
Re: Bounce/System Notification Address Verification

2005-07-02 09:47:03
On Thu, 30 Jun 2005 07:30:24 EDT, Hector Santos said:

Here's another one.  This is the server:

220 ESMTP Sendmail Switch-3.1.7/Switch-3.1.7;
        Thu, 30 Jun 2005  03:55:50 -0700
250 Hello [],
ed to meet you

See the problem?  [Hint: Spoofing]

Let's check Claus's server:

220 ESMTP sendmail X.0.0.Alpha4.0
250 Hi there
mail from: <>
501 5.1.7 Bad sender's mailbox address syntax.

Wonderful!  It's worried about a space, but it doesn't protect its own local
domains! <g>

What can I say? Claus is a standards-conforming kind of guy :)

In what sense is the handling of the HELO parameter failing to "protect"
the domain?

Note that (a) the HELO isn't usually *used* for anything, (b) it will get you a
nice little notation in the Received: header, and (c) the relevant RFCs
specifically say that bouncing mail solely because the machine is confused
about its name is prohibited (2821, section 4.1.4):

   An SMTP server MAY verify that the domain name parameter in the EHLO
   command actually corresponds to the IP address of the client.
   However, the server MUST NOT refuse to accept a message for this
   reason if the verification fails: the information about verification
   failure is for logging and tracing only.

And sure enough, if you were to proceed with a valid MAIL FROM/RCPT TO, you'd
find that the Received: header would contain *3* fields - your claimed HELO
name, the IP you *actually* came from, and the PTR that IP has.  In addition,
if the hostname claimed by the PTR doesn't have an A record matching the IP,
there will be a 'might be forged' notation.

And rest assured, if you had tried to claim the same domain address on the
MAIL FROM, Claus's servers would have told you exactly what you could do with 
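An added example, not code from either poster: it pulls the three fields described above (claimed HELO name, actual IP, PTR) out of a sendmail-style Received: header and turns a mismatch into a log-only note, as RFC 2821 section 4.1.4 requires, never a rejection. The sample headers are constructed, and the code assumes sendmail's "(may be forged)" wording for the notation.

```python
import re
from typing import NamedTuple, Optional

class ReceivedInfo(NamedTuple):
    helo: str            # name the client claimed in HELO/EHLO
    ptr: Optional[str]   # reverse-DNS name found for the IP, if any
    ip: str              # address the connection actually came from
    may_be_forged: bool  # assumed sendmail note: PTR name has no matching A record
    helo_matches_ptr: bool

# sendmail "from" clause: from <helo> (<ptr> [<ip>] (may be forged)) by ...
_FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<ptr>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>(?:IPv6:)?[0-9A-Fa-f.:]+)\]"
    r"(?P<forged>\s*\(may be forged\))?"
    r"\)",
    re.IGNORECASE,
)

def parse_received(header: str) -> Optional[ReceivedInfo]:
    """Extract HELO name, PTR and IP from a sendmail-style Received: header."""
    m = _FROM_RE.search(" ".join(header.split()))  # unfold continuation lines
    if not m:
        return None
    helo, ptr, ip = m.group("helo"), m.group("ptr"), m.group("ip")
    return ReceivedInfo(helo, ptr, ip, m.group("forged") is not None,
                        ptr is not None and helo.lower() == ptr.lower())

def helo_trace_note(info: ReceivedInfo) -> str:
    """RFC 2821 4.1.4: HELO verification failure is for logging and tracing
    only, so this returns an annotation for the log and never a reject."""
    notes = []
    if info.ptr is None:
        notes.append("no PTR")
    elif not info.helo_matches_ptr:
        notes.append(f"HELO {info.helo!r} != PTR {info.ptr!r}")
    if info.may_be_forged:
        notes.append("PTR has no matching A record")
    return "ok" if not notes else "; ".join(notes)

# Constructed sample headers; the first claims the receiving site's own
# domain in HELO, the kind of spoofed greeting discussed in the thread.
SAMPLES = [
    "Received: from mx.example.net (dsl-198-51-100-7.isp.example [198.51.100.7] (may be forged))\n\tby mx.example.net (8.13.1/8.13.1) with ESMTP id j5U0x0AB001234",
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n\tby mx.example.net (8.13.1/8.13.1) with ESMTP id j5U0x1CD001235",
    "Received: from laptop ([203.0.113.5]) by mx.example.net (8.13.1/8.13.1) with SMTP id j5U0x2EF001236",
]

if __name__ == "__main__":
    for h in SAMPLES:
        info = parse_received(h)
        print(info.ip, "->", helo_trace_note(info))
```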
