL From: user at yourdomain.com.  This would set the
envelope from address (which doesn't appear in the header) to be 'from'
your domain.  MS looks at the envelope not the header addresses so this
would fool the whitelists.  The answer is to whitelist your internal mail
server IPs (or netblock if users send SMTP mail directly to the MS server)
rather than the domain name.




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may
contain confidential and/or privileged material.  If you have received
this
in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in
reliance on it is prohibited.  BMRB International Limited accepts no
liability in relation to any personal emails, or content of any email
which
does not directly relate to our business.









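As an added illustration that is not MailScanner's own code or rule parser, the Python model below replays the spoofed delivery from this thread against both rule styles. It assumes a simplified rule syntax: a pattern beginning with a digit is an exact IP or a dotted prefix ("netblock") matched against the connecting client's IP, and any other pattern is a glob matched against the envelope MAIL FROM.

```python
import fnmatch

# Constructed rule sets in the thread's own (pattern, action) form. Not MailScanner's
# real syntax: here a leading digit means "match the client IP", otherwise a glob
# is matched against the envelope sender (the address MailScanner keys on).
DOMAIN_RULES = [("*@mydomain.com", "yes")]
IP_RULES = [("192.168.0.1", "yes"), ("192.168.0.", "yes")]

# Constructed sample deliveries. SPOOFED is the thread's case: an external host
# that HELOs as the site's own server and uses a MAIL FROM in the site's domain.
# The header From: is deliberately absent from the model; only the envelope counts.
SPOOFED = {"client_ip": "191.146.230.212", "mail_from": "user@mydomain.com"}
INTERNAL = {"client_ip": "192.168.0.1", "mail_from": "user@mydomain.com"}
INTERNAL_RELAY = {"client_ip": "192.168.0.37", "mail_from": "bob@mydomain.com"}
OUTSIDER = {"client_ip": "203.0.113.9", "mail_from": "sales@example.net"}


def rule_matches(pattern: str, client_ip: str, mail_from: str) -> bool:
    """True if one rule pattern applies to this delivery (simplified semantics)."""
    if pattern[0].isdigit():
        if pattern.endswith("."):
            # Dotted prefix, the "netblock" form: "192.168.0." covers 192.168.0.x only
            return client_ip.startswith(pattern)
        return client_ip == pattern
    return fnmatch.fnmatchcase(mail_from.lower(), pattern.lower())


def evaluate(rules, delivery, default: str = "no") -> str:
    """First matching rule wins; an unmatched delivery falls through to the default."""
    for pattern, action in rules:
        if rule_matches(pattern, delivery["client_ip"], delivery["mail_from"]):
            return action
    return default


def compare(delivery) -> dict:
    """How the same delivery fares under domain-based versus IP-based whitelisting."""
    return {"by_domain": evaluate(DOMAIN_RULES, delivery),
            "by_ip": evaluate(IP_RULES, delivery)}


if __name__ == "__main__":
    for name, d in [("spoofed", SPOOFED), ("internal", INTERNAL),
                    ("internal_relay", INTERNAL_RELAY), ("outsider", OUTSIDER)]:
        print(f"{name:15s} {d['client_ip']:16s} {d['mail_from']:20s} {compare(d)}")
```

The spoofed message is whitelisted by the domain rule and rejected by the IP rules, while genuine internal relays pass under both.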