blacklisting local domain?

Mike Masse mrm at quantumcc.com
Tue Jan 13 20:55:01 GMT 2009


Thank you Julian.   This was EXACTLY the information I was looking for.

Mike


Julian Field wrote:
> Oops, sorry, just thumped "send" by mistake.
> Take 2:
> 
> MailScanner itself always uses the envelope sender address, and not the 
> From: address which is what you are looking to check.
> So you would have to do it with a SpamAssassin rule, as that is the only 
> thing which can be told to look at the From: address.
> 
> So you want to check for mail which doesn't come from your IP space but 
> does contain your domain in the From: header.
> 
> I haven't got an instant solution to that, but can you confirm that I 
> have summarised the problem correctly?
> 
> Could we do it with a SpamAssassin Rule Actions ruleset, and an SA rule 
> which looks for your domain appearing in From: ?
> 
> SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules
> 
> sa.rule.actions.rules contains
> From: 152.78.71 NON_EXISTENT_RULE=>deliver
> FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store
> 
> spam.assassin.rules.conf contains an addition
> header MY_DOMAIN_IN_FROM From =~ /\@mydomain.com$/i
> score MY_DOMAIN_IN_FROM 0.01
> describe MY_DOMAIN_IN_FROM My domain name appears in the From: header
> 
> The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be in 
> the sa.rule.actions.rules file as a dummy.
> 
> The sa.rule.actions.rules file says
> If it's from my network (152.78.71 in this example) then we don't do 
> anything special (the rule name does not exist so can never fire so the 
> "deliver" action will never be executed here).
> If it's from anywhere else, and my domain name (mydomain.com in this 
> example) appears in the From: header, then store a copy and don't 
> deliver it to its original recipients.
> 
> The score of 0.01 is just some very small number as you don't actually 
> want to greatly affect the spam score, but you do want the rule to be 
> checked so it can't be zero. -0.01 might have been a better choice.
> 
> I think that should work.
> 
> You can do almost anything with SpamAssassin Rule Actions and a bit of 
> lateral thinking :-)
> 
> Jules.
> 
> 
> On 13/1/09 17:58, Michael Masse wrote:
>> Is there any way MailScanner can blacklist email that says it's from 
>> mydomain, but comes from an IP outside of my ipspace?   We force all 
>> of our clients to use our specific smtp server.
>>
>> We've been getting hit very hard with these self addressed spams 
>> latelyand MailScanner has been doing a fantastic job of tagging these 
>> as spam,but the problem is that even though our commercial email 
>> system accepts spamassassin header tags to put them in the appropriate 
>> junk folder automatically, it ignores the headers if it thinks the 
>> sender is oneself and then I get complaints about these spams getting 
>> through.
>>
>> The real solution is obviously for the commercial vendor to fix this 
>> problem and trust spamassassin all the time, but this has been going 
>> on foryears and they aren't going to change it any time soon, so I'm 
>> stuck with getting rid of these messages at the SMTP/Mailscanner stage 
>> before theyget passed on to the rest of the mail system.    I've 
>> implemented mailfromd which allows me to automatically reject any 
>> email that uses our domain as a sending domain and doesn't come from 
>> within our ip space at the SMTP negotiation envelope level and this is 
>> blocking 99% of them, but thereare a few that are still sneaking 
>> through because they use some other domain at the smtp "mail from:" 
>> envelope stage which allows them to bypass mailfromd, but then in the 
>> data portion of the email they use our domain 
> in the  from: address in the header which then confuses our email system 
> into ignoring the spamassassin header tag again.
>>
>> As I said, MailScanner/Spamassassin is properly tagging these emails 
>> asspam, but the tags get ignored by an oversight on our mail system.  
>> We force all of our clients to use our own smtp server, so there 
>> should neverbe a case of an email with a sender address of our domain 
>> coming from outside of our domain.    Is it possible for MailScanner 
>> to blacklist these?
>>
>> -Mike
>>
>>
> 
> Jules
> 
> Jules
> 



More information about the MailScanner mailing list