LogSat Software

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   There is a possible bug in Spamfilter ISP that might cause spammers to relay DEPENDING on the topolgy and settings on your servers. If you have whitelisted f.ex domain1.com in Spamfilter ISP, a spammer can use *@domain1.com as from-address to send spam to people outside our company IF you have the same configuration as we do...

Here's my example :

We run Spamfilter ISP 2.0.1.347

We have the followin topology in our mailsystem :

INTERNET --> SPAMFILTER ISP --> TREND IMSS --> LOTUS DOMINO

A person send mail from the Internet, the mail goes to our Spamfilter ISP server, then it goes to our Trend InterScan Messaging Security Suite server, and then to our Lotus Domino server. Trend IMSS "trusts" the Spamfilter ISP server, because we need to allow Spamfilter ISP to push the mail to Trend IMSS.

Now the possible bug ; When a domain is whitelisted in Spamfilter ISP, it passes every chech, EVEN the Local Domains setting. Even if the recepients domain is not listed in Local Domains it will pass. In my opinion the mail should be dropped here since domain1.com is not listed in Local Domains (it's only in the whitelist).

Since it pass all the checks because the senders domain is whitelisted, it goes to Trend IMSS which again trusts the Spamfilter ISP server, and then Trend IMSS relay the mail to the intended recepient f.ex idontwantspam@domain2.com. Trend IMSS is also our outbound mailserver.

There's two things that can be done to solve this.

1. Set Trend IMSS not to "trust" Spamfilter ISP. Then it will only accept mail to the domains specified in the configuration.

2. Make Spamfilter ISP drop all mail sendt to domains NOT listed in Local Domains.

I can solve it by doing #1, but I think it's important to address this issue since it might be others who have the same configuration as we do.

Logsat : Do you consider this issue as a bug? I personally think if a recepient-domain is not listed in Local Domains, it should be rejected, even if it's whitelisted.

Best regards,
Morten Authen
NSF

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Morten Authen Members Profile Send Private Message Find Members Posts Add to Buddy List Guest Group	Post Options Post Reply Quote Morten Authen Thanks(0) Quote Reply Topic: Possible bug / warning... Depends on how you look at it.... Posted: 08 June 2004 at 8:28am
	There is a possible bug in Spamfilter ISP that might cause spammers to relay DEPENDING on the topolgy and settings on your servers. If you have whitelisted f.ex domain1.com in Spamfilter ISP, a spammer can use *@domain1.com as from-address to send spam to people outside our company IF you have the same configuration as we do... Here's my example : We run Spamfilter ISP 2.0.1.347 We have the followin topology in our mailsystem : INTERNET --> SPAMFILTER ISP --> TREND IMSS --> LOTUS DOMINO A person send mail from the Internet, the mail goes to our Spamfilter ISP server, then it goes to our Trend InterScan Messaging Security Suite server, and then to our Lotus Domino server. Trend IMSS "trusts" the Spamfilter ISP server, because we need to allow Spamfilter ISP to push the mail to Trend IMSS. Now the possible bug ; When a domain is whitelisted in Spamfilter ISP, it passes every chech, EVEN the Local Domains setting. Even if the recepients domain is not listed in Local Domains it will pass. In my opinion the mail should be dropped here since domain1.com is not listed in Local Domains (it's only in the whitelist). Since it pass all the checks because the senders domain is whitelisted, it goes to Trend IMSS which again trusts the Spamfilter ISP server, and then Trend IMSS relay the mail to the intended recepient f.ex idontwantspam@domain2.com. Trend IMSS is also our outbound mailserver. There's two things that can be done to solve this. 1. Set Trend IMSS not to "trust" Spamfilter ISP. Then it will only accept mail to the domains specified in the configuration. 2. Make Spamfilter ISP drop all mail sendt to domains NOT listed in Local Domains. I can solve it by doing #1, but I think it's important to address this issue since it might be others who have the same configuration as we do. Logsat : Do you consider this issue as a bug? I personally think if a recepient-domain is not listed in Local Domains, it should be rejected, even if it's whitelisted. Best regards, Morten Authen NSF

LogSat Members Profile Send Private Message Find Members Posts Add to Buddy List Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104	Post Options Post Reply Quote LogSat Report Post Thanks(0) Quote Reply Posted: 08 June 2004 at 9:56pm
	Morten, We absolutely agree with your observation. SpamFilter ISP is not supposed to deliver any emails unless the recipient is in the local domains. We were able to verify your report, and consider this a bug. A new official release was supposed to be released tonite, we will delay it until this issue is fixed, which will happen very shortly as we consider this a big issue. Thanks for bringing this to our attention. Roberto F. LogSat Software

Morten Authen Members Profile Send Private Message Find Members Posts Add to Buddy List Guest Group	Post Options Post Reply Quote Morten Authen Thanks(0) Quote Reply Posted: 09 June 2004 at 4:06am
	Great, this will make things more secure :-) Thanks! Best regards Morten Authen NSF

LogSat Software

Site Navigation[Skip]

Spam Filter ISP Support Forum

Possible bug / warning... Depends on how you look at it....