blacklisting local domain?

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Tue Jan 13 19:06:55 GMT 2009


Julian Field wrote:
> Oops, sorry, just thumped "send" by mistake.
> Take 2:
>
> MailScanner itself always uses the envelope sender address, and not 
> the From: address which is what you are looking to check.
> So you would have to do it with a SpamAssassin rule, as that is the 
> only thing which can be told to look at the From: address.
>
> So you want to check for mail which doesn't come from your IP space 
> but does contain your domain in the From: header.
>
> I haven't got an instant solution to that, but can you confirm that I 
> have summarised the problem correctly?
>
> Could we do it with a SpamAssassin Rule Actions ruleset, and an SA 
> rule which looks for your domain appearing in From: ?
>
> SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules
>
> sa.rule.actions.rules contains
> From: 152.78.71 NON_EXISTENT_RULE=>deliver
> FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store
>
> spam.assassin.rules.conf contains an addition
> header MY_DOMAIN_IN_FROM From:addr =~ /\@mydomain\.com$/i
> score MY_DOMAIN_IN_FROM 0.01
> describe MY_DOMAIN_IN_FROM My domain name appears in the From: header
>
> The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be in 
> the sa.rule.actions.rules file as a dummy.
>
> The sa.rule.actions.rules file says
> If it's from my network (152.78.71 in this example) then we don't do 
> anything special (the rule name does not exist so can never fire so 
> the "deliver" action will never be executed here).
> If it's from anywhere else, and my domain name (mydomain.com in this 
> example) appears in the From: header, then store a copy and don't 
> deliver it to its original recipients.
>
> The score of 0.01 is just some very small number as you don't actually 
> want to greatly affect the spam score, but you do want the rule to be 
> checked so it can't be zero. -0.01 might have been a better choice.
>
> I think that should work.
>
> You can do almost anything with SpamAssassin Rule Actions and a bit of 
> lateral thinking :-)
>
> Jules.
>
>
> On 13/1/09 17:58, Michael Masse wrote:
>> Is there any way MailScanner can blacklist email that says it's from 
>> mydomain, but comes from an IP outside of my ipspace?   We force all 
>> of our clients to use our specific smtp server.
>>
>> We've been getting hit very hard with these self addressed spams 
>> lately and MailScanner has been doing a fantastic job of tagging these 
>> as spam, but the problem is that even though our commercial email 
>> system accepts spamassassin header tags to put them in the 
>> appropriate junk folder automatically, it ignores the headers if it 
>> thinks the sender is oneself and then I get complaints about these 
>> spams getting through.
>>
>> The real solution is obviously for the commercial vendor to fix this 
>> problem and trust spamassassin all the time, but this has been going 
>> on for years and they aren't going to change it any time soon, so I'm 
>> stuck with getting rid of these messages at the SMTP/Mailscanner 
>> stage before they get passed on to the rest of the mail system.    
>> I've implemented mailfromd which allows me to automatically reject 
>> any email that uses our domain as a sending domain and doesn't come 
>> from within our ip space at the SMTP negotiation envelope level and 
>> this is blocking 99% of them, but there are a few that are still 
>> sneaking through because they use some other domain at the smtp "mail 
>> from:" envelope stage which allows them to bypass mailfromd, but then 
>> in the data portion of the email they use our domain in the  from: 
>> address in the header which then confuses our email system into 
>> ignoring the spamassassin header tag again.
>>
>> As I said, MailScanner/Spamassassin is properly tagging these emails 
>> as spam, but the tags get ignored by an oversight on our mail system.  
>> We force all of our clients to use our own smtp server, so there 
>> should never be a case of an email with a sender address of our domain 
>> coming from outside of our domain.    Is it possible for MailScanner 
>> to blacklist these?
>>
>> -Mike
>>
>>
>

Julian,

What would happen if someone sent an email with a From: from my domain 
using their home ISP smtp server?  Would that be blocked by your example?

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
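
Added example, not part of the original thread and not MailScanner's own code: a small Python model of the two ruleset lines quoted above, run over constructed messages. It assumes `152.78.71` stands for 152.78.71.0/24 and that the first matching ruleset line wins, as the quoted explanation describes; under that model the decision depends only on the connecting IP and the From: header address, never on the envelope sender.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this model: "152.78.71" in the ruleset is read as a /24,
# and mydomain.com is the placeholder domain used in the thread.
LOCAL_NET = ipaddress.ip_network("152.78.71.0/24")
LOCAL_DOMAIN = "mydomain.com"


def from_domains(raw_message):
    """Return the lowercased domain of every address in the From: header."""
    msg = message_from_string(raw_message)
    addrs = getaddresses(msg.get_all("From", []))
    return {a.rsplit("@", 1)[1].lower() for _, a in addrs if "@" in a}


def decide(client_ip, raw_message):
    """Model of sa.rule.actions.rules: the first matching line wins."""
    if ipaddress.ip_address(client_ip) in LOCAL_NET:
        # Line 1: NON_EXISTENT_RULE never fires, so nothing special happens.
        return "deliver"
    if LOCAL_DOMAIN in from_domains(raw_message):
        # Line 2: MY_DOMAIN_IN_FROM fired on mail from outside the network.
        return "not-deliver,store"
    return "deliver"


def make_msg(from_header):
    """Build a constructed test message with the given From: header value."""
    return f"From: {from_header}\nTo: user@mydomain.com\nSubject: test\n\nbody\n"


# Constructed samples; 203.0.113.0/24 is a documentation address range.
SAMPLES = [
    ("inside network", "152.78.71.10", make_msg("Mike <mike@mydomain.com>")),
    ("outside, local From:", "203.0.113.5", make_msg('"Mike" <mike@mydomain.com>')),
    ("outside, lookalike", "203.0.113.5", make_msg("x@mydomain.com.example.net")),
    ("outside, other domain", "203.0.113.5", make_msg("bob@other.example")),
]

if __name__ == "__main__":
    for label, ip, raw in SAMPLES:
        print(f"{label:24} {ip:15} {decide(ip, raw)}")
```
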



