
Preventing forged From: headers (exim 3.36)
Hi,

I am getting a lot of spam recently that is making it to my mailing lists,
because the From: header is forged as coming from my domain, which is on
the mailing list's allowed whitelist of domains to accept mail to send to.

I have to have domain whitelists because many of the entries on the
mailing list are local exploders for each site, so for this list I can't
have specific entries, but people need to be able to post to the list from
a specific domain even though they are not subscribed to the list.

Problem is when a spam comes in:

From: some.list@lentil.org
To: some.list@lentil.org

The From: header is a permitted domain on the whitelist, so the spam goes
to the entire list.

Is there any way I can configure exim 3.36 only to accept mail "From:"
my local_domains ONLY from hosts permitted in host_accept_relay?

I.e. if somebody attempts to forge a message From my domain and it wasn't
generated locally, bin it?

I kinda think you should be able to do this using a filter, and at the
moment have specific recipients in there, but is there a more global way of
doing it?

Any help would be most appreciated.


Rob



--
Robert Lister - robl@lentil.org - http://www.lentil.org
Re: Preventing forged From: headers (exim 3.36)
On Tue, 25 Jun 2002, Robert Lister wrote:

> Is there any way I can configure exim 3.36 only to accept mail "From:"
> my local_domains ONLY from hosts permitted in host_accept_relay?


condition = \
${if and {{match{$h_from:}{my.domain}}{match{$sender_host_address}{10.0.0.1}}} {yes}{no}}

i'm actually too lazy to fight with the braces being placed correctly
(count here every syntactical and semantical aspect as well ;) but you
get the idea... *g*


Re: Preventing forged From: headers (exim 3.36)
I keep the entire message as quoting.
I have to say that what you are trying to do, and also TT- help, is
extremely dangerous.
You could do it on a list_by_list basis, if you know that messages
to the list can come only from the internal network (in that case you
could just make an IP check).
YOU CANNOT DO this for regular users.
Suppose two scenarios [very common ..]
Two of your users subscribe to a list, outside your domain, so every
message sent by one of them is sent to the other. So the list
processed message will come from outside, with a local From.
You cannot set an exception list, since you should know all
possible routings for any possible list.
This message would be bounced and some server (say yahoo, for
example) would just kick out the user generating bounces, through no
fault of his/her own, just due to your settings!!

On 25 Jun 2002, at 15:34, Robert Lister wrote:
>
> Hi,
>
> I am getting a lot of spam recently that is making it to my mailing
> lists, because the From: header is forged as coming from my domain,
> which is on the mailing list's allowed whitelist of domains to accept
> mail to send to.
>
> I have to have domain whitelists because many of the entries on the
> mailing list are local exploders for each site, so for this list I
> can't have specific entries, but people need to be able to post to the
> list from a specific domain even though they are not subscribed to the
> list.
>
> Problem is when a spam comes in:
>
> From: some.list@lentil.org
> To: some.list@lentil.org
>
> The From: header is a permitted domain on the whitelist, so the spam
> goes to the entire list.
>
> Is there any way I can configure exim 3.36 only to accept mail "From:"
> my local_domains ONLY from hosts permitted in host_accept_relay?
>
> I.e. if somebody attempts to forge a message From my domain and it
> wasn't generated locally, bin it?
>
> I kinda think you should be able to do this using a filter, and at the
> moment have specific recipients in there, but is there a more global
> way of doing it?
>
> Any help would be most appreciated.
>
>
> Rob
>
>
>
> --
> Robert Lister - robl@lentil.org -
> http://www.lentil.org
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/ ##
>


Leonardo Boselli
nucleo informatico e telematico
Dipartimento Ingegneria Civile
Universita` di Firenze
V. S. Marta 3 - I-50139 Firenze
tel +39()0554796431
cel +39 3488605348
fax +39()055495333
http://www.dicea.unifi.it/~leo
Re: Preventing forged From: headers (exim 3.36)
On Tue, Jun 25, 2002 at 05:18:34PM +0200, Leonardo Boselli wrote:
> I keep the entire message as quoting.
> I have to say that what you are trying to do, and also TT- help, is
> extremely dangerous.
> You could do it on a list_by_list basis, if you know that messages
> to the list can come only from the internal network (in that case you
> could just make an IP check).
> YOU CANNOT DO this for regular users.
> Suppose two scenarios [very common ..]
> Two of your users subscribe to a list, outside your domain, so every
> message sent by one of them is sent to the other. So the list
> processed message will come from outside, with a local From.
> You cannot set an exception list, since you should know all
> possible routings for any possible list.
> This message would be bounced and some server (say yahoo, for
> example) would just kick out the user generating bounces, through no
> fault of his/her own, just due to your settings!!

I don't really understand what you mean.

No users should send "from" my domain unless they were on a client from an
IP address authorized to do so, inside this network. period.

If they're outside my network, they shouldn't be sending me e-mail with my
own domain in the "From:" headers. I want a filter to pick this up and
throw it away (not reject it, but discard it, as the sender/From: header
is of course forged, and so the bounce message goes to the list, usually
quoting the spam.)

*sigh*


F*&^*&^*&ing spammers making life complicated!

This is clearly abuse of the system. So damned underhand. And the spammers
wonder why we get so annoyed with them.

The lists that live on this box are being abused by spammers who forge the
from: headers because our own domain is allowed to post to the lists, it
would seem, unconditionally, by our config.

For reasons too complicated to go into here, I have to have a whitelist of
domains rather than subscribe users to the list directly. (My lists are a
"lists of lists" with locally administered exploders, any of the people at
any of the sites subscribed to the exploder may wish to post to the list,
so to allow that, their entire domain must be on the whitelist of allowed
posters.)

This domain whitelist system has worked perfectly for years with no
problems whatsoever. Now the spammers have this trick, and somehow all my
list addresses have got on to a load of their spam lists.

The list software receives the e-mail with the forged sender/From: faked
(usually to the same address at the To: header). The From: header is on
the whitelist, and the spam gets re-distributed to the list, much to the
annoyance of my list subscribers!

Anybody got a global site config that says "if you're pretending to be
from this domain and you're not inside this network" then reject the SMTP
transaction." ??

Rob


--
Robert Lister - robl@lentil.org - http://www.lentil.org
Re: Preventing forged From: headers (exim 3.36)
> > YOU CANNOT DO this for regular users.
> > Suppose two scenarios [very common ..]
> > Two of your users subscribe to a list, outside your domain, so every
> > message sent by one of them is sent to the other. So the list
> > processed message will come from outside, with a local From.
> > You cannot set an exception list, since you should know all
> > possible routings for any possible list.
> > This message would be bounced and some server (say yahoo, for
> > example) would just kick out the user generating bounces, through no
> > fault of his/her own, just due to your settings!!
>
> I don't really understand what you mean.

Okay. I've read this again. What I think you mean is the possibility of a
list posting (aside from my own list problem.)

The original 'From:' header of that list posting will come back in for a
user who is subscribed to the same list at this site, and so it may reject
it on that basis.

Thanks. I see.

Damn.

But the "From " envelope header (as opposed to "From:") in the transaction
will presumably be from the owner address of the list, which we can allow
for I suppose.

But I only want to really apply it to things going to the lists, which
appear to be "from:" my domain but aren't from something in this network.


Rob



--
Robert Lister - robl@lentil.org - http://www.lentil.org
Re: Preventing forged From: headers (exim 3.36)
On Tue, 25 Jun 2002, Robert Lister wrote:

> On Tue, Jun 25, 2002 at 05:18:34PM +0200, Leonardo Boselli wrote:
> > I keep the entire message as quoting.
> > I have to say that what you are trying to do, and also TT- help, is
> > extremely dangerous.
> > You could do it on a list_by_list basis, if you know that messages
> > to the list can come only from the internal network (in that case you
> > could just make an IP check).
> > YOU CANNOT DO this for regular users.
> > Suppose two scenarios [very common ..]
> > Two of your users subscribe to a list, outside your domain, so every
> > message sent by one of them is sent to the other. So the list
> > processed message will come from outside, with a local From.
> > You cannot set an exception list, since you should know all
> > possible routings for any possible list.
> > This message would be bounced and some server (say yahoo, for
> > example) would just kick out the user generating bounces, through no
> > fault of his/her own, just due to your settings!!
>
> I don't really understand what you mean.
>
> No users should send "from" my domain unless they were on a client from an
> IP address authorized to do so, inside this network. period.
>
> If they're outside my network, they shouldn't be sending me e-mail with my
> own domain in the "From:" headers. I want a filter to pick this up and
> throw it away (not reject it, but discard it, as the sender/From: header
> is of course forged, and so the bounce message goes to the list, usually
> quoting the spam.)
>

Yes, but you are forgetting the case where one of your local users sends
a perfectly valid message, to an address on some 'other' system that has
a .forward that ends up directing the message back to an address on your
server. Then, this message, coming from this 'other' server,
legitimately has a From header (and envelope sender even), in your
domain.
Re: Preventing forged From: headers (exim 3.36)
> Yes, but you are forgetting the case where one of your local users sends
> a perfectly valid message, to an address on some 'other' system that has
> a .forward that ends up directing the message back to an address on your
> server. Then, this message, coming from this 'other' server,
> legitimately has a From header (and envelope sender even), in your
> domain.

Hmm. In our setup, the likelihood of that happening is virtually zero.
I'd deal with that on a case-by-case basis.

So I think what I want is:

1. For things going to selected list addresses (not all users)
2. Is the "From:" address from our domain?
3. If it is, is the IP address one that is internal to us?
4. If all these match, then send, if not, freeze it (or discard it)

So in fact I want something not to apply to regular users, just things
that are directed to the mailing lists. Which will not have any funny
forward files etc.

Rob



--
Robert Lister - robl@lentil.org - http://www.lentil.org
tel: 07973-815198
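The four-step rule above, modelled in Python as an added example (this is not code from the thread, from Exim, or from the poster's setup). It applies the check only to selected list recipients, inspects the From: header rather than the envelope sender, treats a local-domain From: arriving from a host outside the internal networks as forged, and resolves that case by silently discarding rather than bouncing, since a bounce would go to the forged address and hence to the list. The domain, list addresses, networks and sample messages are constructed for illustration; the loopback range stands in for SSH-tunnelled roaming clients, which the poster says arrive from localhost.

```python
"""Model of the list-only forged-From: policy discussed in the thread.

Added example, not the poster's or Exim's code. All site data below is
constructed: substitute real domains, list addresses and networks.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed site data (assumptions for this example only).
LOCAL_DOMAIN = "example.org"
LIST_ADDRESSES = {"some.list@example.org", "other.list@example.org"}
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),    # the site LAN
    ipaddress.ip_network("127.0.0.0/8"),   # SSH-tunnelled clients submit via localhost
]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an RFC 2822 address field, or ''."""
    _display, bare = parseaddr(header_value)
    return bare.rpartition("@")[2].lower()


def is_internal(host: str) -> bool:
    """Step 3: is the connecting host inside one of our networks?

    A value that is not an IP address (e.g. unknown) counts as external.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def decide(raw_message: str, envelope_to: str, sender_host: str) -> str:
    """Apply the rule to one recipient and return 'deliver' or 'discard'.

    The envelope sender is deliberately ignored: for a posting relayed by
    an outside list it is the list owner's address, while the header is
    what the list software's domain whitelist actually trusts. 'discard'
    corresponds to a silent drop (Exim's :blackhole:), not a reject, so no
    bounce can be generated towards the forged address.
    """
    # Step 1: only selected list addresses are subject to the check;
    # regular users (and their .forward loops) are left alone.
    if envelope_to.lower() not in LIST_ADDRESSES:
        return "deliver"
    msg = message_from_string(raw_message)
    # Step 2: does the From: header claim to be from our own domain?
    if domain_of(msg.get("From", "")) != LOCAL_DOMAIN:
        return "deliver"
    # Step 3: a local From: is only acceptable from an internal host.
    if is_internal(sender_host):
        return "deliver"
    # Step 4: local From:, external host, list recipient -> forged.
    return "discard"


# Constructed sample traffic (not real messages).
FORGED_SPAM = (
    "From: Some List <some.list@EXAMPLE.org>\n"
    "To: some.list@example.org\n"
    "Subject: spam....\n\nbody\n"
)
OUTSIDE_POSTER = (
    "From: bob@partner.example.net\n"
    "To: some.list@example.org\n"
    "Subject: a real posting\n\nbody\n"
)


def demo() -> dict:
    """Run the scenarios from the thread and return the decisions."""
    return {
        "spam from outside to list": decide(FORGED_SPAM, "some.list@example.org", "198.51.100.7"),
        "local user on the LAN to list": decide(FORGED_SPAM, "some.list@example.org", "10.1.2.3"),
        "roaming user via SSH tunnel": decide(FORGED_SPAM, "some.list@example.org", "127.0.0.1"),
        "outside poster, foreign From:": decide(OUTSIDE_POSTER, "some.list@example.org", "198.51.100.7"),
        ".forward loop to a regular user": decide(FORGED_SPAM, "alice@example.org", "198.51.100.7"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:35} -> {outcome}")
```

The whitelist the list software keeps is not modelled; the point of the block is that the discard only fires on the intersection of all three conditions, so the .forward case raised earlier passes because its recipient is not a list, and outside posters with a foreign From: pass because step 2 does not match.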
Re: Preventing forged From: headers (exim 3.36)
On Tue, 25 Jun 2002, Robert Lister wrote:

> > Yes, but you are forgetting the case where one of your local users sends
> > a perfectly valid message, to an address an some 'other' system that has
> > a .forward that ends up directing the message back to an address on your
> > server. Then, this message, coming from this 'other' server,
> > legitimately has a From header (and envelope sender even), in your
> > domain
>
> Hmm. In our setup, the likelihood of that happening is virtually zero.
> I'd deal with that on a case by case basis.
>
> So I think what I want is:
>
> 1. For things going to selected list addresses (not all users)

Ah, #1 is the saving condition there. It's not likely that someone at a
remote site is going to .forward their mail to your list(s).

> 2. Is the "From:" address from our domain?
> 3. If it is, is the IP address one that is internal to us?
> 4. If all these match, then send, if not, freeze it (or discard it)

The following bit of smtp_rcpt ACL would do the trick, substituting your
actual data (possibly with file lookups/etc, as needed) in the correct
formats. Note this can't look at the "From:" header, only the envelope
sender address..


deny senders = yourdomain.com
recipients = selected@list_address.com
!hosts = your_internal_IP's
message = Forged mail not permitted


>
> So in fact I want something not to apply to regular users, just things
> that are directed to the mailing lists. Which will not have any funny
> forward files etc.
>
> Rob
>
>
>
>

Re: Preventing forged From: headers (exim 3.36)
> The following bit of smtp_rcpt ACL would do the trick, substituting your
> actual data (possibly with file lookups/etc, as needed) in the correct
> formats. Note this can't look at the "From:" header, only the envelope
> sender address..
>
>
> deny senders = yourdomain.com
> recipients = selected@list_address.com
> !hosts = your_internal_IP's
> message = Forged mail not permitted
>

Is this exim 4? We're on exim 3.34/3.36 right now. (Not quite ready to
upgrade and make that leap yet, but soon hopefully.)

I was after somebody that's done similar with an exim 3.x filter.

(But I will keep this handy for when I do have exim 4.x)


Rob


--
Robert Lister - robl@lentil.org - http://www.lentil.org
Re: Preventing forged From: headers (exim 3.36)
On Tue, 25 Jun 2002, Robert Lister wrote:

> > The following bit of smtp_rcpt ACL would do the trick, substituting your
> > actual data (possibly with file lookups/etc, as needed) in the correct
> > formats. Note this can't look at the "From:" header, only the envelope
> > sender address..
> >
> >
> > deny senders = yourdomain.com
> > recipients = selected@list_address.com
> > !hosts = your_internal_IP's
> > message = Forged mail not permitted
> >
>
> Is this exim 4? We're on exim 3.34/3.36 right now. (Not quite ready to
> upgrade and make that leap yet, but soon hopefully.)

Ohyeah.. Hrm


Use a smartuser director.


foo:
driver = smartuser
domains = the domain of your list addresses
local_parts = the local part(s) of the list addresses
senders = *@your_domain
condition = (a suitable condition using $sender_host_address and ending up with "no" if it's from one of your IP's)
fail_verify
new_address = :fail:

>
> I was after somebody that's done similar with an exim 3.x filter.
>
> (But I will keep this handy for when I do have exim 4.x)
>
>
> Rob
>
>
>

Re: Preventing forged From: headers (exim 3.36)
> Use a smartuser director.
>
> foo:
> driver = smartuser
> domains = the domain of your list addresses
> local_parts = the local part(s) of the list addresses
> senders = *@your_domain
> condition = (a suitable condition using $sender_host_address and ending up with
> "no" if it's from one of your IP's)
> fail_verify
> new_address = :fail:

Hmm. Probably failing it wouldn't work because it would cause a bounce
message to go back to the faked sender address, and hence the list.

Never had to do any conditions in directors before, any examples you can give?

I'll have a look at the docs too.


Rob

--
Robert Lister - robl@lentil.org - http://www.lentil.org
Re: Preventing forged From: headers (exim 3.36)
On Tue, 25 Jun 2002, Robert Lister wrote:

> > Use a smartuser director.
> >
> > foo:
> > driver = smartuser
> > domains = the domain of your list addresses
> > local_parts = the local part(s) of the list addresses
> > senders = *@your_domain
> > condition = (a suitable condition using $sender_host_address and ending up with
> > "no" if it's from one of your IP's)
> > fail_verify
> > new_address = :fail:
>
> Hmm. Probably failing it wouldn't work because it would cause a bounce
> message to go back to the faked sender address, and hence the list.


Hrm.. Well, use

new_address = :blackhole:

then, which will just throw it on the floor.

Alternatively, you could forward it to yourself if you want to review
them by hand..

>
> Never had to do any conditions in directors before, any examples you can give?
>
> I'll have a look at the docs too.
>
>
> Rob
>
>

Re: Preventing forged From: headers (exim 3.36)
On Tue, Jun 25, 2002 at 09:56:56PM +0100, Robert Lister wrote:

| > Use a smartuser director.

| > condition = (a suitable condition using $sender_host_address and ending up with
| > "no" if it's from one of your IP's)

| Never had to do any conditions in directors before, any examples you can give?
|
| I'll have a look at the docs too.

Look at the chapter on string expansions.

-D

--

Trust in the Lord with all your heart and lean not on your own
understanding; in all your ways acknowledge Him, and He will make your
paths straight.
Proverbs 3:5-6

http://dman.ddts.net/~dman/

Re: Preventing forged From: headers (exim 3.36)
Robert Lister wrote:
>
> No users should send "from" my domain unless they were on a client from an
> IP address authorized to do so, inside this network. period.
>
> If they're outside my network, they shouldn't be sending me e-mail with my
> own domain in the "From:" headers. I want a filter to pick this up and
> throw it away (not reject it, but discard it, as the sender/From: header
> is of course forged, and so the bounce message goes to the list, usually
> quoting the spam.)
>

How about this:

I've got users who travel. They have a corporate email
account, but access is provided by an ISP, so their email
does not come from the corporate LAN, but they use their
corporate email address as their "From:".

Worse yet, many times they are sending to a customer, not
another employee, so it's actually relay mail with a forged
sender, since their outgoing mail is set to the corporate
mail server. But yet, legitimate.

Even myself - I have a laptop. I use an ISP at home to
access work. If I can't send email using my corporate account,
I would have to keep juggling mail profiles. Not to mention
that even using the "Reply-To", some response email will
end up going to the ISP email account instead of the corporate one.
Most of my users don't even bother to check their ISP email
account - they don't use it.

--
David L. Harfst Computerized Medical Systems
Senior Systems Engineer St. Louis, Missouri
mailto:harfst@cms-stl.com http://www.cms-stl.com
Re: Preventing forged From: headers (exim 3.36)
On Thu, Jul 11, 2002 at 04:14:56PM -0500, David L. Harfst wrote:
> Robert Lister wrote:
> >
> > No users should send "from" my domain unless they were on a client from an
> > IP address authorized to do so, inside this network. period.
> >
> > If they're outside my network, they shouldn't be sending me e-mail with my
> > own domain in the "From:" headers. I want a filter to pick this up and
> > throw it away (not reject it, but discard it, as the sender/From: header
> > is of course forged, and so the bounce message goes to the list, usually
> > quoting the spam.)
> >
>
> How about this:
>
> I've got users who travel. They have a corporate email
> account, but access is provided by an ISP, so their email
> does not come from the corporate LAN, but they use their
> corporate email address as their "From:".

We have roaming users. All of our users come in from IP addresses we know
about because they SSH or VPN in to our network. Therefore, I don't want
any mail claiming to be "From: " us because of the mailing list problem
where our domains are on a whitelist which sends e-mail "From:" our domain
to the mailing list.

Most users have SSH. Their e-mail profile (if they insist on using Outlook
or a Windows e-mail client!) is set to send and receive mail from
"localhost" which goes down the SSH tunnel for ports 25 and pop/imap.

If they've not logged on to the server with the SSH client, it won't work,
so they've got to do it. This has the added benefit of encrypting
everything, including our POP passwords etc, down the SSH tunnel, rather
than sending it over an untrusted network in the clear.

Consider a spam like this:

From: mailinglist@mydomain.com
To: mailinglist@mydomain.com
Subject: spam....

Because mydomain.com is on the whitelist of allowed domains, it
will cause that spam to get sent to the mailing list.

It is not as easy as I thought it was going to be!

Rob


--
Robert Lister - robl@lentil.org - http://www.lentil.org
tel: 07973-815198