[Mimedefang] Re: Great open letter about anti-virus, emails, bounces, etc.
Matt Cramer
mscramer at armstrong.com
Tue Sep 16 17:01:02 EDT 2003
On Mon, 15 Sep 2003, David F. Skoll wrote:
> On Mon, 15 Sep 2003, Matt Cramer wrote:
>
> > It is amazing how much spam stops once you only accept aol.com, yahoo.com,
> > etc. mail from hosts which reverse resolve to something in those domains.
>
> Our CanIt marketing literature calls these rules "Mismatch Rules" and
> they are very effective for selected domains. I suggest allowing
> a set of matches -- for example, it's legitimate for mail from
> "foo at aol.com" to come via a paypal.com server.
>
> For example:
>
> From aol.com OK-Relays = aol.com, paypal.com
> From msn.com OK-Relays = msn.com, hotmail.com, paypal.com
>
> etc...
I do that too, although your example above implies to me that CanIt's
version is more sophisticated than what I am doing, which comes as no
surprise. :)
I've had a couple of requests for my code, so I am going to share it here.
# sender filter
sub filter_sender {
    my @greylist;
    push @greylist, qw(att.com
                       aol.com
                       efax.com
                       dell.com
                       earthlink.net
                       computerworld.com
                       mindspring.com
                       warehouse.com
                       jpmchase.com
                       gartnerinfo.com
                       microsoft.com
                       morganstanley.com
                       gartner.com
                       fedex.com
                       hotmail.com
                       yahoo.com
                       msn.com
                       freeaccess.nl
                       email.com
                       angelfire.com
                       netzero.net
                       a0l.com
                       bellsoth.com
                       bellatlantic.net
                       swbell.net
                       excite.com
                       yahoo.co.uk
                       mail.ru
    );
    my ($sender, $ip, $hostname, $helo) = @_;
    if ($hostname eq "localhost") {
        return ('CONTINUE', "ok");
    }
    foreach my $check (@greylist) {
        # \Q...\E quotes the dots, so "a0l.com" only matches "a0l.com"
        if ($sender =~ /\@\Q$check\E>?$/i) {
            # the relay must reverse-resolve into the $check domain; the
            # match is anchored so "aol.com.example.net" does not pass as aol.com
            if ($hostname !~ /(^|\.)\Q$check\E$/i) {
                # allow monster.com relay to forge sender
                if ($ip =~ /^208\.30\.129\./) {
                    return ('CONTINUE', "ok");
                }
                # msn.com uses hotmail.com relays
                if ($sender =~ /\@msn\.com>?$/i) {
                    if ($hostname =~ /(^|\.)hotmail\.com$/i) {
                        return ('CONTINUE', "ok");
                    }
                }
                # morganstanley.com uses ms.com relays
                if ($sender =~ /\@morganstanley\.com>?$/i) {
                    if ($hostname =~ /(^|\.)ms\.com$/i) {
                        return ('CONTINUE', "ok");
                    }
                }
                # att.com uses transedge.com
                if ($sender =~ /\@att\.com>?$/i) {
                    if ($hostname =~ /(^|\.)transedge\.com$/i) {
                        return ('CONTINUE', "ok");
                    }
                }
                # bellatlantic.net uses verizon.net
                if ($sender =~ /\@bellatlantic\.net>?$/i) {
                    if ($hostname =~ /(^|\.)verizon\.net$/i) {
                        return ('CONTINUE', "ok");
                    }
                }
                # jpmchase.com uses chase.com
                if ($sender =~ /\@jpmchase\.com>?$/i) {
                    if ($hostname =~ /(^|\.)chase\.com$/i) {
                        return ('CONTINUE', "ok");
                    }
                    # new JPMChase mail relay, and DNS hasn't been updated yet
                    if ($ip =~ /^208\.44\.119\.191$/) {
                        return ('CONTINUE', "ok");
                    }
                }
                # yahoo.co.uk uses yahoo.com
                if ($sender =~ /\@yahoo\.co\.uk>?$/i) {
                    if ($hostname =~ /(^|\.)yahoo\.com$/i) {
                        return ('CONTINUE', "ok");
                    }
                }
                # netzero.net uses untd.com
                if ($sender =~ /\@netzero\.net>?$/i) {
                    if ($hostname =~ /(^|\.)untd\.com$/i) {
                        return ('CONTINUE', "ok");
                    }
                }
                # mindspring.com uses mindspring.net (and earthlink.net)
                if ($sender =~ /\@mindspring\.com>?$/i) {
                    if ($hostname =~ /(^|\.)mindspring\.net$/i) {
                        return ('CONTINUE', "ok");
                    }
                    if ($hostname =~ /(^|\.)earthlink\.net$/i) {
                        return ('CONTINUE', "ok");
                    }
                }
                return ('REJECT', "We have received spam forged as $check.
Therefore we will only accept mail from $sender via a relay in the $check
address space. Your host, $ip, is not registered to $check and is instead
$hostname. If this is a legitimate mail from $sender please contact the
administrator of $ip and ask them to configure DNS appropriately.", 554);
            }
        }
    }
    return ('CONTINUE', "ok");
}
Use at your own risk. This *WILL* end up breaking some mail if you add a
domain to the array and they use some other domain for legitimate mail.
But I am very confident in the above list and the crude exceptions I put
in as of the time I am sending this email. When I first put this in I had
a few complaints from users and I worked with admins at the other sites.
E.g. NetZero was very cool. They actually *READ* the reject message I
returned, realized what I was doing, then sent me a polite note asking me
to add another domain as a legitimate relay. More often than not though
one of my users called our HellDesk and said "I can't get mail from blah
blah", then I looked in the logs and saw it was this filter stopping them,
then contacted the admin myself to get a list of legit relays.
Now that I've embarrassed myself publicly with my crude code I ought to
clean it up and use some kind of db file to keep track of my list of
domains and the exceptions. :)
Matt
--
Matthew S. Cramer <mscramer at armstrong.com> Office: 717-396-5032
Infrastructure Security Analyst Fax: 717-396-5590
Armstrong World Industries, Inc. Cell: 717-917-7099
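The "mismatch rule" idea from this thread, written as a data-driven table instead of a hard-coded Perl loop. This is an added example, not Matt's filter and not CanIt or MIMEDefang code. It assumes the rule syntax David quoted ("From X OK-Relays = a, b"), that a rule for X implicitly allows relays inside X itself, that the MTA has already reverse-resolved the connecting IP (so the hostname is either a DNS name or a bracketed literal like "[192.0.2.9]"), and that relay IPs without usable reverse DNS are listed in an `ok_ips` whitelist rather than hard-coded. All domains, hosts and IPs in the samples are constructed (RFC 5737 test networks). The relay check is anchored on label boundaries, which is the part of the Perl above most worth getting right: a substring match would also accept a host named "aol.com.attacker.example".

```python
"""Sender-domain / relay "mismatch rules" as a data-driven table.

Added example, not code from the post, MIMEDefang or CanIt.  Assumptions:
  * rules use the quoted "From X OK-Relays = a, b" syntax and a rule for X
    always allows relays inside X itself;
  * `hostname` is the MTA's reverse-resolved name for the connecting IP,
    or a bracketed literal such as "[192.0.2.9]" when there is none;
  * relay IPs with missing reverse DNS go in `ok_ips` (the post's
    hard-coded IP exceptions, made configurable).
Sample rules, hosts and IPs are constructed (RFC 5737 test nets).
"""
import re

# Constructed rule table in the quoted CanIt-style syntax.
RULES_TEXT = """
From aol.com      OK-Relays = aol.com, paypal.com
From msn.com      OK-Relays = msn.com, hotmail.com, paypal.com
From jpmchase.com OK-Relays = chase.com
"""

_RULE_RE = re.compile(r"^From\s+(\S+)\s+OK-Relays\s*=\s*(.*)$", re.IGNORECASE)


def parse_rules(text):
    """Return {sender_domain: set(allowed relay domains)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        domain = m.group(1).lower()
        relays = {r.strip().lower() for r in m.group(2).split(",") if r.strip()}
        relays.add(domain)            # X may always relay its own mail
        rules[domain] = relays
    return rules


def sender_domain(sender):
    """Domain part of an envelope sender like '<bob@aol.com>' (None if no '@')."""
    addr = sender.strip().strip("<>").lower()
    if "@" not in addr:
        return None                   # e.g. the empty sender of a bounce
    return addr.rsplit("@", 1)[1]


def host_in_domain(hostname, domain):
    """True iff hostname is `domain` itself or a subdomain of it.

    Anchored on label boundaries on purpose: a plain substring test such as
    Perl's /aol.com/ would also accept 'aol.com.attacker.example'.
    """
    host = hostname.strip().lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_sender(rules, sender, ip, hostname, ok_ips=()):
    """Mirror MIMEDefang's filter_sender return convention."""
    domain = sender_domain(sender)
    if domain is None or domain not in rules:
        return ("CONTINUE", "ok")     # no mismatch rule for this domain
    if ip in ok_ips:
        return ("CONTINUE", "ok")     # explicitly whitelisted relay IP
    if any(host_in_domain(hostname, relay) for relay in rules[domain]):
        return ("CONTINUE", "ok")
    allowed = ", ".join(sorted(rules[domain]))
    return ("REJECT",
            f"We only accept mail from {domain} via relays in: {allowed}. "
            f"Your host {ip} reverse-resolves to {hostname}.",
            554)


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    samples = [  # (sender, ip, hostname), all constructed
        ("<bob@aol.com>", "192.0.2.10", "mail-relay.paypal.com"),
        ("<bob@aol.com>", "192.0.2.11", "aol.com.attacker.example"),
        ("<alice@msn.com>", "198.51.100.5", "mx.hotmail.com"),
        ("<carol@jpmchase.com>", "203.0.113.7", "[203.0.113.7]"),
        ("<dave@example.org>", "203.0.113.8", "[203.0.113.8]"),
    ]
    for sender, ip, host in samples:
        print(sender, host, "->", check_sender(rules, sender, ip, host)[0])
```

Keeping the table in a file and the IP whitelist in `ok_ips` is the "db file" cleanup Matt mentions: adding a relay for a domain becomes a one-line rule edit, and the reject text tells the remote admin exactly which relay domains would have been accepted, which is what made the NetZero exchange work.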