Spam from (forged) whitelist domain

Stephe Campbell campbell at CNPAPERS.COM
Mon Dec 22 14:15:56 GMT 2003


OK, now I'm confused.

I, too, am getting these forged from addresses. I have always thought that
the envelope 'to' and 'from' were what mattered. But when I look in my
maillog, I only see my domain in the envelope 'to' and 'from'. Blocking by
IP does not apply here, obviously.

So I look at the headers. We use an AV relay in front of our SMTP/MS/SA
server. This is the top-most 'Received: from' in the header. I can't block
this, obviously. The next 'Received: from' listed down in the header may work
as this is not one of my IP addresses, but are you saying this is what is
being used as comparison? Who is doing the comparison, MS or SA? Are any and
all IPs in the header considered?

Sorry for the long-winded question, and thanks for any light on this subject
you may provide.

Steve Campbell
campbell at cnpapers.com
Charleston Newspapers


----- Original Message -----
From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Monday, December 22, 2003 4:10 AM
Subject: Re: Spam from (forged) whitelist domain


> At 22:47 21/12/2003, you wrote:
> >Does the whitelist check  look at the sending client IP, or the sending
> >server IP?  (Assuming the my users only send from my server, and only
> >authenticated users are allowed to send from there.)
>
> It looks at the IP address at the other end of the SMTP connection to the
> MailScanner server.
>
>
> >Thanks.
> >
> >
> >Julian Field wrote:
> >
> >>Exactly what I was about to suggest. You can use pretty much any of the
> >>standard/common ways of expressing IP ranges and network subnets.
> >>
> >>At 22:51 19/12/2003, you wrote:
> >>
> >>>Just a thought, and I'm not sure this is correct, but perhaps you can
> >>>whitelist your domain by IP instead of by name.
> >>>
> >>>-Eric Rz.
> >>>
> >>>On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
> >>> > I see a nontrivial volume of Spam that gets through to users using
> >>> > forged headers with my domain as the from.  These are typically to:
> >>> > user at mydomain from: user at mydomain
> >>> >
> >>> > My domain is whitelisted, so when a forged header comes along, I get a
> >>> > spam score that would have dealt with the spam, but it is whitelisted,
> >>> > so delivered anyway.
> >>> >
> >>> > Is there a way to deal with this?
> >>> >
> >>> > Thanks.
> >>
> >>
> >>--
> >>Julian Field
> >>www.MailScanner.info
> >>Professional Support Services at www.MailScanner.biz
> >>MailScanner thanks transtec Computers for their support
> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
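To make the thread's point concrete, here is an added illustration (my own code, not MailScanner's or SpamAssassin's) of the two whitelist strategies discussed: trusting the From: domain, which a forged header satisfies, versus trusting the address at the far end of the SMTP connection. It assumes a list of trusted internal relays so the hop added by an AV gateway can be skipped, and uses constructed Received headers with documentation address ranges.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.net"
# Assumed topology (documentation ranges): AV relay in front of the MX, real mail server elsewhere.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed sample: an outside host sends mail claiming to be from the local
# domain; it passes through the AV relay before reaching the MX.
SAMPLE = """Received: from avrelay.example.net (avrelay.example.net [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 22 Dec 2003 09:00:00 -0500
Received: from mail.example.net (unknown [198.51.100.77])
\tby avrelay.example.net with SMTP; Mon, 22 Dec 2003 08:59:58 -0500
From: user@example.net
To: user@example.net
Subject: forged sender

body
"""
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def in_any(ip, nets):
    return any(ip in net for net in nets)

def connecting_ip(msg, trusted=TRUSTED_RELAYS):
    """The top Received: is written by our MX and names the relay, so walk down
    past hops we added ourselves to the first address that is not ours."""
    for hdr in msg.get_all("Received", []):
        found = _BRACKET_IP.search(hdr)
        if found is None:
            continue
        ip = ipaddress.ip_address(found.group(1))
        if not in_any(ip, trusted):
            return ip
    return None  # every hop was ours: fail closed, not whitelisted

def whitelisted_by_domain(msg):
    """Weak rule: trust the From: domain. A forged header satisfies it."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN

def whitelisted_by_ip(msg):
    """Stronger rule: trust only when the external client is in our networks."""
    ip = connecting_ip(msg)
    return ip is not None and in_any(ip, LOCAL_NETS)

def verdicts(raw):
    msg = message_from_string(raw)  # returns (domain_rule, ip_rule)
    return whitelisted_by_domain(msg), whitelisted_by_ip(msg)
```

For the forged sample the domain rule says "whitelisted" while the IP rule does not; swap the external address for one inside LOCAL_NETS and both agree.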
