[Mimedefang] The nerve of these people...

Fox, Randy Randy_Fox at csgsystems.com
Thu Jan 16 16:50:01 EST 2003


> From: Chad Stalvey [mailto:cstalvey at hcsmail.com]
> 
> Is there any way to stop people that try this sort of thing?
> 
> 
> 1) Jan  7 14:40:38 mail sendmail[2590]: h07JeWdL002590:
> from=<akara31 at excite.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=200-207-76-198.terra.com.br [200.207.76.198] (may be
> forged)
> 
I've just implemented a filter_sender that would work for cases like this.  However, it's a reactionary filter, not a proactive filter.  You can only put it into place after you are under attack.  The filter looks like this:

sub filter_sender {
    my($sender, $hostip, $hostname, $helo) = @_;
    # Reject the particular sender pattern currently being abused
    # (the dot is escaped so that only a literal "yahoo.com" matches)
    if ($sender =~ /ert\d+try\@yahoo\.com/) {
        return(0, "Mail from $sender not permitted");
    }
    return (1, "OK");
}

Trying to get proactive seems to present interesting challenges.  There was a filter posted in early November that looked like this:

sub filter_sender {
    my($sender, $hostip, $hostname, $helo) = @_;

    # Regularize sender and relay name to lower-case, no <> signs
    $sender = lc($sender);
    $sender =~ tr/<>//d;
    $hostname = lc($hostname);

    foreach my $domain (qw(aol.com hotmail.com earthlink.net yahoo.com)) {
        # Only act on senders in $domain or a subdomain of it
        # (a plain suffix test would also catch e.g. notyahoo.com)
        next unless $sender =~ /[\@.]\Q$domain\E$/;
        # The relay must be $domain itself or a host inside it
        unless ($hostname eq $domain or $hostname =~ /\.\Q$domain\E$/) {
            return(0, "Mail from $domain not permitted from relay $hostip");
        }
    }
    return (1, "OK");
}

excite.com won't work with this filter because it appears that all their mail comes through a domain called excitenetwork.com.  The logic could be re-worked to drop the top-level domain (.com, .net, .kr, etc.) and only look for aol, hotmail, excite, etc., but would this be acceptable?  How much do folks think it would be vulnerable to false positives?

Randy

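The "drop the top-level domain and match on the brand" idea raised in the post, worked through as an added example (this is not code from the post, the November filter, or MIMEDefang itself). It keeps the same (0|1, message) return shape as the filters above, but takes an extra $mode argument purely so the demo can run both matching rules side by side; in a real mimedefang-filter you would hard-wire one mode and drop that argument. The brand list, IP addresses, hostnames, and sender addresses in the table are constructed for the demo and do not describe any real relay.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Brands to protect: the label that is left after dropping the TLD.
# (Constructed list for the demo.)
my @brands = qw(aol hotmail earthlink yahoo excite);

# Strip any <>, lower-case, and return the domain part of an address.
sub sender_domain {
    my ($sender) = @_;
    $sender = lc $sender;
    $sender =~ tr/<>//d;
    return $sender =~ /\@([^@]+)$/ ? $1 : '';
}

# The brand of a domain: its second-level label (yahoo for yahoo.com,
# excite for excite.com). Returns '' for names with fewer than two
# labels, such as an unresolved "[ip]" literal. Note that this naive
# rule yields "co" for yahoo.co.uk, so two-part suffixes slip through.
sub brand_of {
    my ($domain) = @_;
    my @labels = split /\./, $domain;
    return @labels >= 2 ? $labels[-2] : '';
}

# Does $hostname look like it belongs to $brand?
#   strict: the relay's own second-level label must equal $brand
#   prefix: any label of the relay name merely has to start with
#           $brand, which is what lets excitenetwork.com relay
#           excite.com mail
sub relay_matches {
    my ($brand, $hostname, $mode) = @_;
    if ($mode eq 'strict') {
        return brand_of($hostname) eq $brand;
    }
    return scalar grep { index($_, $brand) == 0 } split /\./, $hostname;
}

sub filter_sender {
    my ($sender, $hostip, $hostname, $helo, $mode) = @_;
    my $brand = brand_of(sender_domain($sender));
    return (1, "OK") unless grep { $_ eq $brand } @brands;
    return (1, "OK") if relay_matches($brand, lc $hostname, $mode);
    return (0, "Mail from $brand not permitted from relay $hostip");
}

# Constructed test cases: [sender, relay ip, relay hostname, note]
my @cases = (
    ['<akara31@excite.com>', '200.207.76.198', '200-207-76-198.terra.com.br',
     'the forged relay from the post'],
    ['<someone@excite.com>', '192.0.2.10', 'mx3.excitenetwork.com',
     'excite.com mail via excitenetwork.com'],
    ['<someone@yahoo.com>',  '192.0.2.20', 'web12345.mail.yahoo.com',
     'yahoo.com mail via a yahoo.com host'],
    ['<someone@yahoo.com>',  '192.0.2.30', 'yahoo.mailer.example.org',
     'attacker names a relay after the brand'],
    ['<someone@yahoo.co.uk>', '192.0.2.40', 'smtp.attacker.example',
     'ccTLD sender: naive brand label is "co"'],
    ['<someone@aol.com>',    '192.0.2.50', 'smtp.someisp.example',
     'aol.com user relaying through their ISP'],
);

printf "%-24s %-28s %-6s %-6s %s\n",
       'sender', 'relay', 'strict', 'prefix', 'note';
for my $c (@cases) {
    my ($sender, $ip, $host, $note) = @$c;
    my @verdict = map {
        (filter_sender($sender, $ip, $host, $host, $_))[0] ? 'pass' : 'REJECT'
    } qw(strict prefix);
    printf "%-24s %-28s %-6s %-6s %s\n", $sender, $host, @verdict, $note;
}
```

Running it prints one row per case with the verdict of each mode. The two modes agree on the forged relay from the post (both reject it) and on the user relaying an aol.com address through an unrelated ISP (both reject it, which is the class of false positive neither variant can avoid). They differ on the excitenetwork.com relay, which only prefix matching accepts, and on the relay deliberately named yahoo.mailer.example.org, which prefix matching also accepts: loosening the match to fix the excite.com case lets anyone pass by putting the brand into their own hostname. The yahoo.co.uk row shows that "drop the TLD" also needs a notion of two-part suffixes before it can be applied to country-code domains.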