procmail

Re: detecting faked "From"

2001-07-19 17:27:14
At 16:16 2001-07-19 -0700, Dave Robbins wrote:
> For security reasons, I want to limit an auto-responder
> to queries from local users only (i.e. users local to my subnet).

> Knowing that anyone could fake their email address
> faking e.g. dave@geol.ucsb.edu,

This is only useful to them if they have access to the mailbox that they're forging. Of course, forging someone else's address to cause an autoreply to bomb that user's mailbox is a different matter altogether.

> I want to use procmail
> to determine the real source address of where their email
> originated from.

Real source email address, or source IP address? You can give up on obtaining the real email address - if they're forging the from or reply addresses, then they're forged - do you really expect to find a valid email on the message? As for source IP (which I infer from your mention of "subnet", which is the domain of IP addresses, not of email addresses), that's a tricky one too.

> However, grepping the ^Received: headers of my inbox,
> it doesn't look like there's really a regexp that
> could be used even if e.g. formail could be of use
> for this.

FTR, it is entirely too easy to forge an extra Received: header to appear before the insertion into the SMTP stream. This is common on spam.

> If the incoming mail is from geol.ucsb.edu,
> I want the auto-responder to respond
> otherwise ignore the request.

Q: is there really a concern that people will be sending bogus requests from OUTSIDE the netblock, but still using return addresses WITHIN the domain?

Seems like dictating that the reply address, obtained like so:

# feed only the header to formail and capture the reply address it generates
:0 h
REPLYTO=| formail -b -rtzxTo:

must be within the specified FQDN, would be sufficient. If your reply is going to this address, and it's on the host you're limiting replies to, then forging an address on a sent message won't miraculously grant them access to the mailbox on the host (that they'd have to do by exploiting the server, and if they can do that, then they can forge a request FROM that server, and easily get around an IP block limitation).

Or do some users of the host in question also exist outside of your network subnet, and you want to disallow their use? What about valid users who are connected to the net from outside of your network?

Depending on why you want to limit responses, you might use a mechanism such as requiring PGP-signed messages (checking the signatures against your own database of valid users).

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
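The reply-address check suggested in the message above, written out as a complete procmail recipe. This is an added illustration, not code from the original post; the geol.ucsb.edu domain, the Subject: trigger and the autoreply text are assumptions, and the loop-protection conditions follow the usual procmailex autoresponder pattern.

```procmail
# Constructed example: autorespond only when the address the reply would
# go to lies within the local domain. Forged From: lines from outside only
# matter if the forger can read that local mailbox.

# Capture the reply address formail would generate, from the header only.
:0 h
REPLYTO=| formail -b -rtzxTo:

# Continue only for request messages whose reply address ends in the local
# domain (a trailing ">" is allowed in case formail kept a display name).
# Anything else falls through and is delivered normally, with no reply.
:0
* ^Subject:.*autoresponder request
* REPLYTO ?? @geol\.ucsb\.edu>?$
* ! ^FROM_DAEMON
* ! ^X-Loop: autoresponder@geol\.ucsb\.edu
{
  # Send the reply on a copy of the header; tag it so our own replies
  # never trigger this recipe again.
  :0 hc
  | (formail -r -I"Precedence: junk" \
       -A"X-Loop: autoresponder@geol.ucsb.edu" ; \
     echo "Your request has been received.") | $SENDMAIL -oi -t
}
```

Because the reply is addressed to the mailbox inside the domain rather than to whatever the sender claimed, an outsider forging a local address gains nothing beyond bombing that local user, which the X-Loop and FROM_DAEMON checks keep from turning into a mail loop.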

_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
