procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: forged localhost sender test

2004-12-13 12:49:42
from [Professional Software Engineering] [Permanent Link] 
At 18:30 2004-12-13 +0100, Dallman Ross wrote:


Well, first, the host domain is parsed from $HOST in procmail
using a bit of code that attempts to strip (does a pretty good job at
stripping) down things like

   somehost.somedomain.[a-z]{2,3}[^.]
   somehost.somedomain.co.uk

and so on to what I call the "stub" ("somedomain").
It works well, but there naturally could be some odd cases
where it wouldn't work right, in which case the user is
encouraged to override with a manual entry in the myvars file.
Yea, the chief issue I saw was that the hostname being used could be any of a number of aliases, not just what the hostname is defined as locally. Say, if your mail is hosted on someone else's server but you have DNS records under your own domain. the $HOST may be "www.hostingdomain.tld", but you might have "mail.yourdomain.tld", and that can legitimatley appear in the message headers. The spammer has probably come to you through your own domain name, since it's affiliated with the email address they're spamming at. 


The vsnag code also considers private IP address space and
localhost when it looks -- not dissimilar to what I noticed in
your script.
Well, I wasn't too concerned with non-routed IP space, since those would imply delivery from another host within one's own non-routed network, though if one were running a server via NAT and the locally defined IP address were non-routed, that could be an issue - easily handled by having an explicit declaration of that IP (much like localhost).
I'd considered having a config script that could run ifconfig and extract the list of IP addresses which refer to the local host, but that doesn't get us the hostnames, and seemed like a bit of extra work for an incomplete solution.
BTW, concurrent with this update, I also investigated using a call to sendmail to validate local senders - people claiming to be on the local host, generally using trumped-up local username portions stuffed in front of your domain (also frightfully popular with viruses, but creeping into spam as well). 


:0
* FROM_DOMAIN ?? ^regexp_for_your_local_domain$
{
        VALIDUSER=`$SENDMAIL -bv $CLEANFROM`
        :0
        * ! VALIDUSER ?? deliverable:
        {
                SPAMVAL="+180"
                SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} spoofed local user $CLEANFROM${NL}" 
        }
}
(CLEANFROM and FROM_DOMAIN are extracted from the From: as a matter of course in my basic procmailrc -- the code is in my sandbox template).
Basically, if I parse "deliverable" from the string returned by the sendmail invocation, sendmail sees it as a valid address (either local, or a remote server handles it, which should generally not be the case if it's actually a local user). Anything else, and it would appear to be bogus (bad domain, deliberatley rejected in the sendmail settings, etc).
I dunno how well this would work for anyone on some big ISP server (besides being sendmail-centric), but on a locally administered server, I know that usernames should validate correctly. If your ISP/office uses LDAP, I suppose one could use a client to validate those addresses as well.
The above recipe caught several locally spoofed messages. Granted, several other messages also bore valid usernames (forged, but otherwise valid addresses), and those won't be caught by this, but the idea here is to nab the messages which have invalid local usernames on them. Since so little of my legit mail will come from the local host (I don't tend to send myself a lot of messages, and there's not an abundance of correspondance with other local users), the hit from invoking the mta to validate the users is nominal.
Since my use of DNSBLs and some stuff at the MTA level has proven reasonably effective in blotting out 90+ percent of the chuff I'd otherwise have to locally process, I don't know what the effectiveness of this approach would be across a more average distribution of spam messages. If anyone happens to have a wildly large spam corpus, I'd be interested in hearing how well this performs.
Documenting invocations for other MTAs to do the same thing (and/or alternate result strings to look for) would be useful as well. 

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How to avoid s/\n/ /g when unfolding a header, Volker Kuhlmann
Next by Date:  Re: How to avoid s/\n/ /g when unfolding a header, Dallman Ross
Previous by Thread:  Re: forged localhost sender test, Dallman Ross
Next by Thread:  Re: Folder: bounced, Adam Bogacki
Indexes:  [Date] [Thread] [Top] [All Lists]