2 spam checking issues...

Julian Field MailScanner at ecs.soton.ac.uk
Mon Mar 28 16:25:28 IST 2005


Bob Jones wrote:

> Hey all,
>
>        We recently implemented spamassassin check through mailscanner
> here and have noticed a couple of issues that we could use some help
> with.  We have set up a ruleset so that mail originating from our
> networks
> bypasses the spam checks and that mail to certain addresses (such as
> abuse, helpdesk, etc) is not checked for spam either.  We are running
> mailscanner version 4.39.6, spamassassin version 3.0.2 and sendmail
> version 8.12.11 on Solaris 9.  Now for the issues:
>
> 1.  We received a message that bypassed the spam check.  The relevant
> header info is:
>
> Received: from 168.24.195.10 ([220.77.201.250])
>        by hermes.bor.usg.edu (8.12.11/8.12.11) with SMTP id
> j2NEuQkB002299; Wed, 23 Mar 2005 09:56:35 -0500 (EST)
>
> The IP address of our mailserver (hermes.bor.usg.edu) is 168.24.195.10.
>  It seems that the spammer used our IP address as his HELO during the
> SMTP connection.  The *actual* IP address of the spammer is within the
> () in the next field.  To determine if a ruleset applies, is mailscanner
> doing a simple grep?  It seems to me that it should be grepping for what
> is within the () and ignore what the HELO was as that can be forged.  Or
> is there an issue here I'm not grasping?

With sendmail, MailScanner uses the IP address at the far end of the
SMTP connection, which should be the real address unless they are doing
some IP spoofing attack (which looks unlikely as it gives away the
220... IP address). It doesn't just use the "Received" address at all.

> 2.  The second is with skipping spam checks for certain addresses.  It
> seems that if an address we have added to the ruleset to skip spam
> checks is listed in the CC or BCC fields (maybe the TO field as well,
> but haven't seen an example of this yet), that message isn't scanned for
> *any* of the recipients.  Is this the expected behavior?  Is there a way
> to work around this issue?

There is a workaround. Currently, when faced with a message with
multiple headers, some of which want spam checks and some of which
don't, it uses the answer for the first recipient. You can change this
so that it uses any of the recipients by editing
/usr/lib/MailScanner/MailScanner/ConfigDefs.pl. Look for the line
starting "SpamChecks". If you look backwards (towards the start of the
file) from there, you will see that it is in the [First,YesNo] section.
Move that line into the [All,YesNo] section, then stop and restart
MailScanner.

Maybe this might be a better place for the option.
What do you think?
What does anyone else think?

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
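The two behaviours discussed in this thread, modelled as an added example (this is not code from the thread or from MailScanner itself): the connecting address in square brackets is what a rule should key on, not the HELO name in front of it, and a per-recipient "skip spam checks" rule gives different results depending on whether only the first recipient or all recipients are consulted. The sample header is modelled on the one Bob quoted; the trusted network, the unchecked addresses and the recipient lists are assumed placeholder values.

```python
import ipaddress
import re

# Constructed sample, modelled on the header quoted in the thread: the HELO
# name claims to be the site's own mail server, but the address in brackets
# (the far end of the SMTP connection, as recorded by sendmail) is different.
SAMPLE_RECEIVED = (
    "Received: from 168.24.195.10 ([220.77.201.250])\n"
    "\tby hermes.bor.usg.edu (8.12.11/8.12.11) with SMTP id j2NEuQkB002299;"
    " Wed, 23 Mar 2005 09:56:35 -0500 (EST)"
)

# Constructed sample of a genuine internal submission (reverse DNS present).
INTERNAL_RECEIVED = (
    "Received: from mail.example.org (mail.example.org [168.24.195.20])\n"
    "\tby hermes.bor.usg.edu (8.12.11/8.12.11) with ESMTP id j2NEuQkB000001"
)

# Assumed: networks whose outbound mail should bypass spam checks.
TRUSTED_NETS = [ipaddress.ip_network("168.24.195.0/24")]

# Assumed: recipients for whom spam checking is switched off.
UNCHECKED_RECIPIENTS = {"abuse@example.org", "helpdesk@example.org"}

# sendmail writes "from HELO (REVDNS [IP])" or "from HELO ([IP])".
_RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\([^\[\)]*\[(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.DOTALL,
)


def parse_received(header):
    """Split a sendmail Received header into the HELO name and connecting IP."""
    m = _RECEIVED_RE.match(header)
    if not m:
        return None
    return {"helo": m.group("helo"), "ip": m.group("ip")}


def _in_trusted_net(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False          # a hostname, not an address
    return any(addr in net for net in TRUSTED_NETS)


def helo_is_trusted(header):
    """The naive check Bob feared: grep the header and trust the HELO."""
    parsed = parse_received(header)
    return bool(parsed) and _in_trusted_net(parsed["helo"])


def connecting_ip_is_trusted(header):
    """The correct check: trust only the bracketed connecting address."""
    parsed = parse_received(header)
    return bool(parsed) and _in_trusted_net(parsed["ip"])


def spam_check_wanted(recipients, mode="first"):
    """Per-recipient rule evaluation.

    'first': use the answer for the first recipient only (the behaviour the
             thread attributes to the [First,YesNo] section).
    'all':   check the message if any recipient wants checking (the
             [All,YesNo] workaround Julian describes).
    """
    answers = [r.lower() not in UNCHECKED_RECIPIENTS for r in recipients]
    if not answers:
        return True               # nothing to consult: fail closed, check it
    if mode == "first":
        return answers[0]
    if mode == "all":
        return any(answers)
    raise ValueError(f"unknown mode {mode!r}")


def should_spam_check(header, recipients, mode="first"):
    """Combine both rules: trusted origin skips checks, else recipients decide."""
    if connecting_ip_is_trusted(header):
        return False
    return spam_check_wanted(recipients, mode)


if __name__ == "__main__":
    rcpts = ["abuse@example.org", "alice@example.org"]
    print(parse_received(SAMPLE_RECEIVED))
    print("HELO trusted (naive):", helo_is_trusted(SAMPLE_RECEIVED))
    print("connecting IP trusted:", connecting_ip_is_trusted(SAMPLE_RECEIVED))
    for mode in ("first", "all"):
        print(mode, "->", should_spam_check(SAMPLE_RECEIVED, rcpts, mode))
```

Run stand-alone, the forged sample passes the naive HELO test but fails the connecting-IP test, and the same message is left unchecked under "first" semantics (abuse is the first recipient) while "all" semantics still check it for alice.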
