whitelist_to getting exploited

Alex Broens ms-list at alexb.ch
Fri Dec 29 12:26:04 CET 2006


On 12/29/2006 11:21 AM, Ramprasad wrote:
> On Fri, 2006-12-29 at 19:34 +1000, Res wrote:
>> On Fri, 29 Dec 2006, Ramprasad wrote:
>>
>>> In our setup where we do email scanning for our clients we have a
>>> feature by which clients can opt-out some ids from spamscan
>>>
>>> So I use in MailScanner.conf
>>>
>>> Spam Checks = spamcheck.rules
>>>
>>> This file has
>>>
>>> To: user-1 NO
>>> default YES
>>>
>>> Now a spammer marks a mail to multiple people with user-1 in BCC and
>>> the mail passes straight.
>>> How can I get rid of this problem? If I use the user_in_whitelist_to
>>> feature in SpamAssassin, then I would have the same issue too.
>> MailScanner is doing exactly what you have told it to, you either 
>> whitelist user-1 or you don't, you can extend this to using the
>> format of 'from and to' but that will be a restricted list, unless you
>> are going to waste time constantly adding all the people he wants mail 
>> from in the 'and to' segment.
>>
>> The cure, Ram, is to remove him from the To: whitelist.
> 
> But user-1 wants all mails including spam, not others.
> 
> For example, if I want to allow abuse at mydomain to get all mail without check, and
> someone sends a mail
> To:the_top_man at domain,abuse at domain 
> 
> then this mail would bypass spam checks and reach the_top_man at domain.
> Obviously this would be a concern to everyone. How are you folks
> getting over this issue?
> 

IDEA: why not use a SA (meta?) rule instead?

something like :

# the opted-out address appears in To:
header __TO_ABUSE       To =~ /abuse\@mydomain/i
# two or more addresses at mydomain appear in To:
header __MYDOMAIN_MANY  To =~ /(?:\@mydomain.*?){2,10}/is

meta   MY_ABUSE_PASSTHRU   (__TO_ABUSE && !__MYDOMAIN_MANY)
score  MY_ABUSE_PASSTHRU   -100.0

DISCLAIMER:
This is just a "concept" rule - Regex is untested and may contain errors 
and blow up your box, step on dog's tail or pull baby's ears!!!

Happy 2007 to everyone

Alex
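
Added example, not part of the post above and not SpamAssassin code: a Python check of the meta-rule condition (opted-out address present and not several mydomain addresses) against constructed To: headers. It contrasts a parenthesised `(2,10)`, which a regex engine reads as literal text, with the brace quantifier `{2,10}`, and adds a hypothetical stricter check, `passthru_strict`. Python's `re` stands in for SpamAssassin's Perl regexes; all names and sample headers here are assumptions of the example.

```python
import re
from email.utils import getaddresses

# "abuse" and "mydomain" are the placeholders used in the thread.
TO_ABUSE = re.compile(r"abuse@mydomain", re.I)
# Parentheses make "2,10" literal text, so this only matches "@mydomain2,10".
MANY_PARENS = re.compile(r"(@mydomain)(2,10)", re.I)
# Braces are the quantifier; the lazy .*? lets other text sit between addresses.
MANY_BRACES = re.compile(r"(?:@mydomain.*?){2,10}", re.I | re.S)


def passthru(to_header, many_re=MANY_BRACES):
    """Meta rule condition: __TO_ABUSE && !__MYDOMAIN_MANY."""
    return bool(TO_ABUSE.search(to_header)) and not many_re.search(to_header)


def passthru_strict(to_header, opted_out="abuse@mydomain"):
    """Hypothetical stricter check: every To: address is the opted-out one."""
    addrs = [addr.lower() for _, addr in getaddresses([to_header]) if addr]
    return bool(addrs) and all(addr == opted_out for addr in addrs)


# Constructed To: headers, not taken from real mail.
SAMPLES = {
    "sole": "abuse@mydomain",
    "piggyback": "the_top_man@mydomain, abuse@mydomain",
    "bcc": "the_top_man@mydomain",  # abuse@mydomain only in the envelope
    "mixed": "someone@elsewhere.example, abuse@mydomain",
}


def evaluate():
    """Return {case: (parens, braces, strict)} pass-through decisions."""
    return {
        name: (passthru(h, MANY_PARENS), passthru(h), passthru_strict(h))
        for name, h in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (parens, braces, strict) in evaluate().items():
        print(f"{name:10} parens={parens} braces={braces} strict={strict}")
```

A True in any column means the -100 bonus would apply to that header. The "mixed" row shows that counting only mydomain addresses still grants the bonus when the other recipient is at a different domain.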


