Re: [Mimedefang] Access to sendmail macro client_addr
On Mon, 2014-05-05 at 11:03 -0600, Mark Costlow wrote:
> We've found that this approach works and is valuable, although it has
> been tricky to determine what a "safe" number of IPs is to allow. In
> particular, smartphones roaming around the city tend to look like they
> are connecting from many IPs. We eventually changed the comparison to
> consider the number of /24 subnets the IPs were from, which helped.
> (I.e. 172.14.89.2, 172.14.89.12, and 172.14.89.119 all
> count as being from a single subnet).

Thanks to both you and the OP for sharing this interesting idea. I'll definitely keep this in mind.

Here's a bit on a technique we've used:

To quarantine phished accounts, we've implemented something that tracks the number of new recipients a given sender sends mail to. If that exceeds a limit over the last 72 hours (i.e. a rolling window of 72 hours), then we lock out the account.

This works remarkably well. I don't think we've ended up on a block list since, and there have been very few false positives. We've hit a few people sending to 200 recipients from Outlook. We've been able to address that by moving them to a mailing list system, which I think is the right answer for that anyway.

-- 
Richard

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
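The new-recipient counter Richard describes above, modelled as an added example (this is not the poster's code and not part of MIMEDefang; a real filter would be Perl running in filter_recipient() or filter_sender()). The thread gives the 72-hour window but not the limit, so the limit and the "first contact counts as new" rule are assumptions. Per-recipient first-seen timestamps are kept so the window is a true rolling one: a sender's long-standing correspondents never count, while a burst of never-before-mailed addresses does.

```python
"""Rolling-window count of first-time recipients per authenticated sender.

Added example modelling the lockout described in the thread; not code
from MIMEDefang or from any poster. Assumptions (not in the thread):
  * the limit is 100 new recipients per 72 hours;
  * a recipient is "new" for a sender the first time that sender mails it,
    so established correspondents never count against the limit;
  * once locked, a sender stays locked until an operator clears it.
"""
from collections import defaultdict

WINDOW_SECONDS = 72 * 3600      # the 72-hour window from the thread
MAX_NEW_RECIPIENTS = 100        # assumed limit


class NewRecipientTracker:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_NEW_RECIPIENTS):
        self.window = window
        self.limit = limit
        # sender -> {recipient: timestamp of first contact}
        self.first_seen = defaultdict(dict)
        self.locked = set()

    def observe(self, sender, recipients, ts):
        """Record one message and return how many first-time recipients
        this sender has mailed within the trailing window."""
        sender = sender.lower()
        contacts = self.first_seen[sender]
        for rcpt in recipients:
            # setdefault: an address already mailed earlier keeps its old
            # first-seen time and so ages out of the window naturally
            contacts.setdefault(rcpt.lower(), ts)
        count = sum(1 for t in contacts.values() if t > ts - self.window)
        if count > self.limit:
            self.locked.add(sender)
        return count

    def is_locked(self, sender):
        return sender.lower() in self.locked


def run_demo():
    """Constructed traffic for three senders; returns (count, locked) each."""
    t0 = 1_700_000_000
    day = 86400
    tracker = NewRecipientTracker(limit=5)   # small limit to keep the demo short

    # alice: mails the same three colleagues every day for a week
    for d in range(7):
        tracker.observe("alice@example.org",
                        ["x@example.net", "y@example.net", "z@example.net"],
                        t0 + d * day)
    alice = tracker.observe("alice@example.org", ["x@example.net"], t0 + 7 * day)

    # mallory: compromised account, six fresh addresses within a minute
    tracker.observe("mallory@example.org",
                    [f"victim{i}@example.com" for i in range(3)], t0)
    mallory = tracker.observe("mallory@example.org",
                              [f"victim{i}@example.com" for i in range(3, 6)],
                              t0 + 60)

    # dave: four new contacts, then four more four days later; the first
    # batch has aged out of the 72-hour window by then
    tracker.observe("dave@example.org",
                    [f"c{i}@example.com" for i in range(4)], t0)
    dave = tracker.observe("dave@example.org",
                           [f"c{i}@example.com" for i in range(4, 8)],
                           t0 + 4 * day)

    return {
        "alice": (alice, tracker.is_locked("alice@example.org")),
        "mallory": (mallory, tracker.is_locked("mallory@example.org")),
        "dave": (dave, tracker.is_locked("dave@example.org")),
    }


if __name__ == "__main__":
    print(run_demo())
```

The one-off Outlook mailing to 200 recipients that Richard mentions is exactly the case this trips on: 200 first-time addresses in one message is indistinguishable from a phished account to this counter, which is why moving such senders to a list system is the right fix rather than raising the limit. In production the first-seen map grows with every new correspondent and needs periodic pruning of entries older than the window.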
Re: [Mimedefang] Access to sendmail macro client_addr
I did the same thing here, for exactly the same reasons. Here are my notes about which filter function I ended up using:

#
# If the current connection is using auth, determine if that user has
# sent from too many different IPs recently.
#
# This has to be done in filter_sender because:
#
#  * In filter_relay() (the obvious choice), no access to SendmailMacros
#  * filter_begin() is called too late(!) after the message is accepted
#  * filter_recipient() is potentially called multiple times
#

We've found that this approach works and is valuable, although it has been tricky to determine what a "safe" number of IPs is to allow. In particular, smartphones roaming around the city tend to look like they are connecting from many IPs. We eventually changed the comparison to consider the number of /24 subnets the IPs were from, which helped. (I.e. 172.14.89.2, 172.14.89.12, and 172.14.89.119 all count as being from a single subnet.) Of course it lowers the chance of catching someone who is exploiting a small server farm to send spam, but in practical use it seems to be working OK.

Oh, and for webmail, we're applying the same logic to something that watches the webmail's logfiles.

Thanks,
Mark

On Mon, May 05, 2014 at 01:07:42PM +0200, Benoit Panizzon wrote:
> Well, after some more RTFM and stumbling over a thread about documentation
> issues with global variables:
> http://lists.roaringpenguin.com/pipermail/mimedefang/2010-May/035763.html
>
> I note that $RelayAddr is available in filter_begin but
> read_commands_file is not.
>
> Benoit Panizzon
> -- 
> I m p r o W a r e   A G
> ______________________
> Zurlindenstrasse 29        Tel  +41 61 826 93 07
> CH-4133 Pratteln           Fax  +41 61 826 93 02
> Schweiz                    Web  http://www.imp.ch
> ______________________

-- 
Mark Costlow      | Southwest Cyberport | Fax:   +1-505-232-7975
che...@swcp.com   | Web: www.swcp.com   | Voice: +1-505-232-7992

Mail Minder - Intelligent Push Notifications for Email on the iPhone
http://mailminderapp.com/download or in the App Store
Re: [Mimedefang] Access to sendmail macro client_addr
On 2014-5-5 13:07, Benoit Panizzon wrote:
> Well, after some more RTFM and stumbling over a thread about documentation
> issues with global variables:
> http://lists.roaringpenguin.com/pipermail/mimedefang/2010-May/035763.html
>
> I note that $RelayAddr is available in filter_begin but
> read_commands_file is not.

read_commands_file() isn't necessary in filter_begin; it is implicitly called, and all global variables and all sendmail macros are available already.

In fact, $RelayAddr is always available, you don't need to call read_commands_file at all (and it contains the value that is in sendmail macro $&{client_addr}).

-- 
Jan-Pieter Cornet
"If you're doing nothing wrong, you have nothing to hide from the giant surveillance apparatus the government's been hiding." -- Stephen Colbert
Re: [Mimedefang] Access to sendmail macro client_addr
Well, after some more RTFM and stumbling over a thread about documentation issues with global variables:
http://lists.roaringpenguin.com/pipermail/mimedefang/2010-May/035763.html

I note that $RelayAddr is available in filter_begin but read_commands_file is not.

Benoit Panizzon
-- 
I m p r o W a r e   A G
______________________
Zurlindenstrasse 29        Tel  +41 61 826 93 07
CH-4133 Pratteln           Fax  +41 61 826 93 02
Schweiz                    Web  http://www.imp.ch
______________________
[Mimedefang] Access to sendmail macro client_addr
Hello

We use MIMEdefang in conjunction with postfix. Postfix does not set a macro if_addr. According to the Postfix Milter documentation, all milters should use client_addr instead.

According to the MIMEDefang documentation, read_commands_file would populate if_addr but does not populate client_addr.

Is there a way to tell MIMEDefang to also pull client_addr? Or could someone tell me a better solution for that situation?

We keep a history of the users which authenticated via smtp during the last hour and look at how many ip addresses are involved. If the number of different ip addresses is over a threshold, we disable the user because of a suspected phished password.

Now we also have users using our webmail. The webmail uses the user's credentials for smtp auth, but comes from one specific IP address. We don't notice if a botnet starts abusing our webmail. But the webmail adds an extra header telling the IP of the HTTP client.

I would like to do something like this in filter_begin:

    read_commands_file();
    if ($SendmailMacros{client_addr} eq $webmailip) {
        open(my $headers, '<', './HEADERS') or return;
        # look for the IP that sent that email via HTTP
        # insert into LoginHistory (tstamp, auth_user, HTTP_ip)
    }

So how can I access the client_ip from within filter_begin?

Kind regards

Benoit Panizzon
-- 
I m p r o W a r e   A G
______________________
Zurlindenstrasse 29        Tel  +41 61 826 93 07
CH-4133 Pratteln           Fax  +41 61 826 93 02
Schweiz                    Web  http://www.imp.ch
______________________
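The check the OP sketches above, combined with Mark's /24 refinement from further up the thread, modelled as an added example. This is not code from MIMEDefang or from any poster: a real filter is Perl and, as Mark notes, would run in filter_sender(); the logic is written in Python here so it runs stand-alone over constructed login records. The thread does not name the header the webmail adds, so X-Webmail-Client-IP is a placeholder, and the one-hour window and threshold of three networks are assumptions. The important defensive detail is that the header is consulted only when the SMTP client really is the webmail host; for any other relay it is ignored, so an outside client cannot launder its origin by adding the header itself.

```python
"""Per-user rolling window of distinct source networks for SMTP AUTH logins.

Added example modelling the checks described in the thread; not code from
MIMEDefang or from any poster. Assumptions (not in the thread):
  * the webmail's extra header is called X-Webmail-Client-IP (placeholder);
  * the window is one hour and more than 3 distinct /24s is suspicious;
  * login records are fed in timestamp order.
"""
import ipaddress
from collections import defaultdict, deque

WEBMAIL_IP = "192.0.2.10"                  # constructed: webmail host's SMTP client address
CLIENT_IP_HEADER = "x-webmail-client-ip"   # hypothetical header name, compared case-insensitively
WINDOW_SECONDS = 3600
MAX_SUBNETS = 3


def effective_client_ip(client_addr, headers):
    """Return the address a login should be attributed to.

    Only mail relayed from WEBMAIL_IP has its origin taken from the header;
    for every other relay the SMTP client address is authoritative and the
    header is ignored, so a remote client cannot spoof its origin.
    A malformed header value falls back to the relay address.
    """
    if client_addr != WEBMAIL_IP:
        return client_addr
    for name, value in headers:
        if name.lower() == CLIENT_IP_HEADER:
            try:
                return str(ipaddress.ip_address(value.strip()))
            except ValueError:
                break
    return client_addr


def subnet_key(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) network, so a
    phone hopping between 172.14.89.2 and 172.14.89.119 counts once."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class LoginHistory:
    """user -> deque of (timestamp, network) within the trailing window."""

    def __init__(self, window=WINDOW_SECONDS, max_subnets=MAX_SUBNETS):
        self.window = window
        self.max_subnets = max_subnets
        self.events = defaultdict(deque)

    def record(self, user, ip, ts):
        q = self.events[user]
        q.append((ts, subnet_key(ip)))
        while q and q[0][0] < ts - self.window:   # drop records older than the window
            q.popleft()
        return self.distinct_subnets(user)

    def distinct_subnets(self, user):
        return len({net for _, net in self.events[user]})

    def is_suspicious(self, user):
        return self.distinct_subnets(user) > self.max_subnets


def run_demo():
    """Constructed login records: (user, SMTP client address, headers, unix ts)."""
    hdr = "X-Webmail-Client-IP"
    records = [
        ("alice", "172.14.89.2", [], 1000),      # roaming phone: three IPs,
        ("alice", "172.14.89.12", [], 1300),     # all in one /24
        ("alice", "172.14.89.119", [], 1600),
        ("bob", WEBMAIL_IP, [(hdr, "198.51.100.7")], 1000),   # webmail logins from
        ("bob", WEBMAIL_IP, [(hdr, "203.0.113.9")], 1100),    # four unrelated networks
        ("bob", WEBMAIL_IP, [(hdr, "192.0.2.77")], 1200),
        ("bob", WEBMAIL_IP, [(hdr, "198.18.0.5")], 1300),
        ("carol", "10.1.1.1", [], 0),            # three networks, then a fourth
        ("carol", "10.2.2.2", [], 100),          # after the first three have
        ("carol", "10.3.3.3", [], 200),          # aged out of the window
        ("carol", "10.4.4.4", [], 5000),
    ]
    history = LoginHistory()
    for user, client, headers, ts in records:
        history.record(user, effective_client_ip(client, headers), ts)
    return {u: (history.distinct_subnets(u), history.is_suspicious(u))
            for u in ("alice", "bob", "carol")}


if __name__ == "__main__":
    print(run_demo())
```

Mark's caveat applies unchanged: collapsing to /24 makes a small server farm inside one network look like a single source, so the threshold trades some detection for fewer false positives on mobile users. The webmail itself must strip or overwrite any copy of the header supplied by the browser, otherwise the value read here is attacker-controlled even on the trusted relay.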