
Mailing List Archive: SpamAssassin: users

Block all incoming mail from domain except certain users?

 

 



liam at printingautomation

Oct 10, 2008, 8:05 AM

Post #1 of 15 (386 views)
Block all incoming mail from domain except certain users?

I'm noticing we're getting a lot of spam coming through with a from
address of our own domain. This gives spamassassin an automatic -100 on
the score pretty much guaranteeing that it'll not get flagged as spam.
Since we have a limited number of people using that domain, is there a
way to tell spamassassin to block or at least give a really bad score to
any email with a FROM as coming from our domain but is not a user (left
of @ sign) that isn't one of these X addresses?

Thanks for any advice!
Liam


mouss at netoyen

Oct 10, 2008, 8:14 AM

Post #2 of 15 (379 views)
Re: Block all incoming mail from domain except certain users?

Liam-PrintingAutomation wrote:
> I'm noticing we're getting a lot of spam coming through with a from
> address of our own domain. This gives spamassassin an automatic -100 on
> the score pretty much guaranteeing that it'll not get flagged as spam.
>

Please repost your mail "correctly". Do not hijack unrelated threads: do
not reply to an unrelated message. Compose a new message instead.


> Since we have a limited number of people using that domain, is there a
> way to tell spamassassin to block or at least give a really bad score to
> any email with a FROM as coming from our domain but is not a user (left
> of @ sign) that isn't one of these X addresses?
>

This is a common configuration error. Don't whitelist mail from your
domain.


ned at unixmail

Oct 10, 2008, 8:27 AM

Post #3 of 15 (379 views)
Re: Block all incoming mail from domain except certain users?

Liam-PrintingAutomation wrote:
> I'm noticing we're getting a lot of spam coming through with a from
> address of our own domain. This gives spamassassin an automatic -100 on
> the score pretty much guaranteeing that it'll not get flagged as spam.
> Since we have a limited number of people using that domain, is there a
> way to tell spamassassin to block or at least give a really bad score to
> any email with a FROM as coming from our domain but is not a user (left
> of @ sign) that isn't one of these X addresses?
>
> Thanks for any advice!
> Liam
>


Presumably this is because you've whitelisted your whole domain. For
example:

whitelist_from *@mydomain.tld

but some more information as to exactly how these mails are being
assigned -100 would be useful. Assuming the above, IMHO this is a Bad
Idea for the reasons you've just discovered.

If you're going to whitelist like this, maybe try *only* whitelisting
legitimate accounts:

whitelist_from user1@mydomain.tld
whitelist_from user2@mydomain.tld
etc...

which would achieve what you've asked for.

Personally, I don't whitelist any of my domains and just leave SA to get
on with it and scan my mail as normal. If I get any problematic mails
then I add a rule on a case by case basis (usually a meta rule). For
example, if the MD always sends a "monthly sales figures" mail that gets
snagged by SA I'd write a meta rule to detect mail from the MD with the
subject containing "monthly sales figures" and give it a negative score
as appropriate.

Other measures like SPF would allow you to specify servers allowed to
send mail for your domain(s) but they're not going to help when a
whitelisting score of -100 is arbitrarily applied to all mails.


liam at printingautomation

Oct 10, 2008, 8:42 AM

Post #4 of 15 (378 views)
Re: Block all incoming mail from domain except certain users?

mouss wrote:
> Liam-PrintingAutomation wrote:
>
>> I'm noticing we're getting a lot of spam coming through with a from
>> address of our own domain. This gives spamassassin an automatic -100 on
>> the score pretty much guaranteeing that it'll not get flagged as spam.
>>
>>
>
> Please repost your mail "correctly". Do not hijack unrelated threads: do
> not reply to an unrelated message. Compose a new message instead.
>
>
Sorry. I didn't realize I was hijacking anything since I completely
replaced the subject line and used all new text body.
I had no idea that doing that was somehow not creating a "new" message
for all intents and purposes.
Sorry.
Liam


mouss at netoyen

Oct 10, 2008, 8:55 AM

Post #5 of 15 (378 views)
Re: Block all incoming mail from domain except certain users?

Liam-PrintingAutomation wrote:
> Sorry. I didn't realize I was hijacking anything since I completely
> replaced the subject line and used all new text body.
> I had no idea that doing that was somehow not creating a "new" message
> for all intents and purposes.
>

Now you know ;-p Google for "thread hijacking" to learn more.

Your mailer probably has distinct "new" and "reply to" buttons. You
don't think the mailer developers did so because they like adding
buttons :)


hamann.w at t-online

Oct 10, 2008, 11:41 AM

Post #6 of 15 (369 views)
Re: Block all incoming mail from domain except certain users?

>>
>> I'm noticing we're getting a lot of spam coming through with a from
>> address of our own domain. This gives spamassassin an automatic -100 on
>> the score pretty much guaranteeing that it'll not get flagged as spam.
>> Since we have a limited number of people using that domain, is there a
>> way to tell spamassassin to block or at least give a really bad score to
>> any email with a FROM as coming from our domain but is not a user (left
>> of @ sign) that isn't one of these X addresses?
>>
>> Thanks for any advice!
>> Liam

Hi Liam,

Why not outright block these messages at the MTA? Suppose you use SPF or DKIM,
then these mails would fail for policy.

Wolfgang


me at junc

Oct 10, 2008, 12:01 PM

Post #7 of 15 (369 views)
Re: Block all incoming mail from domain except certain users?

On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:
> any email with a FROM as coming from our domain but is not a user (left
> of @ sign) that isn't one of these X addresses?

What rule gives -100?

There are a number of ways to make sure it's not giving -100 to own domains
that is sent outside of localhost or even from localhost also.

Adjust the score -100 to something like -0.01 and make use of DKIM/SPF to
compensate for real users that send correctly, not just have your domain in
sender from.

How is your

trusted_networks
internal_networks
msa_networks

?

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::DKIM
perldoc Mail::SpamAssassin::Plugin::SPF

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


me at junc

Oct 10, 2008, 12:03 PM

Post #8 of 15 (369 views)
Re: Block all incoming mail from domain except certain users?

On Fri, October 10, 2008 17:14, mouss wrote:

> This is a common configuration error. don't whitelist mail from your
> domain.

Also wrong advice without known config; whitelist is OK if it can't be abused.


--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


guenther at rudersport

Oct 10, 2008, 12:09 PM

Post #9 of 15 (369 views)
Re: Block all incoming mail from domain except certain users?

On Fri, 2008-10-10 at 21:03 +0200, Benny Pedersen wrote:
> On Fri, October 10, 2008 17:14, mouss wrote:
>
> > This is a common configuration error. don't whitelist mail from your
> > domain.
>
> Also wrong advice without known config; whitelist is OK if it can't be abused.

Err. Did you read the original question? Obviously, it is being abused.


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


guenther at rudersport

Oct 10, 2008, 1:39 PM

Post #10 of 15 (369 views)
Re: Block all incoming mail from domain except certain users?

On Fri, 2008-10-10 at 17:14 +0200, mouss wrote:
> Liam-PrintingAutomation wrote:

> > I'm noticing we're getting a lot of spam coming through with a from
> > address of our own domain. This gives spamassassin an automatic -100 on
> > the score pretty much guaranteeing that it'll not get flagged as spam.

> > Since we have a limited number of people using that domain, is there a
> > way to tell spamassassin to block or at least give a really bad score to
> > any email with a FROM as coming from our domain but is not a user (left
> > of @ sign) that isn't one of these X addresses?
>
> This is a common configuration error. don't whitelist mail from your
> domain.

Ah, finally found the wiki page explaining to use whitelist_from_rcvd
rather than whitelist_from.
http://wiki.apache.org/spamassassin/WhitelistingEverybody

If you properly constrain your whitelisting, you can do so for the
entire domain, instead of adding one line per user. Also have a look
here:
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options

HTH

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


uhlar at fantomas

Oct 11, 2008, 6:27 AM

Post #11 of 15 (365 views)
Re: Block all incoming mail from domain except certain users?

> On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:
> > any email with a FROM as coming from our domain but is not a user (left
> > of @ sign) that isn't one of these X addresses?

On 10.10.08 21:01, Benny Pedersen wrote:
> what rule gives -100 ?

Whitelist, of course: "any email with a FROM as coming from our domain"
That's a common mistake of adding local domain to whitelist_from, often used
by spammers to get mail through.

> There are a number of ways to make sure it's not giving -100 to own domains
> that is sent outside of localhost or even from localhost also.
>
> Adjust the score -100 to something like -0.01 and make use of DKIM/SPF to
> compensate for real users that send correctly, not just have your domain in
> sender from.

Simply using whitelist_auth or whitelist_from_rcvd instead of whitelist_from
should be enough.
--
Matus UHLAR - fantomas, uhlar[at]fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.


karlp at ourldsfamily

Oct 11, 2008, 10:37 AM

Post #12 of 15 (354 views)
Re: Block all incoming mail from domain except certain users?

On Sat, 11 Oct 2008, Matus UHLAR - fantomas wrote:

>> On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:
>>> any email with a FROM as coming from our domain but is not a user (left
>>> of @ sign) that isn't one of these X addresses?
>
> On 10.10.08 21:01, Benny Pedersen wrote:
>> what rule gives -100 ?
>
> Whitelist, of course: "any email with a FROM as coming from our domain"
> That's a common mistake of adding local domain to whitelist_from, often used
> by spammers to get mail through.
>
>> There are a number of ways to make sure it's not giving -100 to own domains
>> that is sent outside of localhost or even from localhost also.
>>
>> Adjust the score -100 to something like -0.01 and make use of DKIM/SPF to
>> compensate for real users that send correctly, not just have your domain in
>> sender from.
>
> Simply using whitelist_auth or whitelist_from_rcvd instead of whitelist_from
> should be enough.

I use whitelist_from_rcvd but am not sure I use it right:

whitelist_from_rcvd root@mail.ourldsfamily.com ourldsfamily.com

Is that right?

Also, I've never heard of whitelist_auth and am curious to see an example.
Would using both _auth and _from_rcvd be good/better/worse?

Karl


> --
> Matus UHLAR - fantomas, uhlar[at]fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> - Holmes, what kind of school did you study to be a detective?
> - Elementary, Watson.
>

---
_/ _/ _/ _/_/_/ ____________ __o
_/ _/ _/ _/ _/ ____________ _-\\<._
_/_/ _/ _/_/_/ (_)/ (_)
_/ _/ _/ _/ ......................
_/ _/ arl _/_/_/ _/ earson KarlP[at]ourldsfamily.com
---
http://consulting.ourldsfamily.com
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---


mouss at netoyen

Oct 11, 2008, 3:35 PM

Post #13 of 15 (349 views)
Re: Block all incoming mail from domain except certain users?

Karl Pearson wrote:
> On Sat, 11 Oct 2008, Matus UHLAR - fantomas wrote:
>
>>> On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:
>>>> any email with a FROM as coming from our domain but is not a user
>>>> (left
>>>> of @ sign) that isn't one of these X addresses?
>>
>> On 10.10.08 21:01, Benny Pedersen wrote:
>>> what rule gives -100 ?
>>
>> Whitelist, of course: "any email with a FROM as coming from our domain"
>> That's a common mistake of adding local domain to whitelist_from, often
>> used by spammers to get mail through.
>>
>>> There are a number of ways to make sure it's not giving -100 to own
>>> domains that is sent outside of localhost or even from localhost also.
>>>
>>> Adjust the score -100 to something like -0.01 and make use of
>>> DKIM/SPF to compensate for real users that send correctly, not just
>>> have your domain in sender from.
>>
>> Simply using whitelist_auth or whitelist_from_rcvd instead of
>> whitelist_from should be enough.
>
> I use whitelist_from_rcvd but am not sure I use it right:
>
> whitelist_from_rcvd root@mail.ourldsfamily.com ourldsfamily.com
>
> Is that right?

In general, yes.

This wouldn't be right if ourldsfamily.com is a large domain with "bad"
clients. For example, you wouldn't do that with a (large) ISP.

>
> Also, I've never heard of whitelist_auth and am curious to see an
> example. Would using both _auth and _from_rcvd be good/better/worse?


whitelist_auth whitelists the message under SPF or DKIM or DK success.

The right combination depends on the domain.
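
[Added example, not part of the original thread or any poster's configuration.] The three whitelist directives discussed above, side by side in a SpamAssassin local.cf. The file path, example.com and the 192.0.2.0/24 network are placeholders chosen for illustration.

```conf
# /etc/mail/spamassassin/local.cf   (path is an assumption)

# Weak: matches on the From address alone, which any sender can forge.
# This is the line that hands forged "own domain" mail the whitelist score.
# whitelist_from *@example.com

# Constrained by relay: the address must match AND the relay that handed
# the message to your trusted network must have reverse DNS in example.com.
whitelist_from_rcvd *@example.com example.com

# Constrained by authentication: the address must match AND the message
# must pass SPF or DKIM for that address (SPF/DKIM plugins must be loaded).
whitelist_auth *@example.com

# whitelist_from_rcvd is only as reliable as SpamAssassin's view of which
# relays are yours, so declare them explicitly (placeholder network).
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24
```

After changing the file, `spamassassin --lint` checks the configuration for syntax errors.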


brennan at columbia

Oct 11, 2008, 9:10 PM

Post #14 of 15 (346 views)
Re: Block all incoming mail from domain except certain users?

>> any email with a FROM as coming from our domain but is not a user (left
>> of @ sign)

You might be able to get your MTA to check that, the same as it does
for recipients. You know what addresses are valid @ your own domain,
so it's reasonable to refuse mail from any others. We have sendmail
doing this during check_mail. It stops 2% of our incoming. You use
postfix and I am not familiar with how it might be done with that.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology


mouss at netoyen

Oct 12, 2008, 2:31 AM

Post #15 of 15 (342 views)
Re: Block all incoming mail from domain except certain users?

Joseph Brennan wrote:
>
>>> any email with a FROM as coming from our domain but is not a user (left
>>> of @ sign)
>
> You might be able to get your MTA to check that, the same as it does
> for recipients. You know what addresses are valid @ your own domain,
> so it's reasonable to refuse mail from any others. We have sendmail
> doing this during check_mail. It stops 2% of our incoming. You use
> postfix and I am not familiar with how it might be done with that.

smtpd_reject_unlisted_sender = yes

In some cases, you may want to accept "unlisted" senders from your own
machines (software installed on a few machines that sends mail as its own
user, but this user is not added on the mail server). If so, instead of the
above, use
reject_unlisted_sender
in smtpd restrictions, after having allowed "trusted" mail
(permit_mynetworks, ...).
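
[Added example, not part of the original thread.] The two Postfix options described in the last post, written out as a main.cf fragment. The file path and the other entries in the restriction list are assumptions about a typical setup, not taken from any poster's server.

```conf
# /etc/postfix/main.cf   (constructed example)

# Option 1: global switch. Rejects any envelope sender in a domain this
# server handles when the address is not a known user there. Applies to
# every client, including your own machines.
#smtpd_reject_unlisted_sender = yes

# Option 2: leave the global switch off and apply the check as a
# restriction placed after the rules that accept trusted clients, so
# local hosts can still send as unlisted users.
smtpd_reject_unlisted_sender = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_sender
```

This check acts on the SMTP envelope sender (MAIL FROM), not the From: header, so a message with a forged header and a different envelope sender still reaches SpamAssassin and needs the constrained whitelist there.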
