From: Jeffrey Goldberg
Date: Thu, 5 Apr 2007 13:18:33 -0500
To: Martin McCormick
Cc: freebsd-questions@freebsd.org
Subject: Re: Any Way to Plug This Hole in Local Sendmail Delivery?
In-Reply-To: <200704041313.l34DDWuF044355@dc.cis.okstate.edu>
On Apr 4, 2007, at 8:13 AM, Martin McCormick wrote:

> First of all, I think sendmail is great, so this is a minor issue. The problem is that the spammers can cause local delivery of their junk by using the name of an account on the system.
> From: Weekly News

There are four places where a spammer could be forging your domain, and each method requires different responses.

First, the spammer could be saying

HELO your.domain

I remember discussion of this on comp.mail.sendmail five or six years ago. I know that in that discussion I contributed some rules (that others improved upon) to check to see whether the HELO string claimed to be from the receiving host itself. I expect that by now there is a packaged FEATURE or CONFiguration for doing this kind of check. I know that exim and postfix have both had easy configuration for this kind of checking for a very long time, so I'm confident that it's there for sendmail.

The second is that the spammer could be forging in the sender address (envelope FROM):

MAIL FROM:

For this, I suspect that someone has put together a milter or a set of rules. Again, the option to block such things has been available in postfix and exim for a while. If you do this, you have to pay some attention to whether any of your users legitimately have mail automatically forwarded to them from other parts of the net.

A more general solution (which still has the forwarding problem) is to use SPF:

http://www.openspf.org/

This will allow you to not only block forgeries from your own domain, but to also block forgeries from my domain (and from everyone else who publishes SPF records). SPF is a general anti-forgery tool for the domain in the Sender. There are sendmail milters for doing SPF.
The third type of forgery is in the header From address. I don't think that this kind of detection and filtering should be done by the MTA directly. That kind of thing should be done with whatever content filtering tool you are using (e.g., spamassassin).

The fourth kind of domain forgery is so unlikely (and easy to detect) that it's negligible. If (and this is extremely unlikely) the spammer controls the reverse DNS for the IP address that is sending the spam, the spammer could set up a bogus DNS PTR record so that a lookup of the numerical IP address will return something with your domain. It's unlikely a spammer would do this, and the normal default process of checking DNS resolvability will catch it anyway.

Anyway, I recommend SPF. But for alternatives you may wish to post your query to the newsgroup comp.mail.sendmail.

Cheers,

-j

--
Jeffrey Goldberg http://www.goldmark.org/jeff/
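The four forgery points the reply walks through (HELO, envelope MAIL FROM, header From, and a bogus PTR), as an added detection example that is not part of the thread and not sendmail's own code. It scores one constructed SMTP transaction against a protected domain; `LOCAL_DOMAIN`, `SPF_ALLOWED` (a stand-in for the domain's SPF record), `FORWARDED_USERS` (the forwarding exemption the post warns about) and `FORWARD_DNS` (an offline stand-in for the resolvability check) are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAIN = "example.org"                         # assumed: the domain we protect
SPF_ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: hosts allowed to send as us
FORWARDED_USERS = {"alice"}                          # assumed: users with mail forwarded in
FORWARD_DNS = {"mail.example.org": "192.0.2.10"}     # constructed A-record table for PTR check

@dataclass
class Transaction:
    client_ip: str     # connecting peer
    ptr_name: str      # reverse DNS of client_ip, "" if none
    helo: str          # HELO/EHLO argument
    mail_from: str     # envelope sender (MAIL FROM)
    rcpt_to: str       # envelope recipient (RCPT TO)
    header_from: str   # message header From:

def domain_of(addr):
    """Domain part of an address, tolerating 'Name <user@dom>' and '<user@dom>'."""
    return addr.rsplit("@", 1)[-1].lower().strip("<> ")

def claims_local(name):
    name = name.lower().rstrip(".")
    return name == LOCAL_DOMAIN or name.endswith("." + LOCAL_DOMAIN)

def forward_confirmed(ptr_name, ip):
    """PTR name resolves back to the connecting IP (the 'resolvability' check)."""
    return FORWARD_DNS.get(ptr_name.lower().rstrip(".")) == str(ip)

def classify(tx):
    """Return the forgery types (1-4, numbered as in the reply) found in tx."""
    ip = ipaddress.ip_address(tx.client_ip)
    if any(ip in net for net in SPF_ALLOWED):
        return []                    # our own outbound hosts may use our domain
    hits = []
    if claims_local(tx.helo):
        hits.append(1)               # 1: HELO pretends to be us
    rcpt_user = tx.rcpt_to.split("@")[0].strip("<> ")
    if domain_of(tx.mail_from) == LOCAL_DOMAIN and rcpt_user not in FORWARDED_USERS:
        hits.append(2)               # 2: envelope sender forged, unless recipient is forwarded to
    if domain_of(tx.header_from) == LOCAL_DOMAIN:
        hits.append(3)               # 3: header From forged; report for the content filter
    if tx.ptr_name and claims_local(tx.ptr_name) and not forward_confirmed(tx.ptr_name, ip):
        hits.append(4)               # 4: bogus PTR that does not resolve back to the client
    return hits
```

Type 3 is reported rather than rejected, matching the reply's point that header checks belong in the content filter, not the MTA.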