Mailing List CGatePro@mail.stalker.com Message #92451
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: A script or a rule to block forged addresses ?
Date: Tue, 04 Sep 2007 10:09:21 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
> > How about setting the domain to "force auth" for
> "non-clients"? The force auth setting requires authentication
> for from addresses in your domain(s). If you set it to
> non-clients, it requires authentication from anyone outside
> your network in order to send email from accounts in your domain(s).
> >
> In our experience, that doesn't solve the problem. We're usually getting
> spammers on our platform that use a valid account and then forge the
> From header, e.g.
>
> -- snip --
> Received: from [190.45.8.150] (account sebastian.jara@vtr.net
> HELO servidor)
>   by fe1.vtr.cl (CommuniGate Pro SMTP 5.0.12)
>   with ESMTPA id 160980562; Wed, 01 Aug 2007 10:59:19 -0400
> Message-ID: <41225-22007831145929137@servidor>
> X-EM-Version: 6, 0, 1, 0
> X-EM-Registration: #00F06206106618006920
> To: "hosting" <hostingmcv@yahoo.es>
> Organization: mcv
> From: "Su empresa en internet" <hostingmcv@yahoo.es>
> -- snip --
>
> As you can see, the account is indeed authenticated, but using a
> different From header.
>
> In strict terms, CGP is acting as it should, according to the SMTP AUTH
> RFC (RFC 2254). The RFC doesn't say anything about forged addresses.
>
> I'm toying with the idea of an external filter to do the check, but I
> have some doubts about the performance hit of doing this, especially on
> heavily loaded systems.

You're right. You'd either need an option added to the SMTP security to provide for "allow forged sender" or not, or you'd need to write your own filter. I don't think the impact would be too significant even on a heavily-loaded system. It would need only to parse the received header for the (account xxxx), get a list of valid aliases for that account, parse the return path (supplied as P xxxx in the CGPro header section) and from address and reject the message if the return path and/or from addresses aren't valid aliases for the account.

Return-Path: <test@mail.wcg.org>
Received: from [208.57.205.126] (account postmaster HELO bretmiller)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
  with ESMTPA id 22404373 for bret.miller@wcg.org; Tue, 04 Sep 2007 09:58:28 -0700
From: "Bret" <test@mail.wcg.org>

The filter would skip the tests if the message was not submitted authenticated, so it would only apply to email submitted by valid accounts on your server. Force auth would take care of the rest.

It's a fairly simple concept. You wouldn't want to "reject" the messages since the return-path is forged, but you could discard them and build a rejection notice to submit to the account used to authenticate.

Bret
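A sketch of the check Bret describes, added here as an example; it is not code from this thread or from CommuniGate Pro. It takes the text of a queued message, finds the authenticating account in the topmost Received: header's "(account ...)" clause, pulls the return path from the envelope "P" line, and compares both it and the From: address against the account's own address and aliases. Assumptions: the alias table is a constructed stand-in for whatever lookup you use (a real filter would query the server), the envelope layout in the sample files is assumed and only the "P" line is relied on, a bare account name such as "postmaster" is assumed to belong to the domain passed in as default_domain, and the helper protocol by which the server hands the filter a file name and receives OK/DISCARD is left out.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses

# ASSUMPTION: stand-in for the alias lookup. A real filter would query the
# server for the account's aliases; this table is constructed for the example.
ACCOUNT_ALIASES = {"postmaster@mail.wcg.org": ["test@mail.wcg.org"],
                   "sebastian.jara@vtr.net": []}
ACCOUNT_RE = re.compile(r"\(account\s+([^\s)]+)")   # "(account NAME HELO host)"
ANGLE_RE = re.compile(r"<([^<>]*)>")

@dataclass
class Verdict:
    action: str                              # "OK" or "DISCARD"
    account: str = ""                        # authenticated account, if any
    bad: dict = field(default_factory=dict)  # offending field -> address

def split_queue_file(text):
    """Envelope lines, a blank line, then the RFC 822 message."""
    envelope, _, message = text.partition("\n\n")
    return envelope.splitlines(), message

def return_path(envelope_lines):
    """Address in the envelope 'P' line (last <...>), '' if absent or null."""
    for line in envelope_lines:
        if line.startswith("P "):
            found = ANGLE_RE.findall(line)
            return found[-1].lower() if found else ""
    return ""

def authenticated_account(msg, default_domain):
    """Account from the topmost Received:, or None if not submitted with AUTH."""
    received = msg.get_all("Received") or []
    match = ACCOUNT_RE.search(received[0]) if received else None
    if not match:
        return None
    account = match.group(1).lower()
    if "@" not in account:                   # bare name: main domain assumed
        account = f"{account}@{default_domain}"
    return account

def permitted_addresses(account):
    """The account's own address plus its aliases."""
    return {account, *(a.lower() for a in ACCOUNT_ALIASES.get(account, []))}

def check_message(queue_text, default_domain):
    """Return path and From: must both be addresses of the account that
    authenticated; unauthenticated mail is passed untouched."""
    envelope, body = split_queue_file(queue_text)
    msg = message_from_string(body)
    account = authenticated_account(msg, default_domain)
    if account is None:
        return Verdict("OK")                 # leave it to force-auth
    allowed = permitted_addresses(account)
    bad = {}
    rp = return_path(envelope)
    if rp and rp not in allowed:
        bad["Return-Path"] = rp
    for _, addr in getaddresses(msg.get_all("From") or []):
        if addr and addr.lower() not in allowed:
            bad["From"] = addr.lower()
    return Verdict("DISCARD" if bad else "OK", account, bad)

def rejection_notice(verdict):
    """Notice to hand back to the account that authenticated."""
    lines = [f"Your message was discarded: account {verdict.account} submitted it,",
             "but the sender addresses are not aliases of that account:"]
    lines += [f"  {name}: {addr}" for name, addr in verdict.bad.items()]
    return "\n".join(lines)

# Constructed sample queue files; the envelope layout is assumed and only the
# 'P' line is relied on. FORGED mirrors the headers quoted in the thread.
LEGIT = """P I 04-09-2007 09:58:28 0000 <test@mail.wcg.org>

Received: from [208.57.205.126] (account postmaster HELO bretmiller)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
  with ESMTPA id 22404373 for bret.miller@wcg.org; Tue, 04 Sep 2007 09:58:28 -0700
From: "Bret" <test@mail.wcg.org>

test
"""
FORGED = """P I 01-08-2007 10:59:19 0000 <hostingmcv@yahoo.es>

Received: from [190.45.8.150] (account sebastian.jara@vtr.net HELO servidor)
  by fe1.vtr.cl (CommuniGate Pro SMTP 5.0.12)
  with ESMTPA id 160980562; Wed, 01 Aug 2007 10:59:19 -0400
From: "Su empresa en internet" <hostingmcv@yahoo.es>

spam
"""

if __name__ == "__main__":
    for sample in (LEGIT, FORGED):
        v = check_message(sample, "mail.wcg.org")
        print(v.action, v.account, rejection_notice(v) if v.bad else "")
```

The check is cheap: two regexes on the first Received: line and the envelope, one alias lookup per message, and nothing at all for unauthenticated submissions. Following Bret's advice the verdict is DISCARD rather than REJECT, so the forged return path never receives a bounce; the notice goes to the account that authenticated instead.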