[Mimedefang] mimedefang filter sender using filter_sender

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Mon Jan 20 02:36:33 EST 2014


On Sat, 18 Jan 2014, Prabin Acharya wrote:

> My mailserver has been compromised.

> The scenario is: bogus users are using the mailing address of my company
> and sending spam messages.

Do you refer to this scenario as "My mailserver has been compromised"? Or 
is there some other problem as well?

> My mimedefang filter has included my workplace mail domain as safe
> sender. However some spam mails are such that sender fakes my
> workplace domain too.

IMHO, you should drop this whitelisting of domains. Your suggested 
filter_sender is a step in that direction.

> I'm thinking of using thing like below:
> by using filter_sender, I'd check on legitimate email
> addresses that are allowed to pass through my mailserver. If the
> sender address contains my domain, check for ip address of the sender,
> if ip address belongs to my internal network pass it on, if not drop
> the mail.

I'd add: pass it along, too, if the sender is authenticated!

However, if your mail server is compromised and someone is sending SPAM 
from your mail server, this won't help to stop it.
However #2: if someone is sending SPAM outside your server and those 
messages bounce, you get the bounces still.

So this change does not help with either of your problems. You could look 
into SPF or BATV.

> My filter_sender is as follows:
>
> sub filter_sender(){
> my($sender, $ip, $hostname, $helo)=@_;

> $rg='.*?(@)(pmail\\.com.np)';
> $iprg='(10)(\\.)(59)(\\.)(\\d+)(\\.)(\\d+)';

Is there a reason for all the ()'s? You should anchor $rg to the end of 
the string, probably with: \.com\.np\.?$ The .*? is not necessary then as 
well.

You should anchor $iprg to the beginning of the string, the \d+\.\d+ is 
not necessary, unless you want to process the numbers further.

> if($sender=~ m/$rg/is){
> if($ip =~ m/$iprg/is){

Why do you use variables? This drops performance. Write the strings here 
or use qr// in the assignment of the variables.

-- 
Steffen Kaiser
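An added example, not Steffen's or the original poster's code, of a filter_sender written along the lines of this reply: patterns compiled once with qr// and anchored at both ends, and authenticated senders passed through. It assumes the quoted domain pmail.com.np and network 10.59.0.0/16, that mimedefang runs with -s so filter_sender is called, and that sendmail exports the {auth_authen} macro to the milter at MAIL FROM time; the helper name local_sender_allowed is my own.

```perl
# Added example, not code from this thread.  Assumes the domain pmail.com.np
# and internal network 10.59.0.0/16 from the quoted post, mimedefang started
# with -s, and sendmail passing {auth_authen} to the milter at MAIL FROM.

# Compile the patterns once with qr// and anchor them at both ends.
my $own_domain_re  = qr/\@pmail\.com\.np\.?$/i;       # address ends in our domain
my $internal_ip_re = qr/^10\.59\.\d{1,3}\.\d{1,3}$/;  # 10.59.0.0/16

# Pure decision function (hypothetical helper name), kept apart from the
# callback so it can be exercised on its own.  Returns 1 to pass, 0 to reject.
sub local_sender_allowed {
    my ($sender, $ip, $auth_user) = @_;

    # MIMEDefang hands over the MAIL FROM argument including angle brackets.
    (my $addr = $sender) =~ s/^<(.*)>$/$1/;

    # Addresses in other domains are not this check's business.
    return 1 unless $addr =~ $own_domain_re;

    # Authenticated submission may use our domain from anywhere.
    return 1 if defined $auth_user && length $auth_user;

    # Unauthenticated use of our domain is only allowed from inside.
    return 1 if $ip =~ $internal_ip_re;

    return 0;
}

sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;

    # Set by sendmail only after a successful SMTP AUTH; empty otherwise.
    my $auth_user = $SendmailMacros{'auth_authen'};

    return ('CONTINUE', 'ok')
        if local_sender_allowed($sender, $ip, $auth_user);

    md_syslog('warning', "rejecting unauthenticated use of local domain: "
                       . "sender=$sender ip=$ip helo=$helo");
    return ('REJECT', "Sender $sender not permitted from $ip");
}
```

As the reply notes, this only stops unauthenticated outsiders from handing your server mail claiming your domain; it does nothing about spam already leaving a compromised host or about bounces from forgeries sent elsewhere.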