Any Way to Plug This Hole in Local Sendmail Delivery?
jeffrey at goldmark.org
Thu Apr 5 18:18:35 UTC 2007
On Apr 4, 2007, at 8:13 AM, Martin McCormick wrote:
> First of all, I think sendmail is great, so this is a
> minor issue. The problem is that the spammers can cause local
> delivery of their junk by using the name of an account on the
> From: Weekly News <martin at dc.cis.okstate.edu>
There are four places where a spammer could be forging your domain,
and each method requires different responses.
First, the spammer could be saying
I remember discussion of this on comp.mail.sendmail five or six years
ago. I know that in that discussion I contributed some rules (that
others improved upon) to check to see whether the HELO string claimed
to be from the receiving host itself.
I expect that by now there is a packaged FEATURE or CONFiguration for
doing this kind of check. I know that exim and postfix have both had
easy configuration for this kind of checking for a very long time, so
I'm confident that it's there for sendmail.
The second is that the spammer could be forging in the sender address
MAIL FROM:<user at your.domain>
For this, I suspect that someone has put together a milter or a set
of rules. Again, the option to block such things has been available
in postfix and exim for a while. If you do this, you have to pay
some attention to whether any of your users legitimately have mail
automatically forwarded to them from other parts of the net.
A more general solution (still has the forwarding problem) is to use
This will allow you to not only block forgeries from your own domain,
but to also block forgeries from my domain (and from everyone else
who publishes SPF records). SPF is a general anti-forgery tool for
the domain in the sender address. There are sendmail milters for doing SPF.
The third type of forgery is in the header From address. I don't
think that this kind of detection and filtering should be done by the
MTA directly. That kind of thing should be done with whatever
content filtering tool you are using (e.g., spamassassin).
The fourth kind of domain forgery is so unlikely (and easy to detect)
that it's negligible. If (and this is extremely unlikely) the
spammer controls the reverse DNS for the IP address that is sending
the spam, the spammer could set up a bogus DNS PTR record so that a
lookup of the numerical IP address will return something with your
domain. It's unlikely a spammer would do this, and the normal
default process of checking DNS resolvability will catch it anyway.
Anyway, I recommend SPF. But for alternatives you may wish to post
your query to the newsgroup comp.mail.sendmail.
Jeffrey Goldberg http://www.goldmark.org/jeff/
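The second and "more general" forgery cases above (a forged MAIL FROM domain, and SPF as the published-policy answer to it) are easiest to understand by seeing the SPF decision made in code. The following is an added example, not code from this post or from sendmail; it is a small Python SPF evaluator that handles the ip4, ip6, include and all mechanisms, with a constructed dictionary of hypothetical SPF records standing in for the DNS TXT lookups a real milter would perform, and a trusted-forwarder allowlist to illustrate the forwarding caveat the reply mentions. It goes slightly beyond the post by showing all four SPF result qualifiers rather than only the pass/fail case.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Domains and addresses are
# hypothetical; a real checker queries DNS for each domain's TXT record.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

# SPF qualifiers: how a matching mechanism is interpreted.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record text for a domain, or None if it publishes none.

    Uses the constructed SPF_RECORDS table instead of a DNS TXT query.
    """
    return SPF_RECORDS.get(domain.lower())


def check_spf(sender_ip, domain, depth=0):
    """Decide whether sender_ip may send mail claiming to be from domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms modelled: ip4, ip6, include, all (with all four qualifiers).
    """
    if depth > 10:  # RFC 7208 bounds include: recursion; treat overflow as error
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv4 address is never "in" an IPv6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only when the referenced record yields "pass".
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, ... are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present


def evaluate_mail_from(sender_ip, mail_from, trusted_forwarders=()):
    """Apply SPF to an SMTP MAIL FROM address arriving from sender_ip.

    Returns (spf_result, action). Hosts listed in trusted_forwarders (a
    hypothetical allowlist of your users' forwarding sources) skip the check,
    because forwarded mail legitimately fails SPF for the original domain.
    """
    if sender_ip in trusted_forwarders:
        return ("skipped", "accept")
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(sender_ip, domain)
    action = "reject" if result == "fail" else "accept"
    return (result, action)


if __name__ == "__main__":
    # Constructed envelope senders: one legitimate host, one forgery.
    for ip, sender in [("192.0.2.10", "user@example.org"),
                       ("203.0.113.5", "user@example.org")]:
        print(ip, sender, evaluate_mail_from(ip, sender))
```

Only a hard "fail" leads to a reject here; "softfail" and "neutral" are left to content filtering, which matches the post's advice to keep policy decisions in the MTA conservative and leave fuzzier judgements to a tool such as spamassassin.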