On Sun, 28 Feb 2010, damuz wrote:
Secondly, it occurred to me that all the (legit) mail to us will only be to
a handful of email addresses and much of the spam still getting through is
sent to spurious recipie...@mydomain.com.
So with this in mind, is it useful or advisable to set up those legit email
addresses as " whitelist_to " and if so, what becomes of the 'rest' of the
mail or do you have to define only receive to whitelist_to?

You have to 'fine tune' this kind of test. Keep in mind that the visible 'To:' header is hardly more than a *comment* on the mail. It may contain a mailing list name, or another *valid* recipient on another domain, while the mail was sent to *your* domain as a 'Bcc' hidden recipient.

At the first stage of the SMTP transaction your MTA (should have) already rejected any mail that was actually 'addressed' to an invalid address. So the issue you are dealing with can be described as 'mail to a legitimate recipient with a suspicious To: header'.

So it quickly devolves to the fact that the *only* thing you can reject is mail that has a 'To:' address that is @your.domain but which is not a valid (now or at any time in the past!) recipient on your domain. You can't flag mail that is 'To:' another domain. That could be valid!

Now you need to be careful that when you invoke a 'whitelist' you do so for the 'To:' header, and NOT for the envelope recipient, which, by definition, will always be a 'hit'. Unfortunately, the standard 'whitelist_to' will 'hit' on any embedded headers that your MTA adds to show the envelope recipient. You could essentially end up whitelisting all mail. So you need to whitelist on the visible headers *manually*....

So, if your list of internal recipients is not overly large, you may want to try the following:

header   __VALID_MYDOMAIN     ToCc =~ /(validuser1|validuser2|...)\...@yourdomain.com/i
header   __TO_MYDOMAIN        ToCc =~ /\...@yourdomain.com/i
meta     LOC_INVALID_MYDOMAIN ( __TO_MYDOMAIN && ( ! __VALID_MYDOMAIN ) )
describe LOC_INVALID_MYDOMAIN Address in To or Cc header to invalid address on our domain
score    LOC_INVALID_MYDOMAIN 1

Obviously, score modestly until we are sure there are no false positives. The big 'problem' with this scheme is that *any* change to the list of valid users requires the first rule to be updated. So I only recommend this approach if you have absolute control over your mail system.

- Charles
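As an added illustration (not part of Charles's message or of SpamAssassin's own code), the logic of the three rules above written out in Python, with a constructed domain and user list standing in for yourdomain.com and the (validuser1|validuser2|...) alternation. It reads only the visible To/Cc headers, and a second function shows why matching valid addresses against the MTA's envelope-recipient headers would hit on nearly everything.

```python
import email
from email.utils import getaddresses

# Constructed sample values standing in for yourdomain.com and the
# (validuser1|validuser2|...) alternation in the rule quoted above.
OUR_DOMAIN = "yourdomain.com"
VALID_USERS = {"validuser1", "validuser2"}
ENVELOPE_HEADERS = ("Delivered-To", "X-Original-To", "Envelope-To")

def visible_recipients(msg):
    """Addresses from the visible To: and Cc: headers only (the ToCc target).
    Delivered-To style headers added by the MTA are deliberately not read."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs if addr]  # lower() == /i

def invalid_local_recipients(msg):
    """LOC_INVALID_MYDOMAIN: To/Cc addresses on our domain whose local part
    is not a valid user. Addresses on other domains never count."""
    hits = []
    for addr in visible_recipients(msg):
        local, at, domain = addr.rpartition("@")
        if at and domain == OUR_DOMAIN and local not in VALID_USERS:
            hits.append(addr)
    return hits

def envelope_whitelist_hits(msg):
    """The pitfall: matching valid addresses against the headers that carry
    the envelope recipient 'hits' on essentially all delivered mail."""
    hits = []
    for name in ENVELOPE_HEADERS:
        for _n, addr in getaddresses(msg.get_all(name, [])):
            local, at, domain = addr.lower().rpartition("@")
            if at and domain == OUR_DOMAIN and local in VALID_USERS:
                hits.append(addr.lower())
    return hits

# Constructed sample messages (both delivered to validuser1 via the envelope)
SPAM_TO_SPURIOUS = email.message_from_string(
    "Delivered-To: validuser1@yourdomain.com\n"
    'To: "Sales" <spurious@yourdomain.com>, validuser2@YourDomain.com\n'
    "Subject: test\n\nbody\n")
LIST_MAIL_VIA_BCC = email.message_from_string(
    "Delivered-To: validuser1@yourdomain.com\n"
    "To: users@lists.example.org\n"
    "Subject: test\n\nbody\n")
```

Only the first sample fires the invalid-recipient check; the second is left alone because its To: is on another domain, while the envelope-header check fires on both.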
