
Re: Local domain forgery detection?

2002-08-27 19:10:45
On Wed, Aug 28, 2002 at 12:48:14AM -0000, John Conover wrote:

Is there any way of detecting if *_ANY_* "Received: " record does
*_NOT_* have a local FQDN following the " from " tag in a sendmail(1)
produced e-mail header?

Anything can be detected.  But not all MTAs are sendmail, and there ARE
valid Received line formats which do not conform to sendmail's format.

But I think what you'd want would be something more like:

 #  Count the Received: lines in the header (sed stops at the first blank line)
 COUNTReceived=`sed '/^$/q' | grep -c '^Received:'`

 #  Don't bother analysing local mail (adjust for your LDA)
 #  (the parenthesis is literal: sendmail writes "Received: (from user@localhost")
 :0
 * COUNTReceived ?? ^1$
 *       ^From:
 *       ^To:
 *       ^Received: \(from [a-z0-9]+@localhost
 { SWITCHRC=/dev/null }

 #  Catch anything that tries to appear local but isn't
 :0
 *       ^From:
 * !     ^(From|Return-Path):.*@
 *       ^Received:.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
 {
         # From address is atless
         :0 fhw
         * !$    ^Received:.*($LOGNAME|root)@localhost
         | formail -A "X-spam: invalid return address (1-no @ symbol, but came from offsite)"

         # From address is badly formatted
         :0 fhw
         * !$    ^Received:.*($LOGNAME|root)@localhost
         * !     ^From:.*[a-z][a-z0-9_.:-]+@([a-z0-9][a-z0-9.-]*\.)+(com|net|org|edu|int|mil|gov|biz|info|name|[a-z][a-z])\>
         | formail -A "X-spam: invalid return address (2-address format error)"
 }

 #  Addresses without an @ should have come through at most one hop
 :0 fhw
 * ! COUNTReceived ?? ^[01]$
 *       ^From:[^@]+$
 *       ^To:[^@]+$
 | formail -A "X-spam: too many Received lines for local mail"

 #  Reduce the hostname to its registered domain (\/ marks the start of MATCH)
 MYDOMAIN=`hostname`

 :0
 * MYDOMAIN ?? [a-z]+[a-z0-9-]+\.\/[a-z]+[a-z0-9-]+\.(com?|net?|org?|biz|info)(\.([a-z][a-z]))?$
 { MYDOMAIN=$MATCH }

 :0 E
 * MYDOMAIN ?? [a-z]+[a-z0-9-]+\.\/[a-z]+[a-z0-9-]+(\.(bc|ab|sk|mb|on|qc|pe|ns|nf))?\.ca$
 { MYDOMAIN=$MATCH }

 # Adjust the range to suit your expectations.
 :0 fhw
 * MYDOMAIN ?? .+
 * COUNTReceived ?? ^[3-9]
 * $    ^Message-ID:.+@(.+\.)?$MYDOMAIN>
 | formail -A "X-spam: too many Received lines for local Message-ID (probably forged)"

It ain't perfect, but it may serve your needs, or at least act as a
starting point for your own rules.  If you come up with anything better,
please share.  :)

-- 
  Paul Chvostek                                    <paul(_at_)it(_dot_)ca>
  Operations / Abuse / Whatever                          +1 416 598-0000
  it.canada - hosting and development                  http://www.it.ca/
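The same four heuristics from the reply, re-implemented in Python so the logic can be run over sample headers outside procmail. This is an added example, not Paul's recipes or anything from the procmail project; the two header samples, the local domain "it.example" and the local user "paul" are constructed assumptions standing in for `hostname` and `$LOGNAME`.

```python
import re
from email import message_from_string

# Constructed samples (not from the page): one message whose Message-ID claims
# the local domain after three offsite hops, and one genuinely local message.
FORGED = """\
Received: from relay.example.net (relay.example.net [192.0.2.7]) by mx.it.example
Received: from hub.example.org (hub.example.org [198.51.100.2]) by relay.example.net
Received: from [203.0.113.9] (unknown [203.0.113.9]) by hub.example.org
From: someone
To: paul
Message-ID: <20020827191045.A1@mail.it.example>
"""
LOCAL = """\
Received: (from paul@localhost) by mx.it.example (8.12.5/8.12.5) id g7RJAjX01234
From: paul
To: root
Message-ID: <200208271910.g7RJAjX01234@mx.it.example>
"""

TLDS = r"(com|net|org|edu|int|mil|gov|biz|info|name|[a-z][a-z])"
GOOD_FROM = re.compile(r"[a-z][a-z0-9_.:-]+@([a-z0-9][a-z0-9.-]*\.)+" + TLDS + r"\b", re.I)

def classify(raw, mydomain, local_user="paul"):
    """Apply the reply's heuristics and return the X-spam tags they would add."""
    msg = message_from_string(raw)
    rcvd = msg.get_all("Received", [])
    frm, to, retp = msg.get("From", ""), msg.get("To", ""), msg.get("Return-Path", "")
    # Recipe 1: one hop, injected by a local user -> local mail, nothing to check
    if len(rcvd) == 1 and re.search(r"\(from [a-z0-9]+@localhost", rcvd[0]):
        return []
    tags = []
    via_local = any(re.search(rf"({re.escape(local_user)}|root)@localhost", r) for r in rcvd)
    has_ip = any(re.search(r"\d+\.\d+\.\d+\.\d+", r) for r in rcvd)
    # Recipe 2: no '@' in From or Return-Path, yet some Received line carries an IP
    if "@" not in frm and "@" not in retp and has_ip and not via_local:
        tags.append("invalid return address (1-no @ symbol, but came from offsite)")
        if not GOOD_FROM.search(frm):  # always true here, as in the original
            tags.append("invalid return address (2-address format error)")
    # Recipe 3: an @-less From and To should mean at most one Received line
    if len(rcvd) > 1 and "@" not in frm and "@" not in to:
        tags.append("too many Received lines for local mail")
    # Recipe 4: Message-ID claims our domain, but the mail took three or more hops
    mid = msg.get("Message-ID", "")
    if len(rcvd) >= 3 and re.search(rf"@(.+\.)?{re.escape(mydomain)}>", mid):
        tags.append("too many Received lines for local Message-ID (probably forged)")
    return tags
```

Like the recipes, this only tags; what to do with a tagged message (quarantine, score, or just log) is left to the caller.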

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail