blacklisting local domain?
MailScanner at ecs.soton.ac.uk
Tue Jan 13 18:20:26 GMT 2009
Oops, sorry, just thumped "send" by mistake.
MailScanner itself always uses the envelope sender address, and not the
From: address which is what you are looking to check.
So you would have to do it with a SpamAssassin rule, as that is the only
thing which can be told to look at the From: address.
So you want to check for mail which doesn't come from your IP space but
does contain your domain in the From: header.
I haven't got an instant solution to that, but can you confirm that I
have summarised the problem correctly?
Could we do it with a SpamAssassin Rule Actions ruleset, and an SA rule
which looks for your domain appearing in From: ?
SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules
From: 152.78.71 NON_EXISTENT_RULE=>deliver
FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store
spam.assassin.rules.conf contains an addition
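# From:addr matches only the address part, so the $ anchor still works
# when the header carries a display name or angle brackets.
header MY_DOMAIN_IN_FROM From:addr =~ /\@mydomain\.com$/i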
score MY_DOMAIN_IN_FROM 0.01
describe MY_DOMAIN_IN_FROM My domain name appears in the From: header
The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be in
the sa.rule.actions.rules file as a dummy.
The sa.rule.actions.rules file says
If it's from my network (152.78.71 in this example) then we don't do
anything special (the rule name does not exist so can never fire so the
"deliver" action will never be executed here).
If it's from anywhere else, and my domain name (mydomain.com in this
example) appears in the From: header, then store a copy and don't
deliver it to its original recipients.
The score of 0.01 is just some very small number as you don't actually
want to greatly affect the spam score, but you do want the rule to be
checked so it can't be zero. -0.01 might have been a better choice.
I think that should work.
You can do almost anything with SpamAssassin Rule Actions and a bit of
lateral thinking :-)
On 13/1/09 17:58, Michael Masse wrote:
> Is there any way MailScanner can blacklist email that says it's from mydomain, but comes from an IP outside of my ipspace? We force all of our clients to use our specific smtp server.
> We've been getting hit very hard with these self addressed spams lately and MailScanner has been doing a fantastic job of tagging these as spam, but the problem is that even though our commercial email system accepts spamassassin header tags to put them in the appropriate junk folder automatically, it ignores the headers if it thinks the sender is oneself and then I get complaints about these spams getting through.
> The real solution is obviously for the commercial vendor to fix this problem and trust spamassassin all the time, but this has been going on for years and they aren't going to change it any time soon, so I'm stuck with getting rid of these messages at the SMTP/Mailscanner stage before they get passed on to the rest of the mail system. I've implemented mailfromd which allows me to automatically reject any email that uses our domain as a sending domain and doesn't come from within our ip space at the SMTP negotiation envelope level and this is blocking 99% of them, but there are a few that are still sneaking through because they use some other domain at the smtp "mail from:" envelope stage which allows them to bypass mailfromd, but then in the data portion of the email they use our domain in the from: address in the header which then confuses our email system into ignoring the spamassassin header tag again.
> As I said, MailScanner/Spamassassin is properly tagging these emails as spam, but the tags get ignored by an oversight on our mail system. We force all of our clients to use our own smtp server, so there should never be a case of an email with a sender address of our domain coming from outside of our domain. Is it possible for MailScanner to blacklist these?
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
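
The gap discussed in this thread, as an added example that is not part of the original message or of MailScanner: a small Python model of an envelope-sender check beside a From: header check. The function names, the "no-action" label and the sample messages are constructed for illustration; the network and domain are the example values from the message.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Example values taken from the message above.
LOCAL_NET = ipaddress.ip_network("152.78.71.0/24")
LOCAL_DOMAIN = "mydomain.com"

def _outside(client_ip):
    return ipaddress.ip_address(client_ip) not in LOCAL_NET

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def envelope_check(client_ip, mail_from):
    """SMTP-stage check on the envelope sender only (hypothetical model)."""
    if _outside(client_ip) and _domain(mail_from) == LOCAL_DOMAIN:
        return "reject"
    return "accept"

def header_check(client_ip, raw_message):
    """Model of the two-line ruleset: local IPs get no action, anything
    else is stored and not delivered when From: carries the local domain."""
    if not _outside(client_ip):
        return "no-action"
    msg = message_from_string(raw_message)
    # getaddresses copes with display names, quotes and angle brackets.
    addrs = getaddresses(msg.get_all("From", []))
    if any(_domain(addr) == LOCAL_DOMAIN for _name, addr in addrs):
        return "not-deliver,store"
    return "no-action"

# Constructed sample messages (not real traffic).
SPOOFED = (
    'From: "Accounts" <billing@MyDomain.com>\n'
    "To: user@mydomain.com\n"
    "Subject: invoice\n\nbody\n"
)
LEGIT = "From: Someone <someone@example.org>\nTo: user@mydomain.com\n\nhi\n"

if __name__ == "__main__":
    # The envelope uses another domain, so the envelope check passes it...
    print(envelope_check("203.0.113.9", "bounce@example.net"))
    # ...but the From: header check catches the same message.
    print(header_check("203.0.113.9", SPOOFED))
    print(header_check("152.78.71.20", SPOOFED))
    print(header_check("203.0.113.9", LEGIT))
```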