[Mimedefang] Accuracy of infected IP in mdlog

Jonas Eckerman jonas_lists at frukt.org
Mon May 17 12:26:44 EDT 2004


On Mon, 17 May 2004 12:55:56 +0200, Jerome Tytgat wrote:

>  Maybe I'm wrong but I thought mimedefang was more than just milter
>  who pass mails to clamav/spamassassin.

It is more. But when you want to do something that hasn't already been done you have to implement it yourself. The beauty of MIMEDefang lies in the fact that you *can* implement it yourself, usually without ever touching the main program code.

>  I thought we can do some correlation about headers, validating
>  from fields, validating Helo, and other things.

This can be done, but it's not in the *example* filter. If you check my filter at
http://whatever.frukt.org/mimedefang-filter.shtml
you can see that I do some checking on Received headers. Here are some notes about what that filter does and doesn't do:

* It checks for bad HELO used in connections to our backup server(s). It does not do any other HELO validation on Received-lines at all. The reasons:
1: I know the backups. No stupid mail client should ever connect directly to the backups. Therefore I know that no machine should ever present themselves with certain addresses when connecting to the backups.
2: I do not know any other servers or LANs that may be present in Received-lines. Many mail clients present themselves with incorrect domains in HELO. Blocking all bad HELOs would block a lot of perfectly legal mail.

* It checks for black-listed hosts. This may trigger on forged Received-lines, but I don't really care if I accidentally block a mail because someone forged a Received-line so that it looks like the mail passed through a blacklisted relay.

* You can see that the filter uses Mail::Field::Received to parse the Received-lines, but you can also see that I had to do some extra coding because Mail::Field::Received doesn't correctly parse all received lines. In particular, it doesn't handle Received-lines from a mail backup using Exim.
Exim's Received-lines (at least in that install) are quite different from what Sendmail and lots of other software writes, and Exim is a pretty popular piece of software.

This is something you'll be certain to run into if you want to parse a lot of Received-lines. They simply don't all follow one clear standard.

I would not recommend anyone to just grab that piece of code from my filter without first understanding exactly what they do. So far it's working fine here, but I'm keeping an eye on it because I can't be completely sure that the above checks never misfire due to strangely formatted Received-lines. If I find that they misfire, I'll have to refine them. The fact that I haven't seen those checks misfire here does not mean that they will work on any other system without modifications.

Regards
/Jonas
-- 
Jonas Eckerman, jonas_lists at frukt.org
http://www.fsdb.org/
