Author: Andrew - Supernews
Date:
To: exim-users
Subject: Re: [Exim] multiple PTR and HELO check
>>>>> "Philip" == Philip Hazel <ph10@???> writes:
Philip> Exim sets up $sender_host_name to the first name it is given
Philip> by gethostbyaddr(). It also sets up a list of host alias
Philip> names from any aliases that it is given. These are used in
Philip> various checks.
Having looked at the code for this I believe there is a weakness,
unless I am badly misunderstanding what it is trying to do. The code
appears to be treating the entire list of aliases as valid provided
that only _one_ of them results in a matching forward lookup. This,
on the face of it, would seem to allow a sufficiently determined
attacker to spoof as follows:
Suppose I (ill-advisedly) have *.supernews.net in my relay_hosts list
(I don't, this is just an example). badguy.net (who also controls
rDNS for 1.2.3.*) sets up records:
spamming.badguy.net. IN A 1.2.3.4
$ORIGIN 3.2.1.in-addr.arpa.
4 IN PTR spamming.badguy.net.
4 IN PTR hahaha.supernews.net.
Now, 1.2.3.4 connects to my exim, which looks up the PTRs, sees that
one of them matches, and accepts all the aliases; one of them matches
my relay ACL, and the spammer is away...
The workaround, of course, is to specify relay hosts only by IP.
The correct algorithm for rDNS lookup verification is this:
  for each hostname or alias name returned from the address lookup:
    perform forward lookup on the name
    if at least one IP in the forward lookup matches the connecting IP
      then accept the name
      else ignore it completely (delete it from the known aliases)
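The per-name check above, as an added example that is not Exim's code or the poster's: it runs the rDNS data from the post (1.2.3.4 with two PTRs, only spamming.badguy.net forward-confirming) against both the "any one match accepts the whole list" behaviour the post describes and the per-name algorithm, then matches the surviving names against a wildcard relay list. The resolver is a pair of constructed dictionaries so it runs offline; example.org and 10.0.0.7/8 are made-up records added to show the normal multi-PTR case.

```python
"""Forward-confirmed reverse DNS (FCrDNS) validation, name by name."""
import fnmatch
from typing import Callable, Dict, List

# Constructed DNS data modelling the scenario in the post. 1.2.3.4 has two
# PTR records, but only spamming.badguy.net forward-resolves to 1.2.3.4;
# the attacker controls rDNS for 1.2.3.* but not the supernews.net forward
# zone, so hahaha.supernews.net has no A record pointing back.
PTR_RECORDS: Dict[str, List[str]] = {
    "1.2.3.4": ["spamming.badguy.net", "hahaha.supernews.net"],
    "10.0.0.7": ["mx.example.org", "mail.example.org"],   # constructed
}
A_RECORDS: Dict[str, List[str]] = {
    "spamming.badguy.net": ["1.2.3.4"],
    "hahaha.supernews.net": [],                # no forward record at all
    "mx.example.org": ["10.0.0.7"],
    "mail.example.org": ["10.0.0.7", "10.0.0.8"],
}

Resolver = Callable[[str], List[str]]


def reverse_lookup(ip: str) -> List[str]:
    """Stand-in for gethostbyaddr(): hostname plus aliases for an address."""
    return list(PTR_RECORDS.get(ip, []))


def forward_lookup(name: str) -> List[str]:
    """Stand-in for a forward A lookup of one name."""
    return list(A_RECORDS.get(name, []))


def verified_names_naive(ip: str, reverse: Resolver = reverse_lookup,
                         forward: Resolver = forward_lookup) -> List[str]:
    """The behaviour the post criticises: if any single name forward-confirms,
    every name from the PTR lookup is treated as valid."""
    names = reverse(ip)
    if any(ip in forward(name) for name in names):
        return names
    return []


def verified_names(ip: str, reverse: Resolver = reverse_lookup,
                   forward: Resolver = forward_lookup) -> List[str]:
    """The algorithm from the post: keep a name only if its own forward
    lookup contains the connecting IP; drop every other name entirely."""
    kept: List[str] = []
    for name in reverse(ip):
        if ip in forward(name):
            kept.append(name)
    return kept


def host_matches_relay_list(ip: str, relay_patterns: List[str],
                            verifier: Callable[[str], List[str]]) -> bool:
    """Match the verified host names against wildcard patterns such as
    '*.supernews.net' (fnmatch '*' spans dots, like a hostlist wildcard)."""
    for name in verifier(ip):
        for pattern in relay_patterns:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                return True
    return False


if __name__ == "__main__":
    relay = ["*.supernews.net"]
    for label, verifier in (("naive", verified_names_naive),
                            ("per-name", verified_names)):
        print(label, verifier("1.2.3.4"),
              "relay allowed:", host_matches_relay_list("1.2.3.4", relay, verifier))
```

With the naive verifier the forged hahaha.supernews.net alias survives and 1.2.3.4 is granted relaying; with the per-name verifier only spamming.badguy.net remains and the relay match fails. To run this against live DNS, swap the two dictionary lookups for socket.gethostbyaddr (hostname plus its alias list) and socket.gethostbyname_ex, keeping the per-name loop unchanged.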