Whitelisting.

Richard Mealing richard at fastnet.co.uk
Wed Sep 16 15:39:03 IST 2009


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Glenn
Steen
Sent: 11 September 2009 17:04
To: MailScanner discussion
Subject: Re: Whitelisting.

2009/9/11 Richard Mealing <richard at fastnet.co.uk>:
> Hello everyone,
>
> I have had some strangeness happening on our whitelists per domain. A few
> weeks ago I turned this on (from a global list) and it's been working great.
> Unfortunately I've just seen this -
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> from=<geoff.**@example1.co.uk>, size=92755, class=0, nrcpts=2,
> msgid=<200909100815.n8A8FpvA014176 at mailfilter7.**>, proto=ESMTP,
> daemon=IPv4, relay=adsl-** [**] (may be forged)
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> to=<spares at example2.com>, delay=00:00:01, mailer=esmtp, pri=152755,
> stat=queued
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> to=<joe.tavani at example1.co.uk>, delay=00:00:01, mailer=esmtp, pri=152755,
> stat=queued
>
> Sep 10 09:15:54 mailfilter7 MailScanner[83390]: Message n8A8FpvA014176 from
> ** (geoff.***@example1.co.uk) to example1.co.uk,example2.com is spam,
> SpamAssassin (not cached, score=6.561, required 3.5, autolearn=disabled,
> DYN_RDNS_AND_INLINE_IMAGE 0.00, EXTRA_MPART_TYPE 1.00, HTML_IMAGE_ONLY_12
> 2.25, HTML_IMAGE_RATIO_02 0.55, HTML_MESSAGE 0.00, MIME_BOUND_EQ_REL 0.84,
> MIME_QP_LONG_LINE 1.82, RDNS_DYNAMIC 0.10)
>
> Sep 10 09:15:57 mailfilter7 MailScanner[83390]: Spam Actions: message
> n8A8FpvA014176 actions are spam at example1.co.uk,forward
>
> Sep 10 09:15:58 mailfilter7 sendmail[14377]: n8A8FpvA014176:
> to=<spam at example1.co.uk>, delay=00:00:06, xdelay=00:00:00, mailer=esmtp,
> pri=242755, relay=mail.example1.co.uk. [****], dsn=2.0.0, stat=Sent
> (n8A8FvcY083874 Message accepted for delivery)
>
> My whitelist -
>
> grep example1 /**/customer_rulesets/spam.bydomain/whitelist/example1.co.uk
>
> *@example1.co.uk
>
> (I've replaced some things but you get the point..)
>
> Basically, most of the time this works great, some of the time I see stuff
> getting through, not being whitelisted etc. When I grep for whitelist in the
> maillog it shows as stopping and starting all the time. For example here is
> the period that mailscanner should have found the whitelist entry -
>
> Sep 11 09:15:39 mailfilter7 MailScanner[44048]: Closing down by-domain spam
> whitelist
>
> Sep 11 09:15:40 mailfilter7 MailScanner[40706]: Starting up by-domain spam
> whitelist, reading from /**/customer_rulesets/spam.bydomain/whitelist
>
> Sep 11 09:15:46 mailfilter7 MailScanner[66736]: Message n8B8Feab040736 from
> 15***** (craig.**@**.com) is whitelisted
>
> Sep 11 09:15:53 mailfilter7 MailScanner[40706]: Read whitelist for 1165
> domains
>
> Sep 11 09:16:13 mailfilter7 MailScanner[59788]: Message n8B8G8Oo041572 from
> *** (havant@**.co.uk) is whitelisted
>
> Sep 11 09:16:27 mailfilter7 MailScanner[36105]: Message n8B8GLKM042076 from
> *** (yourmessages@**.co.uk) is whitelisted
>
> I've been searching and this whitelist works usually for my entry, I can see
> other email addresses being whitelisted fine from the same domain. This
> leads me to believe it's something to do with the stopping and starting of
> the by-domain spam whitelist?
>
> Does anyone else see this in their logs?
>
> Rich
>
IIUC what you are doing, this is actually expected;-).
Both the envelope from and the From: message header (which are _not_ the
same thing) are easily forged. There simply are no good ways of
validating them in plain (E-)SMTP, so therefore you cannot under any
circumstances rely on that information for whitelisting. At least not
that info alone.
What you need to do is use something that cannot be forged so easily,
like the sending server's IP address, or using some TLS measure, and
whitelist on that.
Just using the domain... will only give you grief. Regardless of where
you whitelist (MTA, MS or SA). The only place where a small whitelist
bonus (negative score) would make some sense is likely in SA, and even
there it is best to rely on the sending server, or similar.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



Hi Glenn, sorry to bother you again.

I think I understand this, but I want to be able to whitelist a domain
name even if they might get spoofed. I've tried whitelisting an IP
address and still some get through. Most of the time it's fine but some
creep through. I really don't understand why this is.

Please see following - 

Sep 16 10:53:25 mailfilter6 MailScanner[41379]: Message n8G9rMKW091060
from *.*.34.19 (matt.blah at somedomain.com) to somedomain.com is spam,
SpamAssassin (not cached, score=5.265, required 5, autolearn=disabled,
DC_IMAGE_SPAM_HTML 0.00, DC_IMAGE_SPAM_TEXT 0.00, DC_PNG_UNO_LARGO 2.09,
DYN_RDNS_AND_INLINE_IMAGE 0.00, EXTRA_MPART_TYPE 1.00,
HTML_IMAGE_ONLY_28 1.52, HTML_IMAGE_RATIO_02 0.55, HTML_MESSAGE 0.00,
RDNS_DYNAMIC 0.10)


grep *.*.34.19
/**/customer_rulesets/spam.bydomain/whitelist/channel-c.com
*.*.34.19

Note, the IP is a real IP address and not just ***.. It's their IP
address.


I was having no problems when we had just 1 whitelist for everyone. Now
that I have changed it to a per-domain whitelist, for each domain, I'm
seeing many issues with whitelisted mail getting tagged as spam.

Is there something I need to look for in mailscanner to fix this?
Many thanks,
Rich
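The point Glenn makes above (a rule keyed on the envelope sender or From: domain is satisfied by anyone who types that address, whereas the connecting relay IP is set by the TCP connection and cannot be chosen by the sender) can be shown by evaluating both kinds of rule against the sender data that the sendmail and MailScanner log lines in this thread expose. The following is an added example, not code from the thread or from MailScanner itself. It assumes a rule syntax modelled on MailScanner ruleset lines (`From: <pattern> yes|no`, with `default` as the fall-through), and the log lines, queue IDs, addresses and IPs are constructed in the shape of the ones quoted above, using documentation address ranges.

```python
"""Added example: whitelist rules keyed on a forgeable sender address versus
rules keyed on the connecting relay IP, evaluated over constructed log lines.

Assumptions (not from the thread): rule lines look like MailScanner ruleset
entries 'From: <pattern> yes|no', where <pattern> is an address glob such as
*@example1.co.uk, an IP or CIDR such as 203.0.113.0/24, or 'default'.
"""
import fnmatch
import ipaddress
import re

# Constructed log lines in the shape of the thread's sm-mta-in/MailScanner
# entries. The first message claims to be from example1.co.uk but arrives
# from a dynamic ADSL host with unverifiable rDNS; the second arrives from
# the domain's real mail server. Queue IDs, hosts and IPs are made up.
LOG = """\
Sep 10 09:15:53 mx sm-mta-in[14176]: n8A8FpvA014176: from=<geoff@example1.co.uk>, size=92755, class=0, nrcpts=2, proto=ESMTP, daemon=IPv4, relay=adsl-198-51-100-7.example.net [198.51.100.7] (may be forged)
Sep 10 09:15:54 mx MailScanner[83390]: Message n8A8FpvA014176 from 198.51.100.7 (geoff@example1.co.uk) to example1.co.uk,example2.com is spam, SpamAssassin (not cached, score=6.561, required 3.5, RDNS_DYNAMIC 0.10)
Sep 10 10:02:11 mx sm-mta-in[14501]: n8A92BxT014501: from=<geoff@example1.co.uk>, size=4120, class=0, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=mail.example1.co.uk [203.0.113.25]
Sep 10 10:02:12 mx MailScanner[83391]: Message n8A92BxT014501 from 203.0.113.25 (geoff@example1.co.uk) to example2.com is not spam, SpamAssassin (not cached, score=-0.1, required 3.5)
"""

# Rule sets in the assumed MailScanner-like syntax: one keyed on the
# (forgeable) sender domain, one keyed on the sending server's network.
DOMAIN_RULES = "From: *@example1.co.uk yes\nFromOrTo: default no\n"
IP_RULES = "From: 203.0.113.0/24 yes\nFromOrTo: default no\n"

# Pulls queue id, envelope sender, relay IP and sendmail's "(may be forged)"
# marker (rDNS did not resolve back to the connecting IP) from a from= line.
FROM_RE = re.compile(
    r"(?P<qid>[A-Za-z0-9]+): from=<(?P<sender>[^>]*)>.*?"
    r"relay=(?P<host>\S+) \[(?P<ip>[0-9.]+)\](?P<forged> \(may be forged\))?"
)


def parse_senders(log):
    """Return {queue_id: (envelope_sender, relay_ip, rdns_may_be_forged)}."""
    out = {}
    for line in log.splitlines():
        m = FROM_RE.search(line)
        if m:
            out[m["qid"]] = (m["sender"].lower(), m["ip"], bool(m["forged"]))
    return out


def parse_rules(text):
    """Parse '<Direction>: <pattern> yes|no' lines into (direction, pattern, bool)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split()
        rules.append((direction.rstrip(":").lower(), pattern, value.lower() == "yes"))
    return rules


def _is_network(pattern):
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False


def rule_matches(pattern, sender, ip):
    """An IP/CIDR pattern is tested against the relay that actually connected;
    anything else is a glob tested against the sender-supplied envelope address."""
    if pattern == "default":
        return True
    if _is_network(pattern):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(sender, pattern.lower())


def is_whitelisted(rules, sender, ip):
    """First matching From:/FromOrTo: rule wins, as in a ruleset file."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and rule_matches(pattern, sender, ip):
            return value
    return False


def evaluate(rules_text, log):
    """Return {queue_id: whitelisted?} for every from= line in the log."""
    rules = parse_rules(rules_text)
    return {qid: is_whitelisted(rules, sender, ip)
            for qid, (sender, ip, _forged) in parse_senders(log).items()}


if __name__ == "__main__":
    for name, rules in (("domain rule", DOMAIN_RULES), ("IP rule", IP_RULES)):
        print(name, evaluate(rules, LOG))
```

Run as-is, the domain rule whitelists both messages, including the one relayed from the dynamic ADSL host with a forged sender, while the IP rule whitelists only the message that came from the domain's own server. The same idea expressed inside SpamAssassin, which Glenn suggests as the better place for a small bonus, is `whitelist_from_rcvd`, which ties the whitelisted address to the reverse DNS of the relay that handed the message to your trusted network rather than to the address alone.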

