Re: [AMaViS-user] Whitelisting monster.com ?
On 8/9/07, Leone, Michael <MLeone@contributionship.com> wrote:
> ->
> -> Try dropping the period:
> -> whitelist_from_rcvd *@monster.com monster.com
>
> I will try that, thanks

After seeing the headers, this won't work.

>
> ->
> -> AFAIK this will only look at the first 'untrusted' relay, so your
> -> internal_networks must be correct.
> ->
> -> However, if the:
> -> Envelope-Sender: or Resent-Sender: or X-Envelope-From: or From:
> -> is not @monster.com, then this may not work.
>
> Here's a sample header:
> (X-Envelope-Header changed to hide real sender's email address)
>
> Microsoft Mail Internet Headers Version 2.0
> X-Envelope-From: <xxxx@xxxx.xxx>
> X-Envelope-To: <careers@contributionship.com>
> X-Quarantine-ID: <EVot6gS6N0ku>
> X-Spam-Flag: YES
> X-Spam-Score: 6.361
> X-Spam-Level: ******
> X-Spam-Status: Yes, score=6.361 tag=-999 tag2=3.9 kill=3.9
> tests=[BAYES_99=2.5, HTML_MESSAGE=0.001,
> HTML_TEXT_AFTER_BODY=0.115,
> HTML_TITLE_EMPTY=0.214, MIME_HTML_ONLY=0.001,
> NO_REAL_NAME=0.961,
> SARE_HTML_HTML_BEFORE=0.718, SARE_HTML_INV_TAG3=1.365,
> SARE_HTML_URI_NODOT2=0.296, SUBJ_HAS_UNIQ_ID=0.19]
> Received: from cliff-claven.contributionship.com ([127.0.0.1])
> by localhost (cliff-clavin.contributionship.com [127.0.0.1])
> (amavisd-new, port 10024)
> with SMTP id EVot6gS6N0ku for <careers@contributionship.com>;
> Wed, 8 Aug 2007 21:49:29 -0400 (EDT)
> Received: from mailman102-q0.ma.tmpw.net (mailman102-q0.ma.tmpw.net
> [63.112.170.13])
> by cliff-claven.contributionship.com (Postfix) with SMTP id
> B8E071B0ED
> for <careers@contributionship.com>; Wed, 8 Aug 2007 21:49:28
> -0400 (EDT)

It's tmpw.net that is monster's server - and it's likely the first
untrusted server - hence it would go on the right hand side of
whitelist_from_rcvd but since the mail is not from @monster.com,
this still would not work.

> Received: (qmail 23817 invoked from network); 9 Aug 2007 01:49:32 -0000
> Received: from batch102.monster.com (HELO BATCH102) (10.50.10.187)
> by mailman102-q0.ma.tmpw.net with SMTP; 9 Aug 2007 01:49:32 -0000
> Received: from mail pickup service by BATCH102 with Microsoft SMTPSVC;
> Wed, 8 Aug 2007 20:49:32 -0500
> thread-index: AcfaJ4eozthVJw3DQPezrQephqSy0Q==
> Thread-Topic: 60932078 Corporate Controller Monster Resume #128062077
> Reply-To: <xxxx@xxxx.xxx>
> From: <xxxx@xxxx.xxx>
> To: <careers@contributionship.com>
> Subject: 60932078 Corporate Controller Monster Resume #128062077
> Date: Wed, 8 Aug 2007 20:49:31 -0500
> Message-ID: <006801c7da27$87aab5c0$bb0a320a@ops.global.ad>
> MIME-Version: 1.0
> Content-Type: text/html;
> charset="iso-8859-1"
> X-Mailer: Microsoft CDO for Windows 2000
> Content-Class: urn:content-classes:message
> Importance: normal
> Priority: normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2929
> X-OriginalArrivalTime: 09 Aug 2007 01:49:32.0007 (UTC)
> FILETIME=[87C9AF70:01C7DA27]
> Content-Transfer-Encoding: quoted-printable
> Return-Path: xxxx@xxxx.xxx
>
> So the only place Monster is mentioned is in one Received: line (and in
> the subject).
>

I don't think whitelist_from_rcvd will work.

> ->
> -> You could probably create (in postfix) a regex (or cidr)
> -> client access
> -> map that sets the FILTER to a different port that has a policy bank
> -> with a higher kill_level (and tag2_level).
>
> OK ... Bit advanced for me, but I will consider it ...
>
> ->
> -> # change this from the original setting
> -> $inet_socket_port = [10024, 10026];
> ->
> -> # add these
> -> $interface_policy{'10026'} = 'MONSTER';
> ->
> -> $policy_bank{'MONSTER'} = {
> -> spam_kill_level_maps => [15.0],
> -> spam_tag2_level_maps => [15.0],
> -> };
>
> That's in postfix? How does postfix know about spam_kill_level_maps? I'm
> confused ...
>

Sorry, the policy bank part would be in amavisd.conf.

> ->
> -> smtpd_client_restrictions =
> -> check_client_access cidr:/etc/postfix/monster_cidr
> ->
> -> /etc/postfix/monster_cidr:
> -> 63.121.29.0/24 FILTER smtp-amavis:[127.0.0.1]:10026
>
> Wasn't aware that that was monster's IP range. :-)

It was only an example. Don't use it verbatim. You would have to grep
your logs for all the addresses. Maybe use the monster_regexp instead.

>
> ->
> -> or
> -> check_client_access regexp:/etc/postfix/monster_regexp
> ->
> -> with the rDNS hostname(s) in regex form in monster_regexp
>
> .monster.com OK
>
> Like that? I am unsure of what all the hosts that would send mail are
> named (I see batch102.monster.com above, but who knows what all the
> hosts are named ...)
>
> Thanks
>

Probably more like (but I'm sure someone else could do better - make it
more specific):

/^.*\..*\.tmpw.net$/ FILTER smtp-amavis:[127.0.0.1]:10026

Note: I corrected regex: to regexp:
If 'postconf -m' shows 'pcre', then you may optionally substitute
pcre: for regexp:

--
Gary V
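Added example (not part of the original post or of amavisd-new/Postfix): one way to do the "grep your logs for all the addresses" step. It surveys Postfix smtpd connect lines for clients whose hostname matches the tmpw.net pattern from the reply, renders cidr: map entries for them, and flags addresses that also connected as "unknown", which a hostname regexp would not match. The log lines are constructed; only mailman102-q0.ma.tmpw.net and 63.112.170.13 come from the thread.

```python
import re
from collections import defaultdict

# Hostname pattern from the reply above, as it would appear in monster_regexp.
PATTERN = re.compile(r"^.*\..*\.tmpw.net$")
ACTION = "FILTER smtp-amavis:[127.0.0.1]:10026"  # action used in the thread

# Postfix smtpd logs each client as "connect from name[ip]"; the name is
# "unknown" when reverse DNS is missing or does not forward-confirm.
CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+?)\[([0-9.]+)\]")

# Constructed sample log (only the first host/IP pair appears in the thread).
SAMPLE_LOG = """\
Aug  8 21:49:28 cliff-claven postfix/smtpd[4101]: connect from mailman102-q0.ma.tmpw.net[63.112.170.13]
Aug  8 22:10:02 cliff-claven postfix/smtpd[4107]: connect from mailman103-q0.ma.tmpw.net[192.0.2.14]
Aug  8 22:31:40 cliff-claven postfix/smtpd[4112]: connect from unknown[192.0.2.14]
Aug  8 23:05:17 cliff-claven postfix/smtpd[4120]: connect from mx.tmpw.net.example.org[198.51.100.7]
Aug  8 23:40:55 cliff-claven postfix/smtpd[4131]: connect from unknown[203.0.113.9]
"""

def survey(log_text):
    """Return (ip -> matching hostnames, matched IPs also logged as 'unknown')."""
    matched, unknown = defaultdict(set), set()
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if not m:
            continue
        host, ip = m.groups()
        if host == "unknown":
            unknown.add(ip)
        elif PATTERN.search(host):
            matched[ip].add(host)
    return dict(matched), unknown & set(matched)

def cidr_map(matched):
    """Render one /32 entry per observed address for a cidr: table."""
    key = lambda ip: tuple(int(part) for part in ip.split("."))
    return [f"{ip}/32 {ACTION}" for ip in sorted(matched, key=key)]

if __name__ == "__main__":
    hosts, flaky = survey(SAMPLE_LOG)
    print("\n".join(cidr_map(hosts)))
    for ip in sorted(flaky):
        print(f"# {ip} also connected as 'unknown'; a hostname regexp would miss it")
```

Every address that ends up in the map is scored against the relaxed MONSTER policy bank, so review the list before installing it rather than widening entries to whole ranges.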