Watermarking and spoofed sender address

Martin Hepworth maxsec at gmail.com
Thu Mar 21 09:55:32 GMT 2013


The point there sounds like the issue - IF you are whitelisting emails by
address and NOT adding in a directional element, ie emails from marketing
BUT only FROM the inside valid servers, then you'll open up holes for spam
to get by

If you're scanning outbound emails then the best way in higher volumes is
to use a separate server(s) with the same watermarking keys as the incoming
scanner. Then you can start to use watermarking to help resolve the invalid
bounce back issue, but also protect all users against spam.


-- 
Martin Hepworth, CISSP
Oxford, UK


On 20 March 2013 17:35, Robert Lopez <rlopezcnm at gmail.com> wrote:

> Martin,
>
> We do not white list the cnm.edu domain. We do white list some
> departments (example, The Marketing and Communications Office, The Office
> of the President, etc.) because they sent such high volume of email it
> takes too much time to inspect them all. They are white listed via
> .../rules/spam.whitelist.rules and not in the white list postfix uses.
>
> -Robert
>
>
> On Wed, Mar 20, 2013 at 7:40 AM, Martin Hepworth <maxsec at gmail.com> wrote:
>
>> the 'watermaking' is based on the ability of mailScanner to addin an
>> extra header containing a (I think) hash of your Org-name salted with the
>> predefined secret in your MailScanner.conf
>>
>> http://www.mailscanner.info/MailScanner.conf.index.html#Watermark%20Header
>>
>> Not any use for this case and it's purely for use in MailScanner code.
>>
>> I would check your whitelisting rules (definitely no spam etc) and make
>> sure you're not whitelisting your own domain, this is a common mistake and
>> lets alot of spam through that would normally be detected. If you need to
>> whitelist your domain then use the ip-addresses of the internal email
>> servers and not your domain.
>>
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>>
>> On 19 March 2013 23:57, Robert Lopez <rlopezcnm at gmail.com> wrote:
>>
>>> I understand watermarking is to defend against "joe job blowback". I
>>> think I understand that blowback problem is when email is sent, using for
>>> example my address, to many other domains and all the flack (blow back)
>>> comes back to me.
>>>
>>> I am wondering if this watermarking is of any use in a type of SPAM we
>>> now frequently see. It is where email is sent to a list of addresses, all
>>> at our domain, and the from address is also the first address in the
>>> address list. Everyone else thinks the first person sent it. Our gateways
>>> send such email to Exchange and any communication back to the sender is
>>> entirely within Exchange and never comes back through the gateways again.
>>>
>>> In this kind of SPAM I have always considered it of no use. Am I wrong
>>> in my thinking?
>>>
>>> --
>>> Robert Lopez
>>> Unix Systems Administrator
>>> Central New Mexico Community College (CNM)
>>> 525 Buena Vista SE
>>> Albuquerque, New Mexico 87106
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130321/ac612ad3/attachment.html 


More information about the MailScanner mailing list