Blocking from my own forged domain

Stephe Campbell campbell at CNPAPERS.COM
Tue May 4 14:38:30 IST 2004


I was hoping that the spam.assassin.prefs.conf whitelist/blacklist config
options would provide an answer, but answers from the list showed me I still
have a problem.

I am getting email to users at our domains with forged From: addresses.
These From: addresses are valid email addresses. Since I have our domains
whitelisted, they pass right on through. The maillog of one looks like this:

May  3 18:47:56 kanawha sendmail[16091]: i43MluL16091: from=<userfrom at wvgazette.com>, size=983, class=0, nrcpts=1, msgid=<pnakulpwbtyuagbnzqv at wvgazette.com>, proto=SMTP, daemon=Daemon0, relay=mailgw2.cnpapers.net [216.30.205.19]
May  3 18:47:56 kanawha sendmail[16091]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:00, mailer=virtual, pri=30983, stat=queued
May  3 18:47:56 kanawha MailScanner[443]: Message i43MluL16091 from 216.30.205.19 (userfrom at wvgazette.com) is whitelisted
May  3 18:48:03 kanawha sendmail[16121]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:07, xdelay=00:00:00, mailer=virtual, pri=120983, relay=wvgazette.com, dsn=2.0.0, stat=Sent

The headers look like:

Return-Path: <g>
Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])
by kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091
for <userto at wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400
Received: from Default.org ([24.196.186.68])
by mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054
for <userto at wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400
Date: Mon, 03 May 2004 18:56:21 -0500
To: "Katelong" <userto at wvgazette.com>
From: "Flipside" <userfrom at wvgazette.com>
Subject: Protected message
Message-ID: <pnakulpwbtyuagbnzqv at wvgazette.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------tczhvztzqbrmhhiumsom"

The mailgw2 is a Norton Mail Gateway AV machine outside our firewall (for
now). It is our MX for the domain and forwards to the MS/Sendmail box. I
have wvgazette.com whitelisted. Obviously, moving the mailgw2 machine inside
a firewall would allow me to block IP 24.196.186.68, but until I do, which
could take some time, is there anything obvious to anyone that would allow
me to block any of the above message types? "userto" and "userfrom" are real
addresses.

Blocking the IP address, if it is forged, though, would not solve the
problem at a firewall. They could just change the IP and beat us up all over
again. I'm thinking whitelisting IP addresses instead of domain names, but
does this need to be set up in the CustomFunctions or can I just add this
into my spam.whitelist.rules, and would this work as below?

From:    111.222.333.444    yes

Any solid solutions or ideas would be appreciated, as well as any failings
of this idea of IP blocking being brought forth and pointed out to me.

Steve Campbell
campbell at cnpapers.com
Charleston Newspapers

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
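One way to act on the IP idea raised in the post: since every inbound message reaches the MailScanner box via mailgw2, the address it sees (216.30.205.19) is the same for all mail, so the check below instead walks the Received: chain and uses the client IP that handed the message to the gateway. This is an added example written for this thread, not MailScanner's own code or ruleset syntax; the sample headers are rebuilt from the ones quoted above (with "at" restored to "@"), and the internal network 10.0.0.0/8 is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, rebuilt from the headers quoted in the post.
SAMPLE_HEADERS = (
    "Return-Path: <g>\n"
    "Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])\n"
    "\tby kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091\n"
    "\tfor <userto@wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400\n"
    "Received: from Default.org ([24.196.186.68])\n"
    "\tby mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054\n"
    "\tfor <userto@wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400\n"
    "From: \"Flipside\" <userfrom@wvgazette.com>\n"
    "To: \"Katelong\" <userto@wvgazette.com>\n"
    "Subject: Protected message\n"
)

LOCAL_DOMAINS = {"wvgazette.com"}
# Our own hops: the AV gateway that relays everything to the MailScanner box.
TRUSTED_RELAYS = [ip_network("216.30.205.19/32")]
# Where legitimate local-domain senders come from (assumption: an internal LAN).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw: str) -> list[str]:
    """Join RFC 2822 continuation lines so each header is one string."""
    return re.sub(r"\n[ \t]+", " ", raw).splitlines()

def header_values(headers: list[str], name: str) -> list[str]:
    prefix = name.lower() + ":"
    return [h.split(":", 1)[1].strip() for h in headers if h.lower().startswith(prefix)]

def originating_ip(raw: str):
    """Newest Received: first; return the first client IP that is not one of our relays."""
    for rcvd in header_values(unfold(raw), "Received"):
        m = IP_RE.search(rcvd)
        if not m:
            continue
        ip = ip_address(m.group(1))
        if not any(ip in net for net in TRUSTED_RELAYS):
            return ip
    return None

def from_domain(raw: str) -> str:
    froms = header_values(unfold(raw), "From")
    m = re.search(r"@([\w.-]+)", froms[0]) if froms else None
    return m.group(1).lower() if m else ""

def forged_local_sender(raw: str) -> bool:
    """True when From: claims one of our domains but the message entered from outside."""
    ip = originating_ip(raw)
    outside = ip is None or not any(ip in net for net in INTERNAL_NETS)
    return from_domain(raw) in LOCAL_DOMAINS and outside
```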
