Spam.whitelist.rules file question

Steve Hickel smhickel at CHARTERMI.NET
Fri Jan 31 01:35:46 GMT 2003


Thanks,

Steve


On Thu, 2003-01-30 at 07:27, Julian Field wrote:
> At 12:21 30/01/2003, you wrote:
> >So you are saying that he needed to put 194.205.110.133 instead or in
> >addition to?
> 
> Instead.
> 
> Normally the thing in the rule is (a pattern matching) the email address.
> But if it doesn't contain any letters, it interprets it as (a pattern
> matching) the IP address.
> 
> There currently isn't a way of matching the hostname by name, only by number.
> 
> I think that relying on the hostname is actually not very good, as you
> leave yourself open to simple DNS attacks. Say "nasty.com" own the IP
> address range 1.2.3.*. If they set up their DNS server so that the reverse
> record for 1.2.3.4 claims to be "mail.good.com" instead of
> "mail.nasty.com", then any mail from 1.2.3.4 will be treated by your server
> as being from "mail.good.com" instead of "something.nasty.com".
> 
> To be sure this isn't happening to you, you have to do forward and reverse
> lookups and check they all match and are consistent with each other. This
> takes time to execute, and I haven't written it yet.
> 
> 
> >Steve
> >
> >On Thu, 2003-01-30 at 05:03, Julian Field wrote:
> > > At 08:30 30/01/2003, you wrote:
> > > >Yesterday morning I updated the spam.whitelist.rules file (on cheviot1)
> > > >so that it now looks like:
> > > >
> > > >   ....
> > > >   From:  *.messagelabs.com      yes
> > > >   From:  default                no
> > >
> > > So if the envelope sender address ends in ".messagelabs.com" then it is
> > > whitelisted.
> > >
> > > >However at 18:30 a message that should have been whitelisted was in fact
> > > >tagged as spam. The envelope-from address in the tagged message is given
> > > >in:
> > > >
> > > >Received: from mail9.messagelabs.com
> > >
> > > That's the name of the host, not the email address that sent the message to
> > > you.
> > >
> > > If you want to whitelist mail from specific IP addresses, then you need to
> > > whitelist those specific numeric IPs (or use a regular expression that
> > > covers them).
> > >
> > > >       (mail9.messagelabs.com [194.205.110.133])
> > > >         by cheviot1.ncl.ac.uk (8.10.1/8.10.1) with SMTP id h0TIU5k31581
> > > >         for <x.x.xxx at ncl.ac.uk>; Wed, 29 Jan 2003 18:30:05 GMT
> > > >
> > > >Other whitelisted entries appear to be working OK so I am perplexed as
> > > >to why this one was tagged.
> > > >
> > > >Quentin
> > > >---
> > > >PHONE: +44 191 222 8209    Computing Service, University of Newcastle
> > > >FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
> > > >------------------------------------------------------------------------
> > > >"Any opinion expressed above is mine. The University can get its own."
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> >--
> >Steve Hickel <smhickel at chartermi.net>
> 
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
-- 
Steve Hickel <smhickel at chartermi.net>
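
Added example, not part of the original thread and not MailScanner code: a sketch of the forward and reverse lookup consistency check described in the quoted reply above, run against the thread's 1.2.3.4 / "mail.good.com" scenario. The function names, the sample tables and the address 5.6.7.8 are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample DNS data mirroring the example in the thread:
# the owner of 1.2.3.4 controls its PTR record and claims a good.com name,
# but good.com's own A record points elsewhere (5.6.7.8 is made up).
SAMPLE_PTR = {"1.2.3.4": ["mail.good.com"], "5.6.7.8": ["mail.good.com"]}
SAMPLE_A = {"mail.good.com": ["5.6.7.8"]}

def dns_reverse(ip):
    """PTR lookup: hostnames the owner of the IP range claims for ip."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def dns_forward(host):
    """A/AAAA lookup: addresses published by the owner of the hostname."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except OSError:
        return []

def confirmed_hostnames(ip, reverse=dns_reverse, forward=dns_forward):
    """Return the PTR names for ip whose forward lookup leads back to ip."""
    wanted = ipaddress.ip_address(ip)
    confirmed = []
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr) == wanted:
                    confirmed.append(name)
                    break
            except ValueError:
                continue  # skip anything that is not a plain IP literal
    return confirmed

def host_in_domain(ip, domain, reverse=dns_reverse, forward=dns_forward):
    """True only if a forward-confirmed name for ip is domain or inside it."""
    domain = domain.lower()
    return any(n == domain or n.endswith("." + domain)
               for n in confirmed_hostnames(ip, reverse, forward))

if __name__ == "__main__":
    lookups = dict(reverse=lambda ip: SAMPLE_PTR.get(ip, []),
                   forward=lambda host: SAMPLE_A.get(host, []))
    print(host_in_domain("1.2.3.4", "good.com", **lookups))  # spoofed PTR
    print(host_in_domain("5.6.7.8", "good.com", **lookups))  # consistent
```

With the default resolvers each check costs at least two DNS round trips per connecting host, which is the execution time the reply mentions.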