On Sat, Apr 20, 2002 at 07:30:06AM -0500, will trillich wrote:
| On Fri, Apr 19, 2002 at 09:28:17AM -0700, Sean 'Shaleh' Perry wrote:
| > HELO dontuthink.com
| > 250 server Hello 12-235-84-58.client.attbi.com [12.235.84.58]
| > MAIL FROM:<[EMAIL PROTECTED]>
| > 250 <[EMAIL PROTECTED]> is syntactically correct
| > RCPT TO:<[EMAIL PROTECTED]>
| > 550 relaying to <[EMAIL PROTECTED]> prohibited by administrator
| >
| > if you are relaying, I do not see how.
| >
| > If someone can relay through you they should be able to telnet to your smtp
| > port and send mail out like I just tried.
|
| thanks. i did similar tests at paladinCorp.com (specifically,
| http://www.paladincorp.com.au/unix/spam/spamlart/ ) and they
| found some instances where my setup didn't retch at certain
| questionable email syntaxes:
|
| here are the ones marked 'potential vulnerability'... Output
| from Anti-Relay Tests:
|
| Spam-Lart v0.3.2
| 220 server ESMTP Exim 3.12 #1 Fri, 19 Apr 2002 08:58:34 -0500
|
| rcpt to: <"[EMAIL PROTECTED]"@mail.dontUthink.com>
| 250 <"[EMAIL PROTECTED]"@mail.dontUthink.com> is
| syntactically correct
| ** FAILURE / Potentital Vulnerability **
|
| but i bet that'll look for user '[EMAIL PROTECTED]' ON
| MY SERVER.

It depends on your site's entire configuration. An old version of my
exim-spamassassin config is vulnerable to this sort of spoofing. The
problem with that config was only the local part was passed back to
exim, and that local part looks like a complete address.

I just tested this particular potential vulnerability and received an
"unknown local-part" bounce. That's good. It's better if you reject
it at RCPT time, but ok as long as you don't deliver at all.

| right. my exim.conf includes
|
| rbl_domains = rbl.maps.vix.com
| rbl_reject_recipients = false
| rbl_warn_header = true
| host_accept_relay = localhost : 192.168.1.1/24 : 208.33.90.85/32
| # commented-out:
| # percent_hack_domains=*
|
| what sanity checks does that miss?

There are lots more sanity checks that exim can perform. I don't have
an up-to-date exim 3 config anymore (if I have one at all). I've been
using version 4.01 for a while now.

There is a site (ORBD?) that allows you to enter your IP address and
it will run a barrage of relay tests against it and report the results
to the email address you specify. It actually tries to send a message
and then waits for your host to relay it to their spamtrap address.
(obviously, if you reject at RCPT time it won't need to wait at all
because you won't have accepted responsibility for the message)

There's some other site you can telnet to and it will test the ip you
connected from. I don't recall those hostnames right now, though, and
I don't think I wrote them down anywhere.

-D

-- 
The heart is deceitful above all things and beyond cure.
Who can understand it?
I the Lord search the heart and examine the mind,
to reward a man according to his conduct,
according to what his deeds deserve.
        Jeremiah 17:9-10
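
The RCPT-time rejection discussed in this thread, as an added example that is not part of the original messages and is written in Python rather than Exim configuration: a recipient check that refuses a local part which itself looks like an onward address. It goes slightly beyond the quoted-address probe shown above by also covering the percent hack and bang paths. `LOCAL_DOMAINS`, the function names and every address below are assumptions constructed for illustration.

```python
import re

# Assumption: domains this host accepts mail for (constructed names).
LOCAL_DOMAINS = {"mail.example.org", "example.org"}

# Characters that let a local part carry a second, onward address:
# '@' (quoted address), '%' (percent hack), '!' (UUCP bang path).
ROUTING_CHARS = set("@%!")

# <local@domain>, where local is either a quoted string or a plain atom.
_ADDR = re.compile(
    r'^<?(?P<local>"(?:[^"\\]|\\.)*"|[^@<>"\s]+)@(?P<domain>[^@<>\s]+)>?$'
)


def split_rcpt(arg):
    """Return (unquoted local part, lowercased domain), or None if malformed."""
    m = _ADDR.match(arg.strip())
    if m is None:
        return None  # includes RFC 821 source routes such as <@a:user@b>
    local = m.group("local")
    if local.startswith('"'):
        # Drop the surrounding quotes and undo backslash escapes.
        local = re.sub(r"\\(.)", r"\1", local[1:-1])
    return local, m.group("domain").lower()


def rcpt_decision(arg, client_may_relay=False):
    """Decide the SMTP reply for one RCPT TO argument."""
    parsed = split_rcpt(arg)
    if parsed is None:
        return 501, "malformed recipient"
    local, domain = parsed
    if domain not in LOCAL_DOMAINS:
        if client_may_relay:
            return 250, "accepted for relay"
        return 550, "relaying prohibited"
    # Local domain: refuse a local part that is really another address,
    # so nothing downstream can mistake it for a complete recipient.
    if ROUTING_CHARS & set(local):
        return 550, "local part contains routing characters"
    return 250, "accepted for local delivery"


if __name__ == "__main__":
    for rcpt in ('<"victim@elsewhere.example"@mail.example.org>',  # constructed
                 "<user%elsewhere.example@mail.example.org>",
                 "<postmaster@mail.example.org>"):
        print(rcpt, "->", rcpt_decision(rcpt))
```
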