[Mimedefang] Faked relay?

Jonas Eckerman jonas_lists at frukt.org
Fri Jan 2 12:43:57 EST 2004


On Fri, 02 Jan 2004 11:03:06 -0600, Mike Grau wrote:

>  In filter_relay I've blocked an entire netblock
[...]
>  Now, however, a ton of mail is getting through because
>  the relay host.domain resolves to an IP that is not within
>  the Atriks netblock even though the domain does.

Is the actual IP of the relay in that netblock? If you do reject based on IP, it seems a lot more correct to base it on the actual IP of the relay rather than whatever the hostname resolves to. Remember that there is not a 1-1 connection between reverse-lookups and hostnames, they are quite separate.

If you have your own DNS server, it's just as easy to fake the DNS lookups (reverse and forward) as it is to fake the HELO or Mail from:, and it's just as easy to fake the forward lookup.

Block IPs based on the relay's IP, and block domains based on both the reverse-looked-up hostname and the HELO.

>  These all resolve to 216.204.150.230 or another IP within the
>  netblock I block, but the Received header does not:
 
>  Received: by hostdafpqkpadf01r.faxmailserver.com
>  (hostdafpqkpadf01r.faxmailserver.com [61.50.230.156]) with Will
>  Mail (version 9.0) Thu, 1 Jan 2004 01:45:27 -0500

Is that Received header inserted by your system? If not, don't trust it. The only Received headers you can trust are those inserted by servers you trust.

>  Depending on the message, the host.domain resolves to a variety
>  of addresses outside Atriks' netblock, yet the domain itself
>  (faxmailserver.com) resolves to an Atriks' address
>  (216.204.151.247 in this case.)

That's nothing strange. As an example:
resolve mmm.truls.org and note the IP
resolve www.truls.org and note that IP

mmm.truls.org is in a netblock owned by Bredbandsbolaget. Actually, if you do a reverse-lookup on the IP that mmm.truls.org points to, you'll see something like c-a3ad72d5.017-32-73746f30.cust.bredbandsbolaget.se.
www.truls.org is in a small classless subnet owned by Telia (or one of its daughter companies) and delegated to Fruktträdet. Most IPs in that block resolve to *.frukt.org.

There's absolutely no reason for all machines with the same domain to be in the same netblock.

Regards
/Jonas

-- 
Jonas Eckerman, jonas_lists at frukt.org
http://www.fsdb.org/
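The policy Jonas describes (reject on the relay's actual IP, and on the domain of the reverse-DNS name and of the HELO, never on what a hostname forward-resolves to) as a MIMEDefang-style filter. This is an added example, not code from the original thread or from the MIMEDefang project. It assumes the filter_relay / filter_helo calling convention of taking ($hostip, $hostname, $helo) as the first three arguments and returning an (action, message) pair; the blocked netblock (TEST-NET-1, 192.0.2.0/24), the domain blocked.example, and the sample connections in the driver are constructed stand-ins for the netblock and domain discussed above, not real data.

```perl
#!/usr/bin/perl
# Added example: a MIMEDefang-style filter_relay / filter_helo pair that
# blocks on the connecting relay's actual IP and on the domain of the
# reverse-DNS name and HELO, never on what a hostname forward-resolves to.
# The netblock and domain below are constructed stand-ins, not real data.
use strict;
use warnings;

# Assumed policy: one blocked netblock (TEST-NET-1) and one blocked domain.
my @BLOCKED_NETS    = ('192.0.2.0/24');
my @BLOCKED_DOMAINS = ('blocked.example');

# Pure-Perl IPv4 CIDR test, so no CPAN module is needed.
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    return 0 unless defined $ip && $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    return 0 if grep { $_ > 255 } split /\./, $ip;
    my ($net, $bits) = split m{/}, $cidr;
    $bits = 32 unless defined $bits;
    my $ipn  = unpack('N', pack('C4', split /\./, $ip));
    my $netn = unpack('N', pack('C4', split /\./, $net));
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ipn & $mask) == ($netn & $mask)) ? 1 : 0;
}

# Case-insensitive match of a name against the blocked domains, including
# subdomains. Sendmail passes "[1.2.3.4]" as the name when there is no
# reverse DNS; that form simply never matches a domain.
sub in_blocked_domain {
    my ($name) = @_;
    return 0 unless defined $name;
    $name = lc $name;
    $name =~ s/\.\z//;              # strip a trailing dot from FQDNs
    for my $d (@BLOCKED_DOMAINS) {
        return 1 if $name eq $d || $name =~ /\.\Q$d\E\z/;
    }
    return 0;
}

# filter_relay runs at connect time. $hostip is the address the relay
# actually connected from; $hostname is the reverse lookup of that address
# as sendmail reports it. Neither argument is a forward lookup of a name.
sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;
    for my $net (@BLOCKED_NETS) {
        return ('REJECT', "Relay $hostip is in blocked netblock $net")
            if ip_in_cidr($hostip, $net);
    }
    return ('REJECT', "Relay hostname $hostname is in a blocked domain")
        if in_blocked_domain($hostname);
    return ('CONTINUE', 'ok');
}

# filter_helo runs on HELO/EHLO. The HELO string is chosen by the client,
# so it is only ever used here to block, never to allow.
sub filter_helo {
    my ($hostip, $hostname, $helo) = @_;
    return ('REJECT', "HELO $helo names a blocked domain")
        if in_blocked_domain($helo);
    return ('CONTINUE', 'ok');
}

# Stand-alone driver over constructed connections; skipped when the file
# is loaded as a filter rather than run directly.
unless (caller) {
    my @samples = (
        # [relay IP,       reverse-DNS name,          HELO]
        ['192.0.2.230',    'mail.unrelated.example',  'mail.unrelated.example'],
        ['198.51.100.156', 'host01.blocked.example',  'host01.blocked.example'],
        ['198.51.100.7',   'relay.unrelated.example', 'smtp.blocked.example'],
        ['198.51.100.7',   '[198.51.100.7]',          'relay.unrelated.example'],
    );
    for my $s (@samples) {
        my ($ip, $name, $helo) = @$s;
        my @r = filter_relay($ip, $name, $helo);
        @r = filter_helo($ip, $name, $helo) if $r[0] eq 'CONTINUE';
        printf "%-15s %-25s %-25s -> %s: %s\n", $ip, $name, $helo, @r;
    }
}

1;
```

Run directly with perl to see the four sample connections classified (netblock hit, reverse-DNS hit, HELO hit, clean). In a real deployment the two subs go into the MIMEDefang filter file, and mimedefang only calls filter_relay and filter_helo when started with -r and -H respectively; check the mimedefang man page for your version, since later releases pass extra arguments after the three used here.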
