This post documents a workaround I have put in place in SpamAssassin for the increasing amount of spam being received at the spoofed address all@ourdomain. Some users are receiving over 20 such messages a day, all of it spam. The workaround is equally relevant for other addresses at which mail isn’t expected from offsite.
Most of the spam received To: all@ourdomain is actually addressed to individuals; only the To: line in the letter header of the message has been altered to make it appear as if the message is To: all@ourdomain. Only a handful of messages are sent directly To: all@ourdomain, and this is a mailing list for which messages have to be approved before going out, so spam can be filtered out by eye.
These spoofed messages aren’t being flagged as spam partly because the spammers have gotten too good for our filters, and partly because users are whitelisting addresses within the domain, such as all@domain, to which the spam is coming.
Workaround
The workaround is based on the fact that all legitimate mail which is To: all@ourdomain (i.e. in the envelope headers) arrives internally, or via the SMTPauth server, whereby it is treated as internal. Since a header can be added to internal mail, one can whitelist messages on detection of that header. I set things up so that the whitelist score has a larger magnitude than the global blacklist score placed on messages to all@domain. The procedure to set this up was as follows:
- Add a custom header to all messages that are sent within the domain. This is accomplished with the following line in the sendmail.mc file from which sendmail.cf is built:

    HX-SNS: School Of Natural Sciences

- Whitelist on detection of the header. In /etc/mail/spamassassin/local.cf we add:

    # /i because sendmail writes "School Of ..." while the pattern says "of"
    header   SENT_FROM_SNS  X-SNS =~ /School\ of\ Natural\ Sciences/i
    describe SENT_FROM_SNS  We know this message was sent from SNS
    # the score line must name the same rule as the header line
    score    SENT_FROM_SNS  -110.0
- Blacklist messages To: all@ourdomain. In /etc/mail/spamassassin/local.cf we add:

    blacklist_to all@domain
    # blacklist_to fires USER_IN_BLACKLIST_TO (USER_IN_BLACKLIST belongs to blacklist_from)
    score USER_IN_BLACKLIST_TO 100.0
Workflow
All messages which are addressed To: all@ourdomain in the envelope header are sent to a mailing list for approval. The messages which are spam are deleted at this stage. The messages which are not spam are approved.
All messages which are addressed To: all@ourdomain in the letter header are blacklisted unless an X-SNS header is found, in which case the larger whitelist value is applied so that they make it to the user’s Inbox.
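To make the interaction of the two local.cf rules concrete, here is a small Python simulation of how SpamAssassin would total them for the three kinds of message the workflow above describes. This is added example code, not part of the original post or of SpamAssassin itself; the sample messages, the threshold of 5.0 (SpamAssassin's default required_score) and the header names are constructed to match the post.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Rule set mirroring the post's local.cf (constructed for this example).
BLACKLIST_TO = {"all@domain"}            # blacklist_to all@domain
USER_IN_BLACKLIST_TO_SCORE = 100.0       # score USER_IN_BLACKLIST_TO 100.0
SNS_HEADER_RE = re.compile(r"School of Natural Sciences", re.IGNORECASE)
SENT_FROM_SNS_SCORE = -110.0             # score SENT_FROM_SNS -110.0
REQUIRED_SCORE = 5.0                     # SpamAssassin default threshold


def score_message(raw: str) -> dict:
    """Apply the two rules to an RFC 822 message and return hits and total."""
    msg = message_from_string(raw)
    hits = {}

    # blacklist_to matches recipients in the message's To:/Cc: headers,
    # i.e. the letter header the spammers forge, not the envelope.
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if {a.lower() for _, a in addrs} & BLACKLIST_TO:
        hits["USER_IN_BLACKLIST_TO"] = USER_IN_BLACKLIST_TO_SCORE

    # header SENT_FROM_SNS X-SNS =~ /School\ of\ Natural\ Sciences/i
    x_sns = msg.get("X-SNS")
    if x_sns is not None and SNS_HEADER_RE.search(x_sns):
        hits["SENT_FROM_SNS"] = SENT_FROM_SNS_SCORE

    total = sum(hits.values())
    return {"hits": hits, "score": total, "is_spam": total >= REQUIRED_SCORE}


# Constructed sample messages (not real mail).
SPOOFED = ("From: someone@example.net\nTo: all@domain\n"
           "Subject: offer\n\nspam body\n")                 # forged To:, no marker
INTERNAL = ("From: staff@domain\nTo: all@domain\n"
            "X-SNS: School Of Natural Sciences\n"
            "Subject: notice\n\nreal announcement\n")       # marker added by sendmail
OTHER = ("From: friend@example.net\nTo: alice@domain\n"
         "Subject: hi\n\nhello\n")                          # neither rule applies

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL), ("other", OTHER)):
        print(name, score_message(raw))
```

The spoofed message ends at +100 and is tagged; the internal one nets -110 + 100 = -10 and passes, which is the ordering the post relies on.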
better ways like what?
Comment by Risto — August 29, 2006 @ 2:04 pm
Risto,
That text you see is a trackback. Chris wrote a post on How to Improve Whitelists (click his comment to see it). In it he references my post: “there are better ways of dealing with that issue”. It’s a product of the way trackbacks work that you see the text of that reference he made to my post.
Best,
James
Comment by James Stephens — August 29, 2006 @ 2:20 pm