At 21:04 -0700 2002/12/12, Kevin P. Fleming wrote:
>
>acl_check_data:
>  deny log_message = Teergrube: Hotmail forgery
>       message = X-Forgery: NOT HOTMAIL SERVER
>       sender_domains = hotmail.com
>       condition = ${if def:header_X-Originating-IP: {0}{1}}
>       delay = 30s
>  deny log_message = Teergrube: AOL forgery
>       message = X-Forgery: NOT AOL ADDRESS
>       senders = \N^\d.*@aol\.com$\N
>       delay = 30s
>  deny log_message = Teergrube: AOL forgery
>       message = X-Forgery: NOT AOL MAILER
>       sender_domains = aol.com
>       condition = ${if match {${lc:$h_X-Mailer:}} {(a(?:ol|tlas))} {0}{1}}
>       delay = 30s
>  deny log_message = Teergrube: AOL forgery
>       message = X-Forgery: NOT AOL SERVER
>       sender_domains = aol.com
>       condition = ${if match {${lc:$h_Received:}} {by.*aol\.com} {0}{1}}
>       delay = 30s
>  deny log_message = Teergrube: Yahoo forgery
>       message = X-Forgery: NOT YAHOO SERVER
>       sender_domains = yahoo.com
>       condition = ${if match {$h_Received:} {(yahoo.com.via.(?:HTTP|NNFMP))} {0}{1}}
>       delay = 30s
>
>Delays for the infamous Hotmail/AOL/Yahoo forgers...
I still think that this is definitely the wrong way of checking for
hotmail/yahoo/aol; still, it seems very popular.
In terms of false positives, one should be free to set the envelope
sender to whatever is acceptable, and if roaming, that can be a
hotmail address for instance.
In terms of missed positives, a spammer can easily forge the headers
checked by these rules.
In my opinion a rcpt acl that does a sanity check on the helo/sender
ip/sender reverse lookup, and perhaps sender address domain MX in
case the others fail, is much more accurate. It might require a lot
of DNS lookups, but these generate less traffic than initially
accepting all the message data.
I might add these delays to my rcpt acl though...
Giuliano
--
H U M P H
|| |||
software
Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
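The kind of rcpt-time sanity check Giuliano describes (reverse lookup of the sender IP, HELO verification, and a routability check on the envelope sender domain) can be expressed as an Exim 4 ACL. The fragment below is an added illustration, not Kevin's or Giuliano's configuration; it assumes `acl_smtp_rcpt = acl_check_rcpt` is set in the main section and that the host is running Exim 4 with the standard `verify` conditions available. The log and reject messages are constructed for the example.

```exim
# Added example: recipient-time sanity checks instead of post-DATA header matching.
# Assumes: acl_smtp_rcpt = acl_check_rcpt in the main configuration section.
acl_check_rcpt:

  # Locally submitted mail (no remote host) and the loopback address skip the checks.
  accept  hosts       = : 127.0.0.1

  # The connecting IP must have a PTR record whose name resolves back to that IP.
  deny    message     = Sender host $sender_host_address has no valid reverse DNS
          log_message = Teergrube: reverse lookup failed
          !verify     = reverse_host_lookup
          delay       = 30s

  # The HELO/EHLO name must be consistent with the connecting address
  # (Exim resolves the HELO name, or compares it with the verified host name).
  deny    message     = HELO name $sender_helo_name does not match $sender_host_address
          log_message = Teergrube: helo verification failed
          !verify     = helo
          delay       = 30s

  # The envelope sender domain must be routable (MX or address record);
  # this is the "sender address domain MX" fallback from the post.
  deny    message     = Sender domain $sender_address_domain is not routable
          log_message = Teergrube: sender domain unroutable
          !verify     = sender
          delay       = 30s

  # Only deliverable local recipients are accepted.
  require verify      = recipient
  accept
```

Because these checks run at RCPT time, a rejected connection never reaches DATA, so the DNS queries they cost are paid before the message body is transferred; the `delay` modifier keeps the tarpit effect of the quoted config. The checks are ordered from cheapest to most expensive so that a host failing the reverse lookup is rejected without the sender-domain routing lookup.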