Blocking from my own forged domain
Stephe Campbell
campbell at CNPAPERS.COM
Tue May 4 17:32:27 IST 2004
Mr. Cooper,
You're right in your evaluation of the first paragraph below.
Again, you are right in thinking that blocking at the mail server would be
more effective. Unfortunately, I use linuxconf to maintain my virtual email
domains, and it is limited in some aspects of its Sendmail functions. I am
not sure if I can block based on sender host address compared to local
address. As far as authentication goes, I'm not sure how to set up sender
authentication, and this may be one of the limitations of linuxconf
sendmail. I have started looking at some sendmail stubs that work with
linuxconf.
If you have the time someday, you might point out what you could on this
subject. In the meantime, I will explore this on my own.
Thank you very much.
Steve Campbell
campbell at cnpapers.com
Charleston Newspapers
----- Original Message -----
From: "Rick Cooper" <rcooper at DWFORD.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Tuesday, May 04, 2004 10:16 AM
Subject: Re: Blocking from my own forged domain
If I am getting this right, userfrom at wvgazette.com is a valid user at a domain
handled by mailgw2.cnpapers.net for kanawha.cnpapers.net, which are your mail
servers?

Wouldn't it be prudent to block this at the mail server rather than allow it
in the first place? I assume sendmail (I use exim) has the facility to
compare the sender host's address to some kind of list of local addresses to make
sure they are valid within your address space(s). I would also recommend
requiring authenticated sending from within your domain(s) only; that would
pretty much stop this as well. I basically allow authenticated senders
(verify recipient) and then deny local sender domains not from local (our
address space(s)) host addresses.
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Stephe Campbell
> Sent: Tuesday, May 04, 2004 8:39 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Blocking from my own forged domain
>
>
> I was hoping that the spam.assassin.prefs.conf whitelist/blacklist config
> options would provide an answer, but answers from the list showed me I still
> have a problem.
>
> I am getting email to users at our domains with forged From: addresses.
> These From: addresses are valid email addresses. Since I have our domains
> whitelisted, they pass right on through. The maillog of one looks like this:
>
> May 3 18:47:56 kanawha sendmail[16091]: i43MluL16091: from=<userfrom at wvgazette.com>, size=983, class=0, nrcpts=1, msgid=<pnakulpwbtyuagbnzqv at wvgazette.com>, proto=SMTP, daemon=Daemon0, relay=mailgw2.cnpapers.net [216.30.205.19]
> May 3 18:47:56 kanawha sendmail[16091]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:00, mailer=virtual, pri=30983, stat=queued
> May 3 18:47:56 kanawha MailScanner[443]: Message i43MluL16091 from 216.30.205.19 (userfrom at wvgazette.com) is whitelisted
> May 3 18:48:03 kanawha sendmail[16121]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:07, xdelay=00:00:00, mailer=virtual, pri=120983, relay=wvgazette.com, dsn=2.0.0, stat=Sent
>
> The headers look like:
>
> Return-Path: <g>
> Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])
>     by kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091
>     for <userto at wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400
> Received: from Default.org ([24.196.186.68])
>     by mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054
>     for <userto at wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400
> Date: Mon, 03 May 2004 18:56:21 -0500
> To: "Katelong" <userto at wvgazette.com>
> From: "Flipside" <userfrom at wvgazette.com>
> Subject: Protected message
> Message-ID: <pnakulpwbtyuagbnzqv at wvgazette.com>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>     boundary="--------tczhvztzqbrmhhiumsom"
>
> The mailgw2 is a Norton Mail Gateway AV machine outside our firewall (for
> now). It is our MX for the domain and forwards to the MS/Sendmail box. I
> have wvgazette.com whitelisted. Obviously, moving the mailgw2 machine inside
> a firewall would allow me to block IP 24.196.186.68, but until I do, which
> could take some time, is there anything obvious to anyone that would allow
> me to block any of the above message types? "userto" and "userfrom" are real
> addresses.
>
> Blocking the IP address, if it is forged, though, would not solve the
> problem at a firewall. They could just change the IP and beat us up all over
> again. I'm thinking of whitelisting IP addresses instead of domain names, but
> does this need to be set up in the CustomFunctions or can I just add this
> into my spam.whitelist.rules, and would this work as below?
>
> From: 111.222.333.444 yes
>
> Any solid solutions or ideas would be appreciated, as well as any failings
> of this idea of IP blocking being brought forth and pointed out to me.
>
> Steve Campbell
> campbell at cnpapers.com
> Charleston Newspapers
>
> -------------------------- MailScanner list ----------------------
> To leave, send leave mailscanner to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/ and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
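The rule Rick describes above (a sender in one of your own domains is accepted only from your own hosts or over an authenticated session), run against the headers Steve posted, as an added example that is not MailScanner code and not either poster's own. It also shows the catch in this particular setup: kanawha sees the message arrive from mailgw2, which is a local address, so the check only works if it is applied at the border (mailgw2) or if the Received: chain is walked back past your own relays to the real originating client. LOCAL_DOMAINS, LOCAL_NETWORKS (a /24 guessed around mailgw2's address), TRUSTED_RELAYS and the SAMPLE_HEADERS text (the posted headers with the archive's "at" obfuscation undone) are constructed assumptions for the illustration, not facts from the thread.

```python
"""Rick's local-sender rule, applied at the final hop and at the border (added example)."""
import ipaddress
import re

LOCAL_DOMAINS = {"wvgazette.com", "cnpapers.com", "cnpapers.net"}   # assumption
LOCAL_NETWORKS = [ipaddress.ip_network("216.30.205.0/24"),          # assumption
                  ipaddress.ip_network("127.0.0.0/8")]
TRUSTED_RELAYS = {"mailgw2.cnpapers.net", "kanawha.cnpapers.net"}    # our own hops

# Constructed sample: the posted headers, "@" restored, continuation lines indented.
SAMPLE_HEADERS = """\
Return-Path: <g>
Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])
    by kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091
    for <userto@wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400
Received: from Default.org ([24.196.186.68])
    by mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054
    for <userto@wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400
Date: Mon, 03 May 2004 18:56:21 -0500
To: "Katelong" <userto@wvgazette.com>
From: "Flipside" <userfrom@wvgazette.com>
Subject: Protected message
"""

# Matches "from <helo> (<rdns> [<ip>]) by <host>" and "from <helo> ([<ip>]) by <host>".
_RECEIVED = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?:[^\[\)]*\[)?(?P<ip>\d+(?:\.\d+){3})\]?\)"
    r".*?\bby\s+(?P<by>\S+)")


def unfold(headers: str) -> list[str]:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out: list[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_hops(headers: str) -> list[dict]:
    """The Received: chain, most recent hop first (the one our final server stamped)."""
    hops = []
    for line in unfold(headers):
        m = _RECEIVED.match(line)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    return hops


def is_local_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def originating_ip(headers: str) -> str:
    """Skip hops our own relays stamped for each other and return the first outside
    client address. Hops below that were written by the sender and are not trusted;
    a message with no Received: at all was submitted locally."""
    hops = received_hops(headers)
    for hop in hops:
        if hop["by"] in TRUSTED_RELAYS and is_local_ip(hop["ip"]):
            continue
        return hop["ip"]
    return hops[-1]["ip"] if hops else "127.0.0.1"


def sender_domain(sender: str) -> str:
    return sender.strip("<>").rsplit("@", 1)[-1].lower()


def check_local_sender(sender: str, client_ip: str, authenticated: bool = False) -> str:
    """Rick's rule: our own sender domains are accepted only from our address
    space or over an authenticated session; anything else is treated as forged."""
    if sender_domain(sender) not in LOCAL_DOMAINS:
        return "accept"                  # not claiming to be us; other checks apply
    if authenticated or is_local_ip(client_ip):
        return "accept"
    return "reject: local sender domain from outside our address space"


def decide(headers: str, envelope_sender: str, authenticated: bool = False) -> dict:
    """Apply the rule to the client the final hop saw (mailgw2, local, so the forgery
    passes) and to the real originator found by walking the chain (which fails)."""
    hops = received_hops(headers)
    seen_by_final = hops[0]["ip"] if hops else "127.0.0.1"
    origin = originating_ip(headers)
    return {
        "client_seen_by_final_hop": seen_by_final,
        "originating_ip": origin,
        "check_at_final_hop": check_local_sender(envelope_sender, seen_by_final, authenticated),
        "check_at_border": check_local_sender(envelope_sender, origin, authenticated),
    }


if __name__ == "__main__":
    for key, value in decide(SAMPLE_HEADERS, "userfrom@wvgazette.com").items():
        print(f"{key:26} {value}")
```

Walking the Received: chain is only safe because the hops being skipped were stamped by your own servers; the moment a hop is not one of yours, everything beneath it is sender-supplied text. In production the check belongs at SMTP time on the first machine that talks to the outside (here mailgw2), where the connecting address is known directly and the envelope sender can be refused before any data is accepted.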