spf-discuss

forged email DSN

2005-02-25 16:31:42
I am testing a new policy for Python Milter.  When a message arrives
with no PTR, invalid HELO, and no SPF, then I would like to just REJECT it as
either forged, or sent from a clueless domain.  But some of my
customers have clueless clients which need to send them email, so
I have to accept such messages.

If the (effectively) anonymous message doesn't get kicked out by
content filtering or blacklists, I do a CBV to check that the
purported sender is at least accepting DSNs.  The new wrinkle is
that I don't stop at the CBV, but actually send a DSN telling
the purported sender about the delivery status.  The purported
sender is either from a clueless domain that needs to fix their
servers to meet basic RFC requirements, or else the victim of a
joe job.  In either case, the DSN is supposed to help them solve
the problem.  I track which purported senders I've already sent
the DSN to so that they get it only once per restart of the milter.

I know some of you are going to hate this idea, but I want to hear the
criticism, and perhaps change things.

Here is a sample DSN, this one for what was obviously (to a human) a forgery:

To: dh(_dot_)hurley_59(_at_)osuuspankki(_dot_)fi
From: postmaster(_at_)mail(_dot_)bmsi(_dot_)com
Subject: Critical mail server configuration error
Auto-Submitted: auto-generated (configuration error)
MIME-Version: 1.0
Content-Type: text/plain

Someone at IP address 211.108.109.85 sent an email to
greg(_at_)bmsi(_dot_)com, claiming to be sent from 
dh(_dot_)hurley_59(_at_)osuuspankki(_dot_)fi(_dot_)  
The subject was: 

Subject: Online Drugs - save up to 80% 

If that wasn't you, then your domain, osuuspankki.fi,
was forged!  This is a very serious problem, especially if
you are part of an institution such as a bank - since the
forger is probably trying to rob your customers.  You need
to provide authentication for your SMTP (email) servers to
prevent criminals from forging your domain.  The simplest
step is usually to publish an SPF record with your Sender
Policy.  For more information, see:

http://spf.pobox.com

I hate to annoy you with a DSN (Delivery Status
Notification) from a possibly forged email, but since you
have not published a sender policy, I don't know what else to do.

If it *was* you that sent the email, then your email domain
or configuration is in error.  If you don't know anything
about mail servers, then pass this on to your SMTP (mail)
server administrator.  We have accepted the email anyway, in
case it is important, but we couldn't find anything about
the mail submitter at 211.108.109.85 to distinguish it from a
zombie (compromised/infected computer - usually a Windows
PC).  There was no PTR record for its IP address (PTR names
that contain the IP address don't count).  RFC2821 requires
that your hello name be an FQDN (Fully Qualified Domain Name,
i.e. at least one dot) that resolves to the IP address of
the mail sender.  In addition, just like for PTR, we don't
accept a helo name that contains the IP, since this doesn't
help to identify you.  The hello name you used,
chess-eng.co.uk, was invalid.

Furthermore, there was no SPF record for the sending domain
osuuspankki.fi.  We even tried to find its IP in any A or
MX records for your domain, but that failed also.  We really
should reject mail from anonymous mail clients, but in case
it is important, we are accepting it anyway.

We are sending you this message to alert you to someone forging your
domain (if that is the case), or to problems with your email configuration.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
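As an added example (not code from the post or from Python Milter), here is a pure-Python model of the three identity checks the DSN above walks through (usable PTR, valid HELO, SPF with A/MX fallback) and of the send-once tracking the post describes. Real DNS lookups are replaced by a constructed in-memory table, and the "name contains the IP" test is one possible reading of the post's wording, not the milter's actual rule.

```python
import re

# Constructed DNS table standing in for real lookups; keys are (rrtype, name).
# Addresses are from the RFC 5737 documentation ranges, chosen for this example.
DNS = {
    ("A", "mail.example.net"): ["192.0.2.10"],
    ("PTR", "192.0.2.10"): ["mail.example.net"],
    ("TXT", "example.net"): ["v=spf1 a mx -all"],
    ("A", "mx.example.org"): ["192.0.2.20"],       # example.org has no SPF,
    ("PTR", "192.0.2.20"): ["mx.example.org"],     # but its MX matches the IP
    ("MX", "example.org"): ["mx.example.org"],
}

def embeds_ip(ip, name):
    """One reading of 'names that contain the IP address don't count':
    the four octets appear, in order, as numeric tokens of the host name."""
    toks, octs = re.findall(r"\d+", name), ip.split(".")
    return any(toks[i:i + 4] == octs for i in range(len(toks) - 3))

def anonymity_reasons(ip, helo, mail_domain, dns=DNS):
    """Return the list of failed identity checks (empty means identified)."""
    reasons = []
    ptrs = dns.get(("PTR", ip), [])
    if not ptrs or all(embeds_ip(ip, p) for p in ptrs):
        reasons.append("no usable PTR record")
    # HELO must contain a dot, must not embed the IP, and must resolve to it.
    if "." not in helo or embeds_ip(ip, helo) or ip not in dns.get(("A", helo), []):
        reasons.append(f"invalid HELO {helo}")
    txt = dns.get(("TXT", mail_domain), [])
    if not any(t.lower().startswith("v=spf1") for t in txt):
        # No SPF: last resort is the sending domain's own A or MX addresses.
        a_ips = dns.get(("A", mail_domain), [])
        mx_ips = [i for mx in dns.get(("MX", mail_domain), [])
                  for i in dns.get(("A", mx), [])]
        if ip not in a_ips and ip not in mx_ips:
            reasons.append(f"no SPF for {mail_domain}, IP not in its A/MX")
    return reasons

def is_anonymous(ip, helo, mail_domain, dns=DNS):
    """All three checks failed: the post's trigger for the CBV and the DSN."""
    return len(anonymity_reasons(ip, helo, mail_domain, dns)) == 3

class DsnOnce:
    """Purported senders already notified; memory-only, so the set resets
    with each milter restart, as the post describes."""
    def __init__(self):
        self._sent = set()

    def should_send(self, sender):
        if sender in self._sent:
            return False
        self._sent.add(sender)
        return True
```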

