Changes in Version 4.77.10-1

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jun 17 08:40:48 IST 2009



On 17/06/2009 04:31, Gary Faith wrote:
> After re-reading your explanation about spoofing, etc.  I think I need 
> to clarify what I was thinking so you can tell me it won't work like 
> that.  :-)
> My thoughts were that the system that has a dynamic IP automatically 
> registers its IP with DynDNS every time the IP address changes so
> host.domain.com    A   {dynamic IP}
> is always up pointing to the system.  Since the IP changes every time 
> so does the PTR record making it impossible to base a rule.  So I 
> always know the IP from a forward DNS query (DynDNS) and it will never 
> match the reverse.
> I figured that the sending system would say that I am host.domain.com,
But it can only know the numerical IP address you're coming from, since 
that is all there is in the IP packets. DNS is there to allow you to 
turn it into a name, using an A record, or turn a numerical address into 
a name with a PTR record. But you can't magic a name out of thin air if 
there is no PTR record.
> a check of DNS would give the IP address and a comparison would be 
> done to see if the IP address is the same as the IP that made the 
> connection.  That way I don't need to check the reverse DNS.
> Or is it going to blindly accept the name given in the helo/ehlo 
> handshake and if so, I agree that would be easily spoofable.  Am I 
> thinking this right?
It's nothing to do with the helo handshake, that could be almost 
anything. It could just be some internal private hostname or a domain 
name or whatever. I don't use the helo name at all, it can't usually be 
trusted and is trivially changeable by the spammer sending you junk.

> Thanks again,
> Gary
>
> >>> Julian Field <MailScanner at ecs.soton.ac.uk> 6/15/2009 3:17 PM >>>
>
>
> On 15/06/2009 19:28, Julian Field wrote:
> >
> >
> > On 15/06/2009 19:09, Gary Faith wrote:
> >> Yes, I have mail being sent from a dynamic IP address with a host
> >> name I know but the IP will change.  Can you provide a way to turn
> >> off the anti-spoof checking?  If not now, in future releases?
> > I will add a switch for you. But it does make defeating the name
> > lookup into a very simple thing for a spammer/attacker to do against you.
> I have implemented it by you using
>      host-nocheck:hostname.domain.com
> instead of
>      host:hostname.domain.com
> in the condition in a line in a ruleset.
>
> I can see how this might be useful should you be needing to test against
> a dynamic IP address, in which case you will have a DNS PTR record but
> no DNS A record.
>
> This will hopefully solve your problem nicely.
>
> It will be in the next release.
>
> >> >>> Kai Schaetzl <maillists at conactive.com> 6/14/2009 3:31 AM >>>
> >> Julian Field wrote on Sat, 13 Jun 2009 15:41:24 +0100:
> >>
> >> > Just use the IP addresses instead of the hostnames. Trivial, surely?
> >>
> >> But he doesn't know them.
> >>
> >> Kai
> >>
> >> --
> >> Kai Schätzl, Berlin, Germany
> >> Get your web at Conactive Internet Services: http://www.conactive.com
> >>
> >>
> >>
> >> --
> >> MailScanner mailing list
> >> mailscanner at lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >
> > Jules
> >
>
> Jules
>
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Follow me at twitter.com/JulesFM
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Follow me at twitter.com/JulesFM

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
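
An added example, not part of the original message and not MailScanner's own code: a small model of the three checks discussed in this thread, run over constructed DNS tables. It assumes "host:" means a PTR lookup followed by forward confirmation, "host-nocheck:" means the PTR name is accepted as-is, and the forward-only function is the comparison Gary describes; all names and addresses below are made up.

```python
# Constructed DNS data for illustration only (documentation address ranges).
A_RECORDS = {
    "host.domain.com": {"203.0.113.7"},        # DynDNS-style A record, kept current
    "mail.partner.example": {"198.51.100.10"},
}
PTR_RECORDS = {
    "203.0.113.7": "dyn-203-0-113-7.isp.example",  # ISP-owned PTR, changes with the IP
    "198.51.100.10": "mail.partner.example",       # PTR and A agree
    "198.51.100.20": "ptronly.example",            # PTR exists, no A record
    "192.0.2.66": "mail.partner.example",          # PTR claims a name its A record denies
}

def ptr_name(client_ip):
    """The only name obtainable from a connecting IP is its PTR record."""
    return PTR_RECORDS.get(client_ip)

def match_host(rule_host, client_ip):
    """Assumed 'host:' behaviour: PTR name must match AND resolve back to client_ip."""
    name = ptr_name(client_ip)
    return name == rule_host and client_ip in A_RECORDS.get(name, set())

def match_host_nocheck(rule_host, client_ip):
    """Assumed 'host-nocheck:' behaviour: PTR name is trusted without confirmation."""
    return ptr_name(client_ip) == rule_host

def match_forward_only(rule_host, client_ip):
    """Gary's idea: resolve the rule's hostname and compare with the connecting IP."""
    return client_ip in A_RECORDS.get(rule_host, set())

def evaluate(rule_host, client_ip):
    """Run all three checks so their results can be compared side by side."""
    return {
        "host": match_host(rule_host, client_ip),
        "host-nocheck": match_host_nocheck(rule_host, client_ip),
        "forward-only": match_forward_only(rule_host, client_ip),
    }

if __name__ == "__main__":
    cases = [
        ("mail.partner.example", "198.51.100.10"),
        ("mail.partner.example", "192.0.2.66"),
        ("ptronly.example", "198.51.100.20"),
        ("host.domain.com", "203.0.113.7"),
    ]
    for rule_host, client_ip in cases:
        print(rule_host, client_ip, evaluate(rule_host, client_ip))
```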

