Spam Filter ISP Support Forum


Whitelisting problem

MartinC (Newbie)
Joined: 29 July 2005
Status: Offline
Points: 25
Topic: Whitelisting problem
Posted: 29 July 2005 at 7:50am
Not sure if there is any way around this one..

We have some standard email addresses that we whitelist, jobs@, administrator@ and so on.
We also have the honeypot option switched on ... this seems to work well; I've spotted some junk ones that get sent to regularly, jerry@oursite, joe@oursite, and have listed these.

I've noticed some spam getting through the last few days that I would expect to get blocked - it has honeypot email addresses being used and also content that should be blocked.

However, spammers are starting the SMTP session with one of the whitelisted addresses (I think BCC-ed) and then the rest of the message is sent on to 5-10 other people.

Any way I can stop this?

I don't mind the message going to the whitelisted users, but ideally I would like to stop the spam to other users.

An example logfile looks something like this...

07/29/05 07:40:57:932 -- (1284) Resolving 218.98.202.108 - Not found
07/29/05 07:40:58:026 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:40:58:026 -- (1284) - MAPS search done... 521 The IP 218.98.202.108 is Blacklisted by sbl-xbl.spamhaus.org. http://www.spamhaus.org/query/bl?ip=218.98.202.108
07/29/05 07:40:58:026 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.taylor@testaddress.com will be rejected
07/29/05 07:40:58:354 -- (780) Disconnect
07/29/05 07:40:58:573 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:40:58:573 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.wetherall@testaddress.com will be rejected
07/29/05 07:40:59:619 -- (1664) Disconnect
07/29/05 07:41:00:745 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:41:00:745 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.wynne@testaddress.com will be rejected
07/29/05 07:41:00:838 -- (1664) Connection from: 80.178.152.88  -  Originating country : Israel
07/29/05 07:41:01:291 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:41:01:307 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.young1@testaddress.com will be rejected
07/29/05 07:41:01:870 -- (1284) Bypassed all rules for: jobs@testaddress.com from OFBZJD@yahoo.com ( Whitelisted EMail Address To)
07/29/05 07:41:02:432 -- (1284) Bypassed all rules for: jonet@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:03:010 -- (1284) Bypassed all rules for: k.holden@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:03:604 -- (1284) Bypassed all rules for: k.mckelvie@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:04:151 -- (1284) Bypassed all rules for: k.wright@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:04:745 -- (1284) Bypassed all rules for: k.wrighv@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:05:604 -- (780) Connection from: 222.140.195.81  -  Originating country : China
07/29/05 07:41:07:667 -- (1284) EMail from OFBZJD@yahoo.com to j.taylor@testaddress.com, j.wetherall@testaddress.com, j.wynne@testaddress.com, j.young1@testaddress.com, jobs@testaddress.com, jonet@testaddress.com, k.holden@testaddress.com, k.mckelvie@testaddress.com, k.wright@testaddress.com, k.wrighv@testaddress.com was queued. Size: 1 KB, 1024 bytes
07/29/05 07:41:07:682 -- (464) Sending email from OFBZJD@yahoo.com to j.taylor@testaddress.com, j.wetherall@testaddress.com, j.wynne@testaddress.com, j.young1@testaddress.com, jobs@testaddress.com, jonet@testaddress.com, k.holden@testaddress.com, k.mckelvie@testaddress.com, k.wright@testaddress.com, k.wrighv@testaddress.com

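As an added example (not part of this thread and not SpamFilter's own code), a small Python audit that reads log lines in the format quoted above and reports, per SMTP session, recipients that were individually rejected yet still delivered because another recipient of the same message was whitelisted. It assumes the number in parentheses identifies the session thread and that the line layout stays as shown; the sample log is a constructed subset of the lines from the post.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed copy of the session pattern quoted in the
# post (thread 1284), interleaved with an unrelated connection on thread 780.
SAMPLE_LOG = """\
07/29/05 07:40:58:026 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.taylor@testaddress.com will be rejected
07/29/05 07:40:58:573 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.wetherall@testaddress.com will be rejected
07/29/05 07:41:01:870 -- (1284) Bypassed all rules for: jobs@testaddress.com from OFBZJD@yahoo.com ( Whitelisted EMail Address To)
07/29/05 07:41:02:432 -- (1284) Bypassed all rules for: jonet@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:05:604 -- (780) Connection from: 222.140.195.81  -  Originating country : China
07/29/05 07:41:07:667 -- (1284) EMail from OFBZJD@yahoo.com to j.taylor@testaddress.com, j.wetherall@testaddress.com, jobs@testaddress.com, jonet@testaddress.com was queued. Size: 1 KB, 1024 bytes
"""

# Assumed layout: "<date> <time> -- (<thread id>) <message>"
LINE_RE = re.compile(r"^\S+ \S+ -- \((?P<tid>\d+)\) (?P<msg>.*)$")
REJECT_RE = re.compile(r"Mail from: (?P<sender>\S+) To: (?P<rcpt>\S+) will be rejected")
BYPASS_RE = re.compile(r"Bypassed all rules for: (?P<rcpt>\S+) from (?P<sender>\S+)(?P<why>.*)")
QUEUED_RE = re.compile(r"EMail from (?P<sender>\S+) to (?P<rcpts>.+?) was queued")

def audit(log_text):
    """Per thread id, list recipients that were rejected at RCPT time but
    still appear in the queued message, when a whitelisted recipient caused
    the bypass. Returns {} when no session shows the pattern."""
    sessions = defaultdict(lambda: {"rejected": set(), "whitelisted": set(), "queued_to": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["tid"]], m["msg"]
        if r := REJECT_RE.search(msg):
            s["rejected"].add(r["rcpt"])
        elif b := BYPASS_RE.search(msg):
            # Only the first bypass line carries the reason; later ones inherit it.
            if "Whitelisted" in b["why"]:
                s["whitelisted"].add(b["rcpt"])
        elif q := QUEUED_RE.search(msg):
            s["queued_to"].update(a.strip() for a in q["rcpts"].split(","))
    findings = {}
    for tid, s in sessions.items():
        leaked = s["rejected"] & s["queued_to"]
        if s["whitelisted"] and leaked:
            findings[tid] = {"whitelisted": sorted(s["whitelisted"]), "leaked": sorted(leaked)}
    return findings
```

Running `audit` over a day's log gives a per-session list of which whitelisted address was used and which otherwise-rejected mailboxes received the message.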
MartinC (Guest Group)
Posted: 06 September 2005 at 6:47am
Anyone? We are still having this problem: spam that should be blocked is getting through to us if the first recipient is set to be unfiltered in SpamFilter.

Usual scenario - spammer sends to us, they get blocked..

With this, spammer sends to us... gets blocked, tries again, gets blocked, then sends to jobs@example.com - this is allowed through,
then any recipients after that seem to get through.

Is this a known problem... something we can fix?
LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4065
Posted: 06 September 2005 at 4:19pm
MartinC,

The original post fell through the cracks and went unanswered, sorry.

When an email arrives and one of its recipients is whitelisted, SpamFilter will skip all filtering rules for it and will deliver it. If there are multiple recipients, they will be receiving it as well. There is no "fix" for this, as this is how SpamFilter works. It is not able to "break apart" an email and forward it on to some recipients while blocking and quarantining it for others. Sorry.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
MartinC (Guest Group)
Posted: 07 September 2005 at 5:35am
Thanks Roberto.. no worries.

It's a bit of a pain since I'm seeing a bit of spam like this daily, but I guessed this would be normal behaviour with the other recipients being part of the message as CC or BCCs.

Still, it's a bit of a loophole if spammers spot this behaviour and notice that postmaster and various other standard whitelisted names allow them to mail anyone else in an organisation (e.g. sales, accounts, jobs, foi and similar).

Am I the only person spotting this then?

Is there any mileage in changing some of the SMTP settings like max recipients per connection... I'm guessing the spammers try and send to a big list after the first accepted connection.
Alan (Groupie)
Joined: 06 May 2005
Location: United States
Status: Offline
Points: 43
Posted: 07 September 2005 at 1:25pm
Here's a thought: how about setting up a tag such as ":exclusive" so that you can set a user to be whitelisted only if they are the only recipient? This doesn't completely solve the problem and introduces some new issues, but it does address the exploit that MartinC is referring to.

(I am guessing this is not going to be possible, but worth asking at least.)