Strange scenario with Mailscanner + Sendmail
Alex Neuman
alex at nkpanama.com
Tue May 22 20:21:19 IST 2007
True. Nowadays you even have to (m|f)ilter out people purporting to be
from your network using whatever you have on your 220 SMTP response.
Julian Field wrote:
> A better way of using a whitelist entry to avoid spam-scanning mail
> coming from your own network is to use the IP addresses of your
> internal network rather than the email domain name.
>
> With
> Spam Checks = %rules-dir%/spam.checks.rules
> and then in /etc/MailScanner/rules/spam.checks.rules put this:
>
> From: 10.11.12. no
> FromOrTo: default yes
>
> where 10.11.12.* is the IP range of your internal network.
> You can use most formats of IP range in there.
>
> Luis Marcelo Achite wrote:
>> Hi,
>>
>> I'm using Mailscanner with Sendmail to block spam on my network. In
>> the last days, a strange issue began to happen. Mailscanner is
>> liberating spam and saying that the email is on the whitelist. The
>> fact is that the message IS SPAM and the email IS NOT on the
>> whitelist file.
>>
>> Looking at the log and following the processes, I can see that in the
>> first reference of the message, it is showing the correct external
>> email, but when Mailscanner acts, it is showing that the user is on
>> the whitelist. Checking the header of the message, I can see that
>> "X-IAIBR1-MailScanner-From" has the correct email, but "From" (and
>> "X-Originating-Email" and "X-Sender") has an internal email, which is
>> obviously on the whitelist.
>>
>> I suppose the spammer found a way to modify these fields and deceive
>> Mailscanner.
>>
>> How can I protect my network from this kind of attack?
>>
>> Thanks in advance for any information on this.
>>
>> Regards.
>>
>> Marcelo
>>
>
> Jules
>