[Mimedefang] RE: MIMEDefang Digest, Vol 24, Issue 9

M Jerome Garrett jgarrett at techsolutions.cc
Wed Sep 7 10:06:14 EDT 2005


Actually I want to block the email address, not the IP address of the relay.
And yes it is harsh, but I don't make the rules.  I enforce them.  Got any
ideas on how to add a line to the database?

Jerome

-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of
mimedefang-request at lists.roaringpenguin.com
Sent: Wednesday, September 07, 2005 8:05 AM
To: mimedefang at lists.roaringpenguin.com
Subject: MIMEDefang Digest, Vol 24, Issue 9


Today's Topics:

   1. Re: Re: exiting the filter before any processing (Rolf)
   2. Re: Spam with more than one recipient - reject or not?
      (Steffen Kaiser)
   3. brainstorming this topic: Re: [Mimedefang] Spam with more
      than one recipient - reject or not? (Steffen Kaiser)
   4. Re: OT: Email web form exploits (John Nemeth)
   5. Re: OT: Email web form exploits (John Nemeth)
   6. Re: Re: exiting the filter before any processing (John Nemeth)
   7. Re: Spam with more than one recipient - reject or not?
      (David F. Skoll)
   8. RE: Blacklisting senders of forbidden phrases. (Cormack, Ken)


----------------------------------------------------------------------

Message: 1
Date: Wed, 7 Sep 2005 12:29:39 +1000
From: Rolf <rolf at ses.tas.gov.au>
Subject: Re: [Mimedefang] Re: exiting the filter before any processing
To: mimedefang at lists.roaringpenguin.com
Message-ID: <d0537c9f2cbbbed231bff09b2c4b69ea at ses.tas.gov.au>
Content-Type: text/plain; charset=US-ASCII; format=flowed

Yes that is a good point and I have decided not to skip some checks on 
outgoing mail.

thanks.

r.

> On Jan 27,  5:57pm, Rolf wrote:
> }
> } If $RelayAddr is the address of the ISP mail server then processing
> } continues as usual. If, however, it is the address of the LAN mail
> } server then spam, attachments, size, and so on that the filter checks
> } are all to be ignored, but append_text_boilerplate() is to be 
> applied.
> } I can easily apply the boilerplate routine to the right msgs, but I
> } can't find a simple way to ignore the rest of the processing for the
> } same msg.
>
>      In addition to what everybody else has said, I just have to point
> out that this is dangerous.  At the very least, you should virus check
> outgoing mail.  This will help to catch internal machines that get
> viruses early on, and it will help prevent you from attacking others,
> which will affect your reputation.
>
> }-- End of excerpt from Rolf
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang




------------------------------

Message: 2
Date: Wed, 7 Sep 2005 08:13:10 +0200 (CEST)
From: Steffen Kaiser <skmimedefang at smail.inf.fh-bonn-rhein-sieg.de>
Subject: Re: [Mimedefang] Spam with more than one recipient - reject
	or not?
To: mimedefang at lists.roaringpenguin.com
Message-ID: <Pine.LNX.4.63.0509070800000.14722 at pc-2m63.inf.fh-bonn-rhein-sieg.de>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 6 Sep 2005, Wesley Peters wrote:

> On Wed, 2005-08-17 at 07:54 -0400, David F. Skoll wrote:
>> Michal Jankowski wrote:
>>
>>> I have received a suggestion to stream by recipient.
>>
>>> But that's a big no-no. Once you do that, you have effectively
>>> accepted the smtp transaction. So you cannot 'bounce' and the only way
>>> to notify sender is by mail, which should be avoided at all cost.
>>
>> Well, in that case, you just discard instead of bounce.
>>
>> Can you suggest a viable alternative?  (Other than re-writing SMTP, of course.)
>
> Tempfail all the recipients who use different rules than the first?

That falls into the field of "re-writing SMTP"; because the recipients 
are sent and acknowledged (or rejected) _before_ the contents come in, 
you can't tempfail individual recipients based on the contents.

Also, another idea:

+ tempfail the message as a whole, &
+ when the mail transfer is attempted again, you know the old score and 
tempfail the recipients who do not like the mail.

Well, won't work as well, because when the recipients are sent, you only 
know the connecting host, the HELO string and the envelope sender. Not 
enough information to reliably identify a message.
Some (mostly larger hosters) have mail clusters, where, possibly, a 
message is retried from another host, which should use another HELO string 
as well.

So one can only act on the tuple (sender, recipient), and, you can't even 
rely on that the order of the recipients keeps the same on retry.
-> Well, this is much like conditional greylisting, where you hope that 
the attempt for re-transfer is a good sign for non-SPAM.

Bye,

-- 
Steffen Kaiser


------------------------------

Message: 3
Date: Wed, 7 Sep 2005 08:39:53 +0200 (CEST)
From: Steffen Kaiser <skmimedefang at smail.inf.fh-bonn-rhein-sieg.de>
Subject: brainstorming this topic: Re: [Mimedefang] Spam with more
	than one	recipient - reject or not?
To: mimedefang at lists.roaringpenguin.com
Message-ID: <Pine.LNX.4.63.0509070813180.14722 at pc-2m63.inf.fh-bonn-rhein-sieg.de>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 6 Sep 2005, Wesley Peters wrote:

While writing the former reply, some idea developed, it tries to extend 
Greylisting:

Consider a message for multiple recipients, some do like it, some do not.

+ During filter_end() you score why the recipients don't like it (e.g. 
some reasons might not be appropriate for this idea); then you save the 
pair (envelope sender, envelope recipient) into a database.

+ The whole message is tempfailed.

+ When a message arrives, you check in filter_recipient(), if the DB 
contains the pair (sender, recipient), if so, the recipient is tempfailed.

+ The database entries are deleted after, say, one hour.

+ Eventually within the grace time of 1h, the message with the mixed 
recipients is retried, the recipients, who don't like the message, get 
tempfailed, the others pass.

+ When the message is retried again after the grace time, all recipients 
don't like the mail and it is bounced.

The basic idea is to assume that a sender will send SPAM the next time, 
too.

This assumption is also the weak point because of all the faked sender 
addresses. There will be well-known senders that, when arriving from 
certain hosts, are no SPAM mostly, so they can be exempted from this 
technique.

There will be several scenarios, that make this technique cumbersome, 
because it is possible that a mail gets tempfailed forever without being 
scanned at all.

E.g.:

+ Mail A from faked sender S arrives with multiple recipients; recipient R 
doesn't like the message; the pair (S, R) is stored into the DB.

+ Mail B arrives from real sender S to R (single recipient) within grace 
time. But it is tempfailed. You don't know whether this message has one 
or more recipients, hence, you must honor the DB any time.

--> When message A is never retried _within_ the grace time, it will be 
tempfailed forever and possibly prevent scanning and delivery of Mail B 
that way.

Does anybody have some idea to eliminate the weak points?

Bye,

-- 
Steffen Kaiser
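As an added illustration of the (sender, recipient) store sketched in this message and the one before it (example code written for this digest, not Steffen's or MIMEDefang's own), here is a Perl version with the one-hour grace time and expiry built in. The database path, the lock file, and the filter_recipient()/filter_end() wiring at the bottom are assumptions.

```perl
use strict;
use warnings;
use DB_File;
use Fcntl qw(:DEFAULT :flock);

my $PairDBFile   = "/var/spool/MIMEDefang/tempfail-pairs.db";  # assumed path
my $GraceSeconds = 3600;                                        # the 1h grace time

# Key = sender NUL recipient, with MIMEDefang's angle brackets stripped, case folded.
sub pair_key {
    my ($sender, $recip) = @_;
    for ($sender, $recip) { s/^\s*<//; s/>\s*$//; $_ = lc $_; }
    return "$sender\0$recip";
}

# Open the pair DB under an exclusive lock (several MIMEDefang slaves may run
# at once).  Returns (\%DB, $lock_fh) or the empty list; pair with close_pairs().
sub open_pairs {
    my %DB;
    open(my $lock, ">>", "$PairDBFile.lock") or return;
    flock($lock, LOCK_EX) or do { close $lock; return };
    tie(%DB, 'DB_File', $PairDBFile, O_RDWR | O_CREAT, 0640)
        or do { close $lock; return };
    return (\%DB, $lock);
}

sub close_pairs {
    my ($db, $lock) = @_;
    untie %$db;
    flock($lock, LOCK_UN);
    close $lock;
}

# filter_end(): before tempfailing the whole message, record every recipient
# that rejected it.  Returns the number of pairs stored.
sub remember_rejecting_recipients {
    my ($sender, @recips) = @_;
    my ($db, $lock) = open_pairs() or return 0;
    my $now = time;
    $db->{pair_key($sender, $_)} = $now for @recips;
    close_pairs($db, $lock);
    return scalar @recips;
}

# filter_recipient(): 1 if the pair was recorded within the grace time (tempfail
# this recipient), 0 otherwise.  Expired pairs are deleted so a stale entry can
# never tempfail a sender/recipient pair forever.
sub pair_should_tempfail {
    my ($sender, $recip) = @_;
    my ($db, $lock) = open_pairs() or return 0;
    my $key = pair_key($sender, $recip);
    my $hit = 0;
    if (exists $db->{$key}) {
        if (time - $db->{$key} <= $GraceSeconds) { $hit = 1 }
        else                                      { delete $db->{$key} }
    }
    close_pairs($db, $lock);
    return $hit;
}

# Wiring (mimedefang must run with -r for filter_recipient to be called):
#   sub filter_recipient { my ($recip, $sender) = @_;
#     return ('TEMPFAIL', "Try again later") if pair_should_tempfail($sender, $recip);
#     return ('CONTINUE', "ok"); }
#   in filter_end(): remember_rejecting_recipients($Sender, @rejecting) then
#     return action_tempfail("Try again later");
```

The expiry on lookup is what keeps the "Mail B" scenario bounded: once the grace time has passed, the stale pair is dropped on the next RCPT from that sender, so an unretried Mail A can only delay Mail B for the grace period, not forever.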


------------------------------

Message: 4
Date: Wed, 7 Sep 2005 00:19:39 -0700
From: jnemeth at victoria.tc.ca (John Nemeth)
Subject: Re: [Mimedefang] OT: Email web form exploits
To: mimedefang at lists.roaringpenguin.com
Message-ID: <200509070719.j877JdlJ006175 at vtn1.victoria.tc.ca>

On Jan 27,  1:21am, John wrote:
} At 11:23 PM 9/5/2005, you wrote:
} >On Jan 26,  5:16pm, John wrote:
} >}
} >} I am a System Administrator in Billings, MT.  I am having the same issue,
} >} however I do not feel this is to be taken lightly.  Mine started with IP's
} >} in Egypt & Iran.  I have attempted to contact the FBI & Dept. of Homeland
} >} Security.  Also have alerted AOL's Fraud Dept. as that's where the test
} >} emails were sent originally while testing.
} >}
} >} I attempted Federal contact Saturday when I realized what was
} >} transpiring.  Unfortunately, they are an 8-5 system unless someone's life
} >} is at stake.
} >
} >      Contacted them for what purpose?  To tell them that you're a lousy
} >programmer?  Or perhaps to tell them that you stick random unverified
} >code on your system (i.e. you're a lousy sysadmin)?
} 
} We also, are an ISP.  We, as a company, do not control content.  We should,
} I agree, but company policy says "Not"...

     I can understand that as an ISP that you don't control the
contents of the websites that you host.  However can you not disable
insecure CGI scripts or at least tell the owner to do something about
them?  If not, then there is a serious problem with your policies.

} >} This has been a continuous, saturated attack, not at all like a simple
} >} spammer or script kiddy.  Think about what would happen if a subversive
} >} group like, and including, Bin Laden's boys found open mail forms that
} >} could be used to send coded messages in plain text with impunity and being
} >} relatively anonymous.
} >
} >      The people running insecure web sites should be nailed.
} 
} I agree 100%.  However, in the real world, when you have hundreds of sites
} and may be 75-80 developers, that's what happens.

     It certainly does and when it does you deal with it.

} >   There is
} >a ton of information out there on how to write secure forms!  This is
} >not a new attack.
} 
} Not like this one has been.

     From the way you describe it there is nothing new here.  Go google
"formmail.cgi".

} >   This is old stuff.
} >
} >} I want some answers from the Feds on this issue and I can assure you I will
} >} be on the phone at 8:00 in the morning...
} >
} >      If I was the Feds I would simply tell you to go away and secure
} >your system.  And, if you are working for an organisation where your
} >systems must be secure by law, I would sic the appropriate agency on
} >you.
} 
} And, you already sound like a government worker.  Totally bad attitude.  I
} expect to speak to someone like you today.  I am sure I will find a way
} around the front guard, then maybe not.  There are plenty of folks like you
} in the government.

     No, I do not work for the government nor have I ever worked for
the government.  But, I do live in the real world and have real world
knowledge.  I won't claim to be a security expert but I have studied it
and know the basics.  Also, I won't let my ego deceive me into
believing that I have discovered something new when in fact it is
commonplace and really simple.

}-- End of excerpt from John


------------------------------

Message: 5
Date: Wed, 7 Sep 2005 00:28:30 -0700
From: jnemeth at victoria.tc.ca (John Nemeth)
Subject: Re: [Mimedefang] OT: Email web form exploits
To: mimedefang at lists.roaringpenguin.com
Message-ID: <200509070728.j877SVXu007422 at vtn1.victoria.tc.ca>

On Jan 27,  4:00am, John wrote:
} At 08:42 AM 9/6/2005, you wrote:
} >On Tue, 2005-09-06 at 07:45, John wrote:
} > > >
} > > >      Contacted them for what purpose?  To tell them that you're a lousy
} > > >programmer?  Or perhaps to tell them that you stick random unverified
} > > >code on your system (i.e. you're a lousy sysadmin)?
} > >
} > > We also, are an ISP.  We, as a company, do not control content.  We should,
} > > I agree, but company policy says "Not"...
} >
} >So what is it that you expect someone else to do about it?  Shouldn't
} >you be contacting the clients that do control this made-to-exploit
} >content?
} 
} I don't expect them to do anything about it.  I have already contacted
} clients and shut down scripts.
} 
} I have been doing this for years.  I have seen the kiddie scripters come
} and go.  They are not an issue.  These are much different than what I have
} seen in the past.  I am going to make the Feds aware of this, just in case
} there is something here that is not apparent on the surface.  Expect them
} to shut something down?  Nada, on the contrary, I want them to see if
} something on the dark side is up (If they are interested).

     I've got news for you.  The people that deal with this stuff
haven't been living in caves for the last ten years.  They knew about
it a long time ago.  There is nothing here that is of remote interest.

} > > >      If I was the Feds I would simply tell you to go away and secure
} > > >your system.  And, if you are working for an organisation where your
} > > >systems must be secure by law, I would sic the appropriate agency on
} > > >you.
} > >
} > > And, you already sound like a government worker.  Totally bad attitude.  I
} > > expect to speak to someone like you today.  I am sure I will find a way
} > > around the front guard, then maybe not.  There are plenty of folks like you
} > > in the government.
} >
} >What would you like them to do?
} 
} Be aware.  None of us have an overall picture of the security issues of our
} Nation.  Only selected groups have that knowledge.  I am just going to feed

     Guess what!  The group that you are apparently trying to reach is
one of those "selected groups".  They probably don't know everything
but they would certainly know about buggy web forms.

} them some data.  What they do with it is up to them.  The persistence of 
} this issue is the key factor here.  I personally have never had a spammer 

     No, it isn't.  It isn't even remotely of interest.

} piss around for days on end.  Too many other easy marks out there.  Maybe 
} somebody in a more dense area of the world with more top site exposure is 
} used to this, but here in Blgs, we are not.  Maybe it's just our turn in 
} the barrel, but it is extremely unusual activity in our little pew.

     Then count your lucky stars.  On the Internet being in the
backwater is determined by your connectivity and your bandwidth.  To
the spammers, etc. you are just another IP address.  They couldn't care
less about your geographical location or anything other than how much
spam they can pump through you.

} Noteworthy to say the least.

     Not even remotely.

}-- End of excerpt from John


------------------------------

Message: 6
Date: Wed, 7 Sep 2005 01:06:38 -0700
From: jnemeth at victoria.tc.ca (John Nemeth)
Subject: Re: [Mimedefang] Re: exiting the filter before any processing
To: mimedefang at lists.roaringpenguin.com
Message-ID: <200509070806.j8786cvb029081 at vtn1.victoria.tc.ca>

On Jan 28,  5:44am, Rolf wrote:
} 
} > The supplied filter is just an example.  MIMEDefang
} > admins are expected to modify it to suit local requirements.  But if
} > you know Perl, it shouldn't take you more than a minute to make the 
} > changes
} 
} Yes, I only know basic perl, but given the supplied filter is so 
} suitable out-of-the-box and is perfectly easy to understand, I have 
} been able to modify it variously thus far.
} I only asked in the first place in the hope that there was some 
} non-obvious way to get a specific, I would have thought common, 
} behaviour (mail travelling from the internet to the LAN is treated 
} differently from mail in the opposite direction).

     You have to keep in mind that milters (including MIMEDefang) are
intimately connected with sendmail and that sendmail is a Mail TRANSFER
Agent.  In other words, all sendmail does is move mail from one place
to another.  As far as sendmail is concerned every piece of mail comes
into it, gets processed, and goes out again.  There is no "inbound" or
"outbound".  These are distinctions that are attached to messages by
system admins.  There is no easy way for sendmail to distinguish one
from the other since the rules for distinguishing them are site
specific.

}-- End of excerpt from Rolf


------------------------------

Message: 7
Date: Wed, 07 Sep 2005 07:09:40 -0400
From: "David F. Skoll" <dfs at roaringpenguin.com>
Subject: Re: [Mimedefang] Spam with more than one recipient - reject
	or not?
To: mimedefang at lists.roaringpenguin.com
Message-ID: <431ECA74.50206 at roaringpenguin.com>
Content-Type: text/plain; charset=ISO-8859-1

Steffen Kaiser wrote:
> Wes Peters wrote:
>> Tempfail all the recipients who use different rules than the first?

> That falls into the field of "re-writing SMTP"; because the recipients
> are sent and acknowledged (or rejected) _before_ the contents come in,
> you can't tempfail individual recipients based on the contents.

No, you misunderstand.  You tempfail all but the first recipient;
this lets you filter the mail knowing only one recipient will get it.

On the next transmission, do the same thing.  Eventually, all the recipients
will take turns being "first" and the mail will be completely processed.

There are, of course, serious practical problems with this.  In fact,
it's not feasible for real-world situations.

Regards,

David.


------------------------------

Message: 8
Date: Wed, 7 Sep 2005 09:00:22 -0400 
From: "Cormack, Ken" <Ken.Cormack at roadway.com>
Subject: RE: [Mimedefang] Blacklisting senders of forbidden phrases.
To: "'mimedefang at lists.roaringpenguin.com'"
	<mimedefang at lists.roaringpenguin.com>
Message-ID: <1F40E45EADB48C48A3EB6003EAF84532159FA603 at exmail03>
Content-Type: text/plain

Are you saying that every time you flag a message for having a forbidden
subject, you also want that logic to automatically add the IP address of
the relay to your blacklist?  That seems pretty harsh... "One Strike -
You're Out!"


-----Original Message-----
From: M Jerome Garrett [mailto:jgarrett at techsolutions.cc] 
Sent: Tuesday, September 06, 2005 9:19 PM
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] Blacklisting senders of forbidden phrases.


I stole some code off of somebody on here who posted a script to add to the
mimedefang-filter file.  This script goes into a subjects.db file and
searches for words/phrases in the subject line that are in the subjects.db
database.  If they are, then the message is rejected and management is
happy.  I call the search like this.

 

if (lookup_subject() && $auto_whitelist < 1) {
    action_bounce("Access denied. Subject \"$Subject\" suggests MSG may "
                  . "contain SPAM/WORM/VIRUS/HOAX.", "553", "5.7.1");
    return action_discard();
}


I want to be able to add a line in the (lookup_subject) function (something
like addline to /etc/mail/blacklist "$Sender REJECT") to be able to add a
line to my blacklist.db file (which is very similar to the (lookup_subjects)
function).  But I do not know Perl well enough to know how to complete this
task.  Does anybody know how to add a line to a file in this case?

 
Attached is the (lookup_subjects) function:

use DB_File;   # tie() the Berkeley DB hash file
use Fcntl;     # O_RDONLY

my $DBFilenameSUBS = "/etc/mail/subjects.db";

sub lookup_subject {
    # convert incoming subject to lower-case ($Subject is set by MIMEDefang)
    my $lc_subject = lc($Subject);
    my $subject_result = 0;

    my %GDB;
    if (tie(%GDB, 'DB_File', $DBFilenameSUBS, O_RDONLY)) {
        # remove white space from the middle so that
        # "free s t    u f f here" becomes "free s t u f f here"
        $lc_subject =~ s/(\s)\s+/$1/g;
        # next statement collapses "free s t u f f here" into "free stuff here"
        $lc_subject =~ s!((^|\s)\S\s(\S(\s|$)){2,})!
            my $lc_subject_x = $1; $lc_subject_x =~ s/\s//g; "$lc_subject_x ";!ego;
        $lc_subject =~ s/^\s+//;  # Trim leading whitespace
        $lc_subject =~ s/\s+$//;  # Trim trailing whitespace
        $lc_subject =~ s/^re://;  # Trim leading "re:"
        $lc_subject =~ s/^fw://;  # Trim leading "fw:"
        $lc_subject =~ s/^fwd://; # Trim leading "fwd:"
        $lc_subject =~ s/\s+/./g; # Collapse whitespace into periods

        # Scan database for a complete match (only)
        if ($GDB{$lc_subject}) {
            $subject_result = 1;
            md_graphdefang_log("Subject_Line", "Subject-line found in subjects.db");
        } else {
            # See if any one word in the subject appears as a record
            my @subject_array = split(/\./, $lc_subject);
            foreach my $subject_word (@subject_array) {
                if ($GDB{$subject_word}) {
                    $subject_result = 1;
                    md_graphdefang_log("Subject_Word",
                        "Subject-word \"$subject_word\" found in subjects.db");
                    last;
                }
            }
        }
        if (!$subject_result) {
            # here we reverse the logic... see if any record in the database
            # is found as a substring in the subject.  if a record contains
            # "free.stuff" and the subject says "get your free stuff here",
            # then flag it as a hit.
            foreach my $subject_record (keys %GDB) {
                if ($lc_subject =~ m/(^|\.)\Q$subject_record\E($|\.)/) {
                    $subject_result = 1;
                    md_graphdefang_log("Subject_Substring",
                        "Subject-substring \"$subject_record\" found in subject line");
                    last;
                }
            }
        }
        untie %GDB;
    } else {
        md_syslog('warning', "subject: Cannot open file $DBFilenameSUBS");
    }
    return $subject_result;
}
#############################


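One way to do what the quoted post asks for, as an added example rather than code from the post or from MIMEDefang itself: add the envelope sender to blacklist.db from the forbidden-subject branch. It assumes blacklist.db is a DB_File hash keyed on the lower-cased address with the value "REJECT" (the same layout as subjects.db), that the user mimedefang runs as can write it, and the lock-file path is an assumption too. Because $Sender is the envelope sender, which spam routinely forges, every entry blocks whatever address the spammer chose, so keep the database easy to review and prune.

```perl
use strict;
use warnings;
use DB_File;
use Fcntl qw(:DEFAULT :flock);

# Assumed paths: blacklist.db next to subjects.db, plus a lock file so
# concurrent MIMEDefang slaves do not corrupt the database.  Both must be
# writable by the user mimedefang runs as (normally "defang").
my $DBFilenameBL = "/etc/mail/blacklist.db";
my $LockFileBL   = "$DBFilenameBL.lock";

# MIMEDefang's $Sender carries angle brackets: "<User@Example.COM>" becomes
# "user@example.com" so lookups are case-insensitive.
sub normalize_sender {
    my ($addr) = @_;
    $addr = "" unless defined $addr;
    $addr =~ s/^\s*<//;
    $addr =~ s/>\s*$//;
    return lc $addr;
}

# Returns 1 if the address was added, 0 if it was already listed or is not
# usable (null sender, no "@"), and -1 if the database could not be opened.
sub add_sender_to_blacklist {
    my ($raw) = @_;
    my $addr = normalize_sender($raw);
    return 0 if $addr !~ /^[^\@\s]+\@[^\@\s]+$/;

    open(my $lock, ">>", $LockFileBL) or return -1;
    flock($lock, LOCK_EX) or do { close $lock; return -1 };

    my %BL;
    my $result;
    if (tie(%BL, 'DB_File', $DBFilenameBL, O_RDWR | O_CREAT, 0644)) {
        if (exists $BL{$addr}) {
            $result = 0;
        } else {
            $BL{$addr} = "REJECT";   # value the blacklist lookup is assumed to expect
            $result = 1;
            md_syslog('info', "blacklist: added $addr after forbidden-subject hit");
        }
        untie %BL;
    } else {
        md_syslog('warning', "blacklist: cannot open $DBFilenameBL");
        $result = -1;
    }
    flock($lock, LOCK_UN);
    close $lock;
    return $result;
}

# Wiring into the posted reject branch:
#   if (lookup_subject() && $auto_whitelist < 1) {
#       add_sender_to_blacklist($Sender);
#       ... then the existing action_bounce()/action_discard() lines ...
#   }
```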


------------------------------



End of MIMEDefang Digest, Vol 24, Issue 9
*****************************************



