Blocking from my own forged domain (smtp+spf)

John Breeden jbreeden at PLUMHALL.COM
Tue May 4 19:43:57 IST 2004


I'm assuming that cnpapers.net is your domain. If so you might want to 
check out smtp+spf at http://spf.pobox.com/

jb
Hawaii

Stephe Campbell wrote:

>I was hoping that the spam.assassin.prefs.conf whitelist/blacklist config
>options would provide an answer, but answers from the list showed me I still
>have a problem.
>
>I am getting email to users at our domains with forged From: addresses.
>These From: addresses are valid email addresses. Since I have our domains
>whitelisted, they pass right on through. The maillog of one looks like this:
>
>May  3 18:47:56 kanawha sendmail[16091]: i43MluL16091: from=<userfrom at wvgazette.com>, size=983, class=0, nrcpts=1, msgid=<pnakulpwbtyuagbnzqv at wvgazette.com>, proto=SMTP, daemon=Daemon0, relay=mailgw2.cnpapers.net [216.30.205.19]
>May  3 18:47:56 kanawha sendmail[16091]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:00, mailer=virtual, pri=30983, stat=queued
>May  3 18:47:56 kanawha MailScanner[443]: Message i43MluL16091 from 216.30.205.19 (userfrom at wvgazette.com) is whitelisted
>May  3 18:48:03 kanawha sendmail[16121]: i43MluL16091: to=<userto at wvgazette.com>, delay=00:00:07, xdelay=00:00:00, mailer=virtual, pri=120983, relay=wvgazette.com, dsn=2.0.0, stat=Sent
>
>The headers look like:
>
>Return-Path: <g>
>Received: from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19])
>by kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091
>for <userto at wvgazette.com>; Mon, 3 May 2004 18:47:56 -0400
>Received: from Default.org ([24.196.186.68])
>by mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054
>for <userto at wvgazette.com>; Mon, 03 May 2004 18:50:12 -0400
>Date: Mon, 03 May 2004 18:56:21 -0500
>To: "Katelong" <userto at wvgazette.com>
>From: "Flipside" <userfrom at wvgazette.com>
>Subject: Protected message
>Message-ID: <pnakulpwbtyuagbnzqv at wvgazette.com>
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
>boundary="--------tczhvztzqbrmhhiumsom"
>
>The mailgw2 is a Norton Mail Gateway AV machine outside our firewall (for
>now). It is our MX for the domain and forwards to the MS/Sendmail box. I
>have wvgazette.com whitelisted. Obviously, moving the mailgw2 machine inside
>a firewall would allow me to block IP 24.196.186.68, but until I do, which
>could take some time, is there anything obvious to anyone that would allow
>me to block any of the above message types? "userto" and "userfrom" are real
>addresses.
>
>Blocking the IP address, if it is forged, though, would not solve the
>problem at a firewall. They could just change the IP and beat us up all over
>again. I'm thinking whitelisting IP addresses instead of domain names, but
>does this need to be set up in the CustomFunctions or can I just add this
>into my spam.whitelist.rules, and would this work as below?
>
>From:    111.222.333.444    yes
>
>Any solid solutions or ideas would be appreciated, as well as any failings
>of this idea of IP blocking being brought forth and pointed out to me.
>
>Steve Campbell
>campbell at cnpapers.com
>Charleston Newspapers
>

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
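To make the SPF suggestion concrete against the headers quoted in the post: an SPF check must run on the IP that connected to the MX (here 24.196.186.68, the hop mailgw2 recorded), not on mailgw2's own address, which is why a domain-name whitelist in front of the gateway is blind to the forgery. The code below is an added example, not MailScanner or spf.pobox.com code; the Received lines are taken from the post, while the SPF record for wvgazette.com and the trusted-relay list are constructed assumptions.

```python
import ipaddress
import re

# The two Received headers from the post, outermost hop first (constructed
# from the quoted headers; only the parts the check needs are kept).
RECEIVED = [
    "from mailgw2.cnpapers.net (mailgw2.cnpapers.net [216.30.205.19]) "
    "by kanawha.cnpapers.net (8.11.6/linuxconf) with SMTP id i43MluL16091",
    "from Default.org ([24.196.186.68]) "
    "by mailgw2.cnpapers.net (SAVSMTP 3.1.0.29) with SMTP id M2004050318500904054",
]

# Our own relays: hops they stamped are skipped so the first untrusted
# connecting IP (the real origin) is the one evaluated. Assumption.
TRUSTED_RELAYS = {"216.30.205.19"}

# Hypothetical SPF record (the post names no real one): only the gateway
# network may send as wvgazette.com; anything else hard-fails.
SPF_RECORDS = {"wvgazette.com": "v=spf1 ip4:216.30.205.19 ip4:216.30.205.0/24 -all"}


def origin_ip(received):
    """Return the first connecting IP in the Received chain not owned by us."""
    for line in received:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if m and m.group(1) not in TRUSTED_RELAYS:
            return m.group(1)
    return None


def spf_check(domain, ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF record: ip4 mechanisms plus a final 'all'."""
    rec = records.get(domain)
    if ip is None or rec is None or not rec.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in rec.split()[1:]:
        q = "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return qualifiers[q]
        elif term == "all":
            return qualifiers[q]
    return "neutral"  # record exhausted without a match


def check_message(received, mail_from_domain):
    """Origin IP and SPF result for a message, as a post-delivery header check."""
    ip = origin_ip(received)
    return ip, spf_check(mail_from_domain, ip)
```

Run against the quoted headers, the forged message resolves to origin 24.196.186.68 and fails, while mail actually handed in by the gateway passes; a MailScanner whitelist keyed on the origin IP rather than the From: domain would produce the same split.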