To whitelist or not...

Scott Silva ssilva at sgvwater.com
Fri Mar 17 17:51:57 GMT 2006


James Gray spake the following on 3/16/2006 9:54 PM:
> On Thu, 16 Mar 2006 12:19 pm, Ugo Bellavance wrote:
>> James Gray wrote:
>>> I've done an experiment.  I've created a rule set for the "Use
>>> SpamAssassin" config option and moved a few of the whitelisted addresses
>>> into there with a "no" action.  IOW, the "use.sa.rules" file looks like
>>> this:
>>> From:      whitelist_add1 at domain               no
>>> From:      whitelist_add2 at another-domain       no
>>> FromOrTo:  default                             yes
>> I think it is reasonable.
>>
>> You may be more secure if you'd add one condition to your ruleset: the
>> IP of their server.  This way, you reduce the risk of getting spam with
>> a forged address (using your clients).
> 
> Good point.  The problem is some of the senders (like hp.com) have so many 
> MTAs that messages come from, it's going to be hard to include them all.  It 
> *would* be the ideal though.  I'll definitely do it for our internal machines 
> (all the senders will be in very well defined private subnets).
> 
>> In the end, your users will tell you if it has a negative effect on
>> spam-filtering results.
> 
> Indeed they will :)
> 
>> You could use only IPs for e-mail generated from your systems.  Of
>> course, if one of your systems gets compromised and starts sending spam,
>> you have less chance of noticing it.
> 
> True, but the internal machines are fairly well controlled and firewalled 
> VMs.  So if a machine gets 0wn3d (highly unlikely) we can simply hose the 
> image and restore a known working one :)  Gotta love virtualisation!
> 
>> There are other means of lowering your load (using rbls, greylisting, etc)
>> but this one may make sense for you and other people.
> 
> Thanks Ugo.  I've done a lot of performance tuning on our MailScanner boxes.  
> The problem is that they are running on "superseded" hardware[1] - mail 
> gateways are very non-glamorous boxes that don't attract a lot of budget 
> (mail is merely a tool - not our business focus).  We make do, but anything 
> to reduce unnecessary load is a Good Thing(tm).
> 
> Thanks,
> 
> James
> [1] Superseded but still server class kit (not PCs or anything dinky like 
> that).  All are P3/Xeon > 1GHz boxes with lots of ECC RAM and SCSI drives on 
> Gigabit links.  I'd really like some Sun or Opteron kit though :)
> 
Too bad there isn't an option to whitelist by domain name IF the mail comes
from proper MX servers, or valid SPF records. I.e. ... From: hp.com   and
valid_mx no or something like that.
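The condition Scott wishes for above (honour a "From: domain ... no" rule only when the connecting IP is one of the domain's MX hosts or is authorised by its SPF record) can be sketched as a policy check. This is an added example, not MailScanner code or anything from the thread; the DNS table is constructed inline so it runs offline, and the SPF evaluation is deliberately a subset of RFC 7208 (ip4, mx, a and the "all" terminator only; no include, redirect or macros).

```python
import ipaddress

# Constructed DNS data standing in for real lookups (example values only).
DNS = {
    "hp.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 mx -all"], "MX": ["mx1.hp.com"]},
    "mx1.hp.com": {"A": ["198.51.100.10"]},
    "another-domain": {"TXT": [], "MX": ["mail.another-domain"]},
    "mail.another-domain": {"A": ["203.0.113.5"]},
}

def records(name, rtype):
    """Return the constructed records of one type for a name (empty if none)."""
    return DNS.get(name, {}).get(rtype, [])

def mx_addresses(domain):
    """Resolve the domain's MX hosts to their A records."""
    addrs = []
    for host in records(domain, "MX"):
        addrs.extend(records(host, "A"))
    return addrs

def spf_allows(domain, ip):
    """Minimal SPF check: ip4, mx, a and '*all'.  None means no SPF record."""
    txt = [t for t in records(domain, "TXT") if t.startswith("v=spf1")]
    if not txt:
        return None
    addr = ipaddress.ip_address(ip)
    for term in txt[0].split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return True
        if term == "mx" and ip in mx_addresses(domain):
            return True
        if term == "a" and ip in records(domain, "A"):
            return True
        if term in ("-all", "~all", "?all"):
            return False          # no earlier mechanism matched
    return False

def skip_spamassassin(from_addr, client_ip, whitelist):
    """Emulate a 'From: domain ... no' rule gated on the connecting IP.

    Skips SpamAssassin only if the domain is whitelisted AND the client IP is
    authorised by SPF, or (with no SPF record) is one of the domain's MX hosts.
    A forged From: header from an unrelated IP therefore still gets scanned."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain not in whitelist:
        return False
    verdict = spf_allows(domain, client_ip)
    if verdict is None:
        return client_ip in mx_addresses(domain)
    return verdict
```

A production version would use a real SPF library and the actual SMTP client address, not the header From:, since that is the value the rule is meant to protect.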


