[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SLUG] Spam creaping through

On Fri, Jun 01, 2001 at 01:04:36PM +1000, Peter McCarthy wrote:

> I read that sendmail will automatically reject email that does not have a host
> name that resolves, however this does not seem to be working for the following
> example.

Depending upon your configuration, but yes, it can be configured to
reject mail from which do not resolve.  Note that this is based on the
envelope, not the message headers.  This is a common cause of confusion.

The envelope addresses are those passed in the `mail from' and `rcpt to'
smtp commands.  Here's an example:

  [johnc@nospam.dropbear ~]$ telnet wombat.vastsystems.com.au 25
  Connected to wombat.vastsystems.com.au (
  Escape character is '^]'.
  220 vastsystems.com.au ESMTP Sendmail 8.11.0/8.11.0; Fri, 1 Jun 2001 17:17:11 +1000
  ehlo dropbear.vastsystems.com.au
  250-wombat.vastsystems.com.au Hello IDENT:johnc@nospam.dropbear.vastsystems.com.au [], pleased to meet you
  250 HELP
  mail from: johnc@nospam.vastsystems.com.au
  250 2.1.0 johnc@nospam.vastsystems.com.au... Sender ok
  rcpt to: johnc@nospam.vastsystems.com.au
  250 2.1.5 johnc@nospam.vastsystems.com.au... Recipient ok
  354 Enter mail, end with "." on a line by itself
  From: noone@nospam.nowhere         
  To: someone@nospam.nowhere
  Subject: Test

  250 2.0.0 f517HLs01938 Message accepted for delivery
  221 2.0.0 wombat.vastsystems.com.au closing connection
  Connection closed by foreign host.

And this is what the message I receive looks like:

  From johnc@nospam.vastsystems.com.au  Fri Jun  1 17:17:49 2001
  Return-Path: <johnc@nospam.vastsystems.com.au>
These two headers have the address given in the `mail from' command.
  Received: from dropbear.vastsystems.com.au
  +(IDENT:johnc@nospam.dropbear.vastsystems.com.au [])
          by wombat.vastsystems.com.au (8.11.0/8.11.0) with ESMTP id f517HLs01938
          for johnc@nospam.vastsystems.com.au; Fri, 1 Jun 2001 17:17:23 +1000

This one has the address given in the `rcpt to', but it's not always
present.  Even if it is, if there are multiple recipients, only one will
be here.

  Date: Fri, 1 Jun 2001 17:17:23 +1000
  Message-Id: <200106010717.f517HLs01938@nospam.wombat.vastsystems.com.au>

I didn't provide a `Date:' or `Message-Id:' header, so sendmail inserts

  From: noone@nospam.nowhere
  To: someone@nospam.nowhere
  Subject: Test

And here are the headers I actually provided.  Note that they're
garbage, and even though I have sendmail configured to block mail if the
sender's domain doesn't resolve, that check is done on the envelope
address, not the `From:' header.

> We quite frequently receive an email from hahaha@nospam.sexyfun.net with an attachment

sexyfun.net exists, but as I've explained above, that's irrelevant.  The
envelope address is what matters.

> that is a virus.
> I have the filter inplace to block this address but it still manages to get
> through.

How have you configured your filter?  Is it filtering on message header
or envelope?

> Jun  1 13:04:19 mail sendmail[24597]: NAA24597: from=<>, size=33261, class=0,
> This explains why it get past the filter, but no why sendmail doesn't
> automatically bin it as the send address does not reslove.

The null address is a special case.  Are you *certain* that you're
looking at the right log entry?

> Any ideas on how I should attack this ?

Send us your sendmail.mc (and filter rules if they're not in
sendmail.mc).  Also, which version of sendmail are you using?

> Also how do I specify the MaxMessageSize parameter to be a value using the
> sendmail.mc file ?

define(`confMAX_MESSAGE_SIZE', `1000000')dnl


whois !JC774-AU@nospam.whois.aunic.net

SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug