Watermarking and spoofed sender address

Robert Lopez rlopezcnm at gmail.com
Fri Mar 22 16:50:46 GMT 2013


Martin,

> IF you are whitelisting emails by address and NOT adding in a directional element

I have been looking at the MailScanner book.
I see the Rule Sets Example section and the "Contains a 'direction'".
It has not yet hit me how and where to write such a rule.
Would this take a custom function or do you believe it may be done with (a)
rule(s)?


On Thu, Mar 21, 2013 at 3:55 AM, Martin Hepworth <maxsec at gmail.com> wrote:

> The point there sounds like the issue - IF you are whitelisting emails by
> address and NOT adding in a directional element, i.e. emails from marketing
> BUT only FROM the inside valid servers, then you'll open up holes for spam
> to get by.
>
> If you're scanning outbound emails then the best way in higher volumes is
> to use a separate server(s) with the same watermarking keys as the incoming
> scanner. Then you can start to use watermarking to help resolve the invalid
> bounce back issue, but also protect all users against spam.
>
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 20 March 2013 17:35, Robert Lopez <rlopezcnm at gmail.com> wrote:
>
>> Martin,
>>
>> We do not white list the cnm.edu domain. We do white list some
>> departments (example, The Marketing and Communications Office, The
>> Office of the President, etc.) because they sent such a high volume of email
>> it takes too much time to inspect them all. They are white listed via
>> .../rules/spam.whitelist.rules and not in the white list postfix uses.
>>
>> -Robert
>>
>>
>> On Wed, Mar 20, 2013 at 7:40 AM, Martin Hepworth <maxsec at gmail.com> wrote:
>>
>>> The 'watermarking' is based on the ability of MailScanner to add in an
>>> extra header containing a (I think) hash of your Org-name salted with the
>>> predefined secret in your MailScanner.conf
>>>
>>>
>>> http://www.mailscanner.info/MailScanner.conf.index.html#Watermark%20Header
>>>
>>> Not any use for this case and it's purely for use in MailScanner code.
>>>
>>> I would check your whitelisting rules (definitely no spam etc) and make
>>> sure you're not whitelisting your own domain, this is a common mistake and
>>> lets a lot of spam through that would normally be detected. If you need to
>>> whitelist your domain then use the ip-addresses of the internal email
>>> servers and not your domain.
>>>
>>>
>>> --
>>> Martin Hepworth, CISSP
>>> Oxford, UK
>>>
>>>
>>> On 19 March 2013 23:57, Robert Lopez <rlopezcnm at gmail.com> wrote:
>>>
>>>> I understand watermarking is to defend against "joe job blowback". I
>>>> think I understand that the blowback problem is when email is sent, using for
>>>> example my address, to many other domains and all the flak (blowback)
>>>> comes back to me.
>>>>
>>>> I am wondering if this watermarking is of any use in a type of SPAM we
>>>> now frequently see. It is where email is sent to a list of addresses, all
>>>> at our domain, and the from address is also the first address in the
>>>> address list. Everyone else thinks the first person sent it. Our gateways
>>>> send such email to Exchange and any communication back to the sender is
>>>> entirely within Exchange and never comes back through the gateways again.
>>>>
>>>> In this kind of SPAM I have always considered it of no use. Am I wrong
>>>> in my thinking?
>>>>
>>>> --
>>>> Robert Lopez
>>>> Unix Systems Administrator
>>>> Central New Mexico Community College (CNM)
>>>> 525 Buena Vista SE
>>>> Albuquerque, New Mexico 87106
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>
>>
>> --
>> Robert Lopez
>> Unix Systems Administrator
>> Central New Mexico Community College (CNM)
>> 525 Buena Vista SE
>> Albuquerque, New Mexico 87106
>>
>


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
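
The "directional element" Martin describes, modeled in Python as an added example; it is not part of the original thread and is not MailScanner ruleset syntax. The addresses, the internal relay range and the function names are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed placeholders: whitelisted sender patterns and the internal relay range.
WHITELISTED_SENDERS = ["marketing@example.edu", "president@example.edu"]
INTERNAL_RELAYS = [ipaddress.ip_network("10.20.0.0/24")]


def address_only_whitelist(envelope_from):
    """Whitelist on the sender address alone (no direction)."""
    sender = envelope_from.strip().lower()
    return any(fnmatchcase(sender, pattern) for pattern in WHITELISTED_SENDERS)


def came_from_inside(client_ip):
    """True only if the connecting host is one of the internal mail servers."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source is never treated as internal
    return any(ip in net for net in INTERNAL_RELAYS)


def directional_whitelist(envelope_from, client_ip):
    """Whitelist only when the address matches AND the mail came from inside."""
    return came_from_inside(client_ip) and address_only_whitelist(envelope_from)


# Constructed sample messages: (envelope sender, connecting IP, description)
SAMPLES = [
    ("marketing@example.edu", "10.20.0.15", "genuine, via internal relay"),
    ("marketing@example.edu", "203.0.113.77", "spoofed sender, from the Internet"),
    ("someone@example.org", "203.0.113.77", "ordinary external mail"),
]


def evaluate(samples):
    """Return (description, address-only result, directional result) per message."""
    return [
        (desc, address_only_whitelist(sender), directional_whitelist(sender, ip))
        for sender, ip, desc in samples
    ]


if __name__ == "__main__":
    for desc, addr_only, directional in evaluate(SAMPLES):
        print(f"{desc:36} address-only={addr_only!s:5} directional={directional}")
```

The spoofed message is the only one where the two checks disagree: it is whitelisted by address alone and still scanned once the source must be an internal server.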