Spam from (forged) whitelist domain

Julian Field mailscanner at ecs.soton.ac.uk
Mon Dec 22 15:06:16 GMT 2003


It's really simple. MailScanner uses the envelope to and from address, as
you say. If you want to match on the IP address, then it uses the IP
address at the other end of the SMTP connection. In your case, as you
forward all mail to MailScanner from an incoming relay machine, the IP
address at the other end of the SMTP connection will always be the address
of your incoming relay machine.
SpamAssassin can look at the (quite possibly forged) IP addresses in the
rest of the headers, MailScanner can't on its own.

At 14:15 22/12/2003, you wrote:
>OK, now I'm confused.
>
>I, too, am getting these forged from addresses. I have always thought that
>the envelope 'to' and 'from' were what mattered. But when I look in my
>maillog, I only see my domain in the envelope 'to' and 'from'. Blocking by
>IP does not apply here, obviously.
>
>So I look at the headers. We use an AV relay in front of our SMTP/MS/SA
>server. This is the top-most 'Received: from' in the header. I can't block
>this obviously. The next 'Received: from' listed down in the header may work
>as this is not one of my IP addresses, but are you saying this is what is
>being used as comparison? Who is doing the comparison, MS or SA? Are any and
>all IPs in the header considered?
>
>Sorry for the long-winded question, and thanks for any light on this subject
>you may provide.
>
>Steve Campbell
>campbell at cnpapers.com
>Charleston Newspapers
>
>
>----- Original Message -----
>From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Monday, December 22, 2003 4:10 AM
>Subject: Re: Spam from (forged) whitelist domain
>
>
> > At 22:47 21/12/2003, you wrote:
> > >Does the whitelist check  look at the sending client IP, or the sending
> > >server IP?  (Assuming the my users only send from my server, and only
> > >authenticated users are allowed to send from there.)
> >
> > It looks at the IP address at the other end of the SMTP connection to the
> > MailScanner server.
> >
> >
> > >Thanks.
> > >
> > >
> > >Julian Field wrote:
> > >
> > >>Exactly what I was about to suggest. You can use pretty much any of the
> > >>standard/common ways of expressing IP ranges and network subnets.
> > >>
> > >>At 22:51 19/12/2003, you wrote:
> > >>
> > >>>Just a thought, and I'm not sure this is correct, but perhaps you can
> > >>>whitelist your domain by IP instead of by name.
> > >>>
> > >>>-Eric Rz.
> > >>>
> > >>>On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
> > >>> > I see a nontirvial volume of Spam that gets through to users using
> > >>> > forged headers with my domain as the from.  These are typically to:
> > >>> > user at mydomain from: user at mydomain
> > >>> >
> > >>> > My domain is whitelisted, so when a forged header comes along,  I
> > >>>get a
> > >>> > spam score that would have dealt with the spam, but it is
>whitelisted,
> > >>> > so delivered anyway.
> > >>> >
> > >>> > Is there a way to deal with this?
> > >>> >
> > >>> > Thanks.
> > >>
> > >>
> > >>--
> > >>Julian Field
> > >>www.MailScanner.info
> > >>Professional Support Services at www.MailScanner.biz
> > >>MailScanner thanks transtec Computers for their support
> > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



More information about the MailScanner mailing list