Spam.whitelist.rules file question

Julian Field mailscanner at ecs.soton.ac.uk
Thu Jan 30 12:27:57 GMT 2003


At 12:21 30/01/2003, you wrote:
>So you are saying that he needed to put 194.205.110.133 instead or in
>addition to?

Instead.

Normally the thing in the rule is (a pattern matching) the email address.
But if it doesn't contain any letters, it interprets it as (a pattern
matching) the IP address.

There currently isn't a way of matching the hostname by name, only by number.

I think that relying on the hostname is actually not very good, as you
leave yourself open to simple DNS attacks. Say "nasty.com" own the IP
address range 1.2.3.*. If they set up their DNS server so that the reverse
record for 1.2.3.4 claims to be "mail.good.com" instead of
"mail.nasty.com", then any mail from 1.2.3.4 will be treated by your server
as being from "mail.good.com" instead of "something.nasty.com".

To be sure this isn't happening to you, you have to do forward and reverse
lookups and check they all match and are consistent with each other. This
takes time to execute, and I haven't written it yet.


>Steve
>
>On Thu, 2003-01-30 at 05:03, Julian Field wrote:
> > At 08:30 30/01/2003, you wrote:
> > >Yesterday morning I updated the spam.whitelist.rules file (on cheviot1)
> > >so that it now looks like:
> > >
> > >   ....
> > >   From:  *.messagelabs.com      yes
> > >   From:  default                no
> >
> > So if the envelope sender address ends in ".messagelabs.com" then it is
> > whitelisted.
> >
> > >However at 18:30 a message that should have been whitelisted was in fact
> > >tagged as spam. The envelope-from address in the tagged message is given
> > >in:
> > >
> > >Received: from mail9.messagelabs.com
> >
> > That's the name of the host, not the email address that sent the message to
> > you.
> >
> > If you want to whitelist mail from specific IP addresses, then you need to
> > whitelist those specific numeric IPs (or use a regular expression that
> > covers them).
> >
> > >       (mail9.messagelabs.com [194.205.110.133])
> > >         by cheviot1.ncl.ac.uk (8.10.1/8.10.1) with SMTP id h0TIU5k31581
> > >         for <x.x.xxx at ncl.ac.uk>; Wed, 29 Jan 2003 18:30:05 GMT
> > >
> > >Other whitelisted entries appear to be working OK so I am perplexed as
> > >to why this one was tagged.
> > >
> > >Quentin
> > >---
> > >PHONE: +44 191 222 8209    Computing Service, University of Newcastle
> > >FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
> > >------------------------------------------------------------------------
> > >"Any opinion expressed above is mine. The University can get its own."
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>--
>Steve Hickel <smhickel at chartermi.net>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
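
The forward-and-reverse consistency check described in the message above, sketched as an added example. It is not part of the original post and is not MailScanner code. The function names, the sample DNS tables and the 192.0.2.10 address are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """Reverse lookup: the host names the PTR record claims for this IP."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_addrs(name):
    """Forward lookup: every address the name resolves to."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except (OSError, UnicodeError):
        return []

def confirmed_names(ip, ptr=system_ptr, addrs=system_addrs):
    """Return only the PTR names whose forward lookup leads back to `ip`."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        name = name.rstrip(".").lower()
        for addr in addrs(name):
            try:
                if ipaddress.ip_address(addr) == target:
                    confirmed.append(name)
                    break
            except ValueError:
                continue  # unparsable answer: treat as no match
    return confirmed

def host_in_domain(ip, domain, ptr=system_ptr, addrs=system_addrs):
    """True only if a forward-confirmed name for `ip` is `domain` or below it."""
    domain = domain.lower()
    return any(n == domain or n.endswith("." + domain)
               for n in confirmed_names(ip, ptr, addrs))

# Constructed DNS data (not real lookups), modelled on the thread's examples.
SAMPLE_PTR = {"1.2.3.4": ["mail.good.com"],            # PTR set by nasty.com
              "194.205.110.133": ["mail9.messagelabs.com"]}
SAMPLE_A = {"mail.good.com": ["192.0.2.10"],            # good.com's own record
            "mail9.messagelabs.com": ["194.205.110.133"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_addrs(name):
    return SAMPLE_A.get(name, [])
```

With the sample tables, the forged PTR for 1.2.3.4 is rejected because good.com's own forward record does not point back at that address. Called without the `ptr` and `addrs` arguments, the functions use the system resolver, which costs two DNS round trips per message.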
