Any Way to Plug This Hole in Local Sendmail Delivery?

Jeffrey Goldberg jeffrey at goldmark.org
Thu Apr 5 18:18:35 UTC 2007


On Apr 4, 2007, at 8:13 AM, Martin McCormick wrote:

> 	First of all, I think sendmail is great, so this is a
> minor issue.  The problem is that the spammers can cause local
> delivery of their junk by using the name of an account on the
> system.
> From: Weekly News <martin at dc.cis.okstate.edu>


There are four places where a spammer could be forging your domain,  
and each method requires different responses.

First the spammer could be saying

  HELO your.domain

I remember discussion of this on comp.mail.sendmail five or six years  
ago.  I know that in that discussion I contributed some rules (that  
others improved upon) to check to see whether the HELO string claimed  
to be from the receiving host itself.

I expect that by now there is a packaged FEATURE or CONFiguration for  
doing this kind of check.  I know that exim and postfix have both had  
easy configuration for this kind of checking for a very long time, so  
I'm confident that it's there for sendmail.

The second is that the spammer could be forging in the sender address  
(envelope FROM)

   MAIL FROM:<user at your.domain>

For this, I suspect that someone has put together a milter or a set  
of rules.  Again, the option to block such things has been available  
in postfix and exim for a while.  If you do this, you have to pay  
some attention to whether any of your users legitimately have mail  
automatically forwarded to them from other parts of the net.

A more general solution (still has the forwarding problem) is to use  
SPF

   http://www.openspf.org/

This will allow you to not only block forgeries from your own domain,  
but to also block forgeries from my domain (and from everyone else  
who publishes SPF records).  SPF is a general anti-forgery tool for  
domain in Sender.  There are sendmail milters for doing SPF.

The third type of forgery is in the header From address.  I don't  
think that this kind of detection and filtering should be done by the  
MTA directly.  That kind of thing should be done with whatever  
content filtering tool you are using (e.g., spamassassin).

The fourth kind of domain forgery is so unlikely (and easy to detect)  
that it's negligible.  If (and this is extremely unlikely) the  
spammer controls the reverse DNS for the IP address that is sending  
the spam, the spammer could set up a bogus DNS PTR record so that a  
lookup of the numerical IP address will return something with your  
domain.  It's unlikely a spammer would do this, and the normal  
default process of checking DNS resolvability will catch it anyway.

Anyway, I recommend SPF.  But for alternatives you may wish to post  
your query to the newsgroup comp.mail.sendmail.

Cheers,

-j

-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
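The following is an added illustration, not code from the thread or from sendmail, of the first two checks the reply describes (a HELO that claims the receiving host, and an envelope MAIL FROM that claims the local domain) together with a minimal SPF evaluation. It stands in for DNS with a constructed table of SPF records, uses constructed local networks and a constructed allowlist of forwarding hosts to model the forwarding caveat, and handles only the `ip4` mechanism and the `all` terminator (the `a`, `mx` and `include` mechanisms need live DNS and are reported as an error here). Header From checks are left to the content filter, as the reply suggests.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (no network access).
# These are made-up records for the example, not the real records of any domain.
SPF_RECORDS = {
    "your.domain": "v=spf1 ip4:192.0.2.0/24 -all",
    "goldmark.org": "v=spf1 ip4:198.51.100.7 ~all",
}

# Names this receiving host answers to, and the networks it sends from
# (constructed values).  A HELO naming one of these from a foreign address
# is the first forgery case in the reply.
LOCAL_NAMES = {"your.domain", "mail.your.domain"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Hosts that legitimately forward mail to local users (constructed).  Mail
# they relay carries a foreign envelope sender, which is why a naive
# own-domain block or a strict SPF check would otherwise bounce it.
FORWARDER_IPS = {"203.0.113.9"}


def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def check_helo(helo, client_ip):
    """Reject a HELO that claims to be this host while connecting from outside."""
    if helo.lower() in LOCAL_NAMES and not is_local_ip(client_ip):
        return "reject: HELO claims local host from foreign address"
    return "ok"


def spf_check(client_ip, sender_domain, records=SPF_RECORDS):
    """Minimal SPF evaluation over ip4 mechanisms and the 'all' terminator."""
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    result_of = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to a 'pass' qualifier
        if term[0] in result_of:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return result_of[qualifier]
        elif term == "all":
            return result_of[qualifier]
        else:
            return "permerror"  # a, mx, include, ... would need real DNS
    return "neutral"  # record exhausted without a match


def check_envelope_sender(mail_from, client_ip):
    """Second forgery case: MAIL FROM claims the local domain, plus SPF for others."""
    if client_ip in FORWARDER_IPS:
        return "ok (known forwarder, sender checks skipped)"
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_NAMES and not is_local_ip(client_ip):
        return "reject: envelope sender forges local domain"
    result = spf_check(client_ip, domain)
    if result == "fail":
        return "reject: SPF fail for " + domain
    return "ok (spf=%s)" % result


def evaluate_session(helo, mail_from, client_ip):
    """Run both envelope-stage checks for one SMTP session."""
    return {
        "helo": check_helo(helo, client_ip),
        "mail_from": check_envelope_sender(mail_from, client_ip),
    }


if __name__ == "__main__":
    # Constructed session: a foreign host greeting as us and claiming a local sender.
    print(evaluate_session("your.domain", "martin@your.domain", "198.51.100.7"))
```

The forwarder allowlist is the practical answer to the caveat in the reply: mail that users have forwarded to themselves from elsewhere arrives from the forwarder's address with someone else's envelope sender, so the sender checks are skipped for those hosts rather than applied blindly.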



More information about the freebsd-questions mailing list