[Mimedefang] New SPAM how to identify/block
Joseph Brennan
brennan at columbia.edu
Wed Mar 29 15:14:37 EST 2006
> I guess my questions are:
> 1. Is there a mimedefang rule (or sendmail config option) that would
> detect that the Envelope and Header senders differ?
> 2. Are there "legitimate" reasons that these headers may differ (I
> don't want to trigger false positives).
It's OK if they differ, but you might want to reject if the header
From: has no @domain in it. That's never right.
This and some other interesting tests can be done by opening HEADERS,
which can be done a few ways, but one way is just:

    if (open(IN,"<./HEADERS")) {
        while(<IN>) {
            chomp;
            if (/^From: (.*)/i) { $from = $1; }
            # and other headers of interest...
        }
        # close only if the open succeeded
        close(IN);
    }

What we do is fix this for mail from our own users, and otherwise reject
the message. $good equals 1 if the sender used smtp auth or was on our
own webmail or shell login hosts. Sendmail already tested that the
envelope $Sender was fully qualified.

    # No @ in the From: line (fix it for local users)
    # We also test that there is at least one dot in the string after the @
    if ($from !~ /\@.*\./) {
        if ($good == 1) {
            md_graphdefang_log('modify',
                "Bad From $from changed to $Sender");
            action_change_header("From","$Sender");
        }
        else {
            md_graphdefang_log('bounce',
                "Unqualified From: $from",$RelayAddr);
            action_bounce("Unqualified From: header $from");
            return action_discard();
        }
    }

Joseph Brennan
Columbia University Information Technology
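
An added example, not part of the original post: a stand-alone Perl script for the From: check discussed above. It goes beyond the posted regex by unfolding continuation lines and testing only the address part, so a display name that contains "@" and a dot does not satisfy the test. The sub names and sample headers are constructed for illustration, and the address extraction is a simplification, not a full RFC 5322 parser.

```perl
#!/usr/bin/perl
# Added example (not from the original post). All sample headers are constructed.
use strict;
use warnings;

# Return the unfolded value of the first From: header, or undef if absent.
sub header_from {
    my ($fh) = @_;
    my $from;
    while (my $line = <$fh>) {
        $line =~ s/\r?\n\z//;
        if (defined $from) {
            last unless $line =~ /^[ \t]+(.*)/;  # next header: From: is complete
            $from .= " $1";                       # folded continuation line
        }
        elsif ($line =~ /^From:[ \t]*(.*)/i) {
            $from = $1;
        }
    }
    return $from;
}

# Address part: text inside the last <...>, else the value minus (comments).
sub addr_spec {
    my ($value) = @_;
    return $1 if $value =~ /.*<([^<>]*)>/;
    (my $bare = $value) =~ s/\([^()]*\)//g;
    $bare =~ s/^\s+|\s+$//g;
    return $bare;
}

# Same idea as the post: an @ followed by a domain with at least one dot.
sub is_qualified { return $_[0] =~ /\@[^\@\s]+\.[^\@\s]+\z/ ? 1 : 0 }

my @samples = (    # constructed header blocks, as they might appear in ./HEADERS
    "From: Joe User <joe\@example.com>\nSubject: a\n",
    "From: joe\nSubject: b\n",
    "From: \"Joe User\"\n <joe\@example.com>\nSubject: c\n",   # folded header
    "From: \"sales\@example.com\" <sales>\nSubject: d\n",      # @ only in name
    "Subject: e\n",                                            # no From: at all
);
for my $text (@samples) {
    open(my $fh, '<', \$text) or die "open: $!";
    my $from = header_from($fh);
    close($fh);
    my $addr = defined $from ? addr_spec($from) : '';
    printf "%-11s From=[%s] addr=[%s]\n",
        is_qualified($addr) ? 'qualified' : 'UNQUALIFIED', $from // '(none)', $addr;
}
```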