Spammers circumvent MS
Julian Field
mailscanner at ecs.soton.ac.uk
Sat May 10 10:33:39 IST 2003
At 00:22 10/05/2003, you wrote:
>You don't want a company-wide address to be accessible from the
>"outside". I never did resolve this in Sendmail, but it might be
>interesting to revisit this one.
This can be done very easily in sendmail, if you are trying to protect
company-wide mailing lists. You have to accept valid users in your company
of course, as otherwise you would never accept any mail at all.
We have a large bunch of email addresses which, for the sake of this
example, all end in "-foo" or "-foo-0" or "-foo-1" etc up to "-foo-9". The
"-foo-digit" ones are sublists that are used to construct each "-foo" list,
purely because the lists are larger than the maximum record size allowed in
aliases tables.
In my sendmail.mc there is this:
KIsEcsList2 regex -a@MATCH ^.*-foo(-[0-9])?$
LOCAL_RULESETS
SLocal_check_rcpt
R$*				$: $>3 $1				Focus on host
R$*				$: $>"QualifyDomain" $1			Make fully-qualified
R$* <@ $* $m. > $*		$1 <@ *LOCAL* >				Is recipient an ECS address?
R$* <@ *LOCAL* > $*		$: $(IsEcsList2 $1 $) <@ *LOCAL* > $2	ECS list?
R@MATCH <@ *LOCAL* > $*		$#error $@ 5.1.2 $: Please contact ECS Help Desk
# If address is unqualified, add *LOCAL* as the destination hostname.
SQualifyDomain
R$* < @ $* > $*			$@ $1 < @ $2 > $3			Already fully qualified
R$+				$@ $1 < @ *LOCAL* >			Add local qualification
Repeat the lines containing "IsEcsList2" as many times as are necessary for
the number of regular expressions you need to create to match all your
company-wide mailing lists. We intentionally made them all end in "-foo" so
that this could be done more easily.
Okay, so maybe this isn't "very easy" like I said at the top, but it sure
works. No-one outside can spam our internal lists. Anyone on the inside
doing it gets dropped from a great height.
>At 04:35 PM 5/9/2003 -0600, you wrote:
>>I have brought this up before, with no resolution. Now spammers seem to be
>>catching on.
>>They are sending spam with multiple users from my domain in the To and CC
>>fields of the envelope.
>>The more local addresses they stuff in, the higher the chance they will hit
>>one that is whitelisted and then the whole email is whitelisted.
>>I know people have told me that because there is only one physical email for
>>many recipients that we can't block for some users and not others on the
>>same email.
>>My question is what can we do? I have emails with a score over 10 SA points
>>to be deleted. Is there a way to delete emails with a set score even if
>>that email hits a whitelisted address?
>>Any suggestions would be great.
>>
>>Thanks
>>Derrick Georgiades
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
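
An added example, not part of the original post or of MailScanner: the check_rcpt rules above test the recipient address as it is given in RCPT TO, before alias expansion, so only alias names that match the regex are rejected. This Python sketch audits an aliases file for names the pattern covers and for unmatched aliases that expand to a covered list; the aliases content and all names in it are constructed for illustration.

```python
import re

# Same pattern as the IsEcsList2 regex map in the post.
PROTECTED = re.compile(r"^.*-foo(-[0-9])?$")
# Constructed aliases-file content with hypothetical names (not from the post).
SAMPLE_ALIASES = """\
staff-foo: staff-foo-0, staff-foo-1
staff-foo-0: alice, bob
staff-foo-1: carol,
    dave
everyone: staff-foo
chain: everyone
helpdesk: alice, bob
staff-foo-10: erin
"""

def parse_aliases(text):
    """Return {alias: [targets]}; indented lines continue the previous entry."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            rhs = raw
        else:
            name, _, rhs = raw.partition(":")
            current = name.strip().lower()
            aliases[current] = []
        aliases[current] += [t.strip().lower() for t in rhs.split(",") if t.strip()]
    return aliases

def is_protected(name):
    return PROTECTED.match(name) is not None  # would hit the $#error rule

def reaches_protected(name, aliases, seen=None):
    """True if expanding this alias leads, at any depth, to a protected name."""
    seen = set() if seen is None else seen
    for target in aliases.get(name, []):
        if target not in seen:
            seen.add(target)
            if is_protected(target) or reaches_protected(target, aliases, seen):
                return True
    return False

def audit(text):
    """Return (names rejected at RCPT, unmatched names that expand to them)."""
    a = parse_aliases(text)
    return (sorted(n for n in a if is_protected(n)),
            sorted(n for n in a if not is_protected(n) and reaches_protected(n, a)))
```

`audit(SAMPLE_ALIASES)` lists "everyone" and "chain" as unmatched names that still deliver to the staff list, and shows that a two-digit sublist such as "staff-foo-10" falls outside the single-digit pattern.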