[Mimedefang] $RelayHostname not matching sendmail's Received header?

John Rudd john at rudd.cc
Sun Dec 10 09:15:19 EST 2006


David F. Skoll wrote:
> John Rudd wrote:
> 
>> I'm thinking about having Botnet let through hosts with valid SPF.
> 
> spammer.com.   1d    IN	    TXT	   "v=spf1 all"
> 

You're right, I couldn't just look at if it's an SPF pass, it would have 
to be an SPF record that specifically mentions the host.  That check is 
a bit more complex, but it could be done.  I would probably want to do a 
DNS lookup on the mail domain for the TXT record, instead of doing an 
actual SPF check (such as via Mail::SPF::Query).  So my exemptions might 
look like:


a) exempt if the sender's mail domain resolves to IP addrs that include $ip

b) exempt if a TXT record for the sender's mail domain matches: 
/^v=spf.*\sa:($hostname|$ip)\s/i

c) exempt if the sender's mail domain's MX records include a hostname 
that matches $hostname, or a hostname that resolves to $ip.



So, the SPF record has to explicitly mention the host for me to exempt 
it.  A SOHO type mail server can/will probably accommodate that 
requirement.  A large mail domain probably won't, but probably either 
won't look like a botnet, or can be handled via my other exemption 
mechanisms.  A botnet that uses a throw-away mail domain will probably 
not be able to stuff every one of its hosts into SPF records.  Though, 
depending upon the TTL, they might be able to play a bit of whack-a-mole 
with a record that moves rapidly among different zombies that are not 
simultaneously active.  It wouldn't be the same kind of botnet, but it 
could work.

So, then, I guess the question is:

Checks (a) and (c) alone don't work if the mail domain uses separate 
inbound and outbound mail servers (which is why I was going to add the 
SPF check: in an ideal world, that would tell me the domain's outbound 
mail servers).  But, this exemption is aimed at helping SOHO type mail 
servers.  Is a SOHO mail server likely to have separate inbound and 
outbound mail servers?  If I tell them "include your outbound mail 
servers in your MX records", is that going to be workable for them?

(and this assumes that the sender domain itself doesn't look like a botnet)

So, the code for the BOTNET_SOHO exemption subroutine starts to look like:

If ( (sender's mail domain doesn't resolve) ||
      (sender's mail domain contains parts of its own IP addr) ||
      (sender's mail domain contains client words) )
Then return 0

If (sender's mail domain resolves to $ip)
Then return 1

If ( (config option for checking MX records for SOHO exemption is on) &&
      (any of sender's mail domain's MX record hosts resolve to $ip) )
Then return 1

return 0


And then the BOTNET metarule logic is:
    (BOTNET_NORDNS || BOTNET_BADDNS || BOTNET_CLIENT) && !BOTNET_SOHO
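The exemption sketch and metarule above, as an added Python example that is not part of this post or of the Botnet plugin itself: it implements checks (a) and (c) from the sketch plus the SPF TXT check (b) behind a config flag, against a constructed DNS snapshot so it runs offline; the DNS data, lookup function and CLIENT_WORDS list are assumptions.

```python
import re
# Constructed DNS snapshot standing in for real A/MX/TXT lookups (assumption).
DNS = {
    ("example.net", "A"):          ["192.0.2.10"],
    ("example.net", "MX"):         ["mail.example.net"],
    ("example.net", "TXT"):        ["v=spf1 a:mail.example.net -all"],
    ("mail.example.net", "A"):     ["192.0.2.10"],
    ("spammer.example", "A"):      ["198.51.100.9"],
    ("spammer.example", "TXT"):    ["v=spf1 all"],          # the "pass for everyone" record
    ("bigcorp.example", "A"):      ["203.0.113.5"],
    ("bigcorp.example", "MX"):     ["mx.bigcorp.example"],
    ("mx.bigcorp.example", "A"):   ["203.0.113.6"],
}
# Hypothetical stand-in for Botnet's client-word list.
CLIENT_WORDS = ("dsl", "dialup", "dynamic", "cable", "pool")
def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def domain_looks_like_botnet(domain, ip):
    """NORDNS/BADDNS/CLIENT-style tests applied to the sender's mail domain."""
    if not lookup(domain, "A"):
        return True                                   # does not resolve
    labels = re.split(r"[.-]", domain.lower())
    if any(octet in labels for octet in ip.split(".")):
        return True                                   # embeds pieces of the client IP
    return any(word in domain.lower() for word in CLIENT_WORDS)

def spf_mentions_host(domain, hostname, ip):
    """Check (b): an SPF TXT record that names this host explicitly."""
    pat = re.compile(r"^v=spf.*\sa:(%s|%s)\s" % (re.escape(hostname), re.escape(ip)), re.I)
    return any(pat.search(txt) for txt in lookup(domain, "TXT"))

def botnet_soho_exempt(sender_domain, ip, hostname, check_mx=True, check_spf=False):
    """Return 1 if the sending host is exempt from the Botnet metarule, else 0."""
    if domain_looks_like_botnet(sender_domain, ip):
        return 0
    if ip in lookup(sender_domain, "A"):              # (a) domain resolves to $ip
        return 1
    if check_spf and spf_mentions_host(sender_domain, hostname, ip):   # (b)
        return 1
    if check_mx:                                      # (c) an MX host is $hostname / resolves to $ip
        for mx in lookup(sender_domain, "MX"):
            if mx.lower() == hostname.lower() or ip in lookup(mx, "A"):
                return 1
    return 0

def botnet_verdict(nordns, baddns, client, soho):
    """The metarule: (BOTNET_NORDNS || BOTNET_BADDNS || BOTNET_CLIENT) && !BOTNET_SOHO."""
    return (nordns or baddns or client) and not soho
```

With the snapshot above, the "v=spf1 all" domain is not exempted because its record names no host, and a domain whose outbound server is neither an A nor an MX target is not exempted either, which is exactly the separate-inbound/outbound case raised in the post.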





More information about the MIMEDefang mailing list