[Mimedefang] $RelayHostname not matching sendmail's Received header?
John Rudd
john at rudd.cc
Sun Dec 10 09:15:19 EST 2006
David F. Skoll wrote:
> John Rudd wrote:
>
>> I'm thinking about having Botnet let through hosts with valid SPF.
>
> spammer.com. 1d IN TXT "v=spf1 all"
>
You're right, I couldn't just look at whether it's an SPF pass, it would have
to be an SPF record that specifically mentions the host. That check is
a bit more complex, but it could be done. I would probably want to do a
DNS lookup on the mail domain for the TXT record, instead of doing an
actual SPF check (such as via Mail::SPF::Query). So my exemptions might
look like:
a) exempt if the sender's mail domain resolves to IP addrs that include $ip
b) exempt if a TXT record for the sender's mail domain matches:
/^v=spf.*\sa:(\Q$hostname\E|\Q$ip\E)(?:\s|$)/i
c) exempt if the sender's mail domain's MX records include a hostname
that matches $hostname, or a hostname that resolves to $ip.
So, the SPF record has to explicitly mention the host for me to exempt
it. A SOHO type mail server can/will probably accommodate that
requirement. A large mail domain probably won't, but probably either
won't look like a botnet, or can be handled via my other exemption
mechanisms. A botnet that uses a throw-away mail domain will probably
not be able to stuff every one of its hosts into SPF records. Though,
depending upon the TTL, they might be able to play a bit of whack-a-mole
with a record that moves rapidly among different zombies that are not
simultaneously active. It wouldn't be the same kind of botnet, but it
could work.
So, then, I guess the question is:
Checks (a) and (c) alone don't work if the mail domain uses separate
inbound and outbound mail servers (which is why I was going to add the
SPF check: in an ideal world, that would tell me the domain's outbound
mail servers). But, this exemption is aimed at helping SOHO type mail
servers. Is a SOHO mail server likely to have separate inbound and
outbound mail servers? If I tell them "include your outbound mail
servers in your MX records", is that going to be workable for them?
(and this assumes that the sender domain itself doesn't look like a botnet)
So, the code for the BOTNET_SOHO exemption subroutine starts to look like:
    If ( (sender's mail domain doesn't resolve) ||
         (sender's mail domain contains parts of its own IP addr) ||
         (sender's mail domain contains client words) )
    Then return 0

    If (sender's mail domain resolves to $ip)
    Then return 1

    If ( (config option for checking MX records for SOHO exemption is on) &&
         (any of sender's mail domain's MX record hosts resolve to $ip) )
    Then return 1

    return 0
And then the BOTNET metarule logic is:
(BOTNET_NORDNS || BOTNET_BADDNS || BOTNET_CLIENT) && !BOTNET_SOHO
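The following is an added worked example of the BOTNET_SOHO exemption and the metarule sketched in the message above; it is not code from MIMEDefang or from the Botnet plugin. It is written in Python rather than the filter's Perl so it can run offline: DNS is replaced by a constructed zone table (FAKE_DNS), the client-word list and the "contains parts of its own IP addr" test are assumed definitions, and exemption (b), the SPF a: mechanism regex from earlier in the message, is included behind a check_spf switch so the separate-outbound-server case can be compared with and without it.

```python
"""Added example: the BOTNET_SOHO exemption and BOTNET metarule from the thread.

Not Botnet/MIMEDefang code. DNS is a constructed in-memory fixture so the
example runs offline; replace lookup() with a real resolver to use it.
"""
import re
from typing import Dict, List, Tuple

# Constructed zone data for the example (not real DNS). Keys are (name, rrtype).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    # SOHO domain: web host on one address, inbound MX on another,
    # outbound relay on a third, with an SPF record that names the relay.
    ("soho.example", "A"): ["192.0.2.80"],
    ("soho.example", "MX"): ["mail.soho.example"],
    ("mail.soho.example", "A"): ["192.0.2.10"],
    ("smtp-out.soho.example", "A"): ["192.0.2.11"],
    ("soho.example", "TXT"): ["v=spf1 mx a:smtp-out.soho.example -all"],
    # Throw-away spam domain with the catch-all SPF record quoted in the thread.
    ("spammer.example", "A"): ["203.0.113.9"],
    ("spammer.example", "TXT"): ["v=spf1 all"],
    # Sender domain that embeds the client's own address and a client-type word.
    ("203-0-113-77.dsl.example", "A"): ["203.0.113.77"],
}

# Assumed client-hostname words (not Botnet's actual list).
CLIENT_WORDS = frozenset(["dsl", "dhcp", "dyn", "cable", "ppp", "pool", "dialup"])


def lookup(name: str, rrtype: str, dns=FAKE_DNS) -> List[str]:
    """Resolve name/rrtype against the fixture; an empty list means no answer."""
    return dns.get((name.lower().rstrip("."), rrtype.upper()), [])


def _tokens(domain: str) -> List[str]:
    return [t for t in re.split(r"[.\-_]", domain.lower()) if t]


def contains_ip_parts(domain: str, ip: str) -> bool:
    """Assumed definition: two or more tokens of the domain are octets of ip."""
    octets = set(ip.split("."))
    return sum(1 for t in _tokens(domain) if t in octets) >= 2


def contains_client_words(domain: str) -> bool:
    return any(t in CLIENT_WORDS for t in _tokens(domain))


def spf_mentions_host(domain: str, ip: str, hostname: str, dns=FAKE_DNS) -> bool:
    """Exemption (b): an SPF TXT record whose a: mechanism names this relay.

    This is the thread's regex with the host and IP quoted, not a full SPF
    evaluation, so "v=spf1 all" deliberately does not match.
    """
    alts = [re.escape(x) for x in (hostname, ip) if x]
    if not alts:
        return False
    pat = re.compile(r"^v=spf1\b.*\sa:(?:%s)(?:\s|$)" % "|".join(alts), re.I)
    return any(pat.search(txt) for txt in lookup(domain, "TXT", dns))


def botnet_soho(domain: str, ip: str, hostname: str = "", dns=FAKE_DNS,
                check_mx: bool = True, check_spf: bool = False) -> int:
    """BOTNET_SOHO: 1 if the sender's mail domain vouches for the relay ip."""
    # A sender domain that itself looks like a botnet client never exempts.
    if (not lookup(domain, "A", dns)
            or contains_ip_parts(domain, ip)
            or contains_client_words(domain)):
        return 0
    # (a) the domain's own A records include the relay.
    if ip in lookup(domain, "A", dns):
        return 1
    # (c) config option: any MX host of the domain resolves to the relay.
    if check_mx and any(ip in lookup(mx, "A", dns) for mx in lookup(domain, "MX", dns)):
        return 1
    # (b) optional: the domain's SPF record names the relay explicitly.
    if check_spf and spf_mentions_host(domain, ip, hostname, dns):
        return 1
    return 0


def botnet_metarule(nordns: bool, baddns: bool, client: bool,
                    domain: str, ip: str, hostname: str = "", **opts) -> bool:
    """(BOTNET_NORDNS || BOTNET_BADDNS || BOTNET_CLIENT) && !BOTNET_SOHO"""
    return (nordns or baddns or client) and not botnet_soho(domain, ip, hostname, **opts)


if __name__ == "__main__":
    # Outbound relay not in A or MX: exempt only once the SPF a: check is on.
    print(botnet_soho("soho.example", "192.0.2.11"))
    print(botnet_soho("soho.example", "192.0.2.11", "smtp-out.soho.example", check_spf=True))
    # Catch-all SPF record does not name the zombie, so no exemption.
    print(botnet_metarule(True, False, False, "spammer.example", "203.0.113.50", check_spf=True))
```

The MX check is what rescues a SOHO domain whose web host and mail host differ; the separate outbound relay in the fixture is the case the message worries about, and it only passes when the SPF record names that relay explicitly.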