Date: Fri, 30 May 1997 19:29:27 -0700 (PDT)
From: Dan Busarow <dan@dpcsys.com>
To: Steve Ames <steve@ns1.cioe.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: sendmail: stop mail forwarding
Message-ID: <Pine.UW2.3.95.970530192220.29968A-100000@cedb>
In-Reply-To: <199705310036.TAA25045@ns1.cioe.com>
On Fri, 30 May 1997, Steve Ames wrote:
> We recently (maybe 30 minutes ago) had someone forward a LOT of mail
> through our server... most of it seemed to be destined for every user
> on aol.com starting with the letter a.
>
> What's the Q&D patch to sendmail.cf to stop people from being able to
> forward mail through? Can that be restricted by domain? (ie only people
> from my domain can forward mail)....

Q+D would start with the following and stop after the LocalIP test by
changing the SpamIP rule to

R$* $| $*	$#error $@ 5.7.1 $: 571 Access denied $1

Anything that didn't pass the LocalIP test would be denied.

Using the full set takes a little work on your part but will reduce the
number of pissed customers.

These are basically the rules from
http://www.informatik.uni-kiel.de/%7Eca/email/check.html

Remember to use <TAB>s between rule parts, they are present in this
mail but cut and paste will remove them.

Dan
--
Dan Busarow                                        714 443 4172
DPC Systems / Beach.Net                            dan@dpcsys.com
Dana Point, California        83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

======== sendmail.cf anti-relay rules ========================================

These rulesets are designed to prevent use of your machines to relay
mail for un-authorized sites, usually spammers. You can install these
anywhere in your .cf, I have ours following ruleset 98. An explanation
of how they work follows:

------------------------------------------------------------------
F{JunkMail}	/etc/sendmail.junkmail
F{MxHosts}	/etc/sendmail.mxhosts
F{LocalIP}	/etc/sendmail.localip
F{SpamIP}	/etc/sendmail.spamip

Scheck_mail
# Bounce junk mail
R<$={JunkMail}>	$#error $@ 5.7.1 $: "Access denied"
R$={JunkMail}	$#error $@ 5.7.1 $: "Access denied"
R$*	$: $>3 $1
R$* < @ $* $={JunkMail} > $*	$#error $@ 5.7.1 $: "Access denied"
R$* < @ $* $={JunkMail} . > $*	$#error $@ 5.7.1 $: "Access denied"

Scheck_rcpt
R$+	$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*	$@ ok	no client addr: directly invoked
R$={LocalIP}$* $| $*	$@ ok	from here
R$={SpamIP}$* $| $*	$#error $@ 5.7.1 $: 571 Access denied $1
# not local, not known spammer. check rcpt
R$* $| $*	$: $>3 $2
# remove local part, maybe repeatedly
R$*<@$=w.>$*	$>3 $1 $3
R$*<@$*$={MxHosts}.>$*	$>3 $1 $4
# still something left?
R$*<@$+>$*	$#error $@ 5.7.1 $: 571 no relay
---------------------------------------------------------------------

F{JunkMail}	/etc/sendmail.junkmail

This is a flat text file containing the domain names of known spammers,
one per line. You can also have entries for abusive individuals at
otherwise friendly sites. i.e.

cyberpromo.com
quantcom.com
ImaSpammer@aol.com

F{MxHosts}	/etc/sendmail.mxhosts

This is a text file containing the domain names that we do provide MX
services for. Domains in your class Cw do not need to be included here.
i.e.

goodguy.com
myfriend.com

F{LocalIP}	/etc/sendmail.localip

A list of IP address *prefixes* and complete IP addresses that you
consider local. i.e.

127.0.0.1
209.25.4
209.25.5
209.25.6.139
209.25.6.140

F{SpamIP}	/etc/sendmail.spamip

A list of IP address prefixes and/or addresses of known spammers

205.199.212
206.27.86.210
207.124.161.50

The rules:

Scheck_mail

This rule is run when the client issues the MAIL command to sendmail,
MAIL From: dan@dpcsys.com

R<$={JunkMail}>	$#error $@ 5.7.1 $: "Access denied"
R$={JunkMail}	$#error $@ 5.7.1 $: "Access denied"

Check for complete addresses and reject if found (ImaSpammer@aol.com)

R$*	$: $>3 $1

Renormalize the address

R$* < @ $* $={JunkMail} > $*	$#error $@ 5.7.1 $: "Access denied"
R$* < @ $* $={JunkMail} . > $*	$#error $@ 5.7.1 $: "Access denied"

Check for mail from domains of known spammers. Note that
machine.cyberpromo.com, machine.subdomain.cyberpromo.com and
cyberpromo.com will all be caught.

Scheck_rcpt

This rule is run when the client issues a RCPT command to sendmail,
RCPT To: victim@target.domain

R$+	$: $(dequote "" $&{client_addr} $) $| $1

Get the IP address of the sender and put it on the left side of the
"$|", the recipient goes on the right side.

R0 $| $*	$@ ok	no client addr: directly invoked

If there is no IP address associated with the sender they are local

R$={LocalIP}$* $| $*	$@ ok	from here

If the IP address matches an entry in LocalIP they are local

R$={SpamIP}$* $| $*	$#error $@ 5.7.1 $: 571 Access denied $1

If the IP address matches an entry in SpamIP reject the mail

# not local, not known spammer. check rcpt
R$* $| $*	$: $>3 $2

Send the recipient address ($2) through ruleset 3 to get a "normal"
address to examine.

# remove local part, maybe repeatedly
R$*<@$=w.>$*	$>3 $1 $3

This rule will repeatedly remove references to members of Cw (your own
domain and sometimes virtual domains)

R$*<@$*$={MxHosts}.>$*	$>3 $1 $4

This rule will repeatedly remove references to hosts that you allow to
use your system as a relay (people you MX for, we put virtual domains
and UUCP connected customers here)

# still something left?
R$*<@$+>$*	$#error $@ 5.7.1 $: 571 no relay

Stripping Cw and MxHosts should have left us with something like "joe@"
for legitimate mail. If there is anything left on the right hand side of
the "@" this was a relay attempt.

NB: The address rewriting done within these rules is *not* propagated
back through other rules. The only thing sendmail looks for from these
rules is an error return.
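Added example, not sendmail's or the post's own code: a small Python model of the two rulesets in the message, with the four class files replaced by constructed in-memory lists and class w assumed to hold dpcsys.com. It shows the token-boundary IP prefix match, the subdomain match on JunkMail and MxHosts, and why the "remove local part" step has to repeat to catch a joe%victim.com@yourdomain recipient. Ruleset 3 is stood in for by a cut-down canonify() that does not model source-routed addresses.

```python
# Constructed in-memory versions of the four class files (F{...}) and class w.
JUNKMAIL = {"cyberpromo.com", "quantcom.com", "imaspammer@aol.com"}
MXHOSTS = {"goodguy.com", "myfriend.com"}
LOCALIP = ["127.0.0.1", "209.25.4", "209.25.5", "209.25.6.139", "209.25.6.140"]
SPAMIP = ["205.199.212", "206.27.86.210", "207.124.161.50"]
CW = {"dpcsys.com", "mail.dpcsys.com"}  # assumed contents of the Cw class

def _prefix(addr, prefixes):
    # $={LocalIP}$* : a class member followed by anything, matched on
    # '.'-separated tokens, so "209.25.4" covers 209.25.4.x but not 209.25.40.x
    return any(addr == p or addr.startswith(p + ".") for p in prefixes)

def _in_domain(dom, names):
    # R$* < @ $* $={JunkMail} > : the domain itself or any subdomain of it
    return any(dom == n or dom.endswith("." + n) for n in names)

def canonify(addr):
    """Cut-down stand-in for ruleset 3: split into (local, domain), turning
    user%dom (the "% hack") into user@dom once no @domain is left.
    Source-routed forms (@a:user@b) are not modelled."""
    addr = addr.strip().strip("<>").lower()
    local, _, dom = addr.rpartition("@") if "@" in addr else (addr, "", "")
    if not dom and "%" in local:
        local, _, dom = local.rpartition("%")
    return local, dom.rstrip(".")

def check_mail(sender):
    """MAIL From: check. Returns 'ok' or 'denied'."""
    sender = sender.strip().strip("<>").lower()
    if sender in JUNKMAIL:               # R<$={JunkMail}> / R$={JunkMail}
        return "denied"
    _, dom = canonify(sender)            # R$* $: $>3 $1
    return "denied" if _in_domain(dom, JUNKMAIL) else "ok"

def check_rcpt(client_addr, rcpt):
    """RCPT To: check. Returns 'ok', 'denied' or 'no relay'."""
    if not client_addr:                  # R0 $| $* : directly invoked
        return "ok"
    if _prefix(client_addr, LOCALIP):    # R$={LocalIP}$* $| $*
        return "ok"
    if _prefix(client_addr, SPAMIP):     # R$={SpamIP}$* $| $*
        return "denied"
    local, dom = canonify(rcpt)          # R$* $| $* $: $>3 $2
    # remove local part, maybe repeatedly: Cw exactly, MxHosts with subdomains
    while dom and (dom in CW or _in_domain(dom, MXHOSTS)):
        local, dom = canonify(local)     # $>3 $1 $3 : re-canonify the rest
    return "no relay" if dom else "ok"   # R$*<@$+>$* : something left?
```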