selecting message that should go into MailScanner

Martin Hepworth maxsec at gmail.com
Thu Feb 12 15:08:11 GMT 2009


2009/2/12 Martin Hepworth <maxsec at gmail.com>:
> 2009/2/12 Alessandro Dentella <sandro at e-den.it>:
>> On Thu, Feb 12, 2009 at 01:26:41PM +0100, Glenn Steen wrote:
>>> 2009/2/12 Kai Schaetzl <maillists at conactive.com>:
>>> > I think you should direct your question to a postfix list if you want to
>>> > do this in postfix. If you want to exempt mail in MS from scanning you want
>>> > to use
>>> > Scan Messages = %rules-dir%/scan.messages.rules
>>> >
>>> > Kai
>>> Actually.... Since Hugo van der Kooij has made a very successful
>>> "selective postfix" setup, and posted it here... this list isn't a bad
>>> choice:-). At least not when it comes to finding that solution.
>>> Basically one would replace the header checks with a rather specific
>>> access map instead... Let's see if I can find the reference...
>>> Here you go http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD
>>>
>>> (and yes, this was addressed both to Alessandro and you Kai:-):-)
>>> Cheers
>>
>> ehm... sure, that's the link I reported in my original mail that I tried to
>> implement. I tried to follow it but I can't really get it working. I don't
>> think that's the fault of the recipe but I must be doing something silly so that
>> no messages get into the rule even if I use:
>>
>>  /.*/                                    HOLD
>>  /^$/                                    HOLD
>>
>> I admit this is almost a postfix question but I thought this is interesting
>> for this list and probably there is real knowledge on this subject here.
>>
>> Personally I don't like the idea of letting it into MailScanner. There's no
>> point in Scanning 50.000 email in a newsletter not even just for
>> phishing/virus: they're all the same!!!
>>
>
> depends on the risk you define if the 50,000 emails all have the same
> malware/phishing/... issue!
>

Actually - let me put that..

suppose a scammer/spammer uses the 'from' as that of the
newsletter....all of a sudden you're letting everything bad through, with
no checks whatsoever.

Now I've mentioned it I'm surprised that malware people don't use it
in order to circumvent mail filters in that way that
from:me at domain.com to: me at domain spam tries to do.

i.e. if many people are whitelisting a 'from: *@newsletter.domain.com'
there's an easy vector around mail scanners.

This is the reason why I suggested you just skip the MailScanner spam
tests and not all others.

-- 
Martin Hepworth
Oxford, UK
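
The difference between the two exemptions discussed in this thread, as an added example that is not part of the original post or of MailScanner itself: a simplified Python model of ruleset evaluation, fed constructed rules written in MailScanner's "direction pattern value" ruleset syntax. The function names, the first-match logic and the three check names are assumptions made for illustration.

```python
from fnmatch import fnmatch

# Constructed ruleset: exempt the newsletter sender, apply the check to all else.
NEWSLETTER_RULES = """
From:      *@newsletter.domain.com   no
FromOrTo:  default                   yes
"""

def evaluate(ruleset, sender, recipient):
    """Simplified first-match evaluation; True means the check is applied."""
    for raw in ruleset.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split()
        addrs = {"from": [sender], "to": [recipient],
                 "fromorto": [sender, recipient]}[direction.rstrip(":").lower()]
        if pattern == "default" or any(
                fnmatch(a.lower(), pattern.lower()) for a in addrs):
            return value.lower() == "yes"
    return True  # assumption in this model: no matching rule means "scan"

def checks_run(policy, sender, recipient):
    """policy maps an option name to its ruleset text; unset options stay on."""
    result = {"spam": True, "virus": True, "phishing": True}
    if "Scan Messages" in policy and not evaluate(
            policy["Scan Messages"], sender, recipient):
        return dict.fromkeys(result, False)  # message bypasses everything
    if "Spam Checks" in policy:
        result["spam"] = evaluate(policy["Spam Checks"], sender, recipient)
    return result

# Weak: the sender pattern decides whether the message is scanned at all.
WEAK = {"Scan Messages": NEWSLETTER_RULES}
# Safer, as suggested in the post: only the spam tests are skipped.
SAFER = {"Spam Checks": NEWSLETTER_RULES}

if __name__ == "__main__":
    # Constructed message: the sender address is simply whatever the client claims.
    claimed = "news@newsletter.domain.com"
    for name, policy in (("Scan Messages exemption", WEAK),
                         ("Spam Checks exemption", SAFER)):
        print(name, checks_run(policy, claimed, "user@example.org"))
```

Both policies key on an address the sending side controls, so the second one limits what a forged sender can bypass rather than preventing the forgery.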

