Possible spoofing causing problems with whitelisting?

Julian Field mailscanner at ecs.soton.ac.uk
Tue Apr 15 21:41:45 IST 2003


The docs on what you can put in rulesets are at
http://www.sng.ecs.soton.ac.uk/mailscanner/man/MailScanner.conf.3.html#RULESETS

There are examples there of netblocks and IP expressions.

At 21:09 15/04/2003, you wrote:
>On Tue, 2003-04-15 at 21:01, Derrick Georgiades wrote:
>
>Thanks,
>I wasn't aware that I could whitelist ip addresses.
>I will change my rules from-
>From: *@mydomain        yes
>To this-
>From: 192.168.0.1       yes
>And all the other IPs of any systems that are internal that relay.
>Is this the proper way?
>
>Yes - at least I hope so as that's how I do it ;)
>
>What do you mean by "netblock"?  I added the spammer's IP to my sendmail
>access list for discarding.
>
>I just meant that if your users' PCs send direct to your MS server you
>could include the whole range of IP addresses you use (block as in 'big
>lump' rather than as in 'prohibit'!) eg.
>
>From: 192.168.0.        yes
>
>
>-----Original Message-----
>From: Kevin Spicer [mailto:kevins at BMRB.CO.UK]
>Sent: Tuesday, April 15, 2003 1:41 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Possible spoofing causing problems with whitelisting?
>
>
>On Tue, 2003-04-15 at 20:27, Derrick Georgiades wrote:
>
>This is an odd one.  A user received a piece of junk mail today that was
>whitelisted, I do not know why it was whitelisted.  The user at mydomain.com
>is not whitelisted nor the sender.  I do whitelist everything from
>*@mydomain.com.  But what is interesting is the Received lines in the
>header.  It originates from 191.146.230.212 and claims to be received from
>the ip of my server, however the next received line has my server ip but
>with an ip that was resolved that is not mine, then it claims that my server
>received it from itself, then onto my internal exchange server.  This is not
>what a typical header looks like for my site.
>
>Probably the spambot which sent this sent a HELO saying it was whatever your
>IP is.  Then it sent a MAIL From:user at yourdomain.com. This would set the
>envelope from address (which doesn't appear in the header) to be 'from' your
>domain.  MS looks at the envelope not the header addresses so this would
>fool the whitelists. The answer is to whitelist your internal mail server
>IPs (or netblock if users send smtp mail directly to the MS server) rather
>than the domain name.
>
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the recipient and
>may
>contain confidential and/or privileged material.  If you have received
>this
>in error, please contact the sender and delete this message immediately.
>Disclosure, copying or other action taken in respect of this email or in
>reliance on it is prohibited.  BMRB International Limited accepts no
>liability in relation to any personal emails, or content of any email
>which
>does not directly relate to our business.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
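
Added example, not part of the original thread and not MailScanner's own code: a simplified Python model of the rule styles quoted above, showing why a whitelist keyed on the envelope sender accepts the spoofed message while one keyed on the connecting IP does not. The function names, the first-match evaluation and the sample messages are assumptions made for illustration.

```python
import fnmatch

# Constructed rulesets in the style quoted in the thread (simplified model).
DOMAIN_RULES = "From: *@mydomain.com   yes"
IP_RULES = "From: 192.168.0.1     yes"
NETBLOCK_RULES = "From: 192.168.0.      yes"

def parse_ruleset(text):
    """Parse 'From: <pattern> <yes|no>' lines into (pattern, bool) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        direction, pattern, value = line.split()
        if direction.lower() != "from:":
            raise ValueError(f"only From: rules are modelled: {line!r}")
        rules.append((pattern.lower(), value.lower() == "yes"))
    return rules

def is_ip_pattern(pattern):
    # Patterns made only of digits and dots are IP addresses or prefixes.
    return pattern.replace(".", "").isdigit()

def whitelisted(rules, envelope_from, client_ip):
    """First matching rule wins; no match means not whitelisted."""
    for pattern, value in rules:
        if is_ip_pattern(pattern):
            if pattern.endswith("."):      # netblock prefix, e.g. 192.168.0.
                hit = client_ip.startswith(pattern)
            else:                          # single host, exact match only
                hit = client_ip == pattern
        else:                              # address glob on the envelope sender
            hit = fnmatch.fnmatchcase(envelope_from.lower(), pattern)
        if hit:
            return value
    return False

# Constructed messages: (envelope sender, IP of the connecting SMTP client).
SPOOFED = ("user@mydomain.com", "191.146.230.212")   # forged MAIL FROM
INTERNAL = ("user@mydomain.com", "192.168.0.1")      # real internal relay

if __name__ == "__main__":
    for name, rules in [("domain", DOMAIN_RULES), ("ip", IP_RULES),
                        ("netblock", NETBLOCK_RULES)]:
        parsed = parse_ruleset(rules)
        print(name, "spoofed:", whitelisted(parsed, *SPOOFED),
              "internal:", whitelisted(parsed, *INTERNAL))
```

Only the domain rule whitelists the spoofed message; both IP-based rules still whitelist the internal relay.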


