Regarding mail anti-relay, the FW-1 v4.0 SMTP security server takes into
account source routing (WI-124 Sept 1998). My feeling is that this refers
to an old practice, mentioned on page 32 (6.2.7) of the famous RFC822. This
is not at all enough to stop spammers using your mail server as a relay.

http://www.orbs.org/envelopes.html describes all the (MAIL FROM, RCPT TO)
command pairs they know of that spammers use in the SMTP envelope.

    MAIL FROM:<any@imagine>
    RCPT TO:<victim%target@your mail server>
is a heavily exploited example.

How to deal with such symbols?

First define an SMTP resource (let's say MailFromInternet).
A rule in your rule base directs incoming SMTP connections to the
MailFromInternet resource.

In "Action1" tab of MailFromInternet, define a translation for
"Recipient" field like this one:
  *{%, ,@,:,[,],!}*@*yourdomain -> [EMAIL PROTECTED]
    
The next step is at the "Mail Server" you defined in the MailFromInternet
resource. If your mail server:
  - accepts mail for the recipient [EMAIL PROTECTED]
  - aliases it to /dev/null
then the mail data goes where it has to go.

Notice that:
  - if the mail server fails to accept [EMAIL PROTECTED]
and
  - if "Notify Sender On Error" is true,
an error notification message is sent to the sender.
In case the sender is spoofed (MAIL FROM:<any@imagine>), you get smurf-like
traffic towards the "MAIL FROM" address.


Now, what about the very straightforward pair:

    MAIL FROM:<any@imagine>
    RCPT TO:<victim@target>

they are discarded using the MailFromInternet Match tab, by specifying
strictly, in the "Recipient" field, the recipients you are responsible for.

*@{company1,business1}.com was an example pointed out by
<[EMAIL PROTECTED]>
in "Re: [FW1] SMTP Security Server" at "8 Sep 1999 09:34:43 +0200 (MET DST)"

Comments:

1)
I've used smap for years and the "%@:[]!" symbols were in smap.c under the
#ifdef SPECIALDOMAIN compiler directive.

Here are some lines from smap.c source code:
/*
 * Copyright (c) 1993, Trusted Information Systems, Incorporated
 * All rights reserved.
 *
 * Redistribution and use are governed by the terms detailed in the
 * license document ("LICENSE") included with the toolkit.
 */

/*
 *      Author: Marcus J. Ranum, Trusted Information Systems, Inc.
 */
static  char    RcsId[] = "$Header: smap.c,v 1.6 94/11/01 11:57:52 mjr rel $";
...
#ifdef  SPECIALDOMAIN
                if((jxp = strpbrk(chop,"%@:[]!")) != (char *)0) {
                        goto bomb;
...

This list of symbols is certainly up to date;
from http://www.orbs.org/envelopes.html one can get the same.
I have just added <space>, because of a strange behaviour in cc:Mail
at the time it was used here (enac.fr).

2)
Aliasing [EMAIL PROTECTED] to a real account gives
you a way to collect relay attempts. Be sure not to host this account
on a main server, to avoid a DoS attack.

3)
In the right part of *{%, ,@,:,[,],!}*@*yourdomain, after the last '@',
you have to specify all the domains, hosts and MXes you accept. Discarding
just your main domain might not be enough.
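As an added example (mine, not part of the original post and not FW-1 code), here is a small Python model of the two checks described above: the Action-tab translation, which diverts any recipient whose local part carries one of the routing symbols to a sink alias, and the Match-tab filter, which only delivers to domains you host. The sink address and the set of accepted domains are assumptions; the sample RCPT TO lines are constructed from the envelope forms the script further down sends.

```python
import re

# Symbols taken from smap.c ("%@:[]!") plus the space added for cc:Mail.
ROUTING_CHARS = set('%@:[]! ')

def rcpt_path(cmd):
    """Address inside an 'RCPT TO:' command, without <> and quotes,
    or None if the command is not an RCPT TO at all."""
    m = re.match(r'^RCPT\s+TO:\s*<?(.*?)>?\s*$', cmd, re.IGNORECASE)
    if not m:
        return None
    # A quoted local part like "victim@target" hides an '@' from naive
    # parsers; drop the quotes so the symbol check sees it.
    return m.group(1).strip().replace('"', '')

def screen_recipient(cmd, our_domains, sink='spam-sink@yourdomain'):
    """Classify one RCPT TO command:
       ('sink', sink)    local part has a routing symbol (Action-tab rule)
       ('deliver', addr) plain address in a domain we host
       ('reject', addr)  anything else (Match-tab filter)"""
    addr = rcpt_path(cmd)
    if addr is None or '@' not in addr:
        return ('reject', addr)
    local, _, domain = addr.rpartition('@')   # split at the LAST '@'
    if ROUTING_CHARS & set(local):            # victim%target@..., @relay:victim@...
        return ('sink', sink)
    if domain.lower() in our_domains:
        return ('deliver', addr)
    return ('reject', addr)

# Constructed samples; domains are the post's own examples (assumed accepted set).
OUR_DOMAINS = {'enac.fr', 'mail.enac.fr', '195.220.159.57', '[195.220.159.57]'}
SAMPLE_RCPTS = [
    'RCPT TO:<postmaster@enac.fr>',             # deliver
    'RCPT TO:<victim@target>',                  # reject: not our domain
    'RCPT TO:<"victim@target">',                # reject
    'RCPT TO: victim@target',                   # reject
    'RCPT TO:<victim%target@mail.enac.fr>',     # sink
    'RCPT TO:<victim@target@enac.fr>',          # sink
    'RCPT TO:<target!victim@[195.220.159.57]>', # sink
    'RCPT TO:<@195.220.159.57:victim@target>',  # sink
    'RCPT TO:<target!victim>',                  # reject: no '@' at all
]

def screen_all(cmds=SAMPLE_RCPTS, our_domains=OUR_DOMAINS):
    """Verdict for every command, in order."""
    return [screen_recipient(c, our_domains)[0] for c in cmds]
```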

4)
At last, how to be convinced that you really have enhanced your
anti-relay protection? You can use the attached script; I wrote it to
convince myself.
You need access to a host outside and netcat (the TCP/IP Swiss army
knife) on it.

Christian Julien
 | customer site:   [EMAIL PROTECTED]
 | company:         [EMAIL PROTECTED]
#!/bin/ksh -e

#
# no copyrights and as usual, I assume no responsibility for anything done by
# anyone using this simple script.
# Christian Julien
# | customer site:   [EMAIL PROTECTED]
# | company:         [EMAIL PROTECTED]
#
#  script_verif_anti_relay.ksh: netcats special MAIL FROM:, RCPT TO: sequences,
#  to check mail relay capability of a server
#  netcat (nc) and sed must be in your PATH
#
#  this script is customized for FW-1 v4.0 SMTP security server:
#  many modern sendmails will reject MAIL FROM:<[EMAIL PROTECTED]>,
#  with error: 501 <[EMAIL PROTECTED]>... Sender domain must exist
#

#  - >  . < - >  . < - >  . < - >  . < - >  . < - >  . < - >  . < - >  . < - >  .
#
# Example:
# ./script_verif_anti_relay.ksh christian.julien free.fr 195.220.159.57 \
#                               mail.enac.fr enac.fr
#
#   | checks anti-relay at 195.220.159.57, no mail has to be delivered to
#   | [EMAIL PROTECTED], relay is tested as :
#   | mail.enac.fr, 195.220.159.57, [195.220.159.57] and also as enac.fr
#
# Usage:
# ./script_verif_anti_relay.ksh victim target SMTP_Server_IP SMTP_Server_DNS \
#                               [other-1_DNS ... other-n_DNS]
#
#   | victim:                  spam victim
#   | target:                  machine|domain|MX of spam victim
#   | SMTP_Server_IP:          IP of SMTP server which is to be checked
#   | SMTP_Server_DNS:         reverse DNS of SMTP_Server_IP
#   | : : : : : : : : parent domain of SMTP server, or subdomains,
#   | : other-1_DNS : or MXes of parent|sub domain  (n < 100).
#   | :    ...      : In a syntax a la <victim%target@relay> relay is tested as:
#   | : other-n_DNS : SMTP_Server_DNS, SMTP_Server_IP, [SMTP_Server_IP]
#   | : : : : : : : : and all the <victim%target@other-i_DNS>, 1 <= i <=n
#  - >  . < - >  . < - >  . < - >  . < - >  . < - >  . < - >  . < - >  . < - >  .


function Usage {
echo "Your command: |$*|"
sed -n  '/^#  - >/,/^#  - >/p' $1 | grep -v '< - >' | cut -c2-
}

# PARAMETERS

# --
# help    (-h)
#      or
# too many parameters (>103) (n < 100)
#      or
# too few parameters  (<4) (victim target SMTP_Server_IP SMTP_Server_DNS are needed)
# 
if ( [ "$1" = "-h" ] || [ "$#" -gt "103" ] || [ "$#" -lt "4" ])
   then Usage $0 $*
        exit 1
fi

victim="$1"
target="$2"
SMTP_Server_IP="$3"
SMTP_Server_DNS="$4"

# shift away the four named parameters so that only other-1_DNS ... other-n_DNS remain in $*
shift ; shift ; shift ; shift

spambag="spambag"
fake_domain="fake.domain"

# http://www.orbs.org/envelopes.html describes SMTP envelopes used by spammers
(
#-------
#       MAIL FROM:<[EMAIL PROTECTED]>
#       RCPT TO:<victim@target>
echo "MAIL FROM:<${spambag}@${fake_domain}>" "RCPT TO:<${victim}@${target}>"
#-------
#       MAIL FROM:<[EMAIL PROTECTED]>
#       RCPT TO:<"victim@target">
echo "MAIL FROM:<${spambag}@${fake_domain}>" "RCPT TO:<\"${victim}@${target}\">"
#-------
#       MAIL FROM:<[EMAIL PROTECTED]>
#       RCPT TO: victim@target
echo "MAIL FROM:<${spambag}@${fake_domain}>" "RCPT TO: ${victim}@$target"
#-------
#       MAIL FROM:<spambag>
#       RCPT TO:<victim@target>
echo "MAIL FROM:<$spambag>" "RCPT TO:<${victim}@${target}>"
#-------
#       MAIL FROM:<[EMAIL PROTECTED]>
#       RCPT TO:<victim%target@{relay}>
for relay in $SMTP_Server_DNS $SMTP_Server_IP "[$SMTP_Server_IP]" $*
do
        echo "MAIL FROM:<${spambag}@${fake_domain}>" "RCPT TO:<${victim}%${target}@${relay}>"
done
#-------
#       MAIL FROM:<[EMAIL PROTECTED]>
#       RCPT TO:<victim@target@{relay}>
for relay in $SMTP_Server_DNS $SMTP_Server_IP "[$SMTP_Server_IP]" $*
do
        echo "MAIL FROM:<${spambag}@${fake_domain}>" "RCPT TO:<${victim}@${target}@${relay}>"
done
#-------
#       MAIL FROM:<[EMAIL PROTECTED]>
#       RCPT TO:<target!victim@{relay}>
for relay in $SMTP_Server_DNS $SMTP_Server_IP "[$SMTP_Server_IP]" $*
do
        echo "MAIL FROM:<${spambag}@${fake_domain}>" "RCPT TO:<${target}!${victim}@${relay}>"
done
#-------
#       MAIL FROM:<[EMAIL PROTECTED]>
#       RCPT TO:<@{relay}:victim@target>
for relay in $SMTP_Server_DNS $SMTP_Server_IP "[$SMTP_Server_IP]" $*
do
        echo "MAIL FROM:<${spambag}@${fake_domain}>" "RCPT TO:<@${relay}:${victim}@${target}>"
done
#-------
#       MAIL FROM:<fake_domain!spambag>
#       RCPT TO:<target!victim>
echo "MAIL FROM:<${fake_domain}!${spambag}>" "RCPT TO:<${target}!${victim}>"
#-------
#       MAIL FROM:<spambag>
#       RCPT TO:<target!victim>
echo "MAIL FROM:<$spambag>" "RCPT TO:<${target}!${victim}>"
#-------
#       MAIL FROM:<>
#       RCPT TO:<victim@target>
echo "MAIL FROM:<>" "RCPT TO:<${victim}@${target}>"
#-------
#       MAIL FROM:<spambag@{relay}>
#       RCPT TO:<victim@target>
for relay in $SMTP_Server_DNS $SMTP_Server_IP "[$SMTP_Server_IP]" $*
do
        echo "MAIL FROM:<${spambag}@${relay}>" "RCPT TO:<${victim}@${target}>"
done
) |&

# test every envelope
set +e ; read -p Mail From Rcpt To ; set -e
while [ "$Mail" != "" ]
do
# -i 1: netcat waits one second between the lines it sends, leaving the server time to answer
    nc -i 1 $SMTP_Server_IP 25 <<EOF
$Mail $From
$Rcpt $To
DATA
X-Envelope: <|$Mail $From|$Rcpt $To|> 
.
QUIT
EOF

# debugging envelopes: comment netcat above and so called here-document
# uncomment echo command hereafter:
#    echo "$Mail $From\n$Rcpt $To"

    set +e ; read -p Mail From  Rcpt To ; set -e
done


# in case MAIL FROM or RCPT TO is rejected,
# the DATA, X-Envelope and . commands are rejected too, but it doesn't matter;
# hereafter an example:
#
#550 <[EMAIL PROTECTED]>... Relaying Denied for: messagerie.enac.fr
#503 Need RCPT (recipient)
#500 Command unrecognized: "X-Envelope: <|MAIL FROM:<[EMAIL PROTECTED]>|RCPT TO:<[EMAIL PROTECTED]>|> "
#500 Command unrecognized: "."
