[Greylist-users] mail from internal domains not delayed?
Evan Harris
eharris at puremagic.com
Tue Jul 15 20:23:20 PDT 2003

Just so happens I discovered that myself last night. The fix has been
checked into CVS.

Evan

On Tue, 15 Jul 2003, Deke Clinger wrote:
> Greetings,
>
> I'm seeing spam come in without delay if the message is spoofed from an
> internal domain.
>
> This check:
>
> if (! ($mail_mailer =~ /smtp\Z/i) && ($mail_from ne "<>" || $relay_ip eq "127.0.0.1")) {
>
> causes mail 'spoofed' such that it appears to be from an internal domain
> (qualcomm.com) to bypass greylisting. Running sendmail with the -d20 flag
> shows which mailer is selected for a given sender or recipient address:
>
>
> mail from: dclinger at qualcomm.com
>
> --parseaddr(dclinger at qualcomm.com)
> parseaddr-->0x204598=dclinger at qualcomm.com:
> mailer 8 (relay), host `imr.qualcomm.com.'
> user `dclinger at qualcomm.com', ruser `<null>'
> state=OK, next=0x0, alias 0x0, uid 0, gid 0
> flags=180<QPINGONFAILURE,QPINGONDELAY>
> owner=(none), home="(none)", fullname="(none)"
> orcpt="(none)", statmta=(none), status=(none)
> finalrcpt="(none)"
> rstatus="(none)"
> statdate=(none)
> 250 2.1.0 dclinger at qualcomm.com... Sender ok
>
>
> So far today, 4 of the 5 spams I've received have used this technique. I've
> gotten one user call as well.
>
> So...
>
> In envfrom_callback I commented out this statement:
>
> if ($mail_mailer !~ /smtp\Z/i) {
> ...
> }
>
> (it doesn't appear to do anything anyway)
>
> In envrcpt_callback I changed:
>
>
>   if (! ($mail_mailer =~ /smtp\Z/i) && ($mail_from ne "<>" || $relay_ip eq "127.0.0.1")) {
>     ## we aren't using an smtp-like mailer, so bypass checks
>     print " Mail delivery is not using an smtp-like mailer. Skipping checks.\n" if ($verbose);
>     goto PASS_MAIL;
>   }
>
>
> to:
>
>
>   if ($relay_ip eq "127.0.0.1") {
>     # mail from localhost
>     print " Mail delivery from localhost. Skipping checks.\n" if ($verbose);
>     goto PASS_MAIL;
>   }
>
>
> This may not be a good idea for some sites, but if you're using a 'dedicated'
> Internet mail bastion this will cause mail with a From: address in your local
> domain and mail from the <> sender to be checked like anything else. Mail
> relayed from the localhost is still exempt from checks.
>
> Should/could we make this a config option, or even a default?
>
> Cheers,
>
> -Deke
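
The two conditions discussed in this thread, evaluated side by side over a few envelopes. This is an added example, not part of the original messages and not the project's own code: the sub names, addresses, IPs and the mailer assigned to each sender are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Condition quoted in the post. Note that "!" binds tighter than "&&":
# (mailer is not smtp-like) AND (sender is not <> OR relay is localhost).
sub bypass_original {
    my ($mail_mailer, $mail_from, $relay_ip) = @_;
    return (!($mail_mailer =~ /smtp\Z/i)
            && ($mail_from ne "<>" || $relay_ip eq "127.0.0.1")) ? 1 : 0;
}

# Replacement proposed in the post: only mail relayed from localhost is exempt.
sub bypass_localhost_only {
    my ($mail_mailer, $mail_from, $relay_ip) = @_;
    return $relay_ip eq "127.0.0.1" ? 1 : 0;
}

# Constructed envelopes: [label, mailer selected for the sender, MAIL FROM, relay IP].
# example.com stands in for the internal domain, which resolves to the "relay"
# mailer as in the -d20 output above; 192.0.2.10 is a remote host.
my @cases = (
    ["remote host, external sender",       "esmtp", '<user@example.net>',  "192.0.2.10"],
    ["remote host, sender claims internal", "relay", '<staff@example.com>', "192.0.2.10"],
    ["remote host, null sender",            "relay", '<>',                  "192.0.2.10"],
    ["localhost, internal sender",          "relay", '<staff@example.com>', "127.0.0.1"],
    ["localhost, external sender",          "esmtp", '<user@example.net>',  "127.0.0.1"],
);

printf "%-38s %-6s %-20s %-11s %-9s %-9s\n",
    "case", "mailer", "mail_from", "relay_ip", "original", "proposed";

for my $case (@cases) {
    my ($label, @env) = @$case;            # @env = (mailer, mail_from, relay_ip)
    my $old = bypass_original(@env);
    my $new = bypass_localhost_only(@env);
    # A remote relay that skips greylisting is the exposure the post reports.
    my $flag = ($old && $env[2] ne "127.0.0.1") ? "  <-- remote host is not greylisted" : "";
    printf "%-38s %-6s %-20s %-11s %-9s %-9s%s\n",
        $label, @env,
        ($old ? "bypass" : "checked"),
        ($new ? "bypass" : "checked"),
        $flag;
}
```

The table also shows a side effect of the proposed change: localhost mail whose sender resolves to an smtp-like mailer was checked under the original condition and is exempt under the new one.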