[Greylist-users] mail from internal domains not delayed?

Deke Clinger dclinger at qualcomm.com
Tue Jul 15 16:37:31 PDT 2003


Greetings,

I'm seeing spam come in without delay if the message is spoofed from an
internal domain.

This check:

  if (! ($mail_mailer =~ /smtp\Z/i) && ($mail_from ne "<>" || $relay_ip eq  "127.0.0.1")) {

causes mail 'spoofed' such that it appears to be from an internal domain
(qualcomm.com) to bypass greylisting. Running sendmail with the -d20 flag
shows which mailer is selected for a given sender or recipient address:


mail from: dclinger at qualcomm.com

--parseaddr(dclinger at qualcomm.com)
parseaddr-->0x204598=dclinger at qualcomm.com:
        mailer 8 (relay), host `imr.qualcomm.com.'
        user `dclinger at qualcomm.com', ruser `<null>'
        state=OK, next=0x0, alias 0x0, uid 0, gid 0
        flags=180<QPINGONFAILURE,QPINGONDELAY>
        owner=(none), home="(none)", fullname="(none)"
        orcpt="(none)", statmta=(none), status=(none)
        finalrcpt="(none)"
        rstatus="(none)"
        statdate=(none)
250 2.1.0 dclinger at qualcomm.com... Sender ok


So far today, 4 of the 5 spams I've received have used this technique. I've
gotten one user call as well.

So...

In envfrom_callback I commented out this statement:

 if ($mail_mailer !~ /smtp\Z/i) {
 ...
 }

(it doesn't appear to do anything anyway)

In envrcpt_callback I changed:


  if (! ($mail_mailer =~ /smtp\Z/i) && ($mail_from ne "<>" || $relay_ip eq  "127.0.0.1")) {
    ## we aren't using an smtp-like mailer, so bypass checks
    print "  Mail delivery is not using an smtp-like mailer.  Skipping checks.\n" if ($verbose);
    goto PASS_MAIL;
  }


to:


  if ($relay_ip eq "127.0.0.1") {
    # mail from localhost
    print "  Mail delivery from localhost. Skipping checks.\n" if ($verbose);
    goto PASS_MAIL;
  }


This may not be a good idea for some sites, but if you're using a 'dedicated'
Internet mail bastion this will cause mail with a From: address in your local
domain and mail from the <> sender to be checked like anything else. Mail
relayed from the localhost is still exempt from checks.

Should/could we make this a config option, or even a default?

Cheers,

-Deke
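Added example, not part of Deke's post or of the milter code it patches: a small Python model of the two envrcpt conditions quoted above, run over a handful of constructed envelopes. The `Envelope` type, the case names and the relay address 203.0.113.7 are assumptions made for the example; the mailer names follow sendmail's usage (the -d20 trace above shows the "relay" mailer being chosen for a qualcomm.com sender). It shows why the original check waves through a message whose sender is spoofed to an internal domain, and what changes once the bypass is keyed on the relay address alone.

```python
import re
from dataclasses import dataclass


@dataclass
class Envelope:
    """Constructed stand-in for the milter's $mail_mailer, $mail_from and $relay_ip."""
    mailer: str       # mailer sendmail selected for the sender: "esmtp", "relay", "local", ...
    mail_from: str    # envelope sender; "<>" is the null sender
    relay_ip: str     # address of the connecting relay


# Same test the Perl code applies: /smtp\Z/i
SMTP_LIKE = re.compile(r"smtp\Z", re.IGNORECASE)


def bypass_original(env: Envelope) -> bool:
    """Original envrcpt condition: skip greylisting when the mailer is not
    smtp-like and (the sender is not <> or the relay is localhost)."""
    not_smtp_mailer = not SMTP_LIKE.search(env.mailer)
    return not_smtp_mailer and (env.mail_from != "<>" or env.relay_ip == "127.0.0.1")


def bypass_patched(env: Envelope) -> bool:
    """Changed condition: only mail relayed from localhost skips greylisting."""
    return env.relay_ip == "127.0.0.1"


# Constructed envelopes; 203.0.113.7 is a documentation-range address used as
# an arbitrary external relay.
CASES = {
    # spam spoofed to look like it comes from the local domain; sendmail picks
    # the "relay" mailer for the address, which the original regex treats as
    # "not smtp-like"
    "spoofed_internal": Envelope("relay", "dclinger@qualcomm.com", "203.0.113.7"),
    # ordinary external sender, delivered via the esmtp mailer
    "external_sender": Envelope("esmtp", "someone@example.net", "203.0.113.7"),
    # bounce (null sender) addressed via the relay mailer
    "null_sender_relay_mailer": Envelope("relay", "<>", "203.0.113.7"),
    # locally generated mail handed in over the loopback interface
    "localhost_submission": Envelope("local", "app@qualcomm.com", "127.0.0.1"),
}


def compare(cases=CASES) -> dict:
    """Return {name: (bypassed_by_original, bypassed_by_patched)} for each case."""
    return {name: (bypass_original(env), bypass_patched(env)) for name, env in cases.items()}


if __name__ == "__main__":
    for name, (orig, patched) in compare().items():
        print(f"{name:28s} original bypass={orig!s:5s} patched bypass={patched!s:5s}")
```

The only row that changes is the spoofed internal sender: the original condition bypasses greylisting for it, the patched one does not, while localhost submissions stay exempt in both versions.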
