Relay thru sys in whitelist

Rose, Bobby brose@med.wayne.edu
Sat Jun 29 05:34:53 UTC 2002


DomainC is a subdomain of DomainB.  In my case, DomainC is med.wayne.edu
and DomainB is wayne.edu.  Main campus has a ldap directory where people
can forward their mail to wherever.  In our case, most people have a
forwarding address to their med.wayne.edu mailbox.  Various groups on
campus, e.g. Dept of Pub Safety, etc., send out mailings.  So this is why
the wayne.edu system is whitelisted.

Because of these, if the external system from domainA (spammer) sends
the message to the campus address, DCC doesn't reject it when
wayne.edu forwards.  DCC seems to only look at the host that connected
to hand off the message.  I would think that you'd want to look at the
originating system when checking to see if it's in the whitelist.

I understand that it's all about the message body, but whitelists are
primarily ip addresses not the message hash and Froms and Tos are easily
forged (Webshots is a prime example of that where they send their bulk
mail out using the TO address as the FROM address.)

Am I just way off here?  For the most part, DCC is working, it's just
that I'm seeing the gaping hole.

-----Original Message-----
From: Vernon Schryver [mailto:vjs@calcite.rhyolite.com] 
Sent: Friday, June 28, 2002 11:38 PM
To: dcc@calcite.rhyolite.com
Subject: RE: Relay thru sys in whitelist


> From: "Rose, Bobby" <brose@med.wayne.edu>

> ...
> that user@domainA has a mailForwardAddress set to user@domainC.  domainC
> ...
> Does this help? DomainB isn't the source of the message that was sent
> out to the internet in bulk, domainA is so it would seem that dcc
> would want to look for domainA.  DomainB has to be whitelisted because
> it does send internal bulk messages.

Should your system DomainC reject white-listed mail that mentions
domainA for other reasons, such as user@domainB reporting spam to
user@domainC?

Isn't the problem the same as what I wrote about below?  Does it matter
whether the forwarding is done by MX records, .forward files, or
something else?

> ...
> Spam filtering and MX forwarders is an awkward combination and not
> just for the DCC but for any filtering system including sendmail
> access databases.  If you white-list your MX forwarders by name or IP
> address, then you'll not reject any spam they send.  In that case, you
> probably need to install your filters on your MX forwarders.  If you
> don't white list your MX forwarders, you probably need to white-list
> any legitimate bulk mail they send, again for any filtering scheme.


What do you mean by "dcc would want to look for domainA?"  As I tried to
say, the DCC is about rejecting message bodies instead of domains. The
DCC is supposed to be fast enough to run on systems that handle at least
several 100,000 messages/day (and it does today), and so it doesn't do
regular expressions as Procmail does.

I don't think there is a third solution for any spam filter system that
honors white lists besides (1) put your filters on all of your incoming,
white-listed SMTP gateways, or (2) don't white-list your incoming SMTP
gateways.  Neither is a pleasing solution, but that comes from the
conflict between white-listing and rejecting.


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
DCC mailing list
DCC@rhyolite.com
http://www.rhyolite.com/mailman/listinfo/dcc
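The thread above turns on which host a whitelist check should look at: the forwarder that connected (what the DCC does) or the system the bulk mail originated from. The following Python is an added illustration and is not code from the DCC, from either poster, or from any campus system. It walks the Received: headers of a constructed sample message from the outermost hop inward, skips hops recorded by hosts in a trusted-forwarder list, and treats the first untrusted client address as the origin. The hostnames, the 10.0.0.0/8 campus network, and the 203.0.113.0/24 sender address are all hypothetical; the ip_address/ip_network/email modules are the Python standard library. Received: headers further inward than the first untrusted hop were written by that untrusted host and may be forged (the point made about From: and To: above applies to them too), so the walk deliberately stops there.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample (not a real message): a bulk sender hands the message to the
# campus MX, which forwards it to the departmental mailbox. The innermost
# Received: line was written by the bulk sender itself and claims a campus
# address; nothing we control vouches for it.
SAMPLE_MESSAGE = """\
Received: from mx1.example-campus.test (mx1.example-campus.test [10.1.2.3])
\tby mail.example-med.test with ESMTP; Sat, 29 Jun 2002 05:30:00 +0000
Received: from bulk.example-sender.test (unknown [203.0.113.45])
\tby mx1.example-campus.test with SMTP; Sat, 29 Jun 2002 05:29:50 +0000
Received: from forged.example.test ([10.9.9.9])
\tby bulk.example-sender.test; Sat, 29 Jun 2002 05:29:40 +0000
From: someone@example-med.test
To: someone@example-med.test
Subject: constructed sample

body
"""

# Hypothetical policy: the campus network (stand-in for the wayne.edu MXes) is
# both a trusted forwarder, whose Received: lines we believe, and whitelisted,
# because it legitimately sends internal bulk mail.
TRUSTED_FORWARDERS = [ip_network("10.0.0.0/8")]
WHITELIST = [ip_network("10.0.0.0/8")]

# Naive IPv4 extraction: the "[a.b.c.d]" the receiving MTA recorded for its client.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Client IP recorded in each Received: header, outermost (newest) first."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        ips.append(ip_address(m.group(1)) if m else None)
    return ips


def in_any(ip, networks):
    return ip is not None and any(ip in net for net in networks)


def originating_ip(raw_message, trusted=TRUSTED_FORWARDERS):
    """First client address that is not a trusted forwarder, walking inward.

    Each Received: line was written by the host named in the previous line, so
    as long as the client of a line is trusted, the next line is trustworthy
    too. The first untrusted client is the origin; everything inside it was
    written by that host and is ignored. Returns None if every hop is trusted.
    """
    for ip in received_ips(raw_message):
        if not in_any(ip, trusted):
            return ip
    return None


def whitelisted(raw_message, by_origin=True):
    """Whitelist decision for the message.

    by_origin=False checks only the host that connected to us, the behaviour
    described in the thread; by_origin=True checks the originating host
    instead, falling back to the connecting host for purely internal mail.
    """
    ips = received_ips(raw_message)
    if not ips:
        return False
    origin = originating_ip(raw_message) if by_origin else ips[0]
    if origin is None:  # all hops trusted: mail started inside the network
        origin = ips[0]
    return in_any(origin, WHITELIST)


if __name__ == "__main__":
    print("connecting host:", received_ips(SAMPLE_MESSAGE)[0])
    print("originating host:", originating_ip(SAMPLE_MESSAGE))
    print("whitelisted by connecting host:", whitelisted(SAMPLE_MESSAGE, by_origin=False))
    print("whitelisted by origin:", whitelisted(SAMPLE_MESSAGE, by_origin=True))
```

On the sample, the connecting host (10.1.2.3) is whitelisted, so a check on the connecting host alone accepts the message; a check on the origin (203.0.113.45) does not. The trusted-forwarder list is the piece that makes this safe: an address that appears only in a Received: line written by an untrusted host, like the 10.9.9.9 in the sample, never reaches the whitelist check.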