[Mimedefang] Rejecting forged senders - comments?

alan premselaar alien at 12inch.com
Wed Sep 20 02:28:47 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cormack, Ken wrote:
> I'd like to see if anyone has any comments on an idea to block spam from
> forged senders who claim my domain in the sender address.  I'm assuming
> something like this could (or should?) be done for both the SMTP "MAIL
> FROM:" and the "From:" in the header.
> 
> If my domains are @domain1, @domain2, and @domain3, and the IPs that I
> EXPECT to relay me mail with my domains in the SMTP FROM line are accounted
> for, would anyone expect problems with something like the following?
> 
> Let's say I have this function, to accommodate my known IPs...
> 
> sub Relayed_FromME() {
>     if ($RelayAddr eq "127.0.0.1" || $RelayAddr eq "1.2.3.4" || $RelayAddr =~ /10.0.0/) {
>         return 1;
>     }
>     return 0;
> }
> 
> 
> ...And that I put this in filter_sender()...
> 
>     # If not relayed from an IP address that I EXPECT
>     # my domains to be relaying from...
>     if (!Relayed_FromME()) {
>         if ($sender =~ /@([^>]+)/) {
>             my $domain = $1;
>             # ...yet the claimed domain in the sender's
>             # SMTP address is one of mine...
>             if ($domain =~ /domain1/i
>                 || $domain =~ /domain2/i
>                 || $domain =~ /domain3/i) {
>                 # log it...
>                 md_syslog 'info', "$QueueID: Forged_Sender_SMTP: Sender SMTP address claims to be from $domain, but $ip not an expected source for $domain senders.";
>                 # and reject it (double quotes, so $domain and $ip interpolate)...
>                 return ('REJECT', "Sender SMTP address claims to be from $domain, but $ip not an expected source for $domain senders.");
>             }
>         }
>     }
> 
> Does anyone see any problems?
> 
> Ken


Ken,

  If you use this machine for both incoming and outgoing mail *AND* you
have any remote users then you'll likely start rejecting mail from those
remote users.  It might be more prudent (if possible) to implement SMTP
AUTH checks in conjunction with these checks. (i.e. if the user claims
to be from your domain but isn't authenticated, reject)

Also, you'll want to escape the @ in your tests to avoid any unexpected
results.

You should probably make your relay test look like "$RelayAddr =~
/^10\.0\.0/" as well (to anchor it to the beginning of the line) just to
make sure it doesn't match on some funky relay address (although it
shouldn't).

You may also want to put in some SPF tests in your filter and set up SPF
records for your domains (if possible).  That may make it a little
easier to administrate in the future.


Other than that, I don't see anything jumping out at me.

HTH

Alan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFEN9IE2gsBSKjZHQRAsOzAKCBoQTJPQVFdBP34enYiz5Ali95ywCfWqIE
uX16D439e2pDEi6/5C4hs0g=
=FkwS
-----END PGP SIGNATURE-----
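The following is an added example, not code from either post, that puts the thread's suggestions together: anchored relay patterns, an escaped `@` in the sender regex, exact (case-insensitive) matching of the domain part, and an SMTP AUTH exemption so authenticated roaming users are not rejected. The domains and relay addresses are placeholders. It assumes MIMEDefang's usual filter_sender arguments ($sender, $ip, $hostname, $helo) and that sendmail exports the {auth_authen} macro at the envfrom stage so that $SendmailMacros{auth_authen} is populated; the check itself is a plain function with a constructed test driver so it can be run outside mimedefang.pl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Domains we own (placeholders), keyed lower-case for exact matching of the
# whole domain part. Unlike /domain1/i this does not match "notdomain1.example";
# subdomains you also send from must be listed (or matched with /\.domain1\.example$/).
my %MY_DOMAINS = map { $_ => 1 } qw(domain1.example domain2.example domain3.example);

# Relays allowed to use our domains in MAIL FROM (placeholders). Every pattern is
# anchored: an unanchored /10.0.0/ would also accept 110.0.0.5 or 10.0.0x.y.
my @TRUSTED_RELAYS = (
    qr/^127\.0\.0\.1$/,
    qr/^1\.2\.3\.4$/,
    qr/^10\.0\.0\.\d{1,3}$/,
);

sub relayed_from_me {
    my ($relay_addr) = @_;
    for my $re (@TRUSTED_RELAYS) {
        return 1 if $relay_addr =~ $re;
    }
    return 0;
}

# Domain part of an envelope sender such as '<user@Domain1.EXAMPLE>' (MIMEDefang
# passes the angle brackets through). The null sender '<>' yields undef, so
# bounces are never rejected here. Note the escaped \@ in the pattern.
sub sender_domain {
    my ($sender) = @_;
    return unless defined $sender;
    return lc $1 if $sender =~ /\@([^>\s]+)>?\s*$/;
    return;
}

# Returns the (action, message) pair filter_sender expects.
# $auth_authen is the authenticated user name, or undef if the client did not
# authenticate; an authenticated remote user is allowed to claim our domain.
sub check_forged_sender {
    my ($relay_addr, $sender, $auth_authen) = @_;
    my $domain = sender_domain($sender);
    return ('CONTINUE', 'sender domain is not ours')
        unless defined $domain && $MY_DOMAINS{$domain};
    return ('CONTINUE', 'trusted relay') if relayed_from_me($relay_addr);
    return ('CONTINUE', "authenticated as $auth_authen")
        if defined $auth_authen && length $auth_authen;
    return ('REJECT', "Sender $sender claims $domain, but $relay_addr is not an "
                    . "expected source for $domain and did not authenticate");
}

# Wiring into mimedefang-filter (assumed, shown as a comment so this file also
# runs stand-alone):
#
# sub filter_sender {
#     my ($sender, $ip, $hostname, $helo) = @_;
#     my ($action, $why) =
#         check_forged_sender($ip, $sender, $SendmailMacros{auth_authen});
#     md_syslog('info', "$QueueID: Forged_Sender_SMTP: $why") if $action eq 'REJECT';
#     return ($action, $why);
# }

# Constructed sample cases, not real traffic: [relay IP, MAIL FROM, auth_authen].
my @cases = (
    ['10.0.0.25',    '<bob@domain1.example>',    undef],  # CONTINUE: trusted relay
    ['198.51.100.7', '<bob@domain1.example>',    'bob' ], # CONTINUE: SMTP AUTH
    ['198.51.100.7', '<bob@Domain2.Example>',    undef],  # REJECT: forged, no auth
    ['110.0.0.5',    '<bob@domain3.example>',    undef],  # REJECT: anchoring matters
    ['198.51.100.7', '<eve@notdomain1.example>', undef],  # CONTINUE: not our domain
    ['198.51.100.7', '<>',                       undef],  # CONTINUE: null sender
);

for my $c (@cases) {
    my ($action, $why) = check_forged_sender(@{$c});
    printf "%-14s %-28s %-8s %s\n", $c->[0], $c->[1], $action, $why;
}
```

The ordering of the three early returns matters: the domain test runs first so that mail for other domains is never touched, the relay test second so that your own MTAs never need to authenticate, and the AUTH test last so that a roaming user's authenticated session is the only other way to claim your domain. As Alan notes, this covers the envelope sender only; the header From: is not visible in filter_sender and would need a separate check later in the filter.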