Can the null address be specified in a ruleset?

Stephen Swaney steve.swaney at fsl.com
Thu Apr 20 14:21:26 IST 2006


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Dhawal Doshy
> Sent: Thursday, April 20, 2006 5:45 AM
> To: MailScanner discussion
> Subject: Re: Can the null address be specified in a ruleset?
> 
> Jim Holland wrote:
> > On Thu, 20 Apr 2006, Dhawal Doshy wrote:
> >
> >> Alex Neuman wrote:
> >>> Do you know of a good way to silently discard these messages selectively?
> >> Can be done if you are using simple 'mailscanner' blacklists (not SQL OR
> >> ByDomain) with rules like this.
> >>
> >> Is Definitely Spam = %rules-dir%/is.definitely.spam.rules
> >> Definite Spam Is High Scoring = yes
> >>
> >> %rules-dir%/is.definitely.spam.rules
> >> ====================================
> >> From: postmaster@* and To: joe-jobbed@domain.tld yes
> >> From: mailer-daemon@* and To: joe-jobbed@domain.tld yes
> >
> > This is why I first started this thread.  The problem is that as
> > MailScanner looks at the envelope sender address, which is the null
> > address <>, the above rules simply don't work in this case.  I am
> > therefore proposing that Julian provide the additional functionality of
> > allowing rules such as:
> 
> Of course, you are right.. I didn't remember the part that MailScanner
> will only check envelope sender.
> 
> How about a meta rule at the spamassassin level to take care of such
> things? say:
> header __postmaster_rule From =~ /\bpostmaster\@/i
> header __joejobbed_rule To =~ /\bjoe\@domain\.tld\b/i
> meta DELME_RULE (__postmaster_rule && __joejobbed_rule)
> 
> - dhawal
> 
> > From:	<> and To: joe-jobbed@domain.tld	yes
> >
> > which would at least give them some temporary respite from the problem,
> > while unfortunately blocking any genuine bounces from other systems at the
> > same time.  A deliberate joe job mostly requires the person to change
> > their address, as it can go on for years in some cases.  (We had to drop
> > one of our subdomains when it was seriously joe-jobbed.)
> >
> >> Another way to do it would be at the delivery level.. say procmail /
> >> maildrop etc.. Write a rule to dump such mails into a folder (so as to
> >> not lose any valid bounces) OR simply /dev/null them.
> >
> > I think some kind of custom filter such as the above is the correct
> > solution.  For the moment however I am just using my contacts with
> > their upstream ISP to try to get it resolved.
> >
> > Regards
> >
> > Jim Holland
> > System Administrator
> > MANGO - Zimbabwe's non-profit e-mail service

The real problem is that the volume of messages (hundreds of thousands)
resulting from a joe-job can overwhelm a gateway if they are accepted by the
MTA. If a domain is getting heavily joe-jobbed and you are handling email
for several domains, the best way to survive is to set up a separate gateway
to handle email for the domain that's under attack. On the new gateway,
configure the MTA to drop email that's from "<>". We had several customers
who have survived joe-job attacks using this technique. Real email for the
domain was even delivered with little delay. 

For Sendmail, the instructions on how to do this can be found in the List
Archives:
http://article.gmane.org/gmane.mail.virus.mailscanner/7776/match=joe+job
I can probably find the mc file hack to build the needed cf file
correctly, so if you need it, please email me off list.

If you need to get a MailScanner gateway up and running real fast, feel free
to download DefenderMX from our web server. It takes about an hour to
install including the OS installation. The demo license is good for 30 days.

To modify the sendmail configuration with the joe-job hack you'll need to
edit /opt/Fortress/defaults/incoming.mc to add the hack, then make the cf
file:

	cd /opt/Fortress/defaults/
	m4 incoming.mc > incoming.cf

Then restart MailScanner:

	service MailScanner restart

Hope this helps,

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney at fsl.com
www.fsl.com
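
Added example, not part of the original post and not MailScanner or DefenderMX code: a Python sketch of the delivery-level filter discussed in the thread. It shows why a glob rule applied to the envelope sender never matches a bounce, and files null-sender mail for the joe-jobbed recipient into a folder instead of discarding it. It assumes the delivery agent has recorded the envelope sender in Return-Path; the function names, the "bounces" folder and the sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr
from fnmatch import fnmatch

JOE_JOBBED = "joe-jobbed@domain.tld"   # placeholder address used in the thread

# Constructed sample: a bounce after final delivery, where the delivery agent
# has recorded the envelope sender (MAIL FROM:<>) in Return-Path.
SAMPLE_BOUNCE = """\
Return-Path: <>
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>
To: joe-jobbed@domain.tld
Subject: Returned mail: see transcript for details

(constructed body)
"""

# Constructed sample: ordinary mail to the same recipient.
SAMPLE_NORMAL = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: joe-jobbed@domain.tld
Subject: lunch

(constructed body)
"""

def envelope_sender(msg):
    """Envelope sender from Return-Path: '' is the null address <>, None means no header."""
    rp = msg.get("Return-Path")
    if rp is None:
        return None
    return rp.strip().strip("<>").strip().lower()

def header_from(msg):
    """Address part of the From: header, which is what 'postmaster@*' was aimed at."""
    return parseaddr(msg.get("From", ""))[1].lower()

def envelope_rule_matches(msg, pattern):
    """Glob match against the envelope sender only, as the thread describes for rulesets."""
    sender = envelope_sender(msg)
    return sender is not None and fnmatch(sender, pattern)

def deliver_to(raw, rcpt):
    """Pick a folder for a message whose envelope recipient is rcpt."""
    msg = email.message_from_string(raw)
    if rcpt.lower() == JOE_JOBBED and envelope_sender(msg) == "":
        return "bounces"   # kept for review so valid bounces are not lost
    return "INBOX"
```
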


