Strange scenario with Mailscanner + Sendmail

Ken A ka at pacific.net
Tue May 22 19:08:54 IST 2007


Luis Marcelo Achite wrote:
> Hi,
> 
> I'm using Mailscanner with Sendmail to block spam on my network. In the 
> last days, a strange issue began to happen. Mailscanner is liberating 
> spam and saying that the email is on the whitelist. The fact is that the 
> message IS SPAM and the email IS NOT in the whitelist file.
> 
> Looking at the log and following the processes, I can see that in the 
> first reference to the message, it is showing the correct external 
> email, but when Mailscanner acts, it is showing that the user is on the 
> whitelist. Checking the header of the message, I can see that 
> "X-IAIBR1-MailScanner-From" has the correct email, but "From" (and 
> "X-Originating-Email" and "X-Sender") has an internal email, which is 
> obviously on the whitelist.
> 
> I suppose the spammer found a way to modify these fields and deceive 
> Mailscanner.
> 
> How can I protect my network from this kind of attack?

Are you splitting incoming email to one recipient per message before it 
reaches sendmail, using queue groups?

If not, have you looked for this message ID in the sendmail log and verified 
that there is not a whitelist entry for this "X-IAIBR1-MailScanner-From" 
for the envelope To: address?

Ken Anderson
Pacific.Net

> 
> Thanks in advance for any information on this.
> 
> Regards.
> 
> Marcelo
> 


-- 
Ken Anderson
Pacific.Net
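
A check for the mismatch described in the quoted message, as an added example that is not part of either post and is not MailScanner code: it compares the envelope sender recorded in "X-IAIBR1-MailScanner-From" with "From", "X-Sender" and "X-Originating-Email", and reports internal-looking header addresses on a message whose envelope sender is external. The domain `example.org`, the whitelist set (a plain Python set, not MailScanner's rules file format) and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: local domain and whitelist are constructed.
INTERNAL_DOMAINS = {"example.org"}
WHITELIST = {"boss@example.org"}
ENVELOPE_HEADER = "X-IAIBR1-MailScanner-From"  # header name taken from the post
CLAIMED_HEADERS = ("From", "X-Sender", "X-Originating-Email")

# Constructed sample: external envelope sender, internal header addresses.
SAMPLE = """\
X-IAIBR1-MailScanner-From: bulk@spam.invalid
From: "Accounts" <boss@example.org>
X-Sender: boss@example.org
X-Originating-Email: [boss@example.org]
To: user@example.org
Subject: constructed sample

body
"""

def addr_of(value):
    """Return the bare lower-cased address from a header value, or ''."""
    return parseaddr(value.strip().strip("[]"))[1].lower()

def is_internal(addr):
    return addr.rpartition("@")[2] in INTERNAL_DOMAINS

def audit(raw):
    msg = message_from_string(raw)
    envelope = addr_of(msg.get(ENVELOPE_HEADER, ""))
    spoofed = {}
    # Only judge messages with a known, external envelope sender; a missing
    # header or a null sender (bounce) gives nothing to compare against.
    if envelope and not is_internal(envelope):
        for name in CLAIMED_HEADERS:
            claimed = addr_of(msg.get(name, ""))
            if claimed and claimed != envelope and is_internal(claimed):
                spoofed[name] = claimed
    return {
        "envelope": envelope,
        "envelope_whitelisted": envelope in WHITELIST,
        "spoofed_headers": spoofed,
        # True when a whitelist match is possible only via header addresses.
        "header_only_whitelist_hit": any(a in WHITELIST for a in spoofed.values()),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A result with `envelope_whitelisted` false and `header_only_whitelist_hit` true is the case reported above: the envelope sender is not whitelisted, but the header addresses are.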