Re: [Exim] SMTP Spoofing - Preventing Local Relaying

Author: Jason Robertson
Date:  
To: Tony Earnshaw, exim-users
Subject: Re: [Exim] SMTP Spoofing - Preventing Local Relaying
What I think he is referring to is that the spammer is sending
directly to his mailserver, bypassing the uplink mailservers that
their provider offers, and not a mail relay as such, for example, an
email that's currently frozen on my mailserver from
dslpppm227.dnvr.uswest.net [63.225.111.227]

Well, for him there are a few options that I have implemented. First,
find the various dialups that are possible and block all of these ISPs.

A few options that can be done: sender verification can be done.
Create a filter that contains

if (($sender_host_name contains "ppp") or
    ($sender_host_name contains "dsl") or
    ($sender_host_name contains "pool") or
    ($sender_host_name contains "dhcp") or
    ($sender_host_name contains ".cpe.") or
    ($sender_host_name contains "interbusiness.it") or
    (($sender_host_name contains "cable") and
     ($sender_host_name does not contain "bloor.is.net.cable.rogers.com"))) then


[ Note Rogers.com uses cable within their sending mail server ]

Lastly you can create a list of networks to deny from.

Jason

On 4 Mar 2003 at 13:45, Tony Earnshaw wrote:

> Tue, 2003-03-04 at 02:51, Mail List wrote:
>
> > --But-- if you try and send mail to another domain/user on the server
> > housing domainA.com, then exim will accept the connection and hand-off
> > the message.. For example if you try and send from the above
> > "domainA.com" account, and send a message to "admin@???" (or
> > to any domain/user on the server), then the mail server will accept
> > and deliver the mail.. In the maillog, you'll see this message from
> > such an attempt:
> >
> > Feb 26 21:22:01 exim[1609]: 2003-02-26 21:22:01 Authentication failed
> > for dhcpxxx-xxx-xxx-xxx.rr.com (owksu-j28xloafc.domainA.com)
> > [24.xxx.xxx.xxx]: 535 Incorrect authentication data
> >
> > (the 24.xxx.xxx.xxx is my RR connection to the net)
> >
> > But that's just a warning in the log, even though it reports
> > "Incorrect authentication data" -the mail server will still
> > accept/deliver the message using domainA.com as the SMTP server from
> > the MTU..
> >
> > This isn't the way it's supposed to work correct..? I'm just having a
> > hard time explaining what's going on here, but I'm fairly sure it
> > shouldn't be doing what it's doing.. :-)
>
> I don't really understand this thread (I always start at what came in
> last and work my way back.)
>
> Everything one could possibly think of is configurable in Exim, to the
> extent that after years of Exim configuration I'm continually finding
> out new and better ways of doing things. And here are all my heroes
> agreeing with Xantippe that they're not.
>
> But with respect to the above single point, Xantippe (I'll call you
> Xantippe, since it's a good name):
>
> I think your main problem is that you have a lot of catching up to do
> and Exim's new to you. You can configure Exim authentication in one of
> several ways. Globally or individually you can grant or deny any desired
> permission on almost any basis to do anything to anyone who
> authenticates correctly or doesn't. You just haven't discovered how,
> yet. Give yourself a month or twelve with much reading and practice.
>
> If one tries to explain to a dedicated Sendmail, Qmail or Postfix person
> how flexible and elegant Exim is, they simply mawp and can not
> understand, since there is no parallel. The best one I've seen lately
> was on the SA list, where a Qmail admin boasted that Qmail hadn't needed
> any bugfixes whatsoever for the last 4 years.
>
> Best,
>
> Tony
>
> --
>
> Tony Earnshaw
>
> All the world is mad, exceptin thee and me
> and even thee's a little queer
>
> e-post:        tonni@???
> www:        http://www.billy.demon.nl




--
Jason Robertson
Now at the Nation Research Council.
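
Added example, not part of the original messages and not Exim code: the substring test from the filter above, re-expressed in Python so the rule can be tried on host names before it is deployed. The function names, the case-insensitive comparison and all sample host names except the one quoted in the message are assumptions made for this illustration.

```python
# Substrings from the filter in the message above.
MARKERS = ("ppp", "dsl", "pool", "dhcp", ".cpe.", "interbusiness.it")
# The message's one exception: Rogers' own mail host has "cable" in its name.
CABLE_EXCEPTION = "bloor.is.net.cable.rogers.com"


def dynamic_marker(sender_host_name):
    """Return the substring that makes the filter condition true, or None.

    sender_host_name stands in for Exim's $sender_host_name; pass "" when the
    reverse lookup produced no name. Case is ignored (an assumption here).
    """
    name = (sender_host_name or "").lower()
    for marker in MARKERS:
        if marker in name:
            return marker
    if "cable" in name and CABLE_EXCEPTION not in name:
        return "cable"
    return None


def review(host_names):
    """Split host names into (matched, passed) so the rule can be audited."""
    matched, passed = {}, []
    for host in host_names:
        marker = dynamic_marker(host)
        if marker:
            matched[host] = marker
        else:
            passed.append(host)
    return matched, passed


# Constructed samples; only the first host name is quoted from the message.
SAMPLES = [
    "dslpppm227.dnvr.uswest.net",           # from the message
    "smtp2.bloor.is.net.cable.rogers.com",  # exception (prefix constructed)
    "cust-12.cable.isp.example",            # cable customer range
    "mx1.carpool.example",                  # fixed mail host, contains "pool"
    "",                                     # no reverse DNS: nothing to match
]

if __name__ == "__main__":
    hits, clean = review(SAMPLES)
    for host, marker in hits.items():
        print(f"match {marker!r:8} {host}")
    print("not matched:", clean)
```

The "carpool" sample shows the rule over-matching an ordinary mail host, and the empty name shows that a host without reverse DNS is never matched, so it needs a separate check.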