Strange scenario with Mailscanner + Sendmail

Julian Field MailScanner at ecs.soton.ac.uk
Tue May 22 19:16:07 IST 2007


A better way of using a whitelist entry to avoid spam-scanning mail 
coming from your own network is to use the IP addresses of your internal 
network rather than the email domain name.

With
    Spam Checks = %rules-dir%/spam.checks.rules
and then in /etc/MailScanner/rules/spam.checks.rules put this:

    From: 10.11.12. no
    FromOrTo: default yes

where 10.11.12.* is the IP range of your internal network.
You can use most formats of IP range in there.

Luis Marcelo Achite wrote:
> Hi,
>
> I'm using MailScanner with Sendmail to block spam on my network. In
> the last few days, a strange issue began to happen. MailScanner is
> liberating spam and saying that the email is on the whitelist. The
> fact is that the message IS SPAM and the email IS NOT in the whitelist
> file.
>
> Looking at the log and following the processes, I can see that on the
> first reference of the message, it is showing the correct external
> email, but when MailScanner acts, it is showing that the user is on
> the whitelist. Checking the header of the message, I can see that
> "X-IAIBR1-MailScanner-From" has the correct email, but "From" (and
> "X-Originating-Email" and "X-Sender") has an internal email, which is
> obviously on the whitelist.
>
> I suppose the spammer found a way to modify these fields and deceive
> MailScanner.
>
> How can I protect my network from this kind of attack?
>
> Thanks in advance for any information on this.
>
> Regards.
>
> Marcelo
>

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
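
Added example, not part of the original post and not MailScanner's own code: a simplified first-match evaluator for rules written in the format shown in the reply above, comparing a whitelist keyed on the sender address with one keyed on the connecting IP. The domain example.com, the sample addresses and all function names are constructed assumptions, and only the sender side of FromOrTo is modelled.

```python
import fnmatch
import ipaddress

def parse_rules(text):
    """Split 'Direction: pattern value' lines into (direction, pattern, value)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern, value.lower()))
    return rules

def _matches(pattern, sender, client_ip):
    if pattern == "default":
        return True
    if pattern[0].isdigit():                      # IP-style pattern
        if "/" in pattern:                        # CIDR form, e.g. 10.11.12.0/24
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern)
        if pattern.endswith("."):                 # prefix form, e.g. 10.11.12.
            return client_ip.startswith(pattern)
        return client_ip == pattern
    # Anything else is treated as a glob over the claimed sender address,
    # which the sending side chooses freely.
    return fnmatch.fnmatch(sender.lower(), pattern.lower())

def spam_checks(rules, sender, client_ip):
    """First matching rule wins. True means the message gets spam-scanned."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and _matches(pattern, sender, client_ip):
            return value == "yes"
    return True                                   # no rule matched: scan

# Constructed rulesets: whitelist by sender domain vs. by internal IP range.
BY_DOMAIN = parse_rules("From: *@example.com no\nFromOrTo: default yes")
BY_IP = parse_rules("From: 10.11.12. no\nFromOrTo: default yes")

if __name__ == "__main__":
    # Constructed messages: (claimed sender, connecting IP)
    forged = ("alice@example.com", "203.0.113.45")    # external host, internal name
    internal = ("alice@example.com", "10.11.12.34")   # genuinely internal
    for name, msg in (("forged", forged), ("internal", internal)):
        print(name, "by-domain scanned:", spam_checks(BY_DOMAIN, *msg),
              "| by-IP scanned:", spam_checks(BY_IP, *msg))
```
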