Yep, it is a _pre_ data filter. We only use the XMail header portion of the file (four of the first six lines) as you note. Since everything we need to pass this filter is in there, why accept the data? Not accepting the data also makes the "unknown user" bluff more convincing as well. You're also right that it should be FQDN and not FQP. Thanks for the proofreading :-P and the .cmd file offer. That would be great. When I add that to the zip, I'll add a couple more settings to the script, including one for the log location.

The second part is an odd but very reliable way to read backwards into a FQDN without assuming that it's a FQDN in the first place (like "localhost"). Using array_pop empties the array as you go, saving a little memory. It's a hack with all of the array stuff, I know. It's proven better than some other methods I've seen and tried in the past, so I tend to use it in a lot of PHP. The key to it is the ternary operators when each domain name is concatenated (http://www.php.net/manual/en/language.operators.comparison.php#language.operators.comparison.ternary). I hope that makes sense. If you find a better method, I'd love to hear it.

I look forward to hearing how it goes with the filter,

Bryn

----- Original Message -----
From: "Rob Arends" <[EMAIL PROTECTED]>
To: "'postmaster - networkoftheapes.net'" <[EMAIL PROTECTED]>
Date: Mon, 24 Apr 2006 19:08:53 +1000
Subject: RE: [xmail] Re: "friend" client domain

> Thanks Bryn,
>
> Having a read of the php, I see that you say post data and then reference
> filters.pre-data.tab - I assume you will need the mime headers, so you mean
> post-data. (Hmmm looking at your initial message parsing, you don't go past
> line 4 (data[4]), so does that mean it should/could be a pre-data filter?)
>
> Correct?
>
> This will run on Windows, so I can send you the resultant .cmd files for
> inclusion to your zip.
>
> What is FQP - I assume Fully Qualified Path? I expected FQDN - fully
> qualified domain name - or similar?
>
> I'll need to change the log location to suit windows (near the bottom, you
> hard code the log location).
>
> Looks good, understood most of it, just got lost a bit with HOW part2 worked
> - too many strstr/explode/array_pop - I got lost even with your verbose
> comments.
> My PHP is rudimentary.
>
> I'll let you know how I go in a few days.
>
> Rob :)
>
> -----Original Message-----
> From: postmaster - networkoftheapes.net
> [mailto:[EMAIL PROTECTED]
> Sent: Monday, 24 April 2006 4:31 PM
> To: Rob Arends
> Subject: RE: [xmail] Re: "friend" client domain
>
>
> I've cleaned up and zipped the filter I made. You can grab it at
> http://brynmosher.com/bouncer.zip. The instructions are commented within the
> PHP file itself. Good luck!
>
> Bryn
>
> ----- Original Message -----
> From: "Rob Arends" <[EMAIL PROTECTED]>
> To: "'postmaster - networkoftheapes.net'" <[EMAIL PROTECTED]>
> Date: Sun, 23 Apr 2006 21:05:48 +1000
> Subject: RE: [xmail] Re: "friend" client domain
>
> > Yes please Bryn,
> >
> > Can you send me directly the PHP filter.
> >
> > Thanks, Rob
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of postmaster -
> > networkoftheapes.net
> > Sent: Sunday, 23 April 2006 8:59 PM
> > To: [email protected]
> > Subject: [xmail] Re: "friend" client domain
> >
> >
> > Thanks. I think I've figured it out, but here's an explanation:
> >
> > While I was writing a pre-data filter to ban the folks who were
> > populating client domain with "friend", I noticed the ones claiming to
> > be from mail.networkoftheapes.net, my own server. This led me to
> > wonder whether the client domain was generated by XMail or the sender.
> > After more Googling, testing and looking at logs, I realized the
> > sender was giving client domain its value.
> >
> > I now have a little code that will look for my server as the client
> > domain and check it against valid domains that could be sending from my
> > server.
> > Here's a filtered event from my SMTP log:
> >
> > "networkoftheapes.net" "networkoftheapes.net" "210.213.227.124"
> > "2006-04-23 00:06:18" "mail.networkoftheapes.net"
> > "networkoftheapes.net" "[EMAIL PROTECTED]"
> > "[EMAIL PROTECTED]" "S1A663" "DATA=EFILTER" "" "0"
> > ""
> >
> > Some user ([EMAIL PROTECTED]) is trying to claim
> > mail.networkoftheapes.net as its client domain. Since I know they
> > can't be, I exit with a 19 failing the message and stopping filter
> > processing. I also give them a "550" invalid user formatted message with
> > the .rej file.
> > So far, it's blocked a bunch of these and all seem to be from junk
> > hotmail addresses. One of my spam honeypot accounts dropped its mail
> > load per hour by about half with this and 'friend' filtered out.
> >
> > I suspect that some widely used spam software out there just mimics
> > the mail server's domain and supplies a randomly generated hotmail
> > address for the from field. I sent some mail from a valid hotmail
> > account and it reported "hotmail.com" as the client domain, so I think
> > the false-positive count will be nil.
> >
> > The filter code blocks this and the previously mentioned 'friend'
> > entries and writes a log file of its actions. I wrote it in PHP of
> > all things. If anyone is interested, I can post the code and a quick
> > readme.
> >
> > Bryn
> >
> > ----- Original Message -----
> > From: Sönke_Ruempler <[EMAIL PROTECTED]>
> > To: [email protected]
> > Date: Sun, 23 Apr 2006 11:56:08 +0200
> > Subject: [xmail] Re: "friend" client domain
> >
> > > On 23.04.2006 03:31, postmaster - networkoftheapes.net wrote:
> > >
> > > > Now that I've made my filter, I have a question: How is the client
> > > > domain generated? Is it something reported by the sending client
> > > > software? For example, most entries in my SMTP logs from
> > > > "@hotmail.com" report my server
> > > > (mail.networkoftheapes.net) in the client domain field. Should it
> > > > be doing this?
> > >
> > > All SMTP envelope headers are fakable - and so the only information
> > > you can trust is the sender IP address.
> > >
> > > Maybe you want to send us sample headers and messages so we can
> > > discuss specific questions. :)
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe xmail" in
> > > the body of a message to [EMAIL PROTECTED] For general help:
> > > send the line "help" in the body of a message to
> > > [EMAIL PROTECTED]
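Added example in PHP (my own code, not the bouncer.zip filter from the thread) showing the two ideas discussed above: walking a HELO client domain from its right-hand label outward with array_pop and a ternary, and refusing a session that claims one of our own hostnames from an address that is not ours, since only the client IP can be trusted. The exit code 19 and the hostnames follow the thread; the function names and the `$our_ips` list are assumed placeholders.

```php
<?php
// Read a client domain backwards without assuming it is a FQDN:
// "localhost" -> ["localhost"]
// "mail.networkoftheapes.net" -> ["net", "networkoftheapes.net", "mail.networkoftheapes.net"]
function domain_suffixes(string $host): array
{
    $labels = explode('.', trim(strtolower($host), " \t."));
    $suffix = '';
    $out = [];
    // array_pop consumes from the right, so the array empties as we go.
    while (($label = array_pop($labels)) !== null) {
        // The ternary joins each label onto the suffix built so far.
        $suffix = ($suffix === '') ? $label : $label . '.' . $suffix;
        $out[] = $suffix;
    }
    return $out;
}

// True when the HELO name is, or sits under, one of our own domains.
function helo_claims_our_domain(string $client_domain, array $our_domains): bool
{
    foreach (domain_suffixes($client_domain) as $suffix) {
        if (in_array($suffix, $our_domains, true)) {
            return true;
        }
    }
    return false;
}

// Verdict for the filter: 19 rejects and stops filter processing (as in the
// thread), 0 lets the message continue. A claim to be our own server is only
// honoured when the connection comes from one of our own addresses.
function filter_verdict(string $client_domain, string $client_ip,
                        array $our_domains, array $our_ips): int
{
    if (trim(strtolower($client_domain)) === 'friend') {
        return 19;
    }
    if (helo_claims_our_domain($client_domain, $our_domains)
        && !in_array($client_ip, $our_ips, true)) {
        return 19;
    }
    return 0;
}

// Constructed sample values; the client domain and IP come from the log line
// in the thread, $our_ips is a placeholder for the real server address.
$our_domains = ['networkoftheapes.net'];
$our_ips = ['192.0.2.10'];
echo filter_verdict('mail.networkoftheapes.net', '210.213.227.124', $our_domains, $our_ips), "\n"; // 19
echo filter_verdict('hotmail.com', '210.213.227.124', $our_domains, $our_ips), "\n";               // 0
```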
