Spam.whitelist.rules file question
mailscanner at ecs.soton.ac.uk
Thu Jan 30 12:27:57 GMT 2003
At 12:21 30/01/2003, you wrote:
>So you are saying that he needed to put 188.8.131.52 instead or in
Normally the thing in the rule is (a pattern matching) the email address.
But if it doesn't contain any letters, it interprets it as (a pattern
matching) the IP address.
There currently isn't a way of matching the hostname by name, only by number.
I think that relying on the hostname is actually not very good, as you
leave yourself open to simple DNS attacks. Say "nasty.com" own the IP
address range 1.2.3.*. If they set up their DNS server so that the reverse
record for 184.108.40.206 claims to be "mail.good.com" instead of
"mail.nasty.com", then any mail from 220.127.116.11 will be treated by your server
as being from "mail.good.com" instead of "something.nasty.com".
To be sure this isn't happening to you, you have to do forward and reverse
lookups and check they all match and are consistent with each other. This
takes time to execute, and I haven't written it yet.
>On Thu, 2003-01-30 at 05:03, Julian Field wrote:
> > At 08:30 30/01/2003, you wrote:
> > >Yesterday morning I updated the spam.whitelist.rules file (on cheviot1)
> > >so that it now looks like:
> > >
> > > ....
> > > From: *.messagelabs.com yes
> > > From: default no
> > So if the envelope sender address ends in ".messagelabs.com" then it is
> > whitelisted.
> > >However at 18:30 a message that should have been whitelisted was in fact
> > >tagged as spam. The envelope-from address in the tagged message is given
> > >in:
> > >
> > >Received: from mail9.messagelabs.com
> > That's the name of the host, not the email address that sent the message to
> > you.
> > If you want to whitelist mail from specific IP addresses, then you need to
> > whitelist those specific numeric IPs (or use a regular expression that
> > covers them).
> > > (mail9.messagelabs.com [18.104.22.168])
> > > by cheviot1.ncl.ac.uk (8.10.1/8.10.1) with SMTP id h0TIU5k31581
> > > for <x.x.xxx at ncl.ac.uk>; Wed, 29 Jan 2003 18:30:05 GMT
> > >
> > >Other whitelisted entries appear to be working OK so I am perplexed as
> > >to why this one was tagged.
> > >
> > >Quentin
> > >---
> > >PHONE: +44 191 222 8209 Computing Service, University of Newcastle
> > >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
> > >------------------------------------------------------------------------
> > >"Any opinion expressed above is mine. The University can get its own."
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>Steve Hickel <smhickel at chartermi.net>
MailScanner thanks transtec Computers for their support
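The forward-and-reverse consistency check described in the message above, as an added example that is not part of the original post and is not MailScanner code. The function names, the injectable resolver arguments and the sample DNS tables (documentation-range addresses) are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_forward(name):
    """A/AAAA lookup through the system resolver; returns a set of addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def confirmed_hostnames(ip, reverse=system_reverse, forward=system_forward):
    """Keep only the PTR names whose own forward lookup leads back to ip."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        # Strip any IPv6 zone suffix before comparing parsed addresses.
        addrs = {ipaddress.ip_address(a.split("%")[0]) for a in forward(name)}
        if target in addrs:
            confirmed.append(name)
    return confirmed

def host_whitelisted(ip, pattern, reverse=system_reverse, forward=system_forward):
    """True only if a forward-confirmed name of ip falls under e.g. '*.good.com'."""
    suffix = "." + pattern.lstrip("*").lstrip(".").lower()
    return any(n.endswith(suffix)
               for n in confirmed_hostnames(ip, reverse, forward))

# Constructed DNS data. The PTR zone belongs to whoever owns the address range,
# so the second entry can claim any name; the A records live in good.com's zone.
PTR = {"192.0.2.10": ["mail.good.com"],     # genuine host
       "198.51.100.7": ["mail.good.com"]}   # reverse record set by nasty.com
A = {"mail.good.com": {"192.0.2.10"}}

def demo():
    rev = lambda ip: PTR.get(ip, [])
    fwd = lambda name: A.get(name, set())
    return {ip: host_whitelisted(ip, "*.good.com", rev, fwd) for ip in PTR}

if __name__ == "__main__":
    print(demo())
```

With the default arguments the functions use the system resolver, so each check costs at least two DNS round trips per message, which is the execution time the message refers to.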