Re: [Exim] faking of sender-addr

Etusivu
Poista viesti
Vastaa
Lähettäjä: Dr Andrew C Aitchison
Päiväys:  
Vastaanottaja: james
Kopio: exim-users
Aihe: Re: [Exim] faking of sender-addr
On Sat, 3 Jun 2000 james@??? wrote:

> I'm new to exim and have some problems which
> seems to be unsolveable for me :)
>
> Anyone can telnet mydomain.com 25
> MAIL FROM: root@???
> RCPT TO: user1@???
> DATE
> hi user. im the root. you are dump
> .
>
> What i want is to convert the sender-addr
> to root@??? or root@???
> whenever someone tries to send a message to (local) users
> with the sender-addr of one of my local domains.
>
> any idea ?


If you have unix users, mail from daemons such as cron, as well as any
mail that is really from root, could get caught by that.

The usual approach is to ensure that the headers contain enough information
to catch anyone who does this; rather than changing the sender address.
I would start by looking at the options sender_verify and rfc1413_hosts.

However, as far as I can see, you have spotted a genuine potential attack.
Perhaps you could block mail with a sender inside your domain, unless the
smtp sender is one of your machines ? The system filter is the first place
I'd consider implementing this.

If you are worried enough to block (as opposed to just logging) this sort
of abuse by local users, I think you would have to go for overkill and
use the variale $sender_ident and run an external programme to check
that that user isn't running telnet.

> uhm..i found the following in my syslogs:
> exim[18815]: 2000-06-03 04:38:01 12xl5l-00006P-00 == root@??? T=local_delivery defer (13): Permission denied: failed to chdir to /root
>
> + many "retry.." + "msg is frozen".
> exim is running as root
> (-rws--x--x    1 root     root      1090010 Jun  3 02:44 /usr/sbin/exim)
> but with EXIM_UID=8 and EXIM_GID=8.

>
> the Documentation says:
> "If no user is specified for Exim in either the compile-time or runtime configuration files, then it runs as root all the time, except when
> performing local deliveries. When an alternative user is specified (which is recommended), it gives up root privilege when it can."
>
> so exim runs as root and drops privileges if it really does not
> need them. So..dear exim..why are you unable to chdir to root's homedir ? :)


Unless you have changed the value of never_users (by default it includes
root) it doesn't become root when delivering mail to root (this is a
paranoic safety catch). This isn't normally a problem, since mail to root
is usually redirected to a person, or group of people.

Dr. Andrew C. Aitchison        Computer Officer, DPMMS, Cambridge
A.C.Aitchison@???    http://www.dpmms.cam.ac.uk/~werdna