blacklisting local domain?

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 13 19:19:47 GMT 2009



On 13/1/09 19:06, Denis Beauchemin wrote:
> Julian Field wrote:
>> Oops, sorry, just thumped "send" by mistake.
>> Take 2:
>>
>> MailScanner itself always uses the envelope sender address, and not 
>> the From: address which is what you are looking to check.
>> So you would have to do it with a SpamAssassin rule, as that is the 
>> only thing which can be told to look at the From: address.
>>
>> So you want to check for mail which doesn't come from your IP space 
>> but does contain your domain in the From: header.
>>
>> I haven't got an instant solution to that, but can you confirm that I 
>> have summarised the problem correctly?
>>
>> Could we do it with a SpamAssassin Rule Actions ruleset, and an SA 
>> rule which looks for your domain appearing in From: ?
>>
>> SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules
>>
>> sa.rule.actions.rules contains
>> From: 152.78.71 NON_EXISTENT_RULE=>deliver
>> FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store
>>
>> spam.assassin.rules.conf contains an addition
>> header MY_DOMAIN_IN_FROM From:addr =~ /\@mydomain\.com$/i
>> score MY_DOMAIN_IN_FROM 0.01
>> describe MY_DOMAIN_IN_FROM My domain name appears in the From: header
>>
>> The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be 
>> in the sa.rule.actions.rules file as a dummy.
>>
>> The sa.rule.actions.rules file says
>> If it's from my network (152.78.71 in this example) then we don't do 
>> anything special (the rule name does not exist so can never fire so 
>> the "deliver" action will never be executed here).
>> If it's from anywhere else, and my domain name (mydomain.com in this 
>> example) appears in the From: header, then store a copy and don't 
>> deliver it to its original recipients.
>>
>> The score of 0.01 is just some very small number as you don't 
>> actually want to greatly affect the spam score, but you do want the 
>> rule to be checked so it can't be zero. -0.01 might have been a 
>> better choice.
>>
>> I think that should work.
>>
>> You can do almost anything with SpamAssassin Rule Actions and a bit 
>> of lateral thinking :-)
>>
>> Jules.
>>
>>
>> On 13/1/09 17:58, Michael Masse wrote:
>>> Is there any way MailScanner can blacklist email that says it's from 
>>> mydomain, but comes from an IP outside of my ipspace?   We force all 
>>> of our clients to use our specific smtp server.
>>>
>>> We've been getting hit very hard with these self addressed spams 
>>> lately and MailScanner has been doing a fantastic job of tagging 
>>> these as spam, but the problem is that even though our commercial 
>>> email system accepts spamassassin header tags to put them in the 
>>> appropriate junk folder automatically, it ignores the headers if it 
>>> thinks the sender is oneself and then I get complaints about these 
>>> spams getting through.
>>>
>>> The real solution is obviously for the commercial vendor to fix this 
>>> problem and trust spamassassin all the time, but this has been going 
>>> on for years and they aren't going to change it any time soon, so I'm 
>>> stuck with getting rid of these messages at the SMTP/MailScanner 
>>> stage before they get passed on to the rest of the mail system.
>>> I've implemented mailfromd which allows me to automatically reject 
>>> any email that uses our domain as a sending domain and doesn't come 
>>> from within our ip space at the SMTP negotiation envelope level and 
>>> this is blocking 99% of them, but there are a few that are still 
>>> sneaking through because they use some other domain at the smtp 
>>> "mail from:" envelope stage which allows them to bypass mailfromd, 
>>> but then in the data portion of the email they use our domain in 
>>> the  from: address in the header which then confuses our email 
>>> system into ignoring the spamassassin header tag again.
>>>
>>> As I said, MailScanner/Spamassassin is properly tagging these emails 
>>> as spam, but the tags get ignored by an oversight on our mail 
>>> system.  We force all of our clients to use our own smtp server, so 
>>> there should never be a case of an email with a sender address of our 
>>> domain coming from outside of our domain.  Is it possible for 
>>> MailScanner to blacklist these?
>>>
>>> -Mike
>>>
>>>
>>
>> Jules
>>
>
> Julian,
>
> What would happen if someone sent an email with a From: from my domain 
> using their home ISP smtp server?  Would that be blocked by your example?
Yes. But that was what the original request wanted to do, at least as I 
read it. The same block would happen if you published an SPF record 
saying that mail from mydomain.com could only come from 152.78.71 (in my 
example).

This is why I publish an SPF record that says "anything goes" for my own 
domain at work. SPF doesn't help me at all, for mail coming from my domain.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
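
The following is an added example, not part of the original message and not MailScanner, SpamAssassin or mailfromd code. It models the two checks discussed in the thread (the envelope-level check and the From:-header rule with its ruleset) over constructed samples, and shows that a roaming user sending through a home ISP is indistinguishable from the forged case. The function names, the sample addresses and the reading of "152.78.71" as a /24 are assumptions.

```python
import ipaddress
import re
from email.utils import parseaddr

# Example values from the thread; the /24 reading of "152.78.71" is an assumption.
LOCAL_NET = ipaddress.ip_network("152.78.71.0/24")
LOCAL_DOMAIN = "mydomain.com"
ANCHORED = re.compile(r"@mydomain\.com$", re.I)  # end-anchored, dot escaped


def is_local(client_ip: str) -> bool:
    return ipaddress.ip_address(client_ip) in LOCAL_NET


def domain_of(address_or_header: str) -> str:
    """Domain of the mailbox, ignoring any display name and angle brackets."""
    _, addr = parseaddr(address_or_header)
    return addr.rpartition("@")[2].lower()


def envelope_check(client_ip: str, mail_from: str) -> str:
    """SMTP-stage check as described for mailfromd: looks at MAIL FROM only."""
    if not is_local(client_ip) and domain_of(mail_from) == LOCAL_DOMAIN:
        return "reject"
    return "accept"


def header_action(client_ip: str, from_header: str) -> str:
    """The two ruleset lines: local IP space first, then the default line."""
    if is_local(client_ip):
        return "normal"             # dummy rule never fires, nothing special
    if domain_of(from_header) == LOCAL_DOMAIN:
        return "not-deliver,store"  # MY_DOMAIN_IN_FROM hit from outside
    return "normal"


def anchored_hit(text: str) -> bool:
    """Whether the end-anchored pattern matches the given text."""
    return bool(ANCHORED.search(text))


# Constructed samples: (connecting IP, envelope MAIL FROM, From: header)
SAMPLES = [
    ("152.78.71.20", "alice@mydomain.com", "Alice <alice@mydomain.com>"),
    ("203.0.113.9", "alice@mydomain.com", "Alice <alice@mydomain.com>"),
    ("203.0.113.9", "x@other.example", "Alice <alice@mydomain.com>"),
    ("203.0.113.9", "carol@other.example", "Carol <carol@other.example>"),
]

if __name__ == "__main__":
    for ip, env, hdr in SAMPLES:
        print(ip, envelope_check(ip, env), header_action(ip, hdr), sep="\t")
```

The third sample passes the envelope check and is caught only by the header check. `anchored_hit` shows why a `$`-anchored pattern needs the bare address rather than a header value that ends in `>`.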

