Re: [Declude.JunkMail] blocking spam faked as coming from local address

[Matthew Bramble]

Bill, It depends on your customer makup.  My FP rate with a MAILFROM filter would be close to 90% if not more because of several sites that are configured to send form submissions as being an account from the same domain.  SPAMDOMAINS would be a better test because the Web sites and domain based E-mail often shares the same reverse DNS lookup, but not in cases where they are just using aliases for forwarding.  I have several customers that have software that sends out automated messages claiming to be from their own domains, such as firewalls and the like, and then I have some customers with sites hosted in different facilities that forge the From address for ecommerce.  All of this is before you get the refer-a-friend and gift card stuff.  I see all of this with less than 250 actual accounts and just 50 domains hosted on my server at present. If you don't do a lot of Web hosting, you might not see much of a problem, or if you do hosting for sites without forms configured in that way, you also wouldn't notice it.  I personally don't want to be whitelisting E-mail as the result of being alerted to the problem by a customer that rightfully assumed that the From address should be their own when setting up a script on a Web site.  Spam that forges the from address is likely to fail many technical tests because forging isn't generally limited to the from address, typically they forge the HELO and screw many other things up in the headers.  I almost never get spam that passes the filters that uses my own address anymore. As my own sample of FP's seen in the last 5,000 or so messages would be the following: - Used Vehicle Inquiry - [name removed] (about 20 of these) - New Vehicle Inquiry - [name removed] (about 20 of these) - Parts Inquiry - [name removed] (about 5 of these) - Website Contact Form (2 of these) - New firmware available. (1 of these, sent from a SonicWall) - From your friend: [name removed] (2 of these sent through SendAFriend) - Internet Order # [numbers] (3 of these) In addition to these there are GM and Mazda corporate Internet lead notifications that fake the from address as the address they are sending them to (these have problems with these poorly configured servers).  Again though, depending on your customer makup, your mileage may vary.  SPAMDOMAINS would have not FP'd on a few of the first 4 examples because they are locally hosted on the same domain as the receiver, but would have FP'd on MAILFROM..  Everything else would have FP'd on both tests. Matt Bill Landry wrote: We whitelist the IP address of any system we permit to relay through our IMail server, and all of our customer either use SMTP Auth or we whitelist their IP address space.  So the only time we have see a problem is with some mailing lists and e-card services, which we accommodate via filtering.   As a quick test, I separated out my hosted domains from the SPAMDOMAINS file and created a new spamdomains test called FORGED-DOMAINS.  Here are the subjects of the messages I have flagged with this test within the past 5 minutes:         2 Subject: Complimentary 30 Day Supply of Phentermine!       1 Subject: [NAME WITHHELD] Where to deposit your Payroll?       1 Subject: Someone wants to date you       1 Subject: Self-paced degree programs for busy adults       1 Subject: Please claim your gift       1 Subject: Lowest Mortgage Rates in 45 Years!       1 Subject: Get a Proven Anti - Aging Creme at No Charge       1 Subject: Credit Relief       1 Subject: Complimentary 30 Day Supply of Phentermine!       1 Subject: Absolutely Free, CostsNothing, FreeAir Tickets       1 Subject: 4 F r e e Airline Tickets + $100 Cash Back       1 Subject: 3 months of FREE Satellite TV       1 Subject: 0% Auto Loans!       1 Subject:  you are *approved already. No credit check   Looks like a very effective test to me.   Bill ----- Original Message ----- From: Matthew Bramble To: [EMAIL PROTECTED] Sent: Friday, September 19, 2003 2:16 PM Subject: Re: [Declude.JunkMail] blocking spam faked as coming from local a ddress ddress ddress ddress Bill, It's because it is very rare that you see spam faking your address, 0.1% from a recent test, and much more common that false positives will be created as was noted.  I was able to monitor this behavior because unfortunately the DYNAMIC filter catches but doesn't score intra-server domain E-mail, and I searched for this knowing they would all be in there.  In other words, filtering for from addresses faked to say they are from your own domain would have a false positive rate of around 75%, or at least that would be so on my server.  One prime example is that many of my customer's Web sites with forms will send the submission as if it came from the customer's own domain, and thus fail the test.  Lots of ecommerce is done this way.  It's a very bad idea in my opinion.  Maybe I'm missing something though??? Using SPAMDOMAINS to filter for local domains would also be just as problematic I would think.  You might not have issues based on the makeup of your customers and maybe not caring too much about gray area commercial stuff like greeting cards which might fail the filters.  No way would I start whitelisting stuff either based on something which would properly add points so rarely.  Are you not seeing the same very low incidence of this type of thing?  or is that unique to my own customer base? Matt Bill Landry wrote: ----- Original Message ----- From: Matthew Bramble I highly recommend not filtering the fake MAILFROM for your local domains. Why not? I don't actually do this, rather I use SPAMDOMAIN instead. But I don't see a problem doing it with MAILFROM in a filter file either. Bill