[Mimedefang] Including archetypal filters to include in release?

Kevin A. McGrail kmcgrail at pccc.com
Tue Jan 10 21:19:28 EST 2006


Philip:

Some follow-up on your work because it mimics a lot of mine (and much of 
that work was helped greatly by Joseph Brennan, Les Mikesell, Mark Damrose, 
Matthew van Eerde and Jan Pieter Cornet).

A) localhost tests will fail for people using Norton AntiVirus.
B) all/many Windows hosts will use HELOs that do not include dots.  They 
simply supply the machine's Windows network name.

Because of A & B and at Joseph's recommendation, you have to do an 
"is_authorized_user" test and avoid the tests on those.  You mention that 
below but perhaps I missed the logic in your attached file.

Second, I've worked on a test for valid_mx's that might be a better place to 
start.  I didn't see the necessity to use Net::CIDR::Lite for the tests: 
http://www.peregrinehw.com/downloads/MIMEDefang/contrib/check_mx_stub.pl. 
Perhaps you are going in a different direction but it might be of interest.

I am not sure your [$hostip] vs $helo test with brackets will work.  I've 
seen too many firewalled servers give answers that break this.

Here's the filter_sender I've been working on for quite a while now:

sub filter_sender {
  my ($sender, $ip, $hostname, $helo) = @_;
  my ($rv, $reason);
  #md_syslog('warning', "Testing $sender, $ip, $hostname, $helo");

  # is_authorized_sender() and check_valid_mx() are defined elsewhere in
  # the filter; $RelayAddr is MIMEDefang's connecting-relay address.
  # Authenticated/local sessions skip every HELO test (points A and B).
  if (is_authorized_sender($sender, $RelayAddr)) {
    return ('CONTINUE', "ok");
  }

  # The null sender (bounces) has no domain to look up.
  if ($sender ne '<>') {
    ($rv, $reason) = check_valid_mx($sender);
    unless ($rv) {
      md_syslog('warning', "Rejecting $sender - Invalid MX: $reason.");
      return ('REJECT', "Sorry; $sender has an invalid MX record: $reason.");
    }
  }

  # HELO claims localhost but the connection is not from loopback.
  if ($helo =~ /^\[?(localhost|127\.0\.0\.1)\]?$/i && $ip ne '127.0.0.1') {
    md_syslog('warning', "Rejecting $sender because $helo ($ip) is invalid localhost.");
    return('REJECT', "Rejecting $sender because $ip is not localhost.");
  }

  # HELO claims one of our own MX names or aliases from outside our network.
  # Both bracketed parts are placeholders to fill in for your site.
  if ($helo =~ /^([mx record names and machine aliases here separated by pipes])$/i
      and ($ip !~ /[your localnetwork such as 209\.225\.49\.\d{1,3}]/
           and $ip ne '127.0.0.1')) {
    md_syslog('warning', "Rejecting $sender because $helo ($ip) is invalidly trying to use our machine or MX name.");
    return('REJECT', "$ip / $helo is not valid.");
  }

  # HELO is an address literal inside our network, but the peer is not.
  if ($helo =~ /^\[?209\.225\.49\.\d{1,3}\]?$/ && $ip !~ /209\.225\.49\.\d{1,3}/) {
    md_syslog('warning', "Rejecting $sender because $ip is not authorized to use helo of $helo.");
    return('REJECT', "Rejecting $sender because $ip is not $helo.");
  }

  if ($helo =~ /^friend$/) {
    md_syslog('warning', "Rejecting $sender because invalid helo of $helo.");
    return('REJECT', "$helo is not valid.");
  }

  # Parenthesised so the loopback exemption covers both conditions
  # (a bare 'or' binds looser than '&&').
  if ((length($helo) < 3 or $helo !~ /\./) && $ip ne '127.0.0.1') {
    #NOT YET IMPLEMENTED
    md_syslog('warning', "Considering Rejecting $sender because $helo ($ip) is too short or has no periods.");
    #return('REJECT', "Rejecting $sender because $helo ($ip) is invalid.");
  }

  return ('CONTINUE', "ok");
}

I'm interested in the answer about the reverse DNS as well, BTW.

Regards,
KAM

> I've attached what I've got now in place.  Next I'll try to integrate
> Net::CIDR.
>
> BTW:  In the case where there is no rDNS for an incoming connection...
> what would be the approximate false positive rate be if we were to refuse
> those connections (unless of course they were authenticated or local)?
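As an added illustration of the HELO checks discussed in this thread (this is editor-supplied example code, not KAM's filter or anything from the MIMEDefang project), the same tests pulled out into a standalone function that can be exercised outside MIMEDefang. The host names, the 192.0.2.0/24 "our network" regex and the sample sessions are constructed placeholders; the third argument stands in for the is_authorized_sender() result, so authenticated and relay sessions skip every test, which is what keeps Norton-proxied localhost HELOs (point A) and dotless Windows machine names (point B) from being rejected.

```perl
#!/usr/bin/perl
# Added example: HELO sanity checks as a standalone, testable function.
# All names, networks and sample sessions below are constructed placeholders.
use strict;
use warnings;

# Names a remote peer must never claim in HELO: our MX hosts and aliases.
my @OUR_NAMES = qw(mx1.example.com mx2.example.com mail.example.com);

# Our own network, as an anchored regex on a dotted-quad IP (placeholder).
my $OUR_NET = qr/^192\.0\.2\.\d{1,3}$/;

# check_helo($helo, $ip, $authorized)
# Returns ('CONTINUE', reason) or ('REJECT', reason).
# $authorized is true for SMTP-authenticated or relay sessions; those skip
# every test (points A and B in the discussion).
sub check_helo {
    my ($helo, $ip, $authorized) = @_;
    my $is_loopback = ($ip eq '127.0.0.1');

    return ('CONTINUE', 'authorized session') if $authorized;

    # 1. HELO claims localhost but the connection is not from loopback.
    if ($helo =~ /^\[?(?:localhost|127\.0\.0\.1)\]?$/i && !$is_loopback) {
        return ('REJECT', "$ip is not localhost");
    }

    # 2. HELO claims one of our own names from outside our network.
    my $names = join '|', map { quotemeta } @OUR_NAMES;
    if ($helo =~ /^(?:$names)$/i && $ip !~ $OUR_NET && !$is_loopback) {
        return ('REJECT', "$ip may not use our MX name $helo");
    }

    # 3. HELO is an address literal inside our network, from outside it.
    #    A foreign literal that merely differs from the peer IP is left
    #    alone: firewalled/NATed senders produce such mismatches routinely.
    if ($helo =~ /^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$/) {
        my $literal = $1;
        if ($literal =~ $OUR_NET && $ip !~ $OUR_NET) {
            return ('REJECT', "$ip is not $helo");
        }
    }

    # 4. Known-bad fixed string.
    if ($helo =~ /^friend$/i) {
        return ('REJECT', "$helo is not a valid HELO");
    }

    # 5. Too short or dotless: log only, as the filter in the thread does.
    #    The loopback exemption covers both conditions.
    if ((length($helo) < 3 || $helo !~ /\./) && !$is_loopback) {
        return ('CONTINUE', "suspicious HELO $helo (logged only)");
    }

    return ('CONTINUE', 'ok');
}

# Constructed sample sessions: [helo, ip, authorized].
my @samples = (
    ['localhost',        '203.0.113.5', 0],   # REJECT, test 1
    ['mx1.example.com',  '203.0.113.5', 0],   # REJECT, test 2
    ['[192.0.2.10]',     '203.0.113.5', 0],   # REJECT, test 3
    ['[192.0.2.10]',     '192.0.2.10',  0],   # CONTINUE, literal matches net
    ['friend',           '203.0.113.5', 0],   # REJECT, test 4
    ['WORKSTATION7',     '203.0.113.5', 1],   # CONTINUE, authorized
    ['WORKSTATION7',     '203.0.113.5', 0],   # CONTINUE, logged only
    ['smtp.example.net', '203.0.113.5', 0],   # CONTINUE, ok
);
for my $s (@samples) {
    my ($rv, $why) = check_helo(@$s);
    printf "%-18s %-13s auth=%d => %-8s %s\n", @$s, $rv, $why;
}
```

Keeping the site-specific names and network in two variables at the top, rather than inside the regexes, makes the placeholders obvious and lets the same function be unit-tested with a different network before it goes into mimedefang-filter.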