Posted to users@spamassassin.apache.org by Matt Kettler <mk...@verizon.net> on 2006/12/01 15:36:18 UTC

Re: forged spam emails from my own domain

vertito wrote:
> I am receiving spam emails coming from my own domain.com,
> but that email address does not exist in my own domain.com.
>
> Say my domain is mydomain.com and that spam email had a FROM header that
> shows
>
> whome@mydomain.com
>
> which is currently whitelisted in the SpamAssassin global rules and
> currently does not exist in my users list.
> That is why I am receiving it in my INBOX and not in the SPAM folder.
>
> Does anyone have an idea or a script to move this to the SPAM folder?
> Thanks
sidenote: Do you really have to post in such a large font?

Spamassassin whitelisting rules:

Rule 1. Do not *EVER* use whitelist_from for your domain. EVER. This is
a bad idea because it is easily forged. Even if your MTA rejects
forgeries, that only applies to the envelope, where SA's whitelisting
will match either the envelope or the From: address. Use
whitelist_from_rcvd instead. Whitelist_from_rcvd allows you to dictate
matching part of a Received: header, and you can use this so that only
internal machines will match the whitelist, outside hosts won't.

Rule 2. Actually, don't EVER use whitelist_from for anything if you can
avoid it. whitelist_from_rcvd or whitelist_from_spf are always better to
use when possible.


And, as Craig suggested, configuring your MTA to reject forgeries of
your domain is a good idea. This will only solve those that forge the
envelope from, but this is a large chunk of forged spam and viruses.



Re: forged spam emails from my own domain

Posted by Craig Morrison <cr...@2cah.com>.
vertito wrote:
> 
> config: SpamAssassin failed to parse line, "*@yahoo.com" is not valid 
> for "whitelist_from_rcvd", skipping: whitelist_from_rcvd *@yahoo.com
> 
> I tried your advice but I had an error line in my maillog, which is 
> shown above.
> *@yahoo.com is just for a test.

whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net

   Use this to supplement the whitelist_from addresses with a check 
against the Received headers. The first parameter is the address to 
whitelist, and the second is a string to match the relay’s rDNS.

-- 
Craig
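
Added example (not part of the original posts, and not SpamAssassin's own code): a simplified Python model of the two directives discussed above. It shows why a one-argument `whitelist_from_rcvd` line is skipped and why only the `_rcvd` form stops a forged From:. The relay names `host.example.net` and `mail.mydomain.com` are constructed, and the model assumes one address per config line.

```python
from fnmatch import fnmatchcase

def parse_rule(line):
    """Return (directive, addr_glob, rdns) or None if the line is not valid."""
    parts = line.split()
    if len(parts) == 2 and parts[0] == "whitelist_from":
        return ("whitelist_from", parts[1].lower(), None)
    # whitelist_from_rcvd needs BOTH the address and a relay rDNS string;
    # "whitelist_from_rcvd *@yahoo.com" has only one and is skipped.
    if len(parts) == 3 and parts[0] == "whitelist_from_rcvd":
        return ("whitelist_from_rcvd", parts[1].lower(), parts[2].lower())
    return None

def rdns_matches(relay_rdns, wanted):
    """True if the relay's rDNS is the given host or a host inside that domain."""
    relay_rdns = relay_rdns.lower()
    return relay_rdns == wanted or relay_rdns.endswith("." + wanted)

def is_whitelisted(rule, msg):
    directive, addr_glob, rdns = rule
    # Either the envelope sender or the From: header may match the address.
    addr_hit = any(fnmatchcase(addr.lower(), addr_glob)
                   for addr in (msg["envelope_from"], msg["header_from"]))
    if directive == "whitelist_from":
        return addr_hit                      # address alone: trivially forged
    return addr_hit and rdns_matches(msg["relay_rdns"], rdns)

# Constructed sample messages (assumptions, not taken from the thread).
FORGED = {"envelope_from": "bounce@host.example.net",   # envelope is not forged
          "header_from": "whome@mydomain.com",          # From: header is forged
          "relay_rdns": "host.example.net"}             # outside relay
INTERNAL = {"envelope_from": "alice@mydomain.com",
            "header_from": "alice@mydomain.com",
            "relay_rdns": "mail.mydomain.com"}          # internal relay

def demo():
    weak = parse_rule("whitelist_from *@mydomain.com")
    strict = parse_rule("whitelist_from_rcvd *@mydomain.com mydomain.com")
    return {
        "one_arg_rcvd_valid": parse_rule("whitelist_from_rcvd *@yahoo.com") is not None,
        "weak_forged": is_whitelisted(weak, FORGED),
        "strict_forged": is_whitelisted(strict, FORGED),
        "strict_internal": is_whitelisted(strict, INTERNAL),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
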

Re: forged spam emails from my own domain

Posted by vertito <ve...@aim-consultants.com>.
config: SpamAssassin failed to parse line, "*@yahoo.com" is not valid 
for "whitelist_from_rcvd", skipping: whitelist_from_rcvd *@yahoo.com

I tried your advice but I had an error line in my maillog, which is 
shown above.
*@yahoo.com is just for a test.


Matt Kettler wrote:

>vertito wrote:
>  
>
>>I am receiving spam emails coming from my own domain.com,
>>but that email address does not exist in my own domain.com.
>>
>>Say my domain is mydomain.com and that spam email had a FROM header that
>>shows
>>
>>whome@mydomain.com
>>
>>which is currently whitelisted in the SpamAssassin global rules and
>>currently does not exist in my users list.
>>That is why I am receiving it in my INBOX and not in the SPAM folder.
>>
>>Does anyone have an idea or a script to move this to the SPAM folder?
>>Thanks
>>    
>>
>sidenote: Do you really have to post in such a large font?
>
>Spamassassin whitelisting rules:
>
>Rule 1. Do not *EVER* use whitelist_from for your domain. EVER. This is
>a bad idea because it is easily forged. Even if your MTA rejects
>forgeries, that only applies to the envelope, where SA's whitelisting
>will match either the envelope or the From: address. Use
>whitelist_from_rcvd instead. Whitelist_from_rcvd allows you to dictate
>matching part of a Received: header, and you can use this so that only
>internal machines will match the whitelist, outside hosts won't.
>
>Rule 2. Actually, don't EVER use whitelist_from for anything if you can
>avoid it. whitelist_from_rcvd or whitelist_from_spf are always better to
>use when possible.
>
>
>And, as Craig suggested, configuring your MTA to reject forgeries of
>your domain is a good idea. This will only solve those that forge the
>envelope from, but this is a large chunk of forged spam and viruses.
>
>
>
>  
>


RE: forged spam emails from my own domain

Posted by vertito <ve...@aim-consultants.com>.
You wake me up from this one. Open community really is helpful as it is obviously a compounded
form of wisdom and knowledge base in general and details.
Thanks again, Matt!

-----Original Message-----
From: Matt Kettler [mailto:mkettler_sa@verizon.net] 
Sent: Friday, December 01, 2006 3:36 PM
To: vertito@aim-consultants.com
Cc: users@spamassassin.apache.org
Subject: Re: forged spam emails from my own domain

vertito wrote:
> I am receiving spam emails coming from my own domain.com, but that 
> email address does not exist in my own domain.com.
>
> Say my domain is mydomain.com and that spam email had a FROM header that 
> shows
>
> whome@mydomain.com
>
> which is currently whitelisted in the SpamAssassin global rules and 
> currently does not exist in my users list.
> That is why I am receiving it in my INBOX and not in the SPAM folder.
>
> Does anyone have an idea or a script to move this to the SPAM folder?
> Thanks
sidenote: Do you really have to post in such a large font?

Spamassassin whitelisting rules:

Rule 1. Do not *EVER* use whitelist_from for your domain. EVER. This is a bad idea because it is
easily forged. Even if your MTA rejects forgeries, that only applies to the envelope, where SA's
whitelisting will match either the envelope or the From: address. Use whitelist_from_rcvd instead.
Whitelist_from_rcvd allows you to dictate matching part of a Received: header, and you can use this
so that only internal machines will match the whitelist, outside hosts won't.

Rule 2. Actually, don't EVER use whitelist_from for anything if you can avoid it.
whitelist_from_rcvd or whitelist_from_spf are always better to use when possible.


And, as Craig suggested, configuring your MTA to reject forgeries of your domain is a good idea.
This will only solve those that forge the envelope from, but this is a large chunk of forged spam
and viruses.