Mailing List Archive

Rejecting forged local addresses
Hello,

First, thanks to everyone who helped make Exim possible. It is a
wonderful MTA.

It seems the latest ugly trend in spamming is forging the sender address
so it appears as though the mail is originating from the local
domain. Example: Mail is addressed to jjk@psouth.net from
jjk@psouth.net.

What I need to do is check the sender's domain against my list of local
domains. If a match is found, check the sender's IP against
host_accept_relay. If the sender's domain is considered local and the
sender's IP matches host_accept_relay, the message is accepted. Clear as
mud? To put it another way - if the sender's IP is not found in
host_accept_relay and the sender's domain is local, the message gets
rejected.

Any advice/thoughts would be appreciated

Thanks,

--

-Jeremy

Re: Rejecting forged local addresses
On 17 Jul 2002, Jeremy Koch wrote:

> What I need to do is check the senders domain against my list of local
> domains. If a match is found check the senders IP against
> host_accept_relay. If the senders domain is considered local and
> senders IP matches host_accept_relay the message is accepted. Clear as
> mud? To put it another way - If the senders IP is not found in
> host_accept_relay and the senders domain is local the message gets
> rejected.

You're crying out loud to shoot yourself in the foot.



--
Re: Rejecting forged local addresses
On 17 Jul 2002, Jeremy Koch wrote:

>
> Hello,
>
> First, thanks to everyone who helped make Exim possible. It is a
> wonderful MTA.
>
> It seems the latest ugly trend in spamming is forging the sender address
> so it appears as though the mail is originating from the local
> domain. Example: Mail is addressed to jjk@psouth.net from
> jjk@psouth.net.
>
> What I need to do is check the senders domain against my list of local
> domains. If a match is found check the senders IP against
> host_accept_relay. If the senders domain is considered local and
> senders IP matches host_accept_relay the message is accepted. Clear as
> mud? To put it another way - If the senders IP is not found in
> host_accept_relay and the senders domain is local the message gets
> rejected.
>
> Any advice/thoughts would be appreciated

You'd also need to allow for SMTP AUTH from arbitrary IP's, if you
support it (or if you plan to)..

You'd also need to allow for mail posted to mailing lists by your users,
which might leave the sender as your user when sending it to the
subscribers (which would presumably often include the person making the
post)

>
> Thanks,
>
> --
>
> -Jeremy
>
>
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>
Re: Rejecting forged local addresses
On 17 Jul 2002, Jeremy Koch wrote:

> First, thanks to everyone who helped make Exim possible. It is a
> wonderful MTA.

Thank you.

> What I need to do is check the senders domain against my list of local
> domains. If a match is found check the senders IP against
> host_accept_relay. If the senders domain is considered local and
> senders IP matches host_accept_relay the message is accepted. Clear as
> mud? To put it another way - If the senders IP is not found in
> host_accept_relay and the senders domain is local the message gets
> rejected.

So if one of your users sends a message to another host, where the
recipient happens to have forwarded their mail to another user at your
site, you refuse it. Do you want to do that?

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
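An added example, not taken from any post in this thread: Jeremy's rule written as an Exim 4 ACL. host_accept_relay is the Exim 3 option; Exim 4 replaced it with ACLs, and its default configuration keeps the trusted networks in a hostlist called relay_from_hosts. The domain, the address ranges and the list names here are assumptions for illustration. The fragment exempts the two legitimate sources the replies name, your own networks and authenticated clients, and refuses everything else that claims a local envelope sender. It cannot distinguish the forwarding case Philip describes from a forgery, so that mail is still refused, which is the objection the thread raises.

```exim
# Added example, not from the thread. Main configuration section:
# the lists are assumptions for illustration; the Exim 4 default
# configuration uses the same list names.
domainlist local_domains = psouth.net
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail from the trusted networks (what Exim 3 called
  # host_accept_relay) is accepted unconditionally, as Jeremy asked.
  accept  hosts = +relay_from_hosts

  # Clients that passed SMTP AUTH may submit from any address, so they
  # must be exempt too; otherwise roaming users are refused.
  accept  authenticated = *

  # Anything else that claims a local envelope sender is refused.
  # Known false positive: a local user's message that a remote
  # recipient forwards back to another local address arrives from the
  # forwarding host with the local sender intact and is refused here.
  deny    message     = Sender $sender_address claims a local domain but \
                        the connection is from $sender_host_address
          log_message = forged local sender $sender_address from \
                        $sender_host_address
          sender_domains = +local_domains

  # Remaining mail is accepted for local domains only; without the
  # final deny this ACL would be an open relay.
  accept  domains = +local_domains
  deny    message = relay not permitted
```

The null sender (MAIL FROM:<>) has no domain, so bounces are not affected by the sender_domains test. Mailing-list traffic that a list host redistributes to your users with their own address as envelope sender hits the same deny as the forwarding case; a list that rewrites the envelope sender to its own bounce address does not.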
Re: Rejecting forged local addresses
On Thu, Jul 18, 2002 at 11:16:30AM +0100, Philip Hazel wrote:
> On 17 Jul 2002, Jeremy Koch wrote:
>
> > First, thanks to everyone who helped make Exim possible. It is a
> > wonderful MTA.
>
> Thank you.
>
> > What I need to do is check the senders domain against my list of local
> > domains. If a match is found check the senders IP against
> > host_accept_relay. If the senders domain is considered local and
> > senders IP matches host_accept_relay the message is accepted. Clear as
> > mud? To put it another way - If the senders IP is not found in
> > host_accept_relay and the senders domain is local the message gets
> > rejected.
>
> So if one of your users sends a message to another host, where the
> recipient happens to have forwarded their mail to another user at your
> site, you refuse it. Do you want to do that?

Ugh...there goes my latest great idea. :(

I don't suppose anybody has come up with a good way of implementing at
least a limited version of this? Like, if the email did not at some point
originate from something in host_accept_relay then deny it? What I guess I
want is something that looks through the received lines for a match to one
of my systems (not that those can't be forged, but I haven't seen that
yet).

--
// Miles Davis - miles@cs.stanford.edu - http://www.cs.stanford.edu/~miles
// Computer Science Department - Computer Facilities
// Stanford University
RE: Rejecting forged local addresses
We're also seeing a large number of spammers impersonating local
addresses. The headaches caused by this have no end, as customers think
their email has been "hacked", people think you allow spammers on your
system, customers get massive amounts of failure notices and spam
complaints, etc.

If anyone finds a good solution, please post it. We did the "reject if
not local" bounce for a day, but it caused problems with forwards and
mailing lists, as mentioned below.

What if you reject a message when the number of RCPT's is more than 1,
the IP address is not in relays, and the MAIL FROM is a local address?
Since forwards, and mailing lists, usually address messages to 1 RCPT
only.

Rich
richs@whidbey.net

-----Original Message-----
From: exim-users-admin@exim.org [mailto:exim-users-admin@exim.org] On
Behalf Of Miles Davis
Sent: Tuesday, July 23, 2002 9:32 AM
To: exim-users@exim.org
Cc: Jeremy Koch
Subject: Re: [Exim] Rejecting forged local addresses


Re: RE: Rejecting forged local addresses
On Tue, 23 Jul 2002, Richard, WhidbeyNet NOC wrote:

> What if you reject a message when the number of RCPT's is more than 1,
> the IP address is not in relays, and the MAIL FROM is a local address?
> Since forwards, and mailing lists, usually address messages to 1 RCPT
> only.

I've personally received two spams today purporting to be sent by me
which were only sent to me, so I doubt that the number of RCPT's will
help.

Looking at the headers in my pile of spam, I see that several of
the ones to and from me have an out of order Received header
purporting to have come through a non-existent host in my domain, eg:

Received: from dpmms.cam.ac.uk by 619U5T.dpmms.cam.ac.uk with SMTP for
a.c.aitchison@dpmms.cam.ac.uk; Tue, 23 Jul 2002 04:08:40 -0500

I don't have, and never have had a host 619U5T.dpmms.cam.ac.uk.
I also note that that machine is in a different time zone from me.

However these signs of a spam would appear more appropriate for
something like SpamAssassin than a simple filter :-(.

--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@dpmms.cam.ac.uk http://www.dpmms.cam.ac.uk/~werdna
Re: Rejecting forged local addresses
On Tue, 23 Jul 2002, Miles Davis wrote:

> I don't suppose anybody has come up with a good way of implementing at
> least a limited version of this? Like, if the email did not at some point
> originate from something in host_accept_relay then deny it? What I guess I
> want is something that looks through the recieved lines for a match to one
> of my systems (not that those can't be forged, but I haven't seen that
> yet).

Forged Received: lines have been seen, so I don't think there's any hope
there. The only possibility I can think of would be something
cryptographic, but I'm not a crypto person, so haven't any concrete
ideas.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: RE: Rejecting forged local addresses
At 18:38 +0100 7/23/2002, Dr Andrew C Aitchison wrote:
>I've personally received two spams today pupporting to be sent by me
>which were only sent to me, so I doubt that the number of RCPT's will
>help.

These seem to be the "second wave". If the recipient is failed (for not
existing), the engine that produces this one seems to use the next name on
its list as the replacement recipient. Since the lists used are quite old
(we're seeing addresses in a form we rewrote outbound addresses to for a
while years ago), there is a fair amount of that. Good luck writing a
filter which without false positives stops a@example.com sending to
ab@example.com. (Although a sender verify would get these.)

--John

--
John Baxter jwblist@olympus.net Port Ludlow, WA, USA
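An added example, not from any post in this thread: Rich's multiple-recipient variant of the rule, together with the sender verification John says would catch the single-recipient forgeries. It is written as an Exim 4 RCPT ACL; the hostlist and domainlist names (relay_from_hosts, local_domains, as in the Exim 4 default configuration) are assumptions for illustration. Andrew's observation stands: a forged message with one recipient passes the recipient-count test, which is why the sender check is added after it.

```exim
# Added example, not from the thread: Rich's recipient-count variant
# plus the sender verification John mentions. List names are
# assumptions for illustration.
acl_check_rcpt:
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  # Rich's refinement: a local envelope sender from an untrusted host
  # is refused only once the session has named more than one recipient.
  # $rcpt_count includes the RCPT command being checked. Andrew's
  # single-recipient spams pass this test, which is its weakness.
  deny    message   = Local sender $sender_address from \
                      $sender_host_address may not send to multiple recipients
          sender_domains = +local_domains
          condition = ${if >{$rcpt_count}{1}{yes}{no}}

  # John's point: the spam from a@example.com to ab@example.com carries
  # a local sender that no longer exists. verify = sender routes the
  # envelope sender address; for a local domain that fails unless the
  # local part is a real deliverable address, so forgeries built from
  # stale address lists are refused, while forwarded and list mail
  # from real users still verifies. No callout is involved here.
  deny    message = Sender address $sender_address does not exist
          sender_domains = +local_domains
          !verify = sender

  accept  domains = +local_domains
  deny    message = relay not permitted
```

Conditions in a deny statement are tested in order, so the cheap sender_domains match runs before the routing done by verify = sender. The null sender always verifies, so bounces are unaffected.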
Re: Rejecting forged local addresses
At 20:48 +0100 7/23/2002, Philip Hazel wrote:
>Forged Received: lines have been seen, so I don't think there's any hope
>there. The only possibilty I can think of would be something
>cryptographic, but I'm not a crypto person, so haven't any concrete
>ideas.

I see the spammers marginalizing "classic" SMTP in a fairly short time
(before 2005), with the replacement being some sort of crypto-signed
permission-based system.

Which I have no intent to design myself--my crypto knowledge stops not
long after wrapping strips of paper in spirals around rods. ;-)

--John (who had a top-secret but not a top-secret/crypto clearance in his
youth)

--
John Baxter jwblist@olympus.net Port Ludlow, WA, USA