On Sat, 18 Jan 2014, Prabin Acharya wrote:

> My mailserver has been compromised.
>
> The scenario is: bogus users are using the mailing address of my company
> and sending spam messages.

Do you refer to this scenario as "My mailserver has been compromised"? Or is there some other problem as well?

> My mimedefang filter has included my workplace mail domain as a safe
> sender. However, some spam mails are such that the sender fakes my
> workplace domain too.

IMHO, you should drop this whitelisting of domains. Your suggested filter_sender is a step in that direction.

> I'm thinking of using something like below:
> by using filter_sender, I'd check on legitimate email
> addresses that are allowed to pass through my mailserver. If the
> sender address contains my domain, check for the IP address of the sender;
> if the IP address belongs to my internal network pass it on, if not drop
> the mail.

I'd add: pass it along, too, if the sender is authenticated!

However, if your mail server is compromised and someone is sending SPAM from your mail server, this won't help to stop it. However #2: if someone is sending SPAM outside your server and those messages bounce, you get the bounces still.

So this change does not help with either of your problems. You could look into SPF or BATV.

> My filter_sender is as follows:
>
> sub filter_sender(){
> my($sender, $ip, $hostname, $helo)=@_;
>
> $rg='.*?(@)(pmail\\.com.np)';
> $iprg='(10)(\\.)(59)(\\.)(\\d+)(\\.)(\\d+)';

Is there a reason for all the ()'s? You should anchor $rg to the end of the string, probably with: \.com\.np\.?$ The .*? is not necessary then as well.

You should anchor $iprg to the beginning of the string, the \d+\.\d+ is not necessary, unless you want to process the numbers further.

> if($sender=~ m/$rg/is){
> if($ip =~ m/$iprg/is){

Why do you use variables? This drops performance. Write the strings here or use qr// in the assignment of the variables.

-- Steffen Kaiser

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
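
The check discussed in this thread, written out as an added example (not code from either poster or from MIMEDefang): own-domain senders are accepted only from the internal network or when authenticated, using anchored qr// patterns. The helper check_sender and its $authenticated flag are hypothetical (in a real filter the flag would come from the MTA, for example sendmail's auth_authen macro), and the sample envelopes are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Anchored, precompiled patterns (qr//), as the reply suggests.
# pmail.com.np and 10.59.x.x are the values from the quoted filter.
my $OWN_DOMAIN  = qr/\@pmail\.com\.np\.?>?$/i;  # end of address, optional ">"
my $INTERNAL_IP = qr/^10\.59\./;                # start of the relay address

# Hypothetical helper, not part of MIMEDefang. $authenticated is an assumed
# flag that the caller derives from its MTA (e.g. sendmail's auth_authen).
sub check_sender {
    my ($sender, $ip, $authenticated) = @_;
    return ('CONTINUE', 'ok') unless $sender =~ $OWN_DOMAIN;  # foreign sender
    return ('CONTINUE', 'ok') if $ip =~ $INTERNAL_IP;         # internal host
    return ('CONTINUE', 'ok') if $authenticated;              # SMTP AUTH user
    return ('REJECT', 'Local sender address requires authentication');
}

# The patterns from the quoted filter, for comparison: unanchored, and the
# "." before "np" matches any character.
my $old_rg   = qr/.*?(\@)(pmail\.com.np)/is;
my $old_iprg = qr/(10)(\.)(59)(\.)(\d+)(\.)(\d+)/is;

# Constructed sample envelopes: sender, relay IP, authenticated flag.
my @samples = (
    ['<alice@pmail.com.np>',         '10.59.3.7',   0],
    ['<alice@pmail.com.np>',         '203.0.113.9', 1],
    ['<alice@pmail.com.np>',         '203.0.113.9', 0],
    ['<bob@example.org>',            '203.0.113.9', 0],
    ['<x@pmail.com.np.example.net>', '110.59.1.2',  0],
);

for my $s (@samples) {
    my ($sender, $ip, $auth) = @$s;
    my ($action) = check_sender($sender, $ip, $auth);
    # Would the quoted patterns have classified this as "own domain, internal"?
    my $old = ($sender =~ $old_rg && $ip =~ $old_iprg) ? 'match' : 'no match';
    printf "%-30s %-12s auth=%d -> %-8s (old patterns: %s)\n",
        $sender, $ip, $auth, $action, $old;
}
```

The last sample shows why the anchors matter: the unanchored patterns treat a foreign domain that merely contains pmail.com.np, relayed from 110.59.1.2, as an internal sender.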