New feature - hostname lookups in rulesets

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jun 4 21:52:12 IST 2009


On 04/06/2009 21:39, Mike M wrote:
> Julian Field wrote:
>> On 02/06/2009 17:59, Mike M wrote:
>>> Julian Field wrote:
>>>> On 31/05/2009 20:41, Alex Neuman wrote:
>>>>> Wow! This means we can whitelist (gasp!) *blackberry.com and
>>>>> things like that!
>>>> You'll just need to do
>>>>      From: host:blackberry.com yes
>>>> which will do the job.
>>>>> I suggest you add to the description on the comments on the 
>>>>> MailScanner.conf file that it's imperative - for performance 
>>>>> reasons, besides the fact that it's A Good Idea (tm), that people 
>>>>> run their own local caching nameserver.
>>>> True enough, I should do that.
>>>>
>>> Please forgive my ignorance on this, because I'm sure there's 
>>> something really simple that I'm missing, but how is this any 
>>> different than whitelisting blackberry.com with a line such as:
>>>
>>> from:    @blackberry.com    yes
>>>
>>> which I have been doing for many years in my spam.whitelist.rules file?
>> That uses the "email sender address" which is trivially forgeable by 
>> the sender. It is the email address that the sender claims they are 
>> coming from. They may have their Crackberry set up to send their mail 
>> from joe at mydomain.com, in which case your rule wouldn't fire at all.
>>
>> The new "host:blackberry.com" means "match any email address that 
>> originates from an IP address which belongs to the blackberry.com 
>> domain". That is the same thing as asking "does it come from a 
>> Crackberry?" regardless of how that Crackberry is configured, and is 
>> far harder to forge. It is totally unconnected with the email address 
>> the email claims to come from.
>>
>> But do take note that it takes longer to look up and therefore will 
>> cause a performance hit.
>>
>> Does that help?
>>
>> Jules
>>
>
> Yes, thank you.   Now the next question is: Are you looking at the 
> envelope sender address, or the header sender address? or both?
MailScanner has always used the envelope addresses, not the headers. The 
envelope recipient address is the only one that is sure to be right.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Follow me at twitter.com/JulesFM

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
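
The difference between the two rule styles discussed in this thread, as an added example that is not part of the original message and is not MailScanner's code: an address rule compares text the sender supplied, while a host rule is decided by the connecting IP's DNS records. The zone data, the `CachingResolver` class and both rule functions are constructed for illustration; the forward-confirmation step and the label-boundary match are assumptions about how such a check should be done, not something the thread describes.

```python
# Added illustration, not MailScanner code. All zone data is constructed,
# using documentation address ranges (RFC 5737).
PTR = {  # reverse zone: client IP -> hostname claimed by the IP's owner
    "192.0.2.10": "smtp01.blackberry.com",
    "198.51.100.7": "mx.blackberry.com",      # PTR set by an unrelated IP owner
    "203.0.113.5": "relay.notblackberry.com",
}
A = {  # forward zone: hostname -> addresses published by the domain owner
    "smtp01.blackberry.com": {"192.0.2.10"},
    "mx.blackberry.com": {"192.0.2.11"},
    "relay.notblackberry.com": {"203.0.113.5"},
}

class CachingResolver:
    """Stand-in for a local caching nameserver; counts upstream queries."""
    def __init__(self):
        self.cache, self.upstream_queries = {}, 0

    def _query(self, zone_name, zone, key, default):
        if (zone_name, key) not in self.cache:
            self.upstream_queries += 1
            self.cache[(zone_name, key)] = zone.get(key, default)
        return self.cache[(zone_name, key)]

    def ptr(self, ip):
        return self._query("PTR", PTR, ip, None)

    def a(self, host):
        return self._query("A", A, host, set())

def address_rule(envelope_sender, suffix):
    """'From: @blackberry.com' style: compares text the sender supplied."""
    return envelope_sender.lower().endswith(suffix.lower())

def host_rule(client_ip, domain, resolver):
    """'From: host:blackberry.com' style: decided by the connecting IP."""
    host = resolver.ptr(client_ip)
    if host is None:
        return False
    host, domain = host.lower().rstrip("."), domain.lower()
    # Match on a label boundary so notblackberry.com never matches.
    if host != domain and not host.endswith("." + domain):
        return False
    # Forward-confirm: the name must resolve back to the same IP.
    return client_ip in resolver.a(host)
```

Repeating `host_rule` for the same IP leaves `upstream_queries` unchanged, which is the performance reason the thread gives for running a local caching nameserver.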