Trusted Sender (User Level)
Question asked by E. Keith Dodd - 7/2/2014 at 1:10 PM
Received an email which was obviously a spam and most likely from someone's hacked account. It showed however a smartermail spam of 0 as a Trusted Sender. I checked the server's logs and it shows spam skipped because it was a Trusted Sender (user level).
Checked  my whitelist and neither the full sender nor the domain (bellsouth.net) was listed.
Any ideas how such would become a false "trusted sender"?

5 Replies

Reply to Thread
E. Keith Dodd Replied
Update: I further checked the questionable email's properties and see that the sender (a yahool.com address) is on my trusted sender's list. However, the delivery logs no where show that address as what was checked for a trusted sender. The "mail from" in delivery log is from a bellsouth.net address which the logs say is a Trusted Sender (user level).
W. T. Leaver Replied
This seems like the same issue I just reported at http://portal.smartertools.com/community/a86943/some-sort-of-trusted-sender-bug-spammers-getting-spam-through-suddenly_.aspx
(I probably should have searched first and reported here instead of opening a new question.)
Employee Replied
Employee Post
If the message return-path, from, or reply-to header fields contain a trusted sender address, then the message will pass the spam checks.
Nicolas Lambert Replied
But that means that anyone could add the recipient's domain name in the reply to field and if the recipient whitelisted his own domain the messages will get through the filters, no questions asked?

Is there a way to change the filters settings so that they don't take the reply-to field in account?
Anthony Salter Replied
Bingo -seems exactly what is happening to me now, just trying to follow it through - mine is with 'system - trusted sender' rather than user level, but my guess is the same mechanism applies.

So the trusted sender whitelist is actually just a list of back doors through the spam checks, spammers can inject recipient domain into the header as 'from' , 'reply-to' or whatever and it will be let right in.

That pretty appalling really, why doesn't it explicitly check the 'sender' address that is announced on the initial smtp connection?

It obviously doesn't include the to address when checking for a trusted sender, else every email that comes in would be trusted, sure it could be restricted to sender only.

Any advice here, i have several trusted domains set

Reply to Thread