mailfront: only allow authenticated user address as MAIL FROM (Return-Path)?
Hi,

I hope you all had a nice summer !

I just got a few cases where user accounts were compromised (weak
password or hacked PCs + stolen passwords) and then used to send
massive spam, for example last night:

tcpserver: pid 20727 from 195.223.y.y
tcpserver: ok 20727 omicron:62.48.x.x:25 :195.223.y.y::51731
mailfront[20727]: SASL AUTH LOGIN username=info sys_username=o67a123
domain=example.org
mailfront[20727]: MAIL FROM:<****@comcast.net>
mailfront[20727]: RCPT TO:<****@yahoo.com>
mailfront[20727]: RCPT TO:<****@eddy.foamex.com>
mailfront[20727]: RCPT TO:<****@lifeway.com>
(....)
mailfront[20727]: RCPT TO:<****@clorox.com>
mailfront[20727]: RCPT TO:<****@yahoo.com>
mailfront[20727]: RCPT TO:<****@yahoo.com>


As you can see, the "MAIL FROM:" part used as Return-Path is completely
forged. I just checked the docs to try to find a way to prevent this
directly with mailfront and its plugins, but with no success yet: has
anyone here using mailfront implemented this? If yes, a short message
would be great, thanks!

Next step would be to check if the header "From:" field is also valid,
but this would most probably be more complex.


Kind regards & a nice week to you,
Olivier
Re: mailfront: only allow authenticated user address as MAIL FROM (Return-Path)?
Hi Olivier,

I think I solved that problem partially with my approach 'Mail From: Address Verification' (MAV).

There is a separate patch against qmail available, though it is part of my former 'Spamcontrol' patch and now -- of course -- s/qmail.

http://fehcom.de/sqmail.html (-> qmail -> MAV).

Best regards.
--eh.


> On 30.08.2016 at 16:53, Olivier Mueller <om-lists-qmail@omx.ch> wrote:
>
> Hi,
>
> I hope you all had a nice summer !
>
> I just got a few cases where user accounts were compromised (weak password or hacked PCs + stolen passwords) and then used to send massive spam, for example last night:
>
> tcpserver: pid 20727 from 195.223.y.y
> tcpserver: ok 20727 omicron:62.48.x.x:25 :195.223.y.y::51731
> mailfront[20727]: SASL AUTH LOGIN username=info sys_username=o67a123
> domain=example.org
> mailfront[20727]: MAIL FROM:<****@comcast.net>
> mailfront[20727]: RCPT TO:<****@yahoo.com>
> mailfront[20727]: RCPT TO:<****@eddy.foamex.com>
> mailfront[20727]: RCPT TO:<****@lifeway.com>
> (....)
> mailfront[20727]: RCPT TO:<****@clorox.com>
> mailfront[20727]: RCPT TO:<****@yahoo.com>
> mailfront[20727]: RCPT TO:<****@yahoo.com>
>
>
> As you can see, the "MAIL FROM:" part used as Return-Path is completely forged. I just checked the docs to try to find a way to prevent this directly with mailfront and its plugins, but with no success yet: has anyone here using mailfront implemented this? If yes, a short message would be great, thanks!
>
> Next step would be to check if the header "From:" field is also valid, but this would most probably be more complex.
>
>
> Kind regards & a nice week to you,
> Olivier
>
>

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: EE00CF65