Whitelisting of spam - forged From field in MS FE MailWatch

Discuss the ConfigServer MailScanner Front-End script
azile
Junior Member
Posts: 6
Joined: 22 Feb 2012, 13:34

Whitelisting of spam - forged From field in MS FE MailWatch

Post by azile »

Hi,

Unsure if this is a Mailscanner FE / Mailscanner topic, so I've gone for FE as this is where the logs were :)

I've just been reviewing my Mailscanner FE - MailWatch logs, and found an entry that is spam whitelisted from one of my domains in MailWatch:
myserver is my email server
oneofmydomains is, well one of my domains :)

Code:

Message Headers:
Received: from dsl-243-50-76.telkomadsl dot co dot za ([41.243.50.76])
     by myserver with smtp (Exim 4.69)
     (envelope-from <arxtap@oneofmydomains>)
     id 1S31eo-0001mN-L2
     for arxtap@oneofmydomains Thu, 01 Mar 2012 08:46:42 +0000
To: <arxtap@oneofmydomains>
Subject: arxtap@oneofmydomains Pf|zer Discount ID8308045
From: <arxtap@oneofmydomains>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
From: arxtaponeofmydomains
To:	arxtap@oneofmydomains
Subject:	arxtap@oneofmydomains Pf|zer Discount ID8308045
Size:	1.1Kb
I have whitelisting set for *@oneofmydomains, but only if it is "From:"

My question is, is there anything I can do to prevent this whitelisting, as arxtap is not a user account on oneofmydomains (In fact, there are only two email accounts on that domain, one is mine, one is the default cpanel one).

I have gone through logs, and can see no intrusion via ssh/whm etc from that IP address in South Africa.

So, is this just a case of a spammer forging the 'From:' field and there is nothing I can do about it? (As it gets whitelisted due to the forging of the field?) Or is there some configuration in Mailscanner FE that I have missed that could prevent/flag this appropriately?

Thanks for any help :)

Andy
Sarah
Moderator
Posts: 934
Joined: 09 Dec 2006, 22:49

Re: Whitelisting of spam - forged From field in MS FE MailWa

Post by Sarah »

This is a case of a spammer forging the "from" field, as you have surmised. There is little you can do about this unless you stop whitelisting the domain or email address. If you are whitelisting the address because legitimate email was being identified as spam, then you can try to find some other way around that. There are some suggestions for investigating and reducing false positives in this FAQ:
http://www.configserver.com/techfaq/index.php?faqid=52

Regards,
Sarah
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Whitelisting of spam - forged From field in MS FE MailWa

Post by Sergio »

Actually you can stop that using MCP rules.

With MCP rules you can block anything that suits your needs, here is how you can do it:

1. Go to /usr/mailscanner/etc/mcp and create a file that you can call any name but ending with ".cf"
2. In that file write any regex expression that you want to block, in your case if you want to block for "From:" you can do something like this:
header FROM_DOMAINS09 From =~ /arxtap\@oneofmydomains\.com/i
describe FROM_DOMAINS09 SPAM FORGING
score FROM_DOMAINS09 11

save the file and MCP will start working right away.

But in order for this to work, you have to configure your MailScanner to work with MCP.
The score that I wrote "11" could be any number, but that number has to be higher than what you write in your MailScanner under:
MCP High SpamAssassin Score.

For me MCP has been a really nice option to create my own antispam rules, here is one that blocks a lot of domains that I don't like in my server:

header FROM_DOMAINS04 From =~ /gfbvans|gifts4gals|guateenvios|guateoferta|guserluket|havenovembercount|hfccars|hostalmiraflores|hostingforceinc|hudsonia|i1877nogrout|ibshypnotherapyworkshops|idletiger|imc\-ip.pt|includingsharp|innovinve|isachiropractors|itemyunput|jesyson|joyouscomputer|kelkom|kenvencadav|ketchupfiber|lamejorpubli/i
describe FROM_DOMAINS04 SPAM FROM DOMAINS 04
score FROM_DOMAINS04 11

with this rule I block about 25 domains.

The best thing of all is that the rules can be adjusted any time, I mean you can add more or delete any false positive.

Sergio
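As an added illustration of the two checks discussed in this thread (not code from MailScanner, MailWatch or any poster), the script below evaluates a SpamAssassin-style MCP "header/score" rule file against a message and, separately, flags a From: that claims a locally hosted domain while the top Received: hop is not a trusted relay. The message headers, the domain "oneofmydomains.example", the IPs and the trusted-relay list are constructed placeholders, and the rule parser is a simplified stand-in for what MailScanner's MCP SpamAssassin instance does.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the thread (placeholder
# domain and RFC 5737 documentation IPs; not real data).
RAW = """Received: from dsl-client.example.net ([192.0.2.10])
\tby myserver with smtp (Exim 4.69)
\t(envelope-from <arxtap@oneofmydomains.example>)
\tfor arxtap@oneofmydomains.example; Thu, 01 Mar 2012 08:46:42 +0000
To: <arxtap@oneofmydomains.example>
Subject: arxtap@oneofmydomains.example Pf|zer Discount ID8308045
From: <arxtap@oneofmydomains.example>

body
"""
# MCP rule file contents, in the SpamAssassin-style syntax shown in the thread.
RULES = r"""header FROM_DOMAINS09 From =~ /arxtap\@oneofmydomains\.example/i
describe FROM_DOMAINS09 SPAM FORGING
score FROM_DOMAINS09 11
"""
LOCAL_DOMAINS = {"oneofmydomains.example"}  # domains this server hosts (assumed)
TRUSTED_RELAYS = {"192.0.2.1"}              # hosts allowed to submit local-domain mail (assumed)

HEADER_RULE = re.compile(r"^header\s+(\w+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)\s*$")

def parse_mcp_rules(text):
    """Return [(name, header, compiled_regex, score)] from 'header'/'score' lines."""
    rules, scores = {}, {}
    for line in text.splitlines():
        m = HEADER_RULE.match(line)
        if m:
            name, hdr, pattern, flags = m.groups()
            rules[name] = (hdr, re.compile(pattern, re.I if "i" in flags else 0))
        elif line.startswith("score "):
            _, name, value = line.split(None, 2)
            scores[name] = float(value)
    return [(n, h, rx, scores.get(n, 1.0)) for n, (h, rx) in rules.items()]

def mcp_score(raw, rules):
    """Sum the scores of every rule whose regex matches its named header."""
    msg = message_from_string(raw)
    hits = [name for name, hdr, rx, _ in rules if rx.search(msg.get(hdr, ""))]
    return sum(score for name, _, _, score in rules if name in hits), hits

def from_is_forged_local(raw):
    """True when From: claims a local domain but the first Received: hop is not a trusted relay."""
    msg = message_from_string(raw)
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("<> \t").lower()
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return from_domain in LOCAL_DOMAINS and (ip is None or ip.group(1) not in TRUSTED_RELAYS)

if __name__ == "__main__":
    score, hits = mcp_score(RAW, parse_mcp_rules(RULES))
    print("MCP score", score, "hits", hits, "forged local From:", from_is_forged_local(RAW))
```

The score of 11 only takes effect if it is above the "MCP High SpamAssassin Score" value configured in MailScanner, as Sergio notes.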