[Mimedefang] MessageID anti-impersonation function for sub filter()

Cormack, Ken kcormack at acs.roadway.com
Wed May 26 08:49:24 EDT 2004


All,

Yesterday, I had a spam come in, in which I noticed the MessageID contained
my own domain.  Since the originating MTA is responsible for generating the
MessageID, and since the message came from the outside, I added the
following in sub filter() of my mimedefang-filter last night.  Over night,
it caught about 20 messages.

    # Exclude_FromInternal() and Exclude_FromDmz() are site-local helpers that
    # return true when the connecting client is one of our own internal or DMZ
    # hosts; only those may legitimately generate a Message-ID in our domain.
    if ($MessageID =~ /\@roadway\.com>$/i
        && !Exclude_FromInternal() && !Exclude_FromDmz()) {
        md_syslog('info', "bogus_MessageID: Originating MTA claims to be us in MessageID $MessageID.");
        return ('REJECT', 'Originating MTA can not claim to be us in MessageID.');
    }

While I'm on the subject, here's a nice CheckMessageId rule, for sendmail.
Add this to the LOCAL_RULESETS section of your sendmail.mc, and regenerate
your .cf file.  This rule ensures that a MessageID is present, and is of the
correct format.  It also checks the RHS (right hand side) against access.db.

As always, watch out for line-wrap...

# Check for valid Message ID
# Check message id for valid hostname (after @)
# NOTE: sendmail requires a TAB (not spaces) between the LHS and RHS of every
#       R line; re-insert the tabs if your mail client turned them into spaces
# NOTE: the storage map used below must be declared once under LOCAL_CONFIG:
#       Kstorage macro
HMessage-Id:    $>CheckMessageId

SCheckMessageId
# Record the presence of the header in ${MessageIdCheck}; a ruleset that runs
#       later (e.g. check_eoh) can test that macro to catch messages that
#       carry no Message-Id: header at all
R$*             $: $(storage {MessageIdCheck} $@ OK $) $1
# check for a local-looking Message-Id: header from a non-local client
# Put client hostname in an initial lookup focus
# anything      ->         < lookup focus >    anything
R$*                     $: < $&{client_name} > < $1 >
# if the client is localhost the message was submitted locally and any
#       Message-Id: header is OK (use  R< $* $=m > < $+ >  here instead
#       to trust every client host under our own domains, $=m)
R< localhost > < $+ >           $@ OK
# reject all other locally generated Message-Id: headers because
#       client hostname is not local
R< $+ > < $+ @ $j >     $#error $: "553 Delivery blocked; HMessage-ID: indicates local generation but client is not local (may be forged)"
# strip trash lookup focus leaving the original header
R< $+ > < $+ >          < $2 >

# Check MessageID for blocked domain names: look up the RHS in access.db
#       (no entry yields OK); the workspace now holds the access value
R< $+ @ $+ >            $: $(access $2 $: OK $)
ROK$*                   $@ OK
RREJECT$*               $#error $: "553 Delivery blocked; HMessage-ID: failed access database lookup"
RDISCARD$*              $#discard $: discard
RERROR:$*               $#error $: $1
# A header that did not match < $+ @ $+ > above is still wrapped in the
#       focus brackets: invalid format
R< $* >                 $#error $: "553 Delivery blocked; HMessage-ID: indicated invalid format"
# Anything else is an access value that is no reason to block on the
#       Message-Id: (RELAY, SKIP, ...), so let the header through
R$*                     $@ OK


KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
    Open Systems Group
Sr. Software Analyst,
    TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
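The two checks in the post above (the filter() test for a Message-ID claiming our own domain from an outside client, and the sendmail ruleset's presence/format check plus access.db lookup of the right-hand side) combined into one stand-alone decision function, as an added example that is not part of the original post, MIMEDefang or sendmail. It is written in Python so it can be run and tested outside mimedefang-filter; LOCAL_DOMAINS, the ACCESS table, the client names and every sample Message-ID are constructed for illustration, and client_is_internal stands in for the poster's site-local Exclude_FromInternal()/Exclude_FromDmz() helpers. It goes beyond the posted checks in two ways, both noted in comments: subdomains of our own domain count as ours, and the access lookup walks up to parent domains instead of matching the right-hand side exactly.

```python
"""Message-ID sanity checks modelled on the post above.

Added example, not the poster's mimedefang-filter code and not a sendmail
ruleset.  LOCAL_DOMAINS, ACCESS and all sample headers are constructed.
"""
import re

# Stand-in for the literal roadway.com in the posted filter and for
# sendmail's $j (assumption: one local domain, matched with its subdomains).
LOCAL_DOMAINS = ("roadway.com",)

# Constructed access-style table keyed by domain, playing the part of the
# right-hand-side entries the posted sendmail rule looks up in access.db.
ACCESS = {
    "spammer.example": "REJECT",
    "junk.example": "DISCARD",
    "banned.example": "ERROR:553 Message-ID domain is not welcome here",
    "partner.example": "RELAY",
}

# RFC 2822 msg-id is "<" id-left "@" id-right ">".  Like the sendmail
# pattern < $+ @ $+ > we only insist on one '@' between non-empty halves.
MSGID_RE = re.compile(r"^\s*<([^<>@\s]+)@([^<>@\s]+)>\s*$")


def is_local_domain(host):
    """True if host is one of LOCAL_DOMAINS or lies under one of them."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LOCAL_DOMAINS)


def access_lookup(rhs):
    """Exact lookup of the right-hand side, then of each parent domain.

    The posted sendmail rule does only the exact lookup; the walk up to
    parent domains is an extension so host.junk.example is caught by a
    junk.example entry."""
    labels = rhs.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        value = ACCESS.get(".".join(labels[i:]))
        if value is not None:
            return value
    return "OK"


def check_message_id(message_id, client_name, client_is_internal=False):
    """Return (action, reason); action is CONTINUE, REJECT or DISCARD.

    client_name is the connecting host's name as sendmail's ${client_name}
    gives it; client_is_internal stands in for the poster's site-local
    Exclude_FromInternal() / Exclude_FromDmz() helpers (assumption).
    """
    # Presence and format (the ruleset's storage and format rules).
    if not message_id or not message_id.strip():
        return ("REJECT", "553 Delivery blocked; Message-ID header missing")
    match = MSGID_RE.match(message_id)
    if not match:
        return ("REJECT", "553 Delivery blocked; Message-ID has invalid format")
    rhs = match.group(2)

    # Locally submitted or internal mail may carry any Message-ID.
    if (client_name or "").lower() == "localhost" or client_is_internal:
        return ("CONTINUE", "client is local; Message-ID not checked")

    # The originating MTA generates the Message-ID, so an outside client
    # presenting one in our own domain is claiming to be us.
    if is_local_domain(rhs):
        return ("REJECT",
                "553 Delivery blocked; Message-ID claims local generation "
                "but client %s is not local (may be forged)" % client_name)

    # Right-hand side against the access table, mapping the values the
    # posted rule understands; any other value (RELAY, SKIP, ...) does not
    # block on the Message-ID.
    value = access_lookup(rhs)
    if value == "REJECT":
        return ("REJECT",
                "553 Delivery blocked; Message-ID failed access database lookup")
    if value == "DISCARD":
        return ("DISCARD", "Message-ID domain %s is listed DISCARD" % rhs)
    if value.startswith("ERROR:"):
        return ("REJECT", value[len("ERROR:"):].strip())
    return ("CONTINUE", "Message-ID domain %s passed access lookup" % rhs)


if __name__ == "__main__":
    # Constructed headers as an outside client (mx.isp.example) would send them.
    for mid in ("<20040526.1234@roadway.com>", "<x@mail.roadway.com>",
                "<1@spammer.example>", "<2@host.junk.example>",
                "<3@banned.example>", "<4@partner.example>",
                "20040526@nowhere", ""):
        print("%-30r -> %s" % (mid, check_message_id(mid, "mx.isp.example")))
```

Run it directly to see each constructed header's verdict. Keeping the "unknown access value" path on CONTINUE matters: a partner domain listed RELAY in access.db must not have its mail bounced by a Message-ID check that only cares about REJECT, DISCARD and ERROR entries.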


