Spammers circumvent MS

Forrest Aldrich forrie at FORRIE.COM
Thu May 15 20:32:11 IST 2003

How do you deal with or handle roaming users with this ruleset?  That, as
I recall, was where I got stuck.

We use DRAC here to "authorize" remote relaying; so one presumes that the
user needs to authenticate first with IMAP or POP to get into that
database.  Then the rules would need to consult that also.

At 10:33 AM 5/10/2003 +0100, you wrote:
>At 00:22 10/05/2003, you wrote:
>>You don't want a company-wide address to be accessible from the
>>"outside".   I never did resolve this in Sendmail, but it might be
>>interesting to revisit this one.
>This can be done very easily in sendmail, if you are trying to protect
>company-wide mailing lists. You have to accept valid users in your company
>of course, as otherwise you would never accept any mail at all.
>We have a large bunch of email addresses which, for the sake of this
>example, all end in "-foo" or "-foo-0" or "-foo-1" etc up to "-foo-9". The
>"-foo-digit" ones are sublists that are used to construct each "-foo" list,
>purely because the lists are larger than the maximum record size allowed in
>aliases tables.
>In my there is this:
>KIsEcsList2 regex -a@MATCH ^.*-foo(-[0-9])?$
>R$*                     $: $>3 $1               Focus on host
>R$*                     $: $>"QualifyDomain" $1 Make fully-qualified
>R$* <@ $* $m. > $*      $1 <@ *LOCAL* >         Is recipient an ECS address?
>R$* <@ *LOCAL* > $*     $: $(IsEcsList2 $1 $) <@ *LOCAL* > $2   ECS list?
>R@MATCH <@ *LOCAL* > $* $#error $@ 5.1.2 $: Please contact ECS Help Desk
># If address is unqualified, add *LOCAL* as the destination hostname.
>R$* < @ $* > $*         $@ $1 < @ $2 > $3       Already fully qualified
>R$+                     $@ $1 < @ *LOCAL* >     Add local qualification
>Repeat the lines containing "IsEcsList2" as many times as are necessary for
>the number of regular expressions you need to create to match all your
>company-wide mailing lists. We intentionally made them all end in "-foo" so
>that this could be done more easily.
>Okay, so maybe this isn't "very easy" like I said at the top, but it sure
>works. No-one outside can spam our internal lists. Anyone on the inside
>doing it gets dropped from a great height.
>>At 04:35 PM 5/9/2003 -0600, you wrote:
>>>I have brought this up before, with no resolution.  Now spammers seem to be
>>>catching on.
>>>They are sending spam with multiple users from my domain in the To and CC
>>>fields of the envelope.
>>>The more local addresses they stuff in, the higher the chance they will hit
>>>one that is whitelisted and then the whole email is whitelisted.
>>>I know people have told me that because there is only one physical email for
>>>many recipients that we can't block for some users and not others on the
>>>same email.
>>>My question is what can we do?  I have emails with a score over 10 SA points
>>>to be deleted.  Is there a way to delete emails with a set score even if
>>>that email hits a whitelisted address?
>>>Any suggestions would be great.
>>>Derrick Georgiades
>Julian Field
>Professional Support Services at
>MailScanner thanks transtec Computers for their support
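
Added example, not part of the thread and not code from either poster: a Python model of the recipient decision discussed above, combining the "-foo" list regex from the quoted ruleset with the roaming-user lookup asked about in the reply. Assumptions: example.org stands in for $m, 192.0.2.0/24 is the inside network, the DRAC database is modelled as a plain set of client IPs, and matching is case-insensitive.

```python
import ipaddress
import re

# Same pattern as the IsEcsList2 regex map in the quoted ruleset.
# Case-insensitive matching is an assumption of this sketch.
LIST_RE = re.compile(r"^.*-foo(-[0-9])?$", re.IGNORECASE)

LOCAL_DOMAIN = "example.org"                            # assumed stand-in for $m
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed inside network
REJECT = "5.1.2 Please contact ECS Help Desk"


def is_protected_list(rcpt):
    """True when rcpt is a local address whose user part matches the list regex."""
    user, _, domain = rcpt.strip("<>").rpartition("@")
    if not user:  # unqualified address: treat it as local
        user, domain = domain, LOCAL_DOMAIN
    domain = domain.rstrip(".").lower()
    is_local = domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN)
    return is_local and LIST_RE.match(user) is not None


def check_rcpt(rcpt, client_ip, drac_ips):
    """Return "OK" or the rejection text for one RCPT TO from one client."""
    if not is_protected_list(rcpt):
        return "OK"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return "OK"  # client is on the inside
    if client_ip in drac_ips:
        return "OK"  # roaming user already authorised through POP/IMAP login
    return REJECT


if __name__ == "__main__":
    drac = {"203.0.113.7"}  # constructed sample of currently authorised client IPs
    samples = [
        ("all-staff-foo@example.org", "198.51.100.9"),     # outside, to a list
        ("all-staff-foo-3@example.org", "203.0.113.7"),    # roaming, authorised
        ("all-staff-foo-10@example.org", "198.51.100.9"),  # two digits: no match
        ("bob@example.org", "198.51.100.9"),               # ordinary user
    ]
    for rcpt, ip in samples:
        print(f"{ip:15} {rcpt:32} {check_rcpt(rcpt, ip, drac)}")
```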
