Blocking from my own forged domain

David Hooton david at PLATFORMHOSTING.COM
Tue May 4 14:47:26 IST 2004


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Stephe Campbell
> Sent: Tuesday, 4 May 2004 11:39 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Blocking from my own forged domain
> 
> I was hoping that the spam.assassin.prefs.conf whitelist/blacklist config
> options would provide an answer, but answers from the list showed me I still
> have a problem.
> 
> I am getting email to users at our domains with forged From: addresses.
> These From: addresses are valid email addresses. Since I have our domains
> whitelisted, they pass right on through. The maillog of one looks like
> this:
> 
> May  3 18:47:56 kanawha sendmail[16091]: i43MluL16091: from=<userfrom at wvgazette.com>, size=983, class=0, nrcpts=1, msgid=<pnakulpwbtyuagbnzqv at wvgazette.com>, proto=SMTP, daemon=Daemon0, relay=mailgw2.cnpapers.net [216.30.205.19]
> May  3 18:47:56 kanawha sendmail[16091]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:00, mailer=virtual, pri=30983, stat=queued
> May  3 18:47:56 kanawha MailScanner[443]: Message i43MluL16091 from 216.30.205.19 (userfrom at wvgazette.com) is whitelisted
> May  3 18:48:03 kanawha sendmail[16121]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:07, xdelay=00:00:00, mailer=virtual, pri=120983, relay=wvgazette.com, dsn=2.0.0, stat=Sent
> 
> The headers look like:
> 
> Return-Path: <g>
> Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])
>     by kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091
>     for <userto at wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400
> Received: from Default.org ([24.196.186.68])
>     by mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054
>     for <userto at wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400
> Date: Mon, 03 May 2004 18:56:21 -0500
> To: "Katelong" <userto at wvgazette.com>
> From: "Flipside" <userfrom at wvgazette.com>
> Subject: Protected message
> Message-ID: <pnakulpwbtyuagbnzqv at wvgazette.com>
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="--------tczhvztzqbrmhhiumsom"
> 
> The mailgw2 is a Norton Mail Gateway AV machine outside our firewall (for
> now). It is our MX for the domain and forwards to the MS/Sendmail box. I
> have wvgazette.com whitelisted. Obviously, moving the mailgw2 machine inside
> a firewall would allow me to block IP 24.196.186.68, but until I do, which
> could take some time, is there anything obvious to anyone that would allow
> me to block any of the above message types? "userto" and "userfrom" are real
> addresses.
> 
> Blocking the IP address, if it is forged, though, would not solve the
> problem at a firewall. They could just change the IP and beat us up all over
> again. I'm thinking whitelisting IP addresses instead of domain names, but
> does this need to be set up in the CustomFunctions or can I just add this
> into my spam.whitelist.rules, and would this work as below?
> 
> From:    111.222.333.444    yes
> 
> Any solid solutions or ideas would be appreciated, as well as any failings
> of this idea of IP blocking being brought forth and pointed out to me.


How about a spamassassin rule?  Are there any commonalities between all the
message bodies, headers & subjects?

You could create a meta rule that if more than X number of meta rules are
hit, a high score is added to the message.

We have had a few similar issues with joe jobbed customers, however it took
a very large sample of messages for us to develop a good ruleset.

Cheers,

Dave


========================================================================
 Pain free spam & virus protection by:          www.mailsecurity.net.au
 Forward undetected SPAM to:                   spam at mailsecurity.net.au
========================================================================
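As an added example (not code from either poster), here is the check the thread is circling around: trust a From: address in one of our own domains only if the message's first untrusted hop, found by walking the Received headers past relays we operate, is an address we control. The trusted ranges, the header sample (rebuilt from the headers quoted above, with the archive's "at" restored to "@"), the 192.0.2.0/24 stand-in for the internal LAN and the function names are all assumptions.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAINS = {"wvgazette.com"}
# Assumed trust list: the external MX gateway from the thread plus a placeholder LAN (192.0.2.0/24 stands in for the real internal range).
TRUSTED_NETS = [ipaddress.ip_network("216.30.205.19/32"), ipaddress.ip_network("192.0.2.0/24")]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed from the headers quoted in the thread (folded lines kept, "at" restored to "@").
SAMPLE = """Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])
 by kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091
 for <userto@wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400
Received: from Default.org ([24.196.186.68])
 by mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054
 for <userto@wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400
From: "Flipside" <userfrom@wvgazette.com>
To: "Katelong" <userto@wvgazette.com>
Subject: Protected message

body
"""
# Same chain, but the hop behind the gateway is a LAN host (constructed legitimate case).
LEGIT = SAMPLE.replace("Default.org ([24.196.186.68])", "pc1 ([192.0.2.10])")

def trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def origin_ip(msg):
    """Walk Received headers newest-first, skipping hops we operate; return the first outside client IP."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(hdr)
        if m and not trusted(ipaddress.ip_address(m.group(1))):
            return ipaddress.ip_address(m.group(1))
    return None  # every hop was one of ours: the mail really did originate inside

def origin_ip_of(raw):
    ip = origin_ip(message_from_string(raw))
    return str(ip) if ip else None

def forged_own_domain(raw):
    """True when From: claims one of our domains but the mail entered from an address we do not control."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return domain in OWN_DOMAINS and origin_ip(msg) is not None

if __name__ == "__main__":
    print(origin_ip_of(SAMPLE), forged_own_domain(SAMPLE))  # 24.196.186.68 True
    print(origin_ip_of(LEGIT), forged_own_domain(LEGIT))    # None False
```

The domain whitelist in the post keys on the claimed From:, which anyone can write; this keys on the connecting address recorded by our own relay, which the sender cannot choose.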
