[Mimedefang] Blocking messages spoofed with my own e-mailladdress

Fox, Randy Randy_Fox at csgsystems.com
Mon Nov 17 14:01:29 EST 2003


> [mailto:mimedefang-bounces at lists.roaringpenguin.com]On Behalf 
> Of Jon R. Kibler
> Sent: Monday, November 17, 2003 8:33 AM
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Blocking messages spoofed with my own
> e-mailladdress
> 
> 

snip....

> Stefano, your suggestion works great for a local domain whose 
> incoming mail server does not do internal relay, but it falls 
> apart here, because:
>    1)   xyc.com has legit need to send to ourserver.net, and
>    2)   all the virtual domains communicate amongst 
> themselves through these same mail servers.
> 
> We were looking into setting up a database in sendmail that 
> would filter domains that are in /etc/mail/virtuser-domains 
> based upon the connecting system's netblock, but a brief 
> examination showed that was not practical because too many 
> users connect from remote locations, or have multiple ISPs 
> around the world and use their mail servers, but use their 
> local domain as the From: address.
> 
> Any suggestions on the best way to handle this?
> 
> TIA for all thoughts!
> 
> Sincerely,
> Jon R. Kibler
> A.S.E.T., Inc.
> Charleston, SC  USA
> 

I'd have to study if this works completely for Jon but it should work for Jeff.  It's a combination of two filters that effectively work together.  We have some departments farm out customer surveys and some trusted vendors that do not get checked (thus the filter_relay). We also have a few trusted senders coming in from outside that we allow (thus the filter_sender).  The last filter also enforces a proper usage of a few public email domains.

Hope this helps,
Randy

I used the following two filters:

#***********************************************************************
# The following are trusted locations and should not have filters checked.
sub filter_relay {
    my($hostip, $hostname, $helo) = @_;
    # The hostname pattern is anchored and its dots escaped, so only
    # trustedvender.com and hosts under it match, not names that merely
    # contain that string.
    if (($hostip eq "127.0.0.1") ||                       # localhost
        ($hostip eq "xxx.xx.xx.xxx") ||                   # Customer Surveys
        ($hostip eq "xxx.xxx.xxx.xxx") ||                 # Customer Surveys
        ($hostname =~ /(?:^|\.)trustedvender\.com$/i)) {  # vendor we trust
        md_syslog("notice", "$QueueID: trusted site, skipping further filters");
        return ('ACCEPT_AND_NO_MORE_FILTERING', 'ok');
    }
    return ('CONTINUE', 'ok');
}

#***********************************************************************
# Only allow from certain domains if relay hostname ends in same domain
sub filter_sender {
    my($sender, $hostip, $hostname, $helo) = @_;

    # Regularize sender to lower-case, no <> signs; lower-case the relay name too
    $sender = lc($sender);
    $sender =~ tr/<>//d;
    $hostname = lc($hostname);

    # Exemptions are matched as whole addresses / whole domain labels.
    if (($sender !~ /^user1\@ourdomain\.com$/) &&         # salesman
        ($sender !~ /^user2\@alternatedomain\.com$/) &&   # another salesman
        ($hostname !~ /(?:^|\.)customer\.com$/)) {        # trusted customer
        # do not check for alternatedomain.com in following because the contractors are spread throughout the Internet
        foreach my $domain (qw(aol.com hotmail.com earthlink.net yahoo.com ourdomain.com)) {
            # Is the sender in this domain (or a subdomain of it)?  Requiring
            # "@" or "." in front keeps notaol.com from matching aol.com.
            next unless $sender =~ /[\@.]\Q$domain\E$/;
            # Then the relay hostname must be the domain itself or a host under it.
            if ($hostname !~ /(?:^|\.)\Q$domain\E$/) {
                return (0, "Mail from $domain not permitted from relay $hostip");
            }
        }
    }
    return (1, "OK");
}
#***********************************************************************
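
The sender-domain versus relay-hostname check from filter_sender, pulled out into a stand-alone Perl script so its edge cases can be exercised outside MIMEDefang. This is an added example, not part of the original post: the names in_domain and pinned_violation and every sender/relay pair are constructed, and the bracketed IP is an assumed form for a relay with no resolvable name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Domains whose mail must arrive via a relay in the same domain
# (the list used in filter_sender above).
my @PINNED = qw(aol.com hotmail.com earthlink.net yahoo.com ourdomain.com);

# True if $name is $domain itself or a host under it (whole DNS labels only).
sub in_domain {
    my ($name, $domain) = @_;
    return $name =~ /(?:^|\.)\Q$domain\E\z/ ? 1 : 0;
}

# Returns the pinned domain being violated, or undef if the pair is allowed.
sub pinned_violation {
    my ($sender, $relay) = @_;
    $sender = lc $sender;
    $sender =~ tr/<>//d;
    $relay = lc $relay;
    my ($sdom) = $sender =~ /\@([^\@]+)\z/;    # part after the last "@"
    return undef unless defined $sdom;         # e.g. the null sender "<>"
    foreach my $domain (@PINNED) {
        next unless in_domain($sdom, $domain);
        return in_domain($relay, $domain) ? undef : $domain;
    }
    return undef;
}

# Constructed cases: [sender, relay hostname, pinned domain expected to be violated]
my @cases = (
    ['<Bob@AOL.com>',      'relay1.mx.aol.com',     undef],           # case and <> normalized
    ['bob@aol.com',        'dsl-1-2-3.example.net', 'aol.com'],       # foreign relay
    ['bob@aol.com',        'mail.notaol.com',       'aol.com'],       # look-alike relay name
    ['bob@notaol.com',     'mail.example.net',      undef],           # look-alike sender, not pinned
    ['bob@mail.yahoo.com', 'web1.mail.yahoo.com',   undef],           # subdomain on both sides
    ['me@ourdomain.com',   '[192.0.2.10]',          'ourdomain.com'], # relay without a name
    ['<>',                 'mail.example.net',      undef],           # null sender (bounce)
);

foreach my $c (@cases) {
    my ($sender, $relay, $want) = @$c;
    my $got = pinned_violation($sender, $relay);
    my $ok  = ($got // '') eq ($want // '');
    printf "%-4s %-20s via %-22s => %s\n", $ok ? 'ok' : 'FAIL',
        $sender, $relay, defined $got ? "reject ($got)" : 'accept';
}
```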


