On Apr 4, 2007, at 8:13 AM, Martin McCormick wrote:

        First of all, I think sendmail is great, so this is a
minor issue.  The problem is that the spammers can cause local
delivery of their junk by using the name of an account on the
system.
From: Weekly News <[EMAIL PROTECTED]>


There are four places where a spammer could be forging your domain, and each method requires different responses.

First the spammer could be saying

 HELO your.domain

I remember discussion of this on comp.mail.sendmail five or six years ago. I know that in that discussion I contributed some rules (that others improved upon) to check to see whether the HELO string claimed to be from the receiving host itself.

I expect that by now there is a packaged FEATURE or CONFiguration for doing this kind of check. I know that exim and postfix have both had easy configuration for this kind of checking for a very long time, so I'm confident that it's there for sendmail.

The second is that the spammer could be forging in the sender address (envelope FROM)

  MAIL FROM:<[EMAIL PROTECTED]>

For this, I suspect that someone has put together a milter or a set of rules. Again, the option to block such things has been available in postfix and exim for a while. If you do this, you have to pay some attention to whether any of your users legitimately have mail automatically forwarded to them from other parts of the net.

A more general solution (still has the forwarding problem) is to use SPF

  http://www.openspf.org/

This will allow you to not only block forgeries from your own domain, but to also block forgeries from my domain (and from everyone else who publishes SPF records). SPF is a general anti-forgery tool for the domain in Sender. There are sendmail milters for doing SPF.

The third type of forgery is in the header From address. I don't think that this kind of detection and filtering should be done by the MTA directly. That kind of thing should be done with whatever content filtering tool you are using (e.g., spamassassin).

The fourth kind of domain forgery is so unlikely (and easy to detect) that it's negligible. If (and this is extremely unlikely) the spammer controls the reverse DNS for the IP address that is sending the spam, the spammer could set up a bogus DNS PTR record so that a lookup of the numerical IP address will return something with your domain. It's unlikely a spammer would do this, and the normal default process of checking DNS resolvability will catch it anyway.

Anyway, I recommend SPF. But for alternatives you may wish to post your query to the newsgroup comp.mail.sendmail.

Cheers,

-j

--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
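The envelope-sender (MAIL FROM) check and the SPF approach discussed above, as an added illustration that is not part of the original reply: a minimal SPF evaluator over constructed records standing in for DNS TXT lookups (the domains, addresses and record contents are invented), showing a pass from a listed host, a pass via include:, and the fail that mail forwarded from an unlisted host would hit, which is the forwarding problem the reply mentions.

```python
import ipaddress

# Constructed SPF records in place of real DNS TXT lookups (invented example data).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:mailhost.example.net -all",
    "mailhost.example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Simplified SPF evaluation supporting ip4:, include: and 'all'.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # include: loops must terminate (RFC 7208 caps lookups at 10)
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # An IPv6 client never matches an ip4: network; 'in' returns False.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only if the referenced record yields 'pass'.
            matched = check_spf(term[8:], client_ip, records, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"  # unsupported mechanism in this minimal evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def envelope_verdict(envelope_sender, client_ip, records=SPF_RECORDS):
    """Map the SPF result for MAIL FROM to an MTA decision.

    Only a hard 'fail' is treated as a forgery; 'softfail' is where legitimately
    forwarded mail tends to land, so it is flagged for content filtering instead.
    """
    domain = envelope_sender.strip("<>").rsplit("@", 1)[-1]
    result = check_spf(domain, client_ip, records)
    if result == "fail":
        return "reject"
    if result in ("softfail", "permerror"):
        return "flag"
    return "accept"
```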

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
