
Whitelisting problem

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5284
Printed Date: 15 December 2017 at 5:24am


Topic: Whitelisting problem
Posted By: MartinC
Subject: Whitelisting problem
Date Posted: 29 July 2005 at 7:50am
not sure if there is any way around this one..

we have some standard email addresses that we whitelist, jobs@, administrator@ and so on.
we also have the honeypot option switched on ... this seems to work well, I've spotted some junk ones that get sent regularly jerry@oursite, joe@oursite and have listed these.

I've noticed some spam getting through the last few days that I would expect to get blocked - has honeypot email addresses being used and also content that should be blocked.

however spammers are starting the smtp session with one of the whitelisted addresses (I think BCC-ed) and then the rest of the message is sent onto 5-10 other people.

any way I can stop this?

I don't mind the message going to the whitelisted users, but ideally would like to stop the spam to other users.

an example logfile looks something like this...

07/29/05 07:40:57:932 -- (1284) Resolving 218.98.202.108 - Not found
07/29/05 07:40:58:026 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:40:58:026 -- (1284) - MAPS search done... 521 The IP 218.98.202.108 is Blacklisted by sbl-xbl.spamhaus.org. http://www.spamhaus.org/query/bl?ip=218.98.202.108
07/29/05 07:40:58:026 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.taylor@testaddress.com will be rejected
07/29/05 07:40:58:354 -- (780) Disconnect
07/29/05 07:40:58:573 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:40:58:573 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.wetherall@testaddress.com will be rejected
07/29/05 07:40:59:619 -- (1664) Disconnect
07/29/05 07:41:00:745 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:41:00:745 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.wynne@testaddress.com will be rejected
07/29/05 07:41:00:838 -- (1664) Connection from: 80.178.152.88  -  Originating country : Israel
07/29/05 07:41:01:291 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:41:01:307 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.young1@testaddress.com will be rejected
07/29/05 07:41:01:870 -- (1284) Bypassed all rules for: jobs@testaddress.com from OFBZJD@yahoo.com ( Whitelisted EMail Address To)
07/29/05 07:41:02:432 -- (1284) Bypassed all rules for: jonet@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:03:010 -- (1284) Bypassed all rules for: k.holden@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:03:604 -- (1284) Bypassed all rules for: k.mckelvie@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:04:151 -- (1284) Bypassed all rules for: k.wright@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:04:745 -- (1284) Bypassed all rules for: k.wrighv@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:05:604 -- (780) Connection from: 222.140.195.81  -  Originating country : China
07/29/05 07:41:07:667 -- (1284) EMail from OFBZJD@yahoo.com to j.taylor@testaddress.com, j.wetherall@testaddress.com, j.wynne@testaddress.com, j.young1@testaddress.com, jobs@testaddress.com, jonet@testaddress.com, k.holden@testaddress.com, k.mckelvie@testaddress.com, k.wright@testaddress.com, k.wrighv@testaddress.com was queued. Size: 1 KB, 1024 bytes
07/29/05 07:41:07:682 -- (464) Sending email from OFBZJD@yahoo.com to j.taylor@testaddress.com, j.wetherall@testaddress.com, j.wynne@testaddress.com, j.young1@testaddress.com, jobs@testaddress.com, jonet@testaddress.com, k.holden@testaddress.com, k.mckelvie@testaddress.com, k.wright@testaddress.com, k.wrighv@testaddress.com




Replies:
Posted By: Guests
Date Posted: 06 September 2005 at 6:47am
anyone? we are still having this problem, spam that should be blocked getting through to us if the first recipient is set to be unfiltered in Spamfilter.

usual scenario - spammer sends to us, they get blocked..

with this, spammer sends to us... gets blocked, tries again, gets blocked, then sends to jobs@example.com - this is allowed through,
then any recipients after that seem to get through.

is this a known problem... something we can fix?


Posted By: LogSat
Date Posted: 06 September 2005 at 4:19pm
MartinC,

The original post fell thru the crack and went unanswered, sorry.

When an email arrives, and one of its recipients is whitelisted, SpamFilter will skip all filtering rules for it and will deliver it. If there are multiple recipients, they will be receiving it as well. There is no "fix" for this as this is how SpamFilter works. It is not able to "break apart" an email and forward it on to some recipients while blocking and quarantining it for others. Sorry.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
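
A log check for the behaviour described in the reply above, as an added example that is not part of the thread or LogSat's code: it flags queued messages in which a whitelisted recipient carried other recipients past filtering. It assumes the parenthesised number identifies the connection and that line formats match the excerpt in the original post; the sample lines are condensed from that excerpt.

```python
import re
from collections import defaultdict

# Sample lines condensed from the log excerpt in the original post.
SAMPLE_LOG = """\
07/29/05 07:40:58:026 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.taylor@testaddress.com will be rejected
07/29/05 07:40:58:354 -- (780) Disconnect
07/29/05 07:41:00:745 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.wynne@testaddress.com will be rejected
07/29/05 07:41:01:870 -- (1284) Bypassed all rules for: jobs@testaddress.com from OFBZJD@yahoo.com ( Whitelisted EMail Address To)
07/29/05 07:41:02:432 -- (1284) Bypassed all rules for: jonet@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:07:667 -- (1284) EMail from OFBZJD@yahoo.com to j.taylor@testaddress.com, j.wynne@testaddress.com, jobs@testaddress.com, jonet@testaddress.com was queued. Size: 1 KB, 1024 bytes
"""

# Assumption: "(1284)" is a per-connection id that may be reused later.
LINE = re.compile(r"^\S+ \S+ -- \((\d+)\) (.*)$")
REJECTED = re.compile(r"Mail from: \S+ To: (\S+) will be rejected")
BYPASS = re.compile(r"Bypassed all rules for: (\S+) from \S+(.*)")
QUEUED = re.compile(r"EMail from (\S+) to (.+) was queued")

def find_whitelist_piggyback(log_text):
    """One finding per queued message that rode in on a whitelisted recipient."""
    state = defaultdict(lambda: {"rejected": set(), "whitelisted": set()})
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn, msg = m.groups()
        if msg.startswith("Connection from") or msg == "Disconnect":
            state.pop(conn, None)          # id is free for a new session
            continue
        s = state[conn]
        if (r := REJECTED.search(msg)):
            s["rejected"].add(r.group(1).lower())
        elif (b := BYPASS.search(msg)):
            if "Whitelisted" in b.group(2):  # only the line naming the whitelist hit
                s["whitelisted"].add(b.group(1).lower())
        elif (q := QUEUED.search(msg)):
            rcpts = {a.strip().lower() for a in q.group(2).split(",")}
            wl = s["whitelisted"] & rcpts
            if wl and rcpts - wl:          # whitelisted plus at least one other
                findings.append({"conn": conn, "sender": q.group(1),
                                 "whitelisted": sorted(wl),
                                 "unfiltered": sorted(rcpts - wl),
                                 "previously_rejected": sorted(s["rejected"] & rcpts)})
            state.pop(conn, None)
    return findings
```

Recipients listed under `previously_rejected` are the strongest signal: the filter had already decided to reject them in the same session before the whitelisted address was added.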


Posted By: Guests
Date Posted: 07 September 2005 at 5:35am
thanks Roberto.. no worries.

it's a bit of a pain since I'm seeing a bit of spam like this daily but I guessed this would be normal behaviour with the other recipients being part of the message as CC or BCCs.

still it's a bit of a loophole if spammers spot this behaviour and notice that postmaster and various other standard whitelisted names allow them to mail anyone else in an organisation (e.g. sales, accounts, jobs, foi and similar).

am I the only person spotting this then?

is there any mileage in changing some of the smtp settings like max recipients per connection... I'm guessing the spammers try and send to a big list after the first accepted connection.


Posted By: Alan
Date Posted: 07 September 2005 at 1:25pm
Here's a thought, how about setting up a tag such as ":exclusive" so that you can set a user to be whitelisted only if they are the only recipient?  This doesn't completely solve the problem and introduces some new issues but does address the exploit that MartinC is referring to.

(I am guessing this is not going to be possible but worth asking at least)


