whitelist_to getting exploited

[Alex Broens]

On 12/29/2006 11:21 AM, Ramprasad wrote:
> On Fri, 2006-12-29 at 19:34 +1000, Res wrote:
>> On Fri, 29 Dec 2006, Ramprasad wrote:
>>
>>> In our setup where we do email scanning for our clients we have a
>>> feature by which clients can opt-out some ids from spamscan
>>>
>>> So I use in Mailscanner.conf
>>>
>>> Spam Checks = spamcheck.rules
>>>
>>> This file has
>>>
>>> To: user-1 NO
>>> default YES
>>>
>>> Now a spammer marks a mail to multiple people with user-1  in BCC and
>>> the mail passes straight
>>> How can I get rid of this problem. If I use the user_in_whitelist_to
>>> feature at spamassassin then too I would have the same issue
>> MailScanner is doing exactly what you have told it to, you either 
>> whitelist user-1 or you don't, you can extend this to using the
>> format of 'from and to' but that will be a restricted list, unless you
>> are going to waste time constantly adding all the people he wants mail 
>> from in the 'and to' segment.
>>
>> The cure  Ram is to remove him from the To: whitelist
> 
> But user-1 wants all mails including spam  , not others
> 
> For eg If I want to allow abuse at mydomain to get all mail without check 
> someone sends a mail 
> To:the_top_man at domain,abuse at domain 
> 
> Then this mail would bypass spam checks and reach the_top_man at domain 
> Obviously this would be a concern to everyone , how are you folks
> getting over this issue
> 

IDEA: why not use a SA (meta?) rule instead?

something like :

header __TO_ABUSE  	To =~ /abuse at mydomain/i
header __MYDOMAIN_MANY  To =~/(\@mydomain)(2,10)/i

meta   MY_ABUSE_PASSTHRU   (__TO_ABUSE && !__MYDOMAIN_MANY)
score  MY_ABUSE_PASSTHRU   -100.0

DISCLAIMER:
This is just a "concept" rule - Regex is untested and may contain errors 
and blow up your box, step on dog's tail or pull baby's ears!!!

Happy 2007 to everyone

Alex