[Mimedefang] mimedefang filter sender using filter_sender

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Mon Jan 20 02:36:33 EST 2014


On Sat, 18 Jan 2014, Prabin Acharya wrote:

> My mailserver has been compromised.

> The scenario is: bogus users are using mailing address of my company
> and sending spam messages.

Do you refer to this scenario as "My mailserver has been compromised"? Or 
is there some other problem as well?

> My mimedefang filter has included my workplace mail domain as safe
> sender. However some spam mails are such that sender fakes my
> workplace domain too.

IMHO, you should drop this whitelisting of domains. Your suggested 
filter_sender is a step in that direction.

> I'm thinking of using thing like below:
> by using filter_sender, I'd check on legitimate email
> addresses that are allowed to pass through my mailserver. If the
> sender address contains my domain, check for ip address of the sender,
> if ip address belongs to my internal network pass it on, if not drop
> the mail.

I'd add: pass it along, too, if the sender is authenticated!

However, if your mail server is compromised and someone is sending SPAM 
from your mail server, this won't help to stop it.
However #2: if someone is sending SPAM outside your server and those 
messages bounce, you get the bounces still.

So this change does not help with either of your problems. You could look 
into SPF or BATV.

> My filter_sender is as follows:
> sub filter_sender(){
> my($sender, $ip, $hostname, $helo)=@_;

> $rg='.*?(@)(pmail\\.com.np)';
> $iprg='(10)(\\.)(59)(\\.)(\\d+)(\\.)(\\d+)';

Is there a reason for all the ()'s? You should anchor $rg to the end of 
the string, probably with: \.com\.np\.?$ The .*? is not necessary then as 

You should anchor $iprg to the beginning of the string, the \d+\.\d+ is 
not necessary, unless you want to process the numbers further.

> if($sender=~ m/$rg/is){
> if($ip =~ m/$iprg/is){

Why do you use variables? This drops performance. Write the strings here 
or use qr// in the assignment of the variables.

-- 
Steffen Kaiser
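As an added example (not code from the original thread), here is what the filter_sender sketched above looks like with the reply's advice applied: anchored, precompiled qr// patterns, a real network check for the internal range, and an exception for authenticated senders. It assumes the domain pmail.com.np and the 10.59.x.x range from the post (taken as 10.59.0.0/16), and that sendmail passes the {auth_authen} macro to the milter so that %SendmailMacros reflects SMTP AUTH.

```perl
use strict;
use warnings;

# Anchored, precompiled pattern (qr//) for our own domain, including
# subdomains. MIMEDefang hands filter_sender the envelope sender as given
# in MAIL FROM, usually with angle brackets, so allow an optional '>' and a
# trailing dot; literal dots are escaped. Assumed domain: pmail.com.np.
my $OurDomain = qr/\@(?:[\w-]+\.)*pmail\.com\.np\.?>?$/i;

# Assumed internal network (from the poster's 10.59.x.x): 10.59.0.0/16.
my $InternalNet  = '10.59.0.0';
my $InternalBits = 16;

# True if the IPv4 address $ip lies inside $InternalNet/$InternalBits.
# Non-IPv4 input (e.g. "IPv6:..." as passed by MIMEDefang) is treated as
# external, so IPv6-only internal hosts would need their own rule.
sub is_internal_ip {
    my ($ip) = @_;
    return 0 unless $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @octets = ($1, $2, $3, $4);
    return 0 if grep { $_ > 255 } @octets;
    my $addr = unpack('N', pack('C4', @octets));
    my $net  = unpack('N', pack('C4', split /\./, $InternalNet));
    my $mask = (0xFFFFFFFF << (32 - $InternalBits)) & 0xFFFFFFFF;
    return (($addr & $mask) == ($net & $mask)) ? 1 : 0;
}

sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;

    # Only envelope senders that claim our domain are subject to the check.
    return ('CONTINUE', 'ok') unless $sender =~ $OurDomain;

    # Authenticated submissions (SMTP AUTH succeeded) may come from anywhere.
    return ('CONTINUE', 'ok')
        if defined $SendmailMacros{auth_authen}
        && length $SendmailMacros{auth_authen};

    # Unauthenticated use of our domain is only allowed from inside.
    return ('CONTINUE', 'ok') if is_internal_ip($ip);

    # Everything else is a forged sender: refuse it at MAIL FROM and log it.
    md_syslog('warning', "rejecting forged sender $sender from $ip");
    return ('REJECT', "Sender $sender is not permitted from $ip");
}
```

As the reply points out, this only stops forged MAIL FROM on connections to your own server; spam sent from elsewhere with your domain (and the bounces it generates) needs SPF or BATV, and a compromised account would pass the authentication exception.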