Scott,
This goes along the lines of something that I have been wondering about recently, trying to find a pseudo-whitelisting method that isn't likely to be exploited.
The issue that I primarily find is that some open relays are that way because they will accept any local Mail From and relay for it; in fact this is the most common open-relay-creating mistake that IMail users make. This means that when such a relay is being exploited, they are using an address from the same machine to send their spam. So for instance, if mx1.mailpure.com was an open relay set to accept all local addresses, someone could send out spam as [EMAIL PROTECTED]. This seems to make the idea of trusting a combination of HELO, MAILFROM, REVDNS and REMOTEIP insecure, or unworthy of credit, because all of these things would look exactly the same when being used legitimately as opposed to when it is being exploited. I wouldn't argue that it isn't worth a small percentage of credit, but I'm thinking right now that I can't whitelist this way. I am however unsure about how common such things are, i.e. how often open relays are exploited with local Mail Froms. Any hints to the answer would be appreciated.

Also note that this is an issue that SPF shares, and in fact it can be worse since you can't pick and choose the systems that you are trusting. In fact, I believe that spammers may start to seek out the match for their own benefit in the future when they compromise certain systems. If SPF is successful and widely implemented, then the exploits will surely come. As things stand, static spammers are already using SPF records themselves, and that seemingly has ruined much of the value that could be provided by way of crediting a pass.
For the time being, I've started to build a DNS zone that uses not the %MAILFROM% but instead the %MAILFROMBL% which uses the whole E-mail address but replaces the @ with a dot. I'm combining this with the IP in IP4R format (reversed dotted quad). I believe that this is worthy of whitelisting with that degree of accuracy (full E-mail plus IP), but I do very much desire a way to whitelist E-mail from semi-trusted servers. Do I go with the %MAILFROM% only (the domain in combination with the IP) and just hope that the admins never become open relays? Or maybe there's a better method?
Any thoughts?
Matt
Scott Fisher wrote:
My company gets lots of e-mail from state agencies.
Here's a filter that has been working well to credit good gov (mailfrom and revdns both .us). I set the negative weight to credit enough points to counteract one hit from a strong test like sbl/sniffer/spamcop.
I've seen virus bounces get credit, which is why I end if TESTSFAILED contains ANTI-AV.
# ==========================================================
#
# If mailfrom and revdns both end in .us, it's looking good
# Then credit state abbreviations 60 points
#
# ==========================================================
#
# If Virus Warning don't give points
#
TESTSFAILED END CONTAINS ANTI-AV
#
# End if not .us
#
MAILFROM END NOTENDSWITH .us
REVDNS END NOTENDSWITH .us
MAILFROM END IS <>
#
# Whitelist proper states with 60 points
#
MINWEIGHT -60
MAILFROM -60 ENDSWITH .al.us
MAILFROM -60 ENDSWITH .ak.us
MAILFROM -60 ENDSWITH .az.us
MAILFROM -60 ENDSWITH .ar.us
MAILFROM -60 ENDSWITH .ca.us
MAILFROM -60 ENDSWITH .co.us
MAILFROM -60 ENDSWITH .ct.us
MAILFROM -60 ENDSWITH .dc.us
MAILFROM -60 ENDSWITH .de.us
MAILFROM -60 ENDSWITH .fl.us
MAILFROM -60 ENDSWITH .ga.us
MAILFROM -60 ENDSWITH .gu.us
MAILFROM -60 ENDSWITH .hi.us
MAILFROM -60 ENDSWITH .id.us
MAILFROM -60 ENDSWITH .il.us
MAILFROM -60 ENDSWITH .in.us
MAILFROM -60 ENDSWITH .ia.us
MAILFROM -60 ENDSWITH .ks.us
MAILFROM -60 ENDSWITH .ky.us
MAILFROM -60 ENDSWITH .la.us
MAILFROM -60 ENDSWITH .me.us
MAILFROM -60 ENDSWITH .md.us
MAILFROM -60 ENDSWITH .ma.us
MAILFROM -60 ENDSWITH .mi.us
MAILFROM -60 ENDSWITH .mn.us
MAILFROM -60 ENDSWITH .ms.us
MAILFROM -60 ENDSWITH .mo.us
MAILFROM -60 ENDSWITH .mt.us
MAILFROM -60 ENDSWITH .ne.us
MAILFROM -60 ENDSWITH .nv.us
MAILFROM -60 ENDSWITH .nh.us
MAILFROM -60 ENDSWITH .nj.us
MAILFROM -60 ENDSWITH .nm.us
MAILFROM -60 ENDSWITH .ny.us
MAILFROM -60 ENDSWITH .nc.us
MAILFROM -60 ENDSWITH .nd.us
MAILFROM -60 ENDSWITH .oh.us
MAILFROM -60 ENDSWITH .ok.us
MAILFROM -60 ENDSWITH .or.us
MAILFROM -60 ENDSWITH .pa.us
MAILFROM -60 ENDSWITH .pr.us
MAILFROM -60 ENDSWITH .ri.us
MAILFROM -60 ENDSWITH .sc.us
MAILFROM -60 ENDSWITH .sd.us
MAILFROM -60 ENDSWITH .tn.us
MAILFROM -60 ENDSWITH .tx.us
MAILFROM -60 ENDSWITH .ut.us
MAILFROM -60 ENDSWITH .vt.us
MAILFROM -60 ENDSWITH .va.us
MAILFROM -60 ENDSWITH .vi.us
MAILFROM -60 ENDSWITH .wa.us
MAILFROM -60 ENDSWITH .wv.us
MAILFROM -60 ENDSWITH .wi.us
MAILFROM -60 ENDSWITH .wy.us
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
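An added example (not code from either poster or from Declude) covering both halves of the thread: a small evaluator for the filter-file subset Scott's .us whitelist uses, and a builder for the two DNS whitelist lookup names Matt contrasts (%MAILFROM% plus IP versus %MAILFROMBL% plus IP). The END/MINWEIGHT semantics, case-insensitive matching, and the "reversed IP, then address, then zone" label order are my assumptions; the filter text and message attributes are constructed.

```python
# Evaluate a Declude-style filter file against message attributes and build
# the DNS whitelist keys from the thread.  Added example, not Declude code.

# Constructed: Scott's filter shortened to three states.
FILTER = """
# If Virus Warning don't give points
TESTSFAILED END CONTAINS ANTI-AV
# End if not .us
MAILFROM END NOTENDSWITH .us
REVDNS END NOTENDSWITH .us
MAILFROM END IS <>
MINWEIGHT -60
MAILFROM -60 ENDSWITH .tx.us
MAILFROM -60 ENDSWITH .ny.us
MAILFROM -60 ENDSWITH .ca.us
"""

def _matches(action, value, pattern):
    # Assumption: Declude compares case-insensitively.
    value, pattern = value.lower(), pattern.lower()
    if action == "CONTAINS":
        return pattern in value
    if action == "ENDSWITH":
        return value.endswith(pattern)
    if action == "NOTENDSWITH":
        return not value.endswith(pattern)
    if action == "IS":
        return value == pattern
    raise ValueError(f"unsupported action {action}")

def evaluate(filter_text, msg):
    """Weight this filter contributes for msg (dict: DECLUDE_VAR -> value).
    Assumed semantics: a matching line whose weight is END stops the filter
    at 0; other matching lines add their weight; MINWEIGHT is a lower bound."""
    total, minweight = 0, None
    for raw in filter_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if parts[0].upper() == "MINWEIGHT":
            minweight = int(parts[1])
            continue
        var, weight, action, pattern = parts
        if not _matches(action.upper(), msg.get(var.upper(), ""), pattern):
            continue
        if weight.upper() == "END":
            return 0
        total += int(weight)
    return total if minweight is None else max(total, minweight)

def whitelist_keys(mailfrom, ip, zone):
    """(domain+IP key, full-address+IP key); '@' becomes '.' as in %MAILFROMBL%.
    Two senders at one domain and IP share the first key but not the second."""
    ip4r = ".".join(reversed(ip.split(".")))          # IP4R: reversed quad
    local, domain = mailfrom.rsplit("@", 1)
    return f"{ip4r}.{domain}.{zone}", f"{ip4r}.{local}.{domain}.{zone}"
```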