Re: [exim] Transparently faked domains

Author: Jethro R Binks
Date:  
To: exim-users
Subject: Re: [exim] Transparently faked domains
On Wed, 21 Nov 2007, Marcin Krol wrote:

> Obviously, envelope-from address is faked. This got me thinking -
> suppose we used following algorithm:
>
> 1. Get revdns name for incoming IP.
>
> 2. Extract domain from envelope-from address. Remove leftmost subdomain
> (radca.lex.pl -> lex.pl) (this is done for the sake of large email providers
> who send mail from hosts that are not their MXes, smth like
> smtp43.someprovider.com for outgoing mail and smtp.someprovider.com for
> incoming mail)
>
> 3. If string 2 doesn't contain string 1 (revdns name), the domain is
> faked and this could be used for things like increasing SA score or
> doing fakereject in Exim.
>
> Could this work? Pros? Cons?


Not really useful. You can't draw any generalised association between the
DNS domain of a sending host, and the domain part of a sender email
address, even if you could reliably work out how much of the revdns name
to do the match against. Many orgs outsource their mail provision to
other companies.

One goal of SPF is to allow a domain to make a statement (in DNS) about
the hosts from which its mail is permitted to originate, so you should
look into that, bearing in mind the usual caveats.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
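As an added illustration of the two points in this exchange (not code from either poster), the script below implements the proposed rDNS-versus-sender-domain heuristic next to a minimal SPF evaluator and runs both over constructed data: the DNS lookup tables, IP addresses, domain names and SPF records are all invented stand-ins for real DNS, and the proposal's "string 2 doesn't contain string 1" is read as "the reverse-DNS name contains the trimmed sender domain".

```python
import ipaddress

# Constructed sample data (not from the thread): IP -> reverse DNS name,
# and domain -> SPF TXT record, standing in for live DNS lookups.
RDNS = {
    "192.0.2.25": "smtp43.bulkmail-provider.example",  # outsourced relay
    "198.51.100.7": "dsl-7.residential.example",       # unrelated host
}
SPF = {
    "example.org": "v=spf1 include:bulkmail-provider.example -all",
    "bulkmail-provider.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

def parent_domain(sender):
    """Step 2 of the proposal: envelope-from domain minus its leftmost label."""
    labels = sender.rsplit("@", 1)[1].lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else ".".join(labels)

def rdns_heuristic(client_ip, sender):
    """Steps 1-3 of the proposal: 'faked' unless the rDNS name contains the domain."""
    rdns = RDNS.get(client_ip, "")
    return "pass" if parent_domain(sender) in rdns else "faked"

def spf_check(domain, client_ip, depth=0):
    """Minimal SPF evaluator: ip4 and include mechanisms plus the 'all' qualifier."""
    ip = ipaddress.ip_address(client_ip)
    if depth > 10 or domain not in SPF:
        return "none"
    for term in SPF[domain].split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.startswith("include:") and spf_check(term[8:], client_ip, depth + 1) == "pass":
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def evaluate(client_ip, sender):
    """Return (heuristic verdict, SPF result) for one SMTP connection."""
    return rdns_heuristic(client_ip, sender), spf_check(sender.rsplit("@", 1)[1].lower(), client_ip)

if __name__ == "__main__":
    # Outsourced relay: the heuristic flags legitimate mail, SPF accepts it.
    print("192.0.2.25", evaluate("192.0.2.25", "alice@example.org"))
    # Unlisted host using the same sender domain: both reject it.
    print("198.51.100.7", evaluate("198.51.100.7", "alice@example.org"))
```

The first case is the false positive Jethro describes: mail sent legitimately through an outsourced provider whose reverse-DNS name has nothing to do with the sender domain, while the domain owner's SPF record vouches for it.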