Blocking from my own forged domain

Rick Cooper rcooper at DWFORD.COM
Tue May 4 15:16:30 IST 2004


If I am getting this right, userfrom at wvgazette.com is a valid user at a domain
handled by mailgw2.cnpapers.net for kanawha.cnpapers.net, which are your mail
servers?

Wouldn't it be prudent to block this at the mail server rather than allow it
in the first place? I assume sendmail (I use exim) has the facility to
compare the sender host's address to some kind of list of local addresses to make
sure they are valid within your address space(s). I would also recommend
requiring authenticated sending from within your domain(s) only; that would
pretty much stop this as well. I basically allow authenticated senders
(verify recipient) and then deny local sender domains not from local (our
address space(s)) host addresses.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Stephe Campbell
> Sent: Tuesday, May 04, 2004 8:39 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Blocking from my own forged domain
>
>
> I was hoping that the spam.assassin.prefs.conf whitelist/blacklist config
> options would provide an answer, but answers from the list showed me I still
> have a problem.
>
> I am getting email to users at our domains with forged From: addresses.
> These From: addresses are valid email addresses. Since I have our domains
> whitelisted, they pass right on through. The maillog of one looks like this:
>
> May  3 18:47:56 kanawha sendmail[16091]: i43MluL16091: from=<userfrom at wvgazette.com>, size=983, class=0, nrcpts=1, msgid=<pnakulpwbtyuagbnzqv at wvgazette.com>, proto=SMTP, daemon=Daemon0, relay=mailgw2.cnpapers.net [216.30.205.19]
> May  3 18:47:56 kanawha sendmail[16091]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:00, mailer=virtual, pri=30983, stat=queued
> May  3 18:47:56 kanawha MailScanner[443]: Message i43MluL16091 from 216.30.205.19 (userfrom at wvgazette.com) is whitelisted
> May  3 18:48:03 kanawha sendmail[16121]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:07, xdelay=00:00:00, mailer=virtual, pri=120983, relay=wvgazette.com, dsn=2.0.0, stat=Sent
>
> The headers look like:
>
> Return-Path: <g>
> Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])
>     by kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091
>     for <userto at wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400
> Received: from Default.org ([24.196.186.68])
>     by mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054
>     for <userto at wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400
> Date: Mon, 03 May 2004 18:56:21 -0500
> To: "Katelong" <userto at wvgazette.com>
> From: "Flipside" <userfrom at wvgazette.com>
> Subject: Protected message
> Message-ID: <pnakulpwbtyuagbnzqv at wvgazette.com>
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="--------tczhvztzqbrmhhiumsom"
>
> The mailgw2 is a Norton Mail Gateway AV machine outside our firewall (for
> now). It is our MX for the domain and forwards to the MS/Sendmail box. I
> have wvgazette.com whitelisted. Obviously, moving the mailgw2 machine inside
> a firewall would allow me to block IP 24.196.186.68, but until I do, which
> could take some time, is there anything obvious to anyone that would allow
> me to block any of the above message types? "userto" and "userfrom" are real
> addresses.
>
> Blocking the IP address, if it is forged, though, would not solve the
> problem at a firewall. They could just change the IP and beat us up all over
> again. I'm thinking whitelisting IP addresses instead of domain names, but
> does this need to be set up in the CustomFunctions or can I just add this
> into my spam.whitelist.rules, and would this work as below?
>
> From:    111.222.333.444    yes
>
> Any solid solutions or ideas would be appreciated, as well as any failings
> of this idea of IP blocking being brought forth and pointed out to me.
>
> Steve Campbell
> campbell at cnpapers.com
> Charleston Newspapers
>

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
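The check Rick describes (accept a local sender domain only from our own address space or from an authenticated session, otherwise reject) can be tried out against the headers Steve quoted. The Python below is an added example, not code from the thread or from MailScanner/sendmail/exim: it walks the Received: chain newest-first, skips hops that came from our own relays, and treats the first hop from outside our networks as the originating client. The local domain list, the 216.30.205.0/24 "local address space", and the sample headers (reconstructed from the quoted message with the original folding restored) are assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for the example: domains we host and the address space our own
# relays (mailgw2, kanawha) live in. Adjust to the real environment.
LOCAL_DOMAINS = {"wvgazette.com", "cnpapers.net", "cnpapers.com"}
LOCAL_NETWORKS = [ipaddress.ip_network("216.30.205.0/24")]

# First bracketed IPv4 literal in a Received: header is the "from" host.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Reconstructed from the headers quoted in the thread (continuation lines
# re-indented so the email parser sees them as folded headers).
SAMPLE_HEADERS = """\
Return-Path: <g>
Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])
\tby kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091
\tfor <userto@wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400
Received: from Default.org ([24.196.186.68])
\tby mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054
\tfor <userto@wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400
Date: Mon, 03 May 2004 18:56:21 -0500
To: "Katelong" <userto@wvgazette.com>
From: "Flipside" <userfrom@wvgazette.com>
Subject: Protected message
Message-ID: <pnakulpwbtyuagbnzqv@wvgazette.com>
MIME-Version: 1.0

"""

# Constructed counter-example: same sender domain, but the message entered
# from a host inside our own address space (a hypothetical internal client).
INTERNAL_SAMPLE_HEADERS = """\
Received: from desk42.example.internal ([216.30.205.77])
\tby kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id EXAMPLE0001
\tfor <userto@wvgazette.com>; Mon, 3 May 2004 19:00:00 -0400
From: "Colleague" <someone@wvgazette.com>
To: <userto@wvgazette.com>
Subject: internal note

"""


def is_local_ip(ip):
    """True if the address falls inside our own address space."""
    return any(ip in net for net in LOCAL_NETWORKS)


def originating_ip(msg):
    """Return the first Received: 'from' address that is not one of our
    own relays, i.e. the host that handed the message to our perimeter.
    Headers are stored newest-first, so the walk goes outward hop by hop."""
    for hdr in msg.get_all("Received", []):
        match = IP_RE.search(hdr)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if not is_local_ip(ip):
            return ip
    return None


def check_sender(raw_headers, authenticated=False):
    """Apply Rick's policy to one message's headers.

    Returns (verdict, origin, reason) where origin is the originating
    host as a string (or None when no external hop was found)."""
    msg = message_from_string(raw_headers)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    origin = originating_ip(msg)
    origin_str = str(origin) if origin is not None else None

    if domain not in LOCAL_DOMAINS:
        return ("accept", origin_str, "foreign sender domain; normal filtering applies")
    if authenticated:
        return ("accept", origin_str, "authenticated submission from our domain")
    if origin is None or is_local_ip(origin):
        return ("accept", origin_str, "local domain sent from local address space")
    return ("reject", origin_str,
            f"local sender domain {domain} from non-local host {origin_str}")


if __name__ == "__main__":
    for label, hdrs in (("forged", SAMPLE_HEADERS), ("internal", INTERNAL_SAMPLE_HEADERS)):
        verdict, origin, reason = check_sender(hdrs)
        print(f"{label}: {verdict} (origin={origin}) - {reason}")
```

Run as a script, the quoted message is rejected because the From: domain is ours but the hop that reached mailgw2 came from 24.196.186.68, outside the assumed local range, while the constructed internal message is accepted. The same test is what an MTA-level rule would enforce at SMTP time, before MailScanner's whitelist ever sees the message; the whitelist entry Steve asked about keys on the From: domain, which is exactly the field the forger controls.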




More information about the MailScanner mailing list