changeset 127:2b1a4701e856
sendmail no longer guarantees <> wrapper on envelopes
author | carl |
---|---|
date | Sat, 08 Apr 2006 10:06:09 -0700 |
parents | 05ae49d37896 |
children | 9ab51896447f |
files | ChangeLog NEWS configure.in dnsbl.conf src/dnsbl.cpp xml/dnsbl.in |
diffstat | 6 files changed, 94 insertions(+), 13 deletions(-) [+] |
--- a/ChangeLog Sat Mar 25 09:47:08 2006 -0800
+++ b/ChangeLog Sat Apr 08 10:06:09 2006 -0700
@@ -1,18 +1,26 @@
 $Id$
+5.18 2006-04-08
+ Bug fix - newer sendmail versions don't guarantee envelope addresses
+ enclosed in <> wrapper.
+
+ Document backscatter prevention configuration for systems that are
+ used to mainly spam filter and then forward to mail to the internal
+ server.
+
 5.17 2006-03-25
- never ask dns blacklists about rfc1918 address space.
+ Never ask dns blacklists about rfc1918 address space.
 5.16 2006-03-16
- bug fix - the smtp error message for uribl filtering needs to
+ Bug fix - the smtp error message for uribl filtering needs to
 reference the host name, not the ip address.
 5.15 2006-03-15
- bug fix - we failed to properly set the return code to indicate the
+ Bug fix - we failed to properly set the return code to indicate the
 reason when rejecting mail for content filtering.
 5.14 2006-03-13
- fix typo in the default config file and documentation for using
+ Fix a typo in the default config file and documentation for using
 multi.surbl.org
 5.13 2006-03-12
--- a/NEWS Sat Mar 25 09:47:08 2006 -0800
+++ b/NEWS Sat Apr 08 10:06:09 2006 -0700
@@ -1,5 +1,6 @@
 $Id$
+5.18 2006-04-08 sendmail no longer guarantees <> wrapper on envelopes
 5.17 2006-03-25 never ask dns blacklists about rfc1918 address space
 5.16 2006-03-16 bug fix, smtp error message for uribl filtering needs host name, not ip address
 5.15 2006-03-15 bug fix, failed to set reason code when rejecting mail from content filtering
--- a/configure.in Sat Mar 25 09:47:08 2006 -0800
+++ b/configure.in Sat Apr 08 10:06:09 2006 -0700
@@ -1,7 +1,7 @@
 AC_INIT(configure.in)
 AM_CONFIG_HEADER(config.h)
-AM_INIT_AUTOMAKE(dnsbl,5.17)
+AM_INIT_AUTOMAKE(dnsbl,5.18)
 AC_PATH_PROGS(BASH, bash)
 AC_LANG_CPLUSPLUS
--- a/dnsbl.conf Sat Mar 25 09:47:08 2006 -0800
+++ b/dnsbl.conf Sat Apr 08 10:06:09 2006 -0700
@@ -1,3 +1,32 @@
+context main-default {
+ // outbound dnsbl filtering to catch our own customers that end up on the sbl
+ dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
+ dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s";
+ dnsbl_list local sbl dul;
+
+ // outbound content filtering to prevent our own customers from sending spam
+ content on {
+ filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s";
+ #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
+ ignore { include "hosts-ignore.conf"; };
+ tld { include "tld.conf"; };
+ cctld { include "cctld.conf"; };
+ html_tags { include "html-tags.conf"; };
+ html_limit on 20 "Mail containing excessive bad html tags rejected";
+ html_limit off;
+ host_limit on 20 "Mail containing excessive host names rejected";
+ host_limit soft 20;
+ };
+
+ // backscatter prevention - don't send bounces for mail that we accepted but could not forward
+ // we only send bounces to our own customers
+ env_from unknown {
+ "<>" black;
+ };
+};
+
 context main {
 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
--- a/src/dnsbl.cpp Sat Mar 25 09:47:08 2006 -0800
+++ b/src/dnsbl.cpp Sat Apr 08 10:06:09 2006 -0700
@@ -855,16 +855,24 @@
 }
 ////////////////////////////////////////////////
-// this email address is passed in from sendmail, and will
-// always be enclosed in <>. It may have mixed case, just
-// as the mail client sent it. We dup the string and convert
-// the duplicate to lower case.
+//
+// this email address is passed in from sendmail, and will normally be
+// enclosed in <>. I think older versions of sendmail supplied the <>
+// wrapper if the mail client did not, but the current version does not do
+// that. So the <> wrapper is now optional. It may have mixed case, just
+// as the mail client sent it. We dup the string and convert the duplicate
+// to lower case.
 //
 char *to_lower_string(char *email);
 char *to_lower_string(char *email) {
- int n = strlen(email)-2;
- if (n < 1) return strdup(email);
- char *key = strdup(email+1);
+ int n = strlen(email);
+ if (*email == '<') {
+ // assume it also ends with >
+ n -= 2;
+ if (n < 1) return strdup(email); // return "<>"
+ email++;
+ }
+ char *key = strdup(email);
 key[n] = '\0';
 for (int i=0; i<n; i++) key[i] = tolower(key[i]);
 return key;
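Review bot: The new `if (*email == '<')` branch in to_lower_string only checks the opening bracket and, per its own comment, assumes the closing `>`; an envelope such as `<user@example.com` (no closing bracket) therefore has its last real character cut off by `n -= 2` and `key[n] = '\0'`, so the lowered key no longer matches the address the client sent. Since this string comes from the remote mail client, the stripping should be conditional on both ends, `if (*email == '<' && n >= 2 && email[n-1] == '>') {`, which also keeps a bare `<` intact instead of driving n negative. Two smaller points in the same block: `strdup` can return NULL and `key[n]` is written without a check, and `tolower(key[i])` on a plain `char` should be `tolower((unsigned char)key[i])` so high-bit bytes in the address are not passed as negative values. The function's closing brace lies outside the hunk.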
--- a/xml/dnsbl.in Sat Mar 25 09:47:08 2006 -0800
+++ b/xml/dnsbl.in Sat Apr 08 10:06:09 2006 -0700
@@ -159,7 +159,7 @@
 reject mail sent to invalid addresses. Otherwise, the backup mail
 servers will accept that mail, and then generate a bounce message when
 the message is forwarded to the primary server (and rejected there with
- no such user).
+ no such user). These rejections are the primary cause of such backscatter.
 </para>
 <para>
 This milter will also decode (uuencode, base64, mime, html entity, url
@@ -449,6 +449,11 @@
 The following ideas are under consideration.
 </para>
 <para>
+ Add mail volume limits based on smtp auth accounts, to prevent
+ customers from sending too much mail. This should catch customers
+ that get infected with malware that knows about smtp auth.
+ </para>
+ <para>
 Add a per-context option to reject mail if the number of digits in the
 reverse dns client name exceeds some threshold.
 </para>
@@ -563,6 +568,35 @@
 <refsect1 id='sample.5'>
 <title>Sample</title>
 <literallayout class="monospaced"><![CDATA[
+context main-default {
+ // outbound dnsbl filtering to catch our own customers that end up on the sbl
+ dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
+ dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s";
+ dnsbl_list local sbl dul;
+
+ // outbound content filtering to prevent our own customers from sending spam
+ content on {
+ filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s";
+ #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
+ ignore { include "hosts-ignore.conf"; };
+ tld { include "tld.conf"; };
+ cctld { include "cctld.conf"; };
+ html_tags { include "html-tags.conf"; };
+ html_limit on 20 "Mail containing excessive bad html tags rejected";
+ html_limit off;
+ host_limit on 20 "Mail containing excessive host names rejected";
+ host_limit soft 20;
+ };
+
+ // backscatter prevention - don't send bounces for mail that we accepted but could not forward
+ // we only send bounces to our own customers
+ env_from unknown {
+ "<>" black;
+ };
+};
+
 context sample {
 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";