blacklisting local domain?

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Tue Jan 13 19:40:17 GMT 2009


Julian Field wrote:
>
>
> On 13/1/09 19:06, Denis Beauchemin wrote:
>> Julian Field wrote:
>>> Oops, sorry, just thumped "send" by mistake.
>>> Take 2:
>>>
>>> MailScanner itself always uses the envelope sender address, and not 
>>> the From: address which is what you are looking to check.
>>> So you would have to do it with a SpamAssassin rule, as that is the 
>>> only thing which can be told to look at the From: address.
>>>
>>> So you want to check for mail which doesn't come from your IP space 
>>> but does contain your domain in the From: header.
>>>
>>> I haven't got an instant solution to that, but can you confirm that 
>>> I have summarised the problem correctly?
>>>
>>> Could we do it with a SpamAssassin Rule Actions ruleset, and an SA 
>>> rule which looks for your domain appearing in From: ?
>>>
>>> SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules
>>>
>>> sa.rule.actions.rules contains
>>> From: 152.78.71 NON_EXISTENT_RULE=>deliver
>>> FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store
>>>
>>> spam.assassin.rules.conf contains an addition
>>> header MY_DOMAIN_IN_FROM From:addr =~ /\@mydomain\.com$/i
>>> score MY_DOMAIN_IN_FROM 0.01
>>> describe MY_DOMAIN_IN_FROM My domain name appears in the From: header
>>>
>>> The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be 
>>> in the sa.rule.actions.rules file as a dummy.
>>>
>>> The sa.rule.actions.rules file says
>>> If it's from my network (152.78.71 in this example) then we don't do 
>>> anything special (the rule name does not exist so can never fire so 
>>> the "deliver" action will never be executed here).
>>> If it's from anywhere else, and my domain name (mydomain.com in this 
>>> example) appears in the From: header, then store a copy and don't 
>>> deliver it to its original recipients.
>>>
>>> The score of 0.01 is just some very small number as you don't 
>>> actually want to greatly affect the spam score, but you do want the 
>>> rule to be checked so it can't be zero. -0.01 might have been a 
>>> better choice.
>>>
>>> I think that should work.
>>>
>>> You can do almost anything with SpamAssassin Rule Actions and a bit 
>>> of lateral thinking :-)
>>>
>>> Jules.
>>>
>>>
>>> On 13/1/09 17:58, Michael Masse wrote:
>>>> Is there any way MailScanner can blacklist email that says it's 
>>>> from mydomain, but comes from an IP outside of my ipspace?   We 
>>>> force all of our clients to use our specific smtp server.
>>>>
>>>> We've been getting hit very hard with these self addressed spams 
>>>> lately and MailScanner has been doing a fantastic job of tagging 
>>>> these as spam, but the problem is that even though our commercial 
>>>> email system accepts spamassassin header tags to put them in the 
>>>> appropriate junk folder automatically, it ignores the headers if it 
>>>> thinks the sender is oneself and then I get complaints about these 
>>>> spams getting through.
>>>>
>>>> The real solution is obviously for the commercial vendor to fix 
>>>> this problem and trust spamassassin all the time, but this has been 
>>>> going on for years and they aren't going to change it any time soon, 
>>>> so I'm stuck with getting rid of these messages at the 
>>>> SMTP/MailScanner stage before they get passed on to the rest of the 
>>>> mail system.    I've implemented mailfromd which allows me to 
>>>> automatically reject any email that uses our domain as a sending 
>>>> domain and doesn't come from within our ip space at the SMTP 
>>>> negotiation envelope level and this is blocking 99% of them, but 
>>>> there are a few that are still sneaking through because they use 
>>>> some other domain at the smtp "mail from:" envelope stage which 
>>>> allows them to bypass mailfromd, but then in the data portion of 
>>>> the email they use our domain in the  from: address in the header 
>>>> which then confuses our email system into ignoring the spamassassin 
>>>> header tag again.
>>>>
>>>> As I said, MailScanner/Spamassassin is properly tagging these 
>>>> emails as spam, but the tags get ignored by an oversight on our mail 
>>>> system.  We force all of our clients to use our own smtp server, so 
>>>> there should never be a case of an email with a sender address of 
>>>> our domain coming from outside of our domain.    Is it possible for 
>>>> MailScanner to blacklist these?
>>>>
>>>> -Mike
>>>>
>>>>
>>>
>>> Jules
>>>
>>> Jules
>>>
>>
>> Julian,
>>
>> What would happen if someone sent an email with a From: from my 
>> domain using their home ISP smtp server?  Would that be blocked by 
>> your example?
> Yes. But that was what the original request wanted to do, at least as 
> I read it. The same block would happen if you published an SPF record 
> saying that mail from mydomain.com could only come from 152.78.71 (in 
> my example).
>
> This is why I publish an SPF record that says "anything goes" for my 
> own domain at work. SPF doesn't help me at all, for mail coming from 
> my domain.
>
> Jules
>

Same thing here.  So many students and staff all using their 
USherbrooke.ca email address from so many different places... bummer...

Denis

-- 
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
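
Added example, not part of the original thread or of MailScanner: a Python model of the two checks discussed above, showing why the envelope-level check lets a message through while the header-level ruleset catches it. The network 152.78.71.0/24 (reading the thread's "152.78.71" as a /24), the domain mydomain.com, the function names and the sample message are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Assumptions: the thread's "152.78.71" is read as 152.78.71.0/24 and
# mydomain.com is the protected domain; both are the thread's placeholders.
LOCAL_NET = ipaddress.ip_network("152.78.71.0/24")
LOCAL_DOMAIN = "mydomain.com"

# Constructed sample: foreign envelope sender, local domain in From:.
SPOOFED = (
    "From: Mike <mike@mydomain.com>\n"
    "To: mike@mydomain.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def is_local(client_ip):
    return ipaddress.ip_address(client_ip) in LOCAL_NET

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def envelope_check(client_ip, envelope_sender):
    """Envelope-level check (what mailfromd does in the thread)."""
    if not is_local(client_ip) and domain_of(envelope_sender) == LOCAL_DOMAIN:
        return "reject"
    return "accept"

def header_action(client_ip, raw_message):
    """First match wins, mirroring the two-line rule actions file."""
    if is_local(client_ip):
        return "deliver"            # From: 152.78.71 -> dummy rule, no action
    msg = message_from_string(raw_message)
    addresses = getaddresses(msg.get_all("From", []))
    if any(domain_of(addr) == LOCAL_DOMAIN for _, addr in addresses if addr):
        return "not-deliver,store"  # MY_DOMAIN_IN_FROM fired from outside
    return "deliver"
```

A genuine user sending with a mydomain.com From: address through a home ISP gets the same "not-deliver,store" result as the spoofed sample, which is the case raised in the reply above.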



