You're right, there's no blacklist_from_rcvd.. but do you really need/want such precautions there?

I mean.. if I declare a from address to be blacklisted, do I really care what server it came from? If a spammer forges a from address that is blacklisted, more power to him... If an innocent bystander forges a blacklisted from address in a nonspam email, well.. Why were they forging a from address in the first place?


As far as matching bad servers, without caring about the from address, that's what DNS blacklists are for... Hence there's not much point in having a blacklist_rcvd either. Just set up a local DNSBL, or use the ones that are already in the ruleset for SA by default (you might need to use CPAN and install Net::DNS to make DNSBLs work).




At 10:14 PM 12/16/2002 +0000, you wrote:
Matt,

That makes a lot of sense. Thank you very much. I didn't see a
blacklist_from_rcvd in the config documentation so I assume there isn't one.
Similar precautions might be helpful, although it might be too much work to
try to match bad address to the servers they might be sending from. Better
to just match the bad server I guess.

Thanks,
Jonathan Duncan


Matt Kettler <[EMAIL PROTECTED]> said:

> some recommendations:
>
> 1) don't ever whitelist yourself. This kind of spammer behavior is SUPER
> common. A very noticeable portion of the spam I get is "from" my own
> address.
>
> 2) If you must whitelist yourself, use a whitelist_from_rcvd not a simple
> whitelist_from.
>
> 3) In fact, if you can avoid it, don't ever use a simple whitelist_from,
> and always use a whitelist_from_rcvd whenever possible. This closes a LOT
> of loopholes like the one you found here.
>
> Basically whitelist_from_rcvd forces a check of both the from: address and
> the received headers. This makes it so the whitelist cannot be spoofed
> merely by substituting a from: line.
>
> At 07:14 PM 12/16/2002 +0000, Jonathan Duncan wrote:
> >I have gotten a couple of vile spams that came through with NO problem
> >whatsoever because of the test "USER_IN_WHITELIST". It seems that the
> >spammer used my email address in the To: field as well as the From: field.
> >If all spammers did that, with my current configuration, my install of SA
> >would be worthless. Is there a way around this? Perhaps I could change the
> >amount of negative points the people in the whitelist get and up the number
> >of points that "FROM_SAME_AS_TO" gets. Has anyone else solved this problem
> >already?
>





________________________________________________________________

Brought to you by nacnudMail using TWIG. http://www.nacnud.com



-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
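
The difference between whitelist_from and whitelist_from_rcvd discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin's own code. It is a simplified Python model; the addresses, host names and Received lines are constructed, and it assumes the topmost Received header was written by your own MX.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed policy, mirroring "whitelist_from ADDR" and
# "whitelist_from_rcvd ADDR RELAY-DOMAIN".
WHITELIST_FROM = ["jonathan@example.org"]
WHITELIST_FROM_RCVD = [("jonathan@example.org", "example.org")]

# "from HELO (rdns-name [ip])": the rDNS name is looked up by the receiving MX,
# while the HELO string is chosen by the sender.
RCVD_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[[0-9A-Fa-f.:]+\]\)")

def from_addr(msg):
    return parseaddr(msg.get("From", ""))[1].lower()

def relay_rdns(msg):
    """rDNS of the relay that handed the message to our MX (topmost Received only)."""
    received = msg.get_all("Received") or []
    m = RCVD_RE.search(received[0]) if received else None
    return m.group(1).lower() if m else None

def simple_whitelist_hit(msg):
    return any(fnmatchcase(from_addr(msg), pat) for pat in WHITELIST_FROM)

def rcvd_whitelist_hit(msg):
    rdns = relay_rdns(msg)
    if rdns is None:              # no verifiable relay name: do not whitelist
        return False
    addr = from_addr(msg)
    return any(fnmatchcase(addr, pat) and (rdns == dom or rdns.endswith("." + dom))
               for pat, dom in WHITELIST_FROM_RCVD)

# Constructed sample: own address in From: and To:, plus a forged lower Received line.
SPOOFED = message_from_string(
    "Received: from smtp.example.org (dsl-7.bulk.example.net [203.0.113.7]) by mx.example.org\n"
    "Received: from smtp.example.org (smtp.example.org [192.0.2.25]) by relay.example.org\n"
    "From: jonathan@example.org\nTo: jonathan@example.org\nSubject: hello\n\nbody\n")
# Constructed sample: the same sender arriving through the organisation's own relay.
GENUINE = message_from_string(
    "Received: from smtp.example.org (smtp.example.org [192.0.2.25]) by mx.example.org\n"
    "From: jonathan@example.org\nTo: matt@example.com\nSubject: hello\n\nbody\n")

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, "whitelist_from:", simple_whitelist_hit(msg),
              "whitelist_from_rcvd:", rcvd_whitelist_hit(msg))
```

The forged second Received line in the spoofed sample is ignored because only the header added by the receiving server is consulted.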

