[plug] re: Email rules

Jon Miller jlmiller at mmtnetworks.com.au
Thu Feb 21 13:54:27 WST 2008

Bret, since you hit the nail on the head, have you been able to come up with
a solution to combat this, as the clients are getting a lot of these mails
daily and I would like to stop it?  I'm not sure if SA can stop it.


-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf
Of Bret Busby
Sent: Thursday, 21 February 2008 10:41 AM
To: plug at plug.org.au
Subject: Re: [plug] re: Email rules

On Wed, 20 Feb 2008, Patrick Coleman wrote:

> On Feb 20, 2008 9:39 AM, Jon L. Miller <jlmiller at mmtnetworks.com.au>
>> It is only from the outside that this rule needs to be applied.  If I
>> an e-mail that originated from a remote location from me to me then I
>> this to be quarantined as the only time these users are using this system
>> is from inside.
> I think SPF does something similar to this - you specify using a
> special DNS record on your domain what mail servers are permitted to
> send mail for your domain. If your system receives a message from a
> mailserver that is not listed in the From: address domain's SPF
> record, it will do something with it.
> 'Something' can be dropping it, flagging it, giving it an extra point
> in spamassassin, etc.
> -Patrick

I see two problems with that solution.

From what I understand, the solution that you have proposed, is what is 
known as whitelisting - specifying which sources of email are accepted.

The first problem, is that it is mandatorily exclusive, so that, for 
example, if Jon's client is a company making drilling bits for mining 
companies, and the purchasing officer is trying to source components for 
the drilling heads, and sends a query to de Beers, for diamond tips for 
mining drill bits, if the de Beers domain name is not included in the 
whitelist, then, when a reply is made to the query, the reply will be 
deleted, beaten up and left to die, or whatever, because it is not 
included in the whitelist.

Also, similarly, if a company is searching for drilling bits for mining 
companies, and finds Jon's client's web site on the Internet, and makes a 
query (which could result in a supply contract worth millions of dollars 
to Jon's client), by email, the query could, by the domain name of the 
company making the query, not being included in the whitelist, be 
automatically deleted (or, beaten up and left to die, never to be seen 
again), and so the company making the query, in not getting a response 
to its query, regards Jon's client as just another of the companies that 
has web sites on the Internet, advertising for custom, that doesn't 
respond to email (the email messages being automatically deleted before 
the addressee sees them), and so dismisses the company as not being 
worthwhile, and goes elsewhere for its supplies.

That is the first problem; a problem of whitelisting, where email 
addresses or domains that are not included in the whitelist, have any 
messages from them, not being received by the addressee.

The second problem with using whitelisting on the From address, and not 
the matching of the To and From addresses, with which Jon is concerned, 
is the problem of spoofing.

As an example, Jon has recently asked whether people have been receiving 
messages with the "72% discount" or "February special offer" (or 
similar), malicious message subjects.

I have been receiving such messages, and the To and From fields are both 
spoofed, and are displayed as email addresses that belong to domains 
that I have registered.

As an example, let us say that I am hosting a web site for an 
organisation named PLUG, within my domain name busby.net, and that I 
have an email address for queries relating to that web site, of 
plug at busby.net.

I have been receiving multiple email messages, with the header fields 
TO:plug at busby.net From:plug at busby.net Subject:Special February offer.

Now I do not have a PLUG web site, or that email address, but I have been 
similarly receiving multiple email messages for different web sites, 
within different domain names that I have.

So the second problem with the proposal, is spoofing.

While the proposal refers to the mailserver from which a message is 
sent, rather than the From address field, I assume that, as other 
information in the message headers can be spoofed, so also can the 
mailserver identifier.

Thus, I think that the solution (if achievable) goes back to the 
original query that Jon put up; filtering messages where the To and From 
field values are the same.

Bret Busby
West Australia

"So once you do know what the question actually is,
  you'll know what the answer means."
- Deep Thought,
   Chapter 28 of Book 1 of
   "The Hitchhiker's Guide to the Galaxy:
   A Trilogy In Four Parts",
   written by Douglas Adams,
   published by Pan Books, 1992

PLUG discussion list: plug at plug.org.au
Committee e-mail: committee at plug.linux.org.au
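
Added example, not part of either message above and not code from any poster: a sketch of the rule discussed in the thread, quarantining mail that arrives from outside while claiming a local sender, with the identical To/From case called out. The domain example.com.au, the internal network ranges and the sample messages are constructed assumptions; client_ip stands for the SMTP peer address the receiving server itself observed, not anything read from the message headers.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions for this example: the protected domain and what counts as "inside".
LOCAL_DOMAINS = {"example.com.au"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample messages (subject line taken from the thread).
SPOOFED = ("From: plug@example.com.au\nTo: plug@example.com.au\n"
           "Subject: Special February offer\n\nbody\n")
INQUIRY = ("From: buyer@supplier.example\nTo: sales@example.com.au\n"
           "Subject: Drill bit query\n\nbody\n")
FORGED_COLLEAGUE = ("From: jon@example.com.au\nTo: staff@example.com.au\n"
                    "Subject: Invoice\n\nbody\n")


def is_internal(client_ip):
    """True when the connecting address lies in a network we treat as inside."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def classify(raw_message, client_ip):
    """Return (verdict, reason) for one message and its observed SMTP peer."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    domain = sender.rpartition("@")[2]

    if is_internal(client_ip):
        return "accept", "submitted from inside"
    if domain in LOCAL_DOMAINS:
        # Local users only send from inside, so this From cannot be genuine.
        if sender in recipients:
            return "quarantine", "external mail with identical To and From"
        return "quarantine", "external mail claiming a local sender"
    # Unknown outside senders (new customers, suppliers) are not blocked.
    return "accept", "external sender, non-local domain"


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("inquiry", INQUIRY),
                      ("forged colleague", FORGED_COLLEAGUE)]:
        print(name, classify(raw, "203.0.113.25"))
```

Because only mail claiming a local domain is tested, replies and first-contact queries from other domains pass through untouched.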
