Re: [Mimedefang] Non-routable addresses in HELO
At 03:37 11-07-2006, Steffen Kaiser wrote:

> BTW: Does somebody know what the "#" element is used for?

That's the host address as a decimal integer.

Regards,
-sm

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Non-routable addresses in HELO
On Tue, 11 Jul 2006, Steffen Kaiser wrote:

> On Mon, 10 Jul 2006, Jim McCullars wrote:
>
> > I just reject when someone sends an IP address as a HELO, and it is not
> > their actual IP address. In filter_sender():
> >
> >     if ($helo =~ /^\d+\.\d+\.\d+\.\d+$/) { # looks like an IP
>
> Shouldn't you optionally allow square brackets? As they are required by
> both RFCs for address literals.

Well, if you look at it in the context of the test being bypassed if they do include square brackets, then they are already "allowed". But yes, the test should probably be changed to check for them.

Jim McCullars
University of Alabama in Huntsville
Re: [Mimedefang] Non-routable addresses in HELO
On Tue, Jul 11, 2006 at 12:37:44PM +0200, Steffen Kaiser wrote:

> On Tue, 11 Jul 2006, Jan-Pieter Cornet wrote:
>
> > So, based on this latter paragraph, it is entirely OK to reject
> > after "EHLO 127.0.0.1", since that is not a properly formatted EHLO
> > argument. RFC821 has similar restrictions on the HELO argument,
> > which should be a "domain" (no IP allowed).
>
> RFC821 is funny, because it allows this:
>
> [1.2.3.4].[1.2.3.6].#123445.DummDiDumm
> [...BNF explanation...]

But there are additional limitations in the text of RFC821, to quote:

from section 3.5 Opening and Closing:

    HELO <SP> <domain> <CRLF>

from section 3.7 Domains:

    Whenever domain names are used in SMTP only the official names are used, the use of nicknames or aliases is not allowed.

And from the glossary:

    domain
        The hierarchially structured global character string address of a host computer in the mail system.

And it is indeed fun to read, because the DNS system had only just been invented when this was written, and that clearly shows :)

> BTW: Does somebody know what the "#" element is used for?

That knowledge might have been lost together with Jon Postel. I've never seen it used.

--
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
Re: [Mimedefang] Non-routable addresses in HELO
On Tue, 11 Jul 2006, Jan-Pieter Cornet wrote:

> So, based on this latter paragraph, it is entirely OK to reject
> after "EHLO 127.0.0.1", since that is not a properly formatted EHLO
> argument. RFC821 has similar restrictions on the HELO argument,
> which should be a "domain" (no IP allowed).

RFC821 is funny, because it allows this:

    [1.2.3.4].[1.2.3.6].#123445.DummDiDumm

relevant EBNF:

    <domain> ::= <element> | <element> "." <domain>
    <element> ::= <name> | "#" <number> | "[" <dotnum> "]"
    <dotnum> ::= <snum> "." <snum> "." <snum> "." <snum>
    <number> ::= <d> | <d> <number>
    <snum> ::= one, two, or three digits representing a decimal integer value in the range 0 through 255

EHLO's argument is defined more restrictively.

BTW: Does somebody know what the "#" element is used for?

Bye,
--
Steffen Kaiser
Re: [Mimedefang] Non-routable addresses in HELO
On Mon, Jul 10, 2006 at 10:26:40AM -0700, John Rudd wrote:

> If you're going to be a stickler about what the RFC says, in what you
> require about the sender, then it's probably a good idea to be a
> stickler about the RFC in how your server operates as well.
> Specifically, you may not refuse the message based upon the HELO
> argument.

No, that is not correct. This point comes up repeatedly, and proponents of the "you cannot reject based on HELO name" usually quote this paragraph from RFC 2821, section 4.1.4 Order of Commands:

    An SMTP server MAY verify that the domain name parameter in the EHLO command actually corresponds to the IP address of the client. However, the server MUST NOT refuse to accept a message for this reason if the verification fails: the information about verification failure is for logging and tracing only.

However, this explicitly says that you MUST NOT reject because of an IP address mismatch, when the incoming IP connection has another IP address than the hostname given as the EHLO argument. However, this says nothing about rejecting based on other criteria, for example, malformedness of the argument.

Both RFC 2821 (defining EHLO) and RFC 821 (defining HELO) are quite strict about what that argument should look like. To quote RFC 2821 again:

    - The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal as described in section 4.1.1.1.

(look up section 4.1.1.1 yourself if you must, it describes address literals like [194.109.21.6], or [IPv6:2001:888:0:1::666]).

So, based on this latter paragraph, it is entirely OK to reject after "EHLO 127.0.0.1", since that is not a properly formatted EHLO argument. RFC821 has similar restrictions on the HELO argument, which should be a "domain" (no IP allowed).

But while on the subject of RFC strictness... the RFCs are lagging behind a little bit.

According to the RFC, you MUST reject the HELO or EHLO argument with a 501 error if the argument is invalid. In practice, however, any reject reason is often delayed until the RCPT command, to allow specific users (like postmaster) to override certain checks. This usually also results in better error messages to users. This practice is not allowed by the RFCs, but is generally considered the better thing to do.

Also note that I'm not aware of any SMTP server implementation that actually enforces syntactic checks on the HELO or EHLO argument out of the box (resulting in lots of clients sending utter crap).

Also note that blocking based on EHLO will produce some false positives: there are legitimate mail servers out there that EHLO as, eg. "lan.local" or something silly.

--
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
Re: [Mimedefang] Non-routable addresses in HELO
On Mon, 10 Jul 2006, Jim McCullars wrote:

> I just reject when someone sends an IP address as a HELO, and it is not
> their actual IP address. In filter_sender():
>
>     if ($helo =~ /^\d+\.\d+\.\d+\.\d+$/) { # looks like an IP

Shouldn't you optionally allow square brackets? As they are required by both RFCs for address literals.

Bye,
--
Steffen Kaiser
Re: [Mimedefang] Non-routable addresses in HELO
On Jul 10, 2006, at 12:41 PM, Michael Lang wrote:

> > My point being: Seems rather hypocritical to complain about the lack of
> > merits of the client based upon lack of RFC compliance ... while
> > advocating lack of RFC compliance in your server.
>
> in my filter RFC ignorant client Mails get additional SpamScore added,
> but as written above, i pointed it out wrong ...

ah, that actually makes a LOT more sense. Good idea :-)
Re: [Mimedefang] Non-routable addresses in HELO
On Mon, 2006-07-10 at 10:26 -0700, John Rudd wrote:

> On Jul 10, 2006, at 7:57 AM, Michael Lang wrote:
>
> If you're going to be a stickler about what the RFC says, in what you
> require about the sender, then it's probably a good idea to be a
> stickler about the RFC in how your server operates as well.
> Specifically, you may not refuse the message based upon the HELO
> argument.

Oops ... maybe I pointed this one out the wrong way ... what I meant was that putting (oct.oct.oct.oct) in your filter today, and the next one tomorrow, doesn't make sense. It's the wrong way of 'ALLOW ALL, DENY ...'

> My point being: Seems rather hypocritical to complain about the lack of
> merits of the client based upon lack of RFC compliance ... while
> advocating lack of RFC compliance in your server.

In my filter, RFC-ignorant client mails get additional SpamScore added, but as written above, I pointed it out wrong ...

Kind regards
Michael Lang

--
Michael Lang <[EMAIL PROTECTED]>
Re: [Mimedefang] Non-routable addresses in HELO
On Jul 10, 2006, at 7:57 AM, Michael Lang wrote:

> On Mon, 2006-07-10 at 09:17 -0500, Jim McCullars wrote:
>
> > On Sun, 9 Jul 2006, Dirk the Daring wrote:
> >
> > > Obviously, if I have sending hosts on my network that really did have
> > > non-routable addresses, this would be a possible problem (altho the simple
> >
> > I just reject when someone sends an IP address as a HELO, and it is not
> > their actual IP address. In filter_sender():
>
> i remember an exploit with negative Integers as helo name ... and as RFC 821 states
>
> """This command is used to identify the sender-SMTP to the receiver-SMTP. The argument field contains the host name of the sender-SMTP."""

If you're going to be a stickler about what the RFC says, in what you require about the sender, then it's probably a good idea to be a stickler about the RFC in how your server operates as well. Specifically, you may not refuse the message based upon the HELO argument.

My point being: Seems rather hypocritical to complain about the lack of merits of the client based upon lack of RFC compliance ... while advocating lack of RFC compliance in your server.
Re: [Mimedefang] Non-routable addresses in HELO
On Mon, 2006-07-10 at 09:17 -0500, Jim McCullars wrote:

> On Sun, 9 Jul 2006, Dirk the Daring wrote:
>
> > Obviously, if I have sending hosts on my network that really did have
> > non-routable addresses, this would be a possible problem (altho the simple
>
> I just reject when someone sends an IP address as a HELO, and it is not
> their actual IP address. In filter_sender():

I remember an exploit with negative integers as HELO name ... and as RFC 821 states

"""This command is used to identify the sender-SMTP to the receiver-SMTP. The argument field contains the host name of the sender-SMTP."""

it should be the hostname of the remote MTA, so everything in /^[a-z0-9\-\.]+/i would be valid. So if you want to be restrictive, implement a FULL FQDN check for the HELO. Extending this to prevent spam/virus senders from abusing your MTA, you could add SPF checking and DUL strings in the reverse FQDN, as HELO strings are modifiable from within the virus/trojan. (I've already seen zombie PCs sending messages periodically after 10 minutes to get past greylisting.)

But maybe it's easier to set up secured communication channels with your MTA peers? Like 'DENY ALL, ALLOW FROM ...' ;)

Greetz
mIke

Try adding these filters to your config, but do logging only ;)

    sub filter_recipient {
        ...
        # check_dul() returns ('TEMP', $reason) or an empty list; take both
        # values once instead of calling it twice and passing a list to md_syslog().
        my ($dul_action, $dul_reason) = check_dul($RealRelayHostname);
        if ($dul_action) {
            md_syslog('warning', $dul_reason);
        }
        ...
    }

    ...

    sub check_dul($) {
        my $reverseFQDN = $_[0];
        md_syslog('warning', "Checking for MTAname $reverseFQDN");
        # Two digit groups separated by "." or "-" anywhere in the name
        # (the optional tail makes the group match on the first two alone).
        if ($reverseFQDN =~ /\d{1,3}[\.\-]\d{1,3}(|(\d{1,3}[\.\-]\d{1,3})|[\.\-]\d{1,3})/) {
            return ('TEMP', "$reverseFQDN DUL like syntax");
        # Three or four digit groups, e.g. host-1-2-3.example or 1.2.3.4.example
        } elsif ($reverseFQDN =~ /\d{1,3}[\.\-]\d{1,3}[\.\-]\d{1,3}(|[\.\-]\d{1,3})/) {
            return ('TEMP', "$reverseFQDN DUL like syntax");
        # Typical dial-up / dynamic pool naming
        } elsif ($reverseFQDN =~ /(xsdl|adsl|pool|dial(in|up|-in|-up)|dynamic)/i) {
            return ('TEMP', "$reverseFQDN DUL like syntax");
        } else {
            return;
        }
    }

>     if ($helo =~ /^\d+\.\d+\.\d+\.\d+$/) { # looks like an IP
>       if ($helo ne $ip) {
>         return('REJECT', "IP address $ip doesn't match helo string $helo");
>       }
>     }
>
> This is fairly effective, I grepped my syslog file on one of two email
> relays and since last Friday it stopped over 5000 email attempts. It has
> the added effect of stopping those who use *my* IP address as the HELO
> string.
>
> HTH...
>
> Jim McCullars
> University of Alabama in Huntsville

--
Michael Lang <[EMAIL PROTECTED]>
Re: [Mimedefang] Non-routable addresses in HELO
On Sun, 9 Jul 2006, Dirk the Daring wrote:

> Obviously, if I have sending hosts on my network that really did have
> non-routable addresses, this would be a possible problem (altho the simple

I just reject when someone sends an IP address as a HELO, and it is not their actual IP address. In filter_sender():

    if ($helo =~ /^\d+\.\d+\.\d+\.\d+$/) { # looks like an IP
      if ($helo ne $ip) {
        return('REJECT', "IP address $ip doesn't match helo string $helo");
      }
    }

This is fairly effective, I grepped my syslog file on one of two email relays and since last Friday it stopped over 5000 email attempts. It has the added effect of stopping those who use *my* IP address as the HELO string.

HTH...

Jim McCullars
University of Alabama in Huntsville
Re: [Mimedefang] Non-routable addresses in HELO
On Sun, 2006-07-09 at 22:40 -0400, Dirk the Daring wrote:

> I've noticed some SPAMmers recently starting to HELO using non-routable
> IP addresses (mostly 10.x.x.x or 192.168.x.x)
>
> I'm thinking of filtering for this, and I came up with this code (which
> would be placed AFTER the check for an IP-based HELO in square brackets -
> so any IP-based HELO missing the brackets has already been rejected).

If you're seeing drive-by spammers, I honestly would be looking at implementing greylisting instead. Most of my spam experience has shown that a vast majority is coming from IP addresses that do not get used that often.

My $0.02
Kayne
Re: [Mimedefang] Non-routable addresses in HELO
On Sun, 9 Jul 2006, Dirk the Daring wrote:

> I've noticed some SPAMmers recently starting to HELO using non-routable
> IP addresses (mostly 10.x.x.x or 192.168.x.x)

See the past threads about this topic; actually only MUAs should use private IPs here, but a multi-interface or misconfigured MTA might pick the wrong one ... .

> I'm thinking of filtering for this, and I came up with this code (which
> would be placed AFTER the check for an IP-based HELO in square brackets -
> so any IP-based HELO missing the brackets has already been rejected).

The HELO argument is not properly defined, EHLO's one is.

> I'd appreciate any feedback anyone would like to offer on this code snippet:
>
>     # Check for a HELO that is a non-routable address and therefore invalid
>     if (($helo =~ /(^|\[)10\.d{1,3}\.d{1,3}\.d{1,3}\]$/i) ||

It makes no sense to optionally allow [ on the left, but enforce ] on the right side. Digits have no case at all.

There was a post about rejecting HELO arguments where IPs are not enclosed in brackets (and other malformed stuff), but otherwise HELO checks are nonsense.

> Obviously, if I have sending hosts on my network that really did have
> non-routable addresses, this would be a possible problem (altho the simple
> solution is for them to not HELO with their IP, but use their hostname).
> And

The better solution would be: If you trust them -> exempt them from the check at all! (Use the relay address to determine if it _really_ is your trusted host.)

Bye,
--
Steffen Kaiser
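Pulling the thread's points together: Jan-Pieter's reading of RFC 2821 (a syntactically invalid EHLO argument such as a bare "127.0.0.1" may be rejected with 501, while a bracketed literal that merely fails to match the client IP is log-only under section 4.1.4), Dirk's concern about non-routable address literals, and Steffen's advice to exempt trusted hosts by their relay address rather than by what they claim in HELO. The following Python is an added example written for this page; it is not code from the thread and not MIMEDefang's own code. The function names, the three action labels, the trusted-network parameter and the sample addresses are all assumptions made for illustration. It goes a little beyond the thread's snippets: it classifies IPv6 literals too, and, unlike Jim's filter_sender() check, it rejects every unbracketed IP whether or not it equals the connecting address, because a bare IP is not valid EHLO syntax at all.

```python
"""Classify an SMTP HELO/EHLO argument and apply a site policy to it."""
import ipaddress
import re

# RFC 2821 section 4.1.2:
#   Domain     = (sub-domain 1*("." sub-domain)) / address-literal
#   sub-domain = Let-dig [Ldh-str]
# i.e. labels of letters, digits and hyphens that start and end with a letter
# or digit, and at least two labels ("localhost" is not a valid EHLO domain
# under RFC 2821; RFC 5321 later relaxed this to a single label).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile("^" + _LABEL + r"(?:\." + _LABEL + ")+$")
# An unbracketed dotted quad is neither a domain nor an address literal.
_BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# RFC 2821 section 4.1.3: "[" IPv4-address-literal / "IPv6:" IPv6-address-literal "]"
_LITERAL_RE = re.compile(r"^\[([^\]]*)\]$")

# Ranges a host on the public Internet should never announce as its literal
# (RFC 1918, loopback, IPv6 ULA and link-local). Assumed policy list.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def classify_helo(arg):
    """Return (kind, value) for a HELO/EHLO argument.

    kind is 'domain', 'ipv4-literal', 'ipv6-literal', 'bare-ip' or 'invalid';
    value is the lower-cased domain, the parsed address object, or None.
    """
    arg = arg.strip()
    m = _LITERAL_RE.match(arg)
    if m:
        inner = m.group(1)
        try:
            if inner.startswith("IPv6:"):
                return "ipv6-literal", ipaddress.IPv6Address(inner[len("IPv6:"):])
            return "ipv4-literal", ipaddress.IPv4Address(inner)
        except ValueError:          # e.g. "[1.2.3.999]" or "[IPv6:garbage]"
            return "invalid", None
    if _BARE_IPV4_RE.match(arg):    # "EHLO 127.0.0.1": malformed, but common
        return "bare-ip", None
    if _DOMAIN_RE.match(arg):
        return "domain", arg.lower()
    return "invalid", None


def helo_policy(arg, relay_ip, trusted_nets=()):
    """Decide what to do with a HELO argument from the connecting address.

    Returns (action, reason), action being 'CONTINUE', 'LOG' or 'REJECT':
      - relay inside trusted_nets: accept unchecked (trust is decided by the
        relay address, never by the HELO string);
      - invalid syntax, including a bare IP: REJECT (501), which RFC 2821
        permits independently of any client-IP verification;
      - bracketed literal in a non-routable range from an untrusted relay:
        REJECT as site policy (the case that started this thread);
      - bracketed literal that does not match the relay: LOG only, because
        RFC 2821 section 4.1.4 says the server MUST NOT refuse for that.
    """
    relay = ipaddress.ip_address(relay_ip)
    if any(relay in ipaddress.ip_network(n) for n in trusted_nets):
        return "CONTINUE", f"relay {relay} is trusted; HELO {arg!r} not checked"
    kind, value = classify_helo(arg)
    if kind == "invalid":
        return "REJECT", f"501 syntax error in HELO argument {arg!r}"
    if kind == "bare-ip":
        return "REJECT", f"501 HELO {arg!r} is an unbracketed IP, not a domain or address literal"
    if kind in ("ipv4-literal", "ipv6-literal"):
        if any(value in net for net in _NON_ROUTABLE):
            return "REJECT", f"HELO literal {arg} is non-routable and relay {relay} is not trusted"
        if value != relay:
            return "LOG", f"HELO literal {arg} does not match relay {relay} (RFC 2821 4.1.4: log only)"
    return "CONTINUE", f"HELO {arg!r} accepted"


if __name__ == "__main__":
    # Constructed (HELO argument, connecting address) pairs, not real log data.
    samples = [
        ("mail.example.com", "203.0.113.5"),
        ("[203.0.113.5]", "203.0.113.5"),
        ("[198.51.100.7]", "203.0.113.5"),
        ("[IPv6:2001:888:0:1::666]", "203.0.113.5"),
        ("127.0.0.1", "203.0.113.5"),
        ("[10.1.2.3]", "203.0.113.5"),
        ("[192.168.1.99]", "192.168.1.99"),
        ("-bad-.example", "203.0.113.5"),
    ]
    for helo, ip in samples:
        action, why = helo_policy(helo, ip, trusted_nets=("192.168.1.0/24",))
        print(f"{action:8} {helo:26} from {ip:14} {why}")
```

In a MIMEDefang filter the equivalent decision would sit in filter_sender() or filter_recipient() with $RelayAddr as the relay address; as Jan-Pieter notes, whether a REJECT is issued at HELO time or deferred to RCPT is up to the MTA, and this code only computes the verdict.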