Mike Staver <[EMAIL PROTECTED]> wrote:

> Ok, I think I see what you mean here - saying that I could use this
> procmail filter... and I could then blacklist fimble.com so any
> external mail from fimble.com gets blocked.
Well, what I'm suggesting is that you use an alternate method to determine what mail is "internal mail". Trusting the From or To address to say "fimble.com" is internal doesn't work, because spammers can forge that easily. So I recommend that you neither whitelist nor blacklist fimble.com. Let the other SpamAssassin rules do their job and determine what is spam and what is not.

But you probably whitelisted fimble.com because you have a problem with false positives. This is why I suggest that you find an alternative method of detecting mail that was both generated internally and delivered internally, without ever crossing an external (internet) gateway. If you can do this, your problem is largely solved.

My proposal is that you use procmail to examine the Received headers of incoming messages. Of course, Received headers can be forged as well, but spammers normally wouldn't know exactly what you're looking for. Every site has a different path through which mail is routed.

> I just have one more newbie-like question - when you say gateway that
> mail can travel through... would that include a cisco 2600 T1 router?
> I have my MX records pointed at just my server, so I guess I don't
> know the technical details of the path mail takes to get to my server.
Here's an example set of mail headers from my own site:

    Return-Path: <[EMAIL PROTECTED]>
    Received: from syndra.foxtaur.com (syndra [192.168.1.1])
        by fuzzy.foxtaur.com (8.12.1/8.12.1) with ESMTP id h086iBVI019647
        for <[EMAIL PROTECTED]>; Wed, 8 Jan 2003 00:44:11 -0600
    Received: from localhost (localhost [127.0.0.1])
        by syndra.foxtaur.com (8.11.4/8.11.4) with ESMTP id h086iA403331
        for <[EMAIL PROTECTED]>; Wed, 8 Jan 2003 00:44:11 -0600
    Received: from mail.coserv.net by localhost with POP3 (fetchmail-5.8.6)
        for [EMAIL PROTECTED] (single-drop); Wed, 08 Jan 2003 00:44:11 -0600
    Received: from bm0-3.e-dialog.com (bm0-3.e-dialog.com [64.28.75.180])
        by mail.coserv.net (iPlanet Messaging Server 5.1 (built May 7 2001))
        with ESMTP id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]
        (ORCPT [EMAIL PROTECTED]); Wed, 08 Jan 2003 00:40:20 -0600 (CST)
    Received: from localhost.localdomain (mf1.e-dialog.com [10.200.5.46])
        by bm0-3.e-dialog.com (8.12.5/8.12.5) with ESMTP id h086c6P9001797
        for <[EMAIL PROTECTED]>; Wed, 08 Jan 2003 01:40:20 -0500
    Date: Wed, 08 Jan 2003 01:40:20 -0500
    From: "VeriSign, Inc." <[EMAIL PROTECTED]>
    Subject: Important Customer Update
    To: [EMAIL PROTECTED]
    Message-id: <[EMAIL PROTECTED]>
    [...other headers truncated...]

In answer to your question, "gateway" here refers to an SMTP gateway, which accepts, queues, processes, then routes to another SMTP server (or delivers the mail). This example message was processed by five mail gateways before it reached my mailbox.

The Received headers are added by each mail gateway that processes the mail, in reverse order. So the top Received header shows it was received by my internal mail gateway (fuzzy). The next line shows that it was processed by my external mail gateway (syndra). The important part is the "by xxxxx" portion, which is always present and indicates which server received the mail, and generally it tells from whom.

Because of my unique mail delivery setup, I can use the presence of the "Received: ... by syndra" header as obvious proof that the mail originated outside of my site. There would never be any good reason for mail from one of my users, to another of my users, to ever traverse this external gateway.

Therefore, an easy method of avoiding false positives is to simply NOT scan mail that has NOT traversed the external gateway. This is done simply by adding an extra criterion to the /etc/procmailrc:

    :0fw
    * < 256000
    * ^Received: .*(by syndra.foxtaur.com)
    | spamc

Thus, externally-originating messages will receive all of SpamAssassin's scrutiny, while internally-originating messages will not. There is no way that a spammer can forge his way past this. And I do not have to implement any whitelisting or blacklisting for my domain.

In order for you to implement this, you should examine Received headers for your own site, and see if you can also determine a set of headers that only appear on externally-originating E-mail.

-- 
[EMAIL PROTECTED] (Fuzzy Fox)      || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
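The Received-header test from the recipe above, written out as a small Python checker. This is an added example, not code from the original post, from procmail or from SpamAssassin. It unfolds the Received headers with the standard library's email parser, applies the same "by syndra.foxtaur.com" condition and the 256000-byte size limit, and returns whether the message would be piped to spamc; the From and To headers are never consulted, which is the point of the approach. Both message samples are constructed: the first from the headers quoted in the post, the second an assumed internal-only message from a hypothetical host desk12.foxtaur.com.

```python
import re
from email import policy
from email.parser import HeaderParser

# The external SMTP gateway named in the post. Any Received header saying the
# message was handled "by" this host means it arrived from outside the site.
EXTERNAL_GATEWAY = "syndra.foxtaur.com"

# Same condition as the procmail line "* ^Received: .*(by syndra.foxtaur.com)",
# with the dots escaped so that only literal dots match.
BY_GATEWAY = re.compile(r"\bby\s+" + re.escape(EXTERNAL_GATEWAY) + r"\b",
                        re.IGNORECASE)

# Size limit from the recipe's "* < 256000" condition (bytes).
MAX_SCAN_SIZE = 256000


def received_hops(raw_message: str) -> list:
    """Return the Received header values, topmost (most recent hop) first,
    with header line folding collapsed to single spaces."""
    msg = HeaderParser(policy=policy.compat32).parsestr(raw_message,
                                                        headersonly=True)
    return [" ".join(str(value).split())
            for value in msg.get_all("Received", [])]


def crossed_external_gateway(raw_message: str) -> bool:
    """True when at least one hop was received by the external gateway."""
    return any(BY_GATEWAY.search(hop) for hop in received_hops(raw_message))


def should_run_spamc(raw_message: str) -> bool:
    """Mirror the recipe: hand the message to spamc only if it is under the
    size limit and has traversed the external gateway."""
    size_ok = len(raw_message.encode("utf-8")) < MAX_SCAN_SIZE
    return size_ok and crossed_external_gateway(raw_message)


# Constructed from the headers quoted in the post (first three hops shown).
EXTERNAL_SAMPLE = """\
Return-Path: <[EMAIL PROTECTED]>
Received: from syndra.foxtaur.com (syndra [192.168.1.1])
\tby fuzzy.foxtaur.com (8.12.1/8.12.1) with ESMTP id h086iBVI019647
\tfor <[EMAIL PROTECTED]>; Wed, 8 Jan 2003 00:44:11 -0600
Received: from localhost (localhost [127.0.0.1])
\tby syndra.foxtaur.com (8.11.4/8.11.4) with ESMTP id h086iA403331
\tfor <[EMAIL PROTECTED]>; Wed, 8 Jan 2003 00:44:11 -0600
Received: from mail.coserv.net by localhost with POP3 (fetchmail-5.8.6)
\tfor [EMAIL PROTECTED] (single-drop); Wed, 08 Jan 2003 00:44:11 -0600
From: "VeriSign, Inc." <[EMAIL PROTECTED]>
Subject: Important Customer Update

"""

# Constructed: an assumed user-to-user message that only touched the
# internal gateway (fuzzy); desk12.foxtaur.com is a hypothetical host.
INTERNAL_SAMPLE = """\
Received: from desk12.foxtaur.com (desk12 [192.168.1.12])
\tby fuzzy.foxtaur.com (8.12.1/8.12.1) with ESMTP id h08FGHij012345
\tfor <[EMAIL PROTECTED]>; Wed, 8 Jan 2003 09:10:11 -0600
From: [EMAIL PROTECTED]
Subject: lunch?

"""

if __name__ == "__main__":
    for label, sample in (("external", EXTERNAL_SAMPLE),
                          ("internal", INTERNAL_SAMPLE)):
        print(label, "hops:", len(received_hops(sample)),
              "scan with spamc:", should_run_spamc(sample))
```

Run it directly to see both samples classified; adapt `EXTERNAL_GATEWAY` to whatever host appears in the "by" clause only for mail entering your own site, exactly as the post suggests working out from your own headers.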