changeset 127:2b1a4701e856

sendmail no longer guarantees <> wrapper on envelopes
author carl
date Sat, 08 Apr 2006 10:06:09 -0700
parents 05ae49d37896
children 9ab51896447f
files ChangeLog NEWS configure.in dnsbl.conf src/dnsbl.cpp xml/dnsbl.in
diffstat 6 files changed, 94 insertions(+), 13 deletions(-) [+]
line wrap: on
line diff
--- a/ChangeLog	Sat Mar 25 09:47:08 2006 -0800
+++ b/ChangeLog	Sat Apr 08 10:06:09 2006 -0700
@@ -1,18 +1,26 @@
     $Id$
 
+5.18 2006-04-08
+    Bug fix - newer sendmail versions don't guarantee envelope addresses
+    enclosed in <> wrapper.
+
+    Document backscatter prevention configuration for systems that are
+    used to mainly spam filter and then forward to mail to the internal
+    server.
+
 5.17 2006-03-25
-    never ask dns blacklists about rfc1918 address space.
+    Never ask dns blacklists about rfc1918 address space.
 
 5.16 2006-03-16
-    bug fix - the smtp error message for uribl filtering needs to
+    Bug fix - the smtp error message for uribl filtering needs to
     reference the host name, not the ip address.
 
 5.15 2006-03-15
-    bug fix - we failed to properly set the return code to indicate the
+    Bug fix - we failed to properly set the return code to indicate the
     reason when rejecting mail for content filtering.
 
 5.14 2006-03-13
-    fix typo in the default config file and documentation for using
+    Fix a typo in the default config file and documentation for using
     multi.surbl.org
 
 5.13 2006-03-12
--- a/NEWS	Sat Mar 25 09:47:08 2006 -0800
+++ b/NEWS	Sat Apr 08 10:06:09 2006 -0700
@@ -1,5 +1,6 @@
     $Id$
 
+5.18 2006-04-08 sendmail no longer guarantees <> wrapper on envelopes
 5.17 2006-03-25 never ask dns blacklists about rfc1918 address space
 5.16 2006-03-16 bug fix, smtp error message for uribl filtering needs host name, not ip address
 5.15 2006-03-15 bug fix, failed to set reason code when rejecting mail from content filtering
--- a/configure.in	Sat Mar 25 09:47:08 2006 -0800
+++ b/configure.in	Sat Apr 08 10:06:09 2006 -0700
@@ -1,7 +1,7 @@
 AC_INIT(configure.in)
 
 AM_CONFIG_HEADER(config.h)
-AM_INIT_AUTOMAKE(dnsbl,5.17)
+AM_INIT_AUTOMAKE(dnsbl,5.18)
 AC_PATH_PROGS(BASH, bash)
 
 AC_LANG_CPLUSPLUS
--- a/dnsbl.conf	Sat Mar 25 09:47:08 2006 -0800
+++ b/dnsbl.conf	Sat Apr 08 10:06:09 2006 -0700
@@ -1,3 +1,32 @@
+context main-default {
+    // outbound dnsbl filtering to catch our own customers that end up on the sbl
+    dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
+    dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+    dnsbl   dul     dul.dnsbl.sorbs.net         "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s";
+    dnsbl_list  local sbl dul;
+
+    // outbound content filtering to prevent our own customers from sending spam
+    content on {
+        filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+        uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s";
+        #uribl    black.uribl.com             "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
+        ignore    { include "hosts-ignore.conf"; };
+        tld       { include "tld.conf"; };
+        cctld     { include "cctld.conf"; };
+        html_tags { include "html-tags.conf"; };
+        html_limit on 20 "Mail containing excessive bad html tags rejected";
+        html_limit off;
+        host_limit on 20 "Mail containing excessive host names rejected";
+        host_limit soft 20;
+    };
+
+    // backscatter prevention - don't send bounces for mail that we accepted but could not forward
+    // we only send bounces to our own customers
+    env_from unknown {
+        "<>"    black;
+    };
+};
+
 context main {
     dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
     dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
--- a/src/dnsbl.cpp	Sat Mar 25 09:47:08 2006 -0800
+++ b/src/dnsbl.cpp	Sat Apr 08 10:06:09 2006 -0700
@@ -855,16 +855,24 @@
 }
 
 ////////////////////////////////////////////////
-// this email address is passed in from sendmail, and will
-// always be enclosed in <>. It may have mixed case, just
-// as the mail client sent it. We dup the string and convert
-// the duplicate to lower case.
+//
+// this email address is passed in from sendmail, and will normally be
+// enclosed in <>.	I think older versions of sendmail supplied the <>
+// wrapper if the mail client did not, but the current version does not do
+// that.  So the <> wrapper is now optional.  It may have mixed case, just
+// as the mail client sent it.	We dup the string and convert the duplicate
+// to lower case.
 //
 char *to_lower_string(char *email);
 char *to_lower_string(char *email) {
-	int n = strlen(email)-2;
-	if (n < 1) return strdup(email);
-	char *key = strdup(email+1);
+	int n = strlen(email);
+	if (*email == '<') {
+		// assume it also ends with >
+		n -= 2;
+		if (n < 1) return strdup(email);	// return "<>"
+		email++;
+	}
+	char *key = strdup(email);
 	key[n] = '\0';
 	for (int i=0; i<n; i++) key[i] = tolower(key[i]);
 	return key;
--- a/xml/dnsbl.in	Sat Mar 25 09:47:08 2006 -0800
+++ b/xml/dnsbl.in	Sat Apr 08 10:06:09 2006 -0700
@@ -159,7 +159,7 @@
                 reject mail sent to invalid addresses.  Otherwise, the backup mail
                 servers will accept that mail, and then generate a bounce message when
                 the message is forwarded to the primary server (and rejected there with
-                no such user).
+                no such user). These rejections are the primary cause of such backscatter.
             </para>
             <para>
                 This milter will also decode (uuencode, base64, mime, html entity, url
@@ -449,6 +449,11 @@
                 The following ideas are under consideration.
             </para>
             <para>
+                Add mail volume limits based on smtp auth accounts, to prevent
+                customers from sending too much mail. This should catch customers
+                that get infected with malware that knows about smtp auth.
+            </para>
+            <para>
                 Add a per-context option to reject mail if the number of digits in
                 the reverse dns client name exceeds some threshold.
             </para>
@@ -563,6 +568,35 @@
         <refsect1 id='sample.5'>
             <title>Sample</title>
             <literallayout class="monospaced"><![CDATA[
+context main-default {
+    // outbound dnsbl filtering to catch our own customers that end up on the sbl
+    dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
+    dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+    dnsbl   dul     dul.dnsbl.sorbs.net         "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s";
+    dnsbl_list  local sbl dul;
+
+    // outbound content filtering to prevent our own customers from sending spam
+    content on {
+        filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+        uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s";
+        #uribl    black.uribl.com             "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
+        ignore    { include "hosts-ignore.conf"; };
+        tld       { include "tld.conf"; };
+        cctld     { include "cctld.conf"; };
+        html_tags { include "html-tags.conf"; };
+        html_limit on 20 "Mail containing excessive bad html tags rejected";
+        html_limit off;
+        host_limit on 20 "Mail containing excessive host names rejected";
+        host_limit soft 20;
+    };
+
+    // backscatter prevention - don't send bounces for mail that we accepted but could not forward
+    // we only send bounces to our own customers
+    env_from unknown {
+        "<>"    black;
+    };
+};
+
 context sample {
     dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
     dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";