PATCH (for ZMailer): handling authenticated users - hints for other MTAs

Mariano Absatz mailscanner at LISTS.COM.AR
Thu May 20 23:35:10 IST 2004


Hi,

An ISP wants to detect 'outgoing' spam, that is, when their own customers are
abusing their mail servers for spamming.

As a first and obvious measure, they're using SMTP authentication, but,
nonetheless, they have some volatile users that ask and pay for the service
just to be able to spam for a while until they are detected and thrown out.

Now they want to implement spam detection and logging for the outgoing mail,
and they want to be able to do the following:
1) log the authenticated user (this may be different from the 'envelope
from').
2) be able to 'bounce' a message to its own customers when they think it's
spam, but they have to bounce it to the user that authenticated, and not to
the 'envelope from'.
3) they want to be able to create rulesets so that certain actions are done
when the authenticated user matches something.


So, as the authenticated user is within ZMailer's envelope metadata, we made
some changes so that this data is available from within the message data
structure and used here and there.

The patch (for MailScanner 4.29.7) to do this is at
http://baby.com.ar/MailScanner/ZM-AUTH/MailScanner-4.29.7-ZM-Auth.patch

I also left the complete patched files in
http://baby.com.ar/MailScanner/ZM-AUTH/

These are:
Config.pm
ConfigDefs.pl
Message.pm
ZMailer.pm

To be able to use this you have to do the following:
Add an option (in MailScanner.conf) to qualify users authenticated without a
domain:
  Default Domain Without Auth = example.com
So that users authenticated as 'someuser' become 'someuser@example.com' (we
NEED to have an e-mail address to be able to bounce).

Now, there's a new action available for these MailScanner.conf settings:
  Spam Actions
  High Scoring Spam Actions
  Non Spam Actions
The new action is called 'authbounce'. It works like the old 'bounce'
action, only that it uses the authenticated user as the address that will
get the bounce. You know this address exists, because it's YOUR user.
:-)

If there's no authenticated user, there will be no bounce.

If you are actually crazy and want this option to have a fallback to the
'envelope from' when there's no authentication data, you can also add this
option in MailScanner.conf:
  Always Auth Bounce = yes
Which obviously defaults to 'no'.

And last, but not least, now, your rulesets can include an 'Auth'
direction... example:

in MailScanner.conf
  High Scoring Spam Actions = %rules-dir%/hispam.actions.rules

in hispam.actions.rules
  Auth:       trusted_freq_fp@example.com    deliver
  FromOrAuth: claiming_freq_fp@example.com   deliver forward abuse@example.com
  FromOrTo:   default                        delete

So that High Scoring messages are normally deleted.

But, we have a trusted user (trusted_freq_fp@example.com) that sends a
requested news bulletin that frequently hits as a false positive, so we
deliver her messages (given that she provided enough credentials
authenticating via SMTP AUTH).

We have another user (claiming_freq_fp@example.com) that claims to be in the
same situation but we don't yet trust him, so we deliver his mails, but we
also deliver a copy to our abuse help desk. What's more, we want to see if
he's being somehow joe-jobbed, so we check for messages where he
authenticated or where he is the envelope from.


Julian,

in order for this to be useful with other MTAs, you have to find out the
authenticated user within ReadQF and assign it to
$message->{authenticateduser}

Regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
Military justice is to justice what military music is to music.
      -- Groucho Marx
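The following is an added, stand-alone model of the behaviour the post describes: the 'Default Domain Without Auth' qualification, the 'authbounce' recipient choice (no authenticated user means no bounce unless 'Always Auth Bounce = yes'), and a ruleset evaluator that understands the 'Auth' and 'FromOrAuth' directions next to the usual From/To/FromOrTo ones. It is not the patch, not MailScanner code, and it is written in Python rather than Perl purely so it can be run on its own; it assumes a simplified ruleset grammar (one direction, one exact address or 'default', then the action text) and reuses the example addresses from the post as constructed sample data.

```python
"""Model of the 'Auth' ruleset direction and the 'authbounce' action.

Added example, not MailScanner code. Matching is simplified to exact,
case-insensitive address comparison plus the 'default' catch-all.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Message:
    """The three envelope facts the post's rules look at."""
    envelope_from: str
    recipients: List[str] = field(default_factory=list)
    authenticated_user: Optional[str] = None   # $message->{authenticateduser}


def qualify_auth_user(user: Optional[str], default_domain: str) -> Optional[str]:
    """'Default Domain Without Auth': a bare SMTP AUTH login becomes a full address,
    because a bounce needs a deliverable e-mail address."""
    if not user:
        return None
    if "@" in user:
        return user.lower()
    return f"{user}@{default_domain}".lower()


def authbounce_recipient(msg: Message, always_auth_bounce: bool = False) -> Optional[str]:
    """Who receives an 'authbounce' notice: the authenticated user; with no
    authentication there is no bounce, unless 'Always Auth Bounce = yes'
    turns on the envelope-from fallback."""
    if msg.authenticated_user:
        return msg.authenticated_user
    if always_auth_bounce:
        return msg.envelope_from
    return None


# Constructed copy of the hispam.actions.rules example from the post.
RULES_TEXT = """
Auth:       trusted_freq_fp@example.com    deliver
FromOrAuth: claiming_freq_fp@example.com   deliver forward abuse@example.com
FromOrTo:   default                        delete
"""

Rule = Tuple[str, str, str]   # (direction, pattern, action text)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'Direction: pattern action...' lines; blank lines and # comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, *action = line.split()
        rules.append((direction.rstrip(":"), pattern.lower(), " ".join(action)))
    return rules


def _candidates(direction: str, msg: Message) -> List[str]:
    """Addresses a given direction is compared against. 'Auth' looks only at the
    SMTP AUTH identity, so an unauthenticated message can never match it."""
    auth = [msg.authenticated_user] if msg.authenticated_user else []
    table = {
        "From": [msg.envelope_from],
        "To": list(msg.recipients),
        "FromOrTo": [msg.envelope_from] + list(msg.recipients),
        "Auth": auth,
        "FromOrAuth": [msg.envelope_from] + auth,
    }
    return [addr.lower() for addr in table[direction]]


def evaluate(rules: List[Rule], msg: Message) -> Optional[str]:
    """First matching rule wins; 'default' matches any message."""
    for direction, pattern, action in rules:
        if pattern == "default" or pattern in _candidates(direction, msg):
            return action
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Trusted user authenticated as a bare login; envelope from is a list bounce address.
    m = Message("bulletin-bounces@example.com", ["reader@example.net"],
                qualify_auth_user("trusted_freq_fp", "example.com"))
    print(evaluate(rules, m), authbounce_recipient(m))
    # Same login name as envelope from only (no SMTP AUTH): 'Auth' does not match.
    print(evaluate(rules, Message("trusted_freq_fp@example.com", ["reader@example.net"])))
```

The second printed case is the point of the 'Auth' direction: an unauthenticated message whose envelope from merely claims to be the trusted user falls through to the 'default delete' rule, whereas the 'FromOrAuth' rule for the other user deliberately matches either way so that a possible joe-job can be seen at the abuse desk.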

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html