Detecting forwarded spam

Julian Field MailScanner at ecs.soton.ac.uk
Wed May 16 16:24:07 IST 2007


MailScanner has never actually relied on the contents of the headers for 
anything, except for the feature
Sign Messages Already Processed = no
as the only way that can work is to guess whether it has already been 
run through your MailScanner setup on a different server.

MailScanner has *never* trusted the contents of the headers to actually 
skip any scanning or other processing of the message.

One of the main reasons for the %org-name% was to try to persuade people 
to customise their setups a bit, so when I get sent the headers of a 
message I stand a fighting chance of being able to find out which 
MailScanner installation in the world actually generated the headers. It 
also made the "Sign Messages Already Processed" work better as it would 
look for *your* MailScanner header rather than any old MailScanner 
header added by someone else's setup.

Martin.Hepworth wrote:
> Daniel
>
> We had a similar situation a few years back (3?).
>
> The X-MailScanner headers could be used as trust mechanism - ie it's got
> the "X-MailScanner: Found to be clean", so we'll trust that and allow
> the email through.
>
> Now the virus writers found out about this and inserted this header into
> the emails they send out, in order to circumvent MailScanner doing
> checks on the email. Jules had to rush a new release quickly where the
> %org-name% was inserted into the headers to try and make this a little
> unique, so there was some chance of the header being actually inserted
> by MS. Can't see anything in the changelog, but it was around version
> 4.22 from memory
>
> *IF* you trust this you may hold yourself open to false positives, ie
> just because someone else's system says it's spam doesn't mean yours
> will.
>
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>> Michael Masse
>> Sent: 15 May 2007 18:21
>> To: <MailScanner discussion
>> Subject: Detecting forwarded spam
>>
>> Is there a way for MailScanner to detect if a forwarded message has
>> already been detected as spam by another system, therefore not needing
>> to run its own spam check?
>>
>> We have a large number of users who used to use a separate email
>> provider and they now just have that email forwarded to their account
>> here. Their old system detects spam and creates a header entry like:
>> X-Spam-Report: IsSpam=yes
>>
>> Right now our system just ignores that, so I was wondering if I can
>> get our Mailscanner to take this into account and not bother with
>> spamassassin checks if it sees this in the header? I'm sure I could
>> make a spamassassin rule to assign points if it saw this, but the
>> whole point is to not have to get spamassassin involved.
>>
>> Is this possible, or should I just stick with a spamassassin rule?
>>
>> Mike

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
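
Added example, not part of the original thread and not MailScanner's own code: a small policy function showing how header claims like the ones discussed above can be handled without ever letting them switch scanning off. The header name `X-ExampleOrg-MailScanner`, the forwarder network, the point value and the use of the SMTP peer address are all assumptions made for illustration.

```python
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumed site policy values; constructed for this example.
ORG_HEADER = "X-ExampleOrg-MailScanner"            # header name carrying a site-specific org name
TRUSTED_FORWARDERS = [ip_network("192.0.2.0/28")]  # relays of the users' old provider
UPSTREAM_HINT_POINTS = 2.0                         # extra score only, never a verdict


def classify(raw_message: str, peer_ip: str) -> dict:
    """Decide what header claims may influence. peer_ip is the SMTP client
    address reported by the local MTA, not anything parsed from the message."""
    msg = message_from_string(raw_message)
    peer = ip_address(peer_ip)
    from_forwarder = any(peer in net for net in TRUSTED_FORWARDERS)

    # "Clean" claims are recorded and ignored: any sender can write the header.
    ignored = [name for name, value in msg.items()
               if name.lower().endswith("mailscanner") and "clean" in value.lower()]

    # An upstream spam claim adds points only when the forwarder itself connected.
    report = msg.get("X-Spam-Report", "").replace(" ", "").lower()
    hint = UPSTREAM_HINT_POINTS if from_forwarder and "isspam=yes" in report else 0.0

    # The org-named header only answers "did we already sign this?". Forging it
    # costs the sender a missing signature line and nothing else.
    already_signed = ORG_HEADER in msg

    return {
        "run_scan": True,              # no header value ever switches scanning off
        "extra_points": hint,
        "add_signature": not already_signed,
        "ignored_clean_claims": ignored,
    }


# Constructed sample messages.
FORGED = ("From: a@example.net\nX-MailScanner: Found to be clean\n"
          "X-Spam-Report: IsSpam=yes\nSubject: hi\n\nbody\n")
FORWARDED = ("From: b@example.org\nX-Spam-Report: IsSpam=yes\n"
             "Subject: offer\n\nbody\n")
RELAYED = ("From: c@example.com\nX-ExampleOrg-MailScanner: Found to be clean\n"
           "Subject: report\n\nbody\n")

if __name__ == "__main__":
    print(classify(FORGED, "203.0.113.9"))
    print(classify(FORWARDED, "192.0.2.5"))
    print(classify(RELAYED, "198.51.100.7"))
```

The same `X-Spam-Report: IsSpam=yes` line yields zero points from an arbitrary peer and a score hint from the forwarder's relay, and in both cases the message is still scanned locally.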