Anti Spoofing Ruleset

am.lists am.lists at
Wed Apr 18 11:45:31 IST 2007

On 4/18/07, Sean O'Reilly <s.oreilly at> wrote:
>      Hi Guys,
>  Am fairly new to MailScanner and would like a little help with writing a
> ruleset that will stop internal mail (mail coming from our domain) coming
> from an external address.
>  Is it possible to do something along the lines of
>  From    'our domain'    !localnet    no
>  or have i misunderstood how rulesets work

You could create a spamassassin meta rule to accomplish this. I think
I know why you want this but here's the kicker... any time one of your
users (HR departments are famous for this) use some sort of third
party program that sends mail, even for official purposes, will
sometimes violate the laws of spoofing. A typical example is the HR
Jobs/Recruiting application, where it sends mail as the logged-in HR
user. Also if you read back a few days/weeks, this was discussed here
as well how an HR group also used a (gasp...) e-card service that
spoofed the company's real email address as the from header. Also,
many websites that have a "send this page to a friend" functionality
also misbehave in this same way.

So in short, yes, it can be done... but step carefully. As an
alternative, you might find out why these are getting through your
filters as they are now and just tweak the ones you have.  If you
haven't already, take a look at RDJ (Rules du Jour) and the Botnet
script. There are plenty of extra non-default rules there that score
the spoofed stuff pretty well (because they come from dial-up
addresses, for example).


More information about the MailScanner mailing list