From owner-freebsd-security Wed Jun 20 16:29:34 2001
From: "Bruce M. Walker"
Message-Id: <200106202329.f5KNTPm07958@fusion.borderware.com>
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
In-Reply-To: <20010620194713.A18467@ns1.via-net-works.net.ar> from "Fernando P . Schapachnik" at "Jun 20, 2001 07:47:13 pm"
To: "Fernando P . Schapachnik"
Date: Wed, 20 Jun 2001 19:29:25 -0400 (EDT)
Cc: Erick Mechler , faSty , freebsd-security@FreeBSD.ORG

Fernando P . Schapachnik wrote:
> [somebody previously wrote...]
> >
> > You don't need the from.  For example, try this:

Actually, you *do*.  See below...

> > [emechler@lucifer ~]$ cat /etc/mail/access
> > hahaha@sexyfun.net              REJECT
>
> It won't work, as the virus uses hahaha@sexyfun.net INSIDE the
> message itself and sendmail checks the From field from the envelope,
> which in this case is probably <> (empty).

That's correct.  However, new sendmails can specify header checks.

For example, if you are running FreeBSD 4.3 read
/usr/share/sendmail/cf/README and check around line 1859.

This syntax is supposed to match mail-header From: (or To:) lines...

    From:spammer@some.dom       REJECT
    To:friend.domain            RELAY

Don't forget to hash the map file after editing /etc/mail/access!
You should be able to simply say "make" in that folder.  Or,

    makemap hash /etc/mail/access < /etc/mail/access

> I was about to report it as a bug to sendmail a few days ago, but
> then I thought there might be some option to change that behavior or
> some valid reason for sendmail to accept an empty mail from:

There are two very compelling reasons to accept empty envelope-from:

1. mailers send bounce and other internally-created error messages
   with an empty envelope-from.  If you don't accept them, you will
   confuse users who will not see bounces.

2. the RFCs say so.  See RFC2821 (and RFC821).

Cheers!
-bmw
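
The envelope-versus-header distinction discussed in this message, as an added Python example that is not part of the original post and is not sendmail's own code. It models the two decision points of a filter; the reject list, function names and sample message are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample: envelope sender is the null address <>, while the
# From: header inside the message carries the address quoted in the thread.
ENVELOPE_FROM = "<>"
MESSAGE = (
    "From: Hahaha <hahaha@sexyfun.net>\r\n"
    "To: user@example.org\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)
BLOCKED = {"hahaha@sexyfun.net"}  # hypothetical reject list


def envelope_sender(mail_from):
    """Return the address from a MAIL FROM argument; '' for the null sender <>."""
    return mail_from.strip().strip("<>").lower()


def check_envelope(mail_from, blocked):
    """Decision made at MAIL FROM time, before any header has been seen."""
    sender = envelope_sender(mail_from)
    if sender == "":
        return "ACCEPT"  # null sender: bounces and error reports (RFC 2821)
    return "REJECT" if sender in blocked else "ACCEPT"


def check_header_from(raw_message, blocked):
    """Decision made after DATA, on the From: header inside the message."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("From", []):
        _, addr = parseaddr(value)
        if addr.lower() in blocked:
            return "REJECT"
    return "ACCEPT"


def filter_message(mail_from, raw_message, blocked):
    """Run both checks in SMTP order and report which one decided."""
    if check_envelope(mail_from, blocked) == "REJECT":
        return ("REJECT", "envelope")
    if check_header_from(raw_message, blocked) == "REJECT":
        return ("REJECT", "header")
    return ("ACCEPT", None)
```

With the constructed sample, the envelope check accepts the message because the sender is `<>`, and only the header check rejects it.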