
Mailing List Archive: Qmail: users

badmailfrom question

 

 



keyoz at iln

Feb 23, 1999, 11:57 AM

Post #1 of 24 (10200 views)
badmailfrom question

are the messages from the addresses in /var/qmail/control/badmailfrom
automatically bounced or do they just go to /dev/null?

I'm not aware where all those spam go.

TIA
--
k e c h i e

"It's now safe to turn off your computer" means computing was unsafe
before it appeared. -- m e


cjohnson at palomine

Feb 23, 1999, 11:52 AM

Post #2 of 24 (10096 views)
Re: badmailfrom question [In reply to]

On Wed, Feb 24, 1999 at 02:57:19AM +0800, keyoz [at] iln wrote:
> are the messages from the addresses in /var/qmail/control/badmailfrom
> automatically bounced or do they just go to /dev/null?

The sender is rejected at the SMTP level. The sender says:

MAIL FROM:<badguy [at] baddomain>

and qmail-smtpd responds:

553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)

End of story.

Chris


multics at wizvax

Feb 23, 1999, 12:02 PM

Post #3 of 24 (10062 views)
Re: badmailfrom question [In reply to]

> On Wed, Feb 24, 1999 at 02:57:19AM +0800, keyoz [at] iln wrote:
> > are the messages from the addresses in /var/qmail/control/badmailfrom
> > automatically bounced or do they just go to /dev/null?
>
> The sender is rejected at the SMTP level. The sender says:
>
> MAIL FROM:<badguy [at] baddomain>
>
> and qmail-smtpd responds:
>
> 553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)
>
> End of story.

Is there any way to have qmail use badmailfrom on the from line in the
header? The spammers are forging the envelopes so the envelopes are
pretty useless these days for filtering.

(I've always referred to the "From " line as the envelope sender and
called the "From:" line in the header the header from line.)

--
Richard Shetron multics [at] wizvax multics [at] acm
What is the Meaning of Life?
There is no meaning,
It's just a consequence of complex carbon based chemistry; don't worry about it
The Super 76, "Free Aspirin and Tender Sympathy", Las Vegas Strip.


cjohnson at palomine

Feb 23, 1999, 12:18 PM

Post #4 of 24 (10090 views)
Re: badmailfrom question [In reply to]

On Tue, Feb 23, 1999 at 02:02:35PM -0500, Richard Shetron wrote:
> > On Wed, Feb 24, 1999 at 02:57:19AM +0800, keyoz [at] iln wrote:
> > > are the messages from the addresses in /var/qmail/control/badmailfrom
> > > automatically bounced or do they just go to /dev/null?
> >
> > The sender is rejected at the SMTP level. The sender says:
> >
> > MAIL FROM:<badguy [at] baddomain>
> >
> > and qmail-smtpd responds:
> >
> > 553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)
> >
> > End of story.
>
> Is there anyway to have qmail use badmailfrom on the from line in the
> header? The spammers are forging the envelopes so the envelopes are
> pretty useless these days for filtering.

Nope. qmail-smtpd doesn't look at the address headers.

For this task you'll probably need a mail delivery agent with filtering like
maildrop or procmail.

Chris


mw at wierdlmpc

Feb 23, 1999, 2:05 PM

Post #5 of 24 (10072 views)
Re: badmailfrom question [In reply to]

> >
> > MAIL FROM:<badguy [at] baddomain>
> >
>
> Is there anyway to have qmail use badmailfrom on the from line in the
> header? The spammers are forging the envelopes so the envelopes are
> pretty useless these days for filtering.

The From line *is* the envelope sender, which is coming from the MAIL
FROM during the smtp conversation. It is not the From: header.

Mate


adam at flounder

Feb 23, 1999, 2:07 PM

Post #6 of 24 (10064 views)
Re: badmailfrom question [In reply to]

From: Mate Wierdl <mw [at] wierdlmpc>


:What the original post said does not make much sense: the From line
:*is* the envelope sender's address.


No it's not. If I put mw [at] wierdlmpc in my badmailfrom, I
will still get messages that you send to the qmail list. But those messages
will still say:
From: Mate Wierdl <mw [at] wierdlmpc>

The envelope sender will be:
qmail-return-xxxxx-adam=flounder.net [at] list

--Adam
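
Added example, not written by any poster in this thread: a Python model of the badmailfrom check discussed above, showing why a list message whose From: header names a listed address is still accepted at SMTP time. The two entry forms (a full address, or @host for every address at a host) follow the qmail-smtpd man page; the addresses, the sample message and all function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

REJECT = "553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)"

def load_badmailfrom(text):
    """Parse control-file text: one entry per line; blank and '#' lines skipped."""
    entries = set()
    for line in text.splitlines():
        line = line.rstrip(" \t")
        if line and not line.startswith("#"):
            entries.add(line.lower())  # compared case-insensitively in this model
    return entries

def envelope_blocked(entries, mail_from):
    """True if the address, or '@' plus its host part, is listed."""
    addr = mail_from.strip("<>").lower()
    if addr in entries:
        return True
    at = addr.rfind("@")
    return at != -1 and addr[at:] in entries

def smtp_reply(entries, mail_from):
    """Reply for a given envelope sender (the MAIL FROM argument)."""
    return REJECT if envelope_blocked(entries, mail_from) else "250 ok"

def header_from(raw_message):
    """Address in the From: header, which the SMTP-time check never reads."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()

def delivery_filter_blocked(entries, raw_message):
    """The same list applied to the From: header, as a delivery-time
    filter (maildrop, procmail) would have to do."""
    return envelope_blocked(entries, header_from(raw_message))

# Constructed sample data (not taken from the thread).
BADMAILFROM = "# constructed list\nposter@sender.example\n@spam.example\n"
LIST_ENVELOPE = "<list-return-123-reader=home.example@list.example>"
LIST_MESSAGE = (
    "Return-Path: " + LIST_ENVELOPE + "\n"
    "From: A Poster <poster@sender.example>\n"
    "To: list@list.example\n"
    "Subject: constructed list post\n"
    "\n"
    "body\n"
)

def demo():
    entries = load_badmailfrom(BADMAILFROM)
    return {
        # Listed address sends directly: envelope matches, rejected.
        "direct": smtp_reply(entries, "<poster@sender.example>"),
        # '@host' entry matches any mailbox at that host.
        "domain": smtp_reply(entries, "<anyone@SPAM.example>"),
        # Same author via a list: envelope is the list's return address.
        "via_list": smtp_reply(entries, LIST_ENVELOPE),
        # Only a filter that parses the header sees the listed address.
        "header_filter": delivery_filter_blocked(entries, LIST_MESSAGE),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```
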


mw at wierdlmpc

Feb 23, 1999, 2:12 PM

Post #7 of 24 (10081 views)
Re: badmailfrom question [In reply to]

> >
> > Is there anyway to have qmail use badmailfrom on the from line in the
> > header? The spammers are forging the envelopes so the envelopes are
> > pretty useless these days for filtering.
>
> Nope. qmail-smtpd doesn't look at the address headers.
>
> For this task you'll probably need a mail delivery agent with filtering like
> maildrop or procmail.

What the original post said does not make much sense: the From line
*is* the envelope sender's address.

Mate


adam at flounder

Feb 23, 1999, 2:21 PM

Post #8 of 24 (10079 views)
Re: badmailfrom question [In reply to]

From: Mate Wierdl <mw [at] wierdlmpc>


:I do not understand what you are talking about: I am talking about
:From line, not From: header.

The other guy wants badmailfrom to work on the From: line. Not the From:
header (i.e. the From: line in the body of the message) At least that's how
I understood his question. Basically the answer is that qmail doesn't do
that. I am pretty sure maildrop does though.

:Mate


--Adam


mw at wierdlmpc

Feb 23, 1999, 2:25 PM

Post #9 of 24 (10075 views)
Re: badmailfrom question [In reply to]

> From: Mate Wierdl <mw [at] wierdlmpc>
>
>
> :What the original post said does not make much sense: the From line
> :*is* the envelope sender's address.
>
>
> No it's not. If I put mw [at] wierdlmpc in my badmailfrom, I
> will still get messages that you send to the qmail list. But those messages
> will still say:
> From: Mate Wierdl <mw [at] wierdlmpc>
>
> The envelope sender will be:
> qmail-return-xxxxx-adam=flounder.net [at] list

I do not understand what you are talking about: I am talking about
From line, not From: header.

Mate


mrsam at geocities

Feb 23, 1999, 3:47 PM

Post #10 of 24 (10088 views)
Re: badmailfrom question [In reply to]

Richard Shetron writes:

> Is there anyway to have qmail use badmailfrom on the from line in the
> header?

Yes. Write the code to do it. As a guideline, use my patch,
http://www.geocities.com/SiliconValley/Peaks/5799/qmail-uce.html


> The spammers are forging the envelopes so the envelopes are
> pretty useless these days for filtering.

The From: header is equally forged, so you won't gain much, unless you
perform an overall syntax check on the header - i.e. bounce if the From:
header is missing, or doesn't appear to have anything that can ever be
possibly valid in any kind of a situation whatsoever.

--
Sam


niek at packetstorm

Feb 23, 2005, 10:03 AM

Post #11 of 24 (10062 views)
Re: Badmailfrom question [In reply to]

On 2/23/2005 6:56 PM +0100, Jason Lieurance wrote:
> Hello,
>
> Does 'badmailfrom' refuse based on the domain in the 'Return-Path' or the
> 'Received:'??? And if it's the 'Received:' and there's multiple 'Received:', which
> one does it look at???
> Thanks.

Jason,

man qmail-smtpd

Niek
--


qmail at discworld

Feb 23, 2005, 10:04 AM

Post #12 of 24 (10076 views)
Re: Badmailfrom question [In reply to]

Jason Lieurance <jason [at] vipersystems> wrote:
>
> Does 'badmailfrom' refuse based on the domain in the 'Return-Path' or the
> 'Received:'???

The SMTP envelope sender address, which qmail-local records in the
Return-Path: header field.

Charles
--
---------------------------------------------------------------------------
Charles Cazabon <qmail [at] discworld>
GPL'ed software available at: http://pyropus.ca/software/
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
---------------------------------------------------------------------------


jason at vipersystems

Feb 23, 2005, 10:45 AM

Post #13 of 24 (10058 views)
Re: Badmailfrom question [In reply to]

Charles Cazabon said:
> Jason Lieurance <jason [at] vipersystems> wrote:
>>
>> Does 'badmailfrom' refuse based on the domain in the 'Return-Path' or the
>> 'Received:'???
>
> The SMTP envelope sender address, which qmail-local records in the Return-Path:
> header field.
>
> Charles

Thanks.

Now, is there a way to block/refuse based upon the 1st host in the 'Received:'
when there are multiples???

--
Jason


niek at packetstorm

Feb 23, 2005, 10:58 AM

Post #14 of 24 (10081 views)
Re: Badmailfrom question [In reply to]

On 2/23/2005 7:45 PM +0100, Jason Lieurance wrote:
> Thanks.
>
> Now, is there a way to block/refuse based upon the 1st host in the 'Received:'
> when there are multiples???

What problem are you trying to solve ?
Spam delivered to you by zombie machines ?
Stopping mail from certain smtp servers ?
Something else ?

Niek
--


qmail at discworld

Feb 23, 2005, 11:02 AM

Post #15 of 24 (10072 views)
Re: Badmailfrom question [In reply to]

Jason Lieurance <jason [at] vipersystems> wrote:
> >
> > The SMTP envelope sender address, which qmail-local records in the
> > Return-Path: header field.

> Thanks.

You're welcome.

> Now, is there a way to block/refuse based upon the 1st host in the 'Received:'
> when there are multiples???

The topmost Received: header indicates which host qmail-smtpd received the
message from, so assuming you're using tcpserver to launch qmail-smtpd, then
yes, it's easy. Read the tcpserver documentation to find out how to use its
rules database features to allow/deny connections from particular hosts. You
can match based on IP addresses, reverse DNS, and more.

Charles
--
---------------------------------------------------------------------------
Charles Cazabon <qmail [at] discworld>
GPL'ed software available at: http://pyropus.ca/software/
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
---------------------------------------------------------------------------


jason at vipersystems

Feb 23, 2005, 11:22 AM

Post #16 of 24 (10069 views)
Re: Badmailfrom question [In reply to]

Niek said:

> Spam delivered to you by zombie machines ?

Bingo. I guess I could do as Charles suggested and add a rule to tcp server for
reverse dns but wouldn't the zombie still resolve?

> Stopping mail from certain smtp servers ?

I guess basically what I mentioned above.

> Niek

Jason


niek at packetstorm

Feb 23, 2005, 11:29 AM

Post #17 of 24 (10070 views)
Re: Badmailfrom question [In reply to]

On 2/23/2005 8:22 PM +0100, Jason Lieurance wrote:
> Niek said:
>
>
>>Spam delivered to you by zombie machines ?
>
>
> Bingo. I guess I could do as Charles suggested and add a rule to tcp server for
> reverse dns but wouldn't the zombie still resolve?

Add rblsmtpd [1] to your qmail-smtpd run script like so:
-u "$QMAILDUID" -g "$NOFILESGID" -c "$MAXSMTPD" 0 smtp \
/usr/local/bin/rblsmtpd \
-r virbl.dnsbl.bit.nl \
-r sbl-xbl.spamhaus.org \
-r relays.ordb.org

There are loads of other blocklists, the ones above I find to be very safe
with regards to false positives.

[1]: http://cr.yp.to/ucspi-tcp/rblsmtpd.html

Niek
--


jason at vipersystems

Feb 23, 2005, 11:53 AM

Post #18 of 24 (10068 views)
Re: Badmailfrom question [In reply to]

Niek wrote:
> Add rblsmtpd [1] to your qmail-smtpd run script like so:
> -u "$QMAILDUID" -g "$NOFILESGID" -c "$MAXSMTPD" 0 smtp \
> /usr/local/bin/rblsmtpd \
> -r virbl.dnsbl.bit.nl \
> -r sbl-xbl.spamhaus.org \
> -r relays.ordb.org

Yes, I have these except '-r virbl.dnsbl.bit.nl' but here's one of the
headers:

Received: from presumable [at] stlouisrams by redhat.vipersystems.biz by
uid 82 with qmail-scanner-1.16
(clamscan: 0.65. spamassassin: 2.61. Clear:SA:0(0.8/6.2
tests=HTML_30_40,HTML_MESSAGE ):.
Processed in 12.602103 secs); 23 Feb 2005 00:13:23 -0000
Received: from amontsouris-152-1-10-100.w82-123.abo.wanadoo.fr
(82.123.87.100)
by redhat.vipersystems.biz with SMTP; 23 Feb 2005 00:13:10 -0000
Received: from stlouisrams.net (mail4.infinology.net [38.118.142.231])
by AMontsouris-152-1-10-100.w82-123.abo.wanadoo.fr with esmtp
id 35B187D4DA for <sales [at] vipersystems>; Tue, 22 Feb 2005
16:13:03 -0800

ANOTHER:

Received: from patrica_r_katzct [at] cims by
redhat.vipersystems.biz by uid 82 with qmail-scanner-1.16
(clamscan: 0.65. spamassassin: 2.61. Clear:SA:0(3.3/6.2
tests=HTML_30_40,HTML_MESSAGE,):.
Processed in 21.335718 secs); 22 Feb 2005 21:15:57 -0000
Received: from zaqdb7354b9.zaq.ne.jp (HELO stappert.de) (219.115.84.185)
by redhat.vipersystems.biz with SMTP; 22 Feb 2005 21:15:36 -0000


Lately, the spam is just flowing even with rblsmtpd & spamassassin.

Jason
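
Added example, not written by any poster in this thread: Python that takes the first set of Received: lines quoted above, picks out the one hop written by the receiving qmail-smtpd (the only address rblsmtpd checks, via $TCPREMOTEIP), and forms the DNSBL query names for the zones in Niek's run script. Continuation lines are re-folded with a leading space; function names are illustrative, and no DNS lookup is performed.

```python
import re

# Received: lines as quoted in the post above (topmost first).
SAMPLE = """\
Received: from presumable [at] stlouisrams by redhat.vipersystems.biz by
 uid 82 with qmail-scanner-1.16
 (clamscan: 0.65. spamassassin: 2.61. Clear:SA:0(0.8/6.2
 tests=HTML_30_40,HTML_MESSAGE ):.
 Processed in 12.602103 secs); 23 Feb 2005 00:13:23 -0000
Received: from amontsouris-152-1-10-100.w82-123.abo.wanadoo.fr
 (82.123.87.100)
 by redhat.vipersystems.biz with SMTP; 23 Feb 2005 00:13:10 -0000
Received: from stlouisrams.net (mail4.infinology.net [38.118.142.231])
 by AMontsouris-152-1-10-100.w82-123.abo.wanadoo.fr with esmtp
 id 35B187D4DA for <sales [at] vipersystems>; Tue, 22 Feb 2005
 16:13:03 -0800
"""
MY_HOST = "redhat.vipersystems.biz"
ZONES = ["virbl.dnsbl.bit.nl", "sbl-xbl.spamhaus.org", "relays.ordb.org"]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Shape of the line qmail-smtpd writes: from HOST [(HELO x)] ([info@]IP) by ME
SMTP_HOP = re.compile(
    r"Received: from \S+(?: \(HELO \S+\))? "
    r"\((?:\S+@)?(\d{1,3}(?:\.\d{1,3}){3})\) by (\S+) with SMTP;")

def unfold(raw):
    """Join folded continuation lines so each header is one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.strip())
    return headers

def connecting_peer(raw, my_host):
    """IP recorded by our own SMTP daemon: the host that connected to us."""
    for header in unfold(raw):
        m = SMTP_HOP.match(header)
        if m and m.group(2).lower() == my_host.lower():
            return m.group(1)
    return None

def unverified_ips(raw, my_host):
    """IPs in hops below ours: supplied by the peer, so forgeable."""
    seen_own, found = False, []
    for header in unfold(raw):
        m = SMTP_HOP.match(header)
        if seen_own:
            found += IPV4.findall(header)
        elif m and m.group(2).lower() == my_host.lower():
            seen_own = True
    return found

def dnsbl_names(ip, zones):
    """DNSBL query names: reversed octets prepended to each zone."""
    rev = ".".join(reversed(ip.split(".")))
    return [rev + "." + zone for zone in zones]

if __name__ == "__main__":
    peer = connecting_peer(SAMPLE, MY_HOST)
    print("connecting peer:", peer)
    print("queries:", dnsbl_names(peer, ZONES))
    print("unverified:", unverified_ips(SAMPLE, MY_HOST))
```
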


lists-qmail at maexotic

May 6, 2009, 8:04 AM

Post #19 of 24 (8621 views)
Re: badmailfrom question [In reply to]

On Wed, May 06, 2009 at 10:16:05AM -0400, Jason Staudenmayer wrote:
> I have the patch applied but I have never really set this file for
> blocking.

badmailfrom is a native feature of qmail. You don't need a patch for
that.

> Is it 'safe' to put my domain in the badmailfrom file to block emails
> sent as my users? I figure my users should never send email from my
> domain from outside my network right.

You have to substitute "network" with "mailserver". If you have a
badmailfrom then *nobody* can inject messages with addresses/domains
in that file via SMTP to your server (even not via Outlook or Thunderbird)
from your local network.

There are solutions however.
Some SMTP AUTH patches disable the use of badmailfrom if the user is
authenticated (you have to check your AUTH patch (if you use one) if it does).

Another possibility is to separate and have 2 qmail-smtpds running on
different IP addresses (one internal one external)
- compile another copy of qmail with "conf-home" set to another place
  (like /var/qmail-local) and install it.
- then make the control files identical
    ln -sf /var/qmail/control/* /var/qmail-local/control/
    and rm /var/qmail-local/control/badmailfrom
- now make the binaries all the same so they use only one queue:
    do cp /var/qmail-local/bin/qmail-smtpd /var/qmail/bin/qmail-smtpd-local
    then rm -rf /var/qmail-local/bin
    and ln -s /var/qmail/bin /var/qmail-local/bin
- edit /service/qmail-smtpd/run and change the IP address this tcpserver
  listens on to the external address
    restart: svc -t /service/qmail-smtpd
- duplicate /service/qmail-smtpd/ to /tmp/qmail-smtpd-local/
    mkdir /tmp/qmail-smtpd-local/
    cd /tmp/qmail-smtpd-local/
    ( cd /service/qmail-smtpd; tar cfv - . ) | tar xfv -
  edit /tmp/qmail-smtpd-local/run and change the external address to the
  local address and "qmail-smtpd" to "qmail-smtpd-local"
  you may also want to clean out logfiles:
    rm /tmp/qmail-smtpd-local/log/main/*
  activate the new service:
    mv /tmp/qmail-smtpd-local /service/qmail-smtpd-local
  wait a few seconds.
- check if everything works (maybe by checking logfiles and telnetting
  to port 25 of the external and internal address)
Have all your users use the local address to inject mails via smtp.

\Maex

--
Markus Stumpf


jasons at adventureaquarium

May 6, 2009, 8:17 AM

Post #20 of 24 (8617 views)
RE: badmailfrom question [In reply to]

> -----Original Message-----
> From: Markus Stumpf [mailto:lists-qmail [at] maexotic]
> Sent: Wednesday, May 06, 2009 11:04 AM
> To: Jason Staudenmayer
> Cc: qmail [at] list
> Subject: Re: badmailfrom question
>
>
> On Wed, May 06, 2009 at 10:16:05AM -0400, Jason Staudenmayer wrote:
> > I have the patch applied but I have never really set this file for
> > blocking.
>
> badmailfrom is a native feature of qmail. You don't need a
> patch for that.
>
> > Is it 'safe' to put my domain in the badmailfrom file to
> block emails
> > sent as my users? I figure my users should never send email from my
> > domain from outside my network right.
>
> You have to substitute "network" with "mailserver". If you
> have a badmailfrom then *nobody* can inject messages with
> addresses/domains in that file via SMTP to your server (even
> not via Outlook or Thunderbird) from your local network.
>
> There are solutions however.
> Some SMTP AUTH patches disable the use of badmailfrom if the
> user is authenticated (you have to check your AUTH patch (if
> you use one) if it does).
>
> Another possibility is to separate and have 2 qmail-smtpds
> running on different IP addresses (one internal one external)
> - compile another copy of qmail with "conf-home" set to another place
> (like /var/qmail-local) and install it.
> - then make the control files identical
> ln -sf /var/qmail/control/* /var/qmail-local/control/
> and rm /var/qmail-local/control/badmailfrom
> - now make the binaries all the same so they use only one queue:
> do cp /var/qmail-local/bin/qmail-smtpd
> /var/qmail/bin/qmail-smtpd-local
> then rm -rf /var/qmail-local/bin
> and ln -s /var/qmail/bin /var/qmail-local/bin
> - edit /service/qmail-smtpd/run and change the IP address
> this tcpserver
> listens on to the external address
> restart: svc -t /service/qmail-smtpd
> - duplicate /service/qmail-smtpd/ to /tmp/qmail-smtpd-local/
> mkdir /tmp/qmail-smtpd-local/
> cd /tmp/qmail-smtpd-local/
> ( cd /service/qmail-smtpd; tar cfv - . ) | tar xfv -
> edit /tmp/qmail-smtpd-local/run and change the external
> address to the
> local address and "qmail-smtpd" to "qmail-smtpd-local"
> you may also want to clean out logfiles:
> rm /tmp/qmail-smtpd-local/log/main/*
> activate the new service:
> mv /tmp/qmail-smtpd-local /service/qmail-smtpd-local
> wait a few seconds.
> - check if everything works (maybe by checking logfiles and telnetting
> to port 25 of the external and internal address)
> Have all your users use the local address to inject mails via smtp.
>
> \Maex
>
> --
> Markus Stumpf
>

Would it be possible to use tcp.smtp file to configure separate badmailfrom files?
Example
10.0.2.137:allow,HELOCHECK="",BADMAILFROM="/var/qmail/control/badmailfrom-test"
:allow,HELOCHECK="",BADMAILFROM="/var/qmail/control/badmailfrom"

I'm trying to test this but it doesn't seem to pick up the badmailfrom-test settings. I have my email address blocked and manually send emails via telnet, but I cannot get it to block my address.

Jason



..><((((>


lists-qmail at maexotic

May 6, 2009, 8:28 AM

Post #21 of 24 (8613 views)
Re: badmailfrom question [In reply to]

On Wed, May 06, 2009 at 11:17:56AM -0400, Jason Staudenmayer wrote:
> Would it be possible to use tcp.smtp file to configure separate badmailfrom files?
> Example
> 10.0.2.137:allow,HELOCHECK="",BADMAILFROM="/var/qmail/control/badmailfrom-test"
> :allow,HELOCHECK="",BADMAILFROM="/var/qmail/control/badmailfrom"

Not without patching qmail-smtpd.
The attached small patch (untested!!) should do the trick.

\Maex
Attachments: badmailfrom_env.diff (0.75 KB)


kyle-qmail at memoryhole

May 6, 2009, 8:32 AM

Post #22 of 24 (8608 views)
Re: badmailfrom question [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, May 6 at 10:16 AM, quoth Jason Staudenmayer:
> Is it 'safe' to put my domain in the badmailfrom file to block
> emails sent as my users?
> I figure my users should never send email from my domain from
> outside my network right.

Something else you may want to consider is whether your users will
ever send themselves email to other addresses that forward to their
home address.

For example, I have a forwarding email address at my old undergraduate
university; anything sent to it gets relayed to my email server. If I
send a message to that address (e.g. if I'm testing to see if my
server is broken), then the email server at my undergrad university
will be sending me an email with my own address as the return address.

So, to decide to block all mail that claims to be from your users, you
must either know that your users will never want to do that (or you
must be ready to explain to your users why they aren't allowed to do
that).

~Kyle
- --
Nip the shoots of arbitrary power in the bud, is the only maxim which
can ever preserve the liberties of the people.
-- John Quincy Adams
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!

iEYEARECAAYFAkoBraUACgkQBkIOoMqOI14kZACfatlwE6ELVdBJmmeAb2OdpKef
ChsAoMLU06k4RbDK1cu4UeKDhkc31Ca7
=VIbT
-----END PGP SIGNATURE-----


jasons at adventureaquarium

May 6, 2009, 8:53 AM

Post #23 of 24 (8605 views)
RE: badmailfrom question [In reply to]

> -----Original Message-----
> From: Kyle Wheeler [mailto:kyle-qmail [at] memoryhole]
> Sent: Wednesday, May 06, 2009 11:33 AM
> To: qmail [at] list
> Subject: Re: badmailfrom question
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wednesday, May 6 at 10:16 AM, quoth Jason Staudenmayer:
> > Is it 'safe' to put my domain in the badmailfrom file to block
> > emails sent as my users?
> > I figure my users should never send email from my domain from
> > outside my network right.
>
> Something else you may want to consider is whether your users will
> ever send themselves email to other addresses that forward to their
> home address.
>
> For example, I have a forwarding email address at my old
> undergraduate
> university; anything sent to it gets relayed to my email server. If I
> send a message to that address (e.g. if I'm testing to see if my
> server is broken), then the email server at my undergrad university
> will be sending me an email with my own address as the return address.
>
> So, to decide to block all mail that claims to be from your
> users, you
> must either know that your users will never want to do that (or you
> must be ready to explain to your users why they aren't allowed to do
> that).
>
> ~Kyle
> - --
> Nip the shoots of arbitrary power in the bud, is the only maxim which
> can ever preserve the liberties of the people.
> -- John
> Quincy Adams -----BEGIN PGP SIGNATURE-----
> Comment: Thank you for using encryption!
>
> iEYEARECAAYFAkoBraUACgkQBkIOoMqOI14kZACfatlwE6ELVdBJmmeAb2OdpKef
> ChsAoMLU06k4RbDK1cu4UeKDhkc31Ca7
> =VIbT
> -----END PGP SIGNATURE-----
>

Good point although I don't think my user base is going to do anything like that.

Jason



..><((((>


jasons at adventureaquarium

May 6, 2009, 8:54 AM

Post #24 of 24 (8615 views)
RE: badmailfrom question [In reply to]

> -----Original Message-----
> From: Markus Stumpf [mailto:lists-qmail [at] maexotic]
> Sent: Wednesday, May 06, 2009 11:28 AM
> To: Jason Staudenmayer
> Cc: qmail [at] list
> Subject: Re: badmailfrom question
>
>
> On Wed, May 06, 2009 at 11:17:56AM -0400, Jason Staudenmayer wrote:
> > Would it be possible to use tcp.smtp file to configure separate
> > badmailfrom files? Example
> >
> 10.0.2.137:allow,HELOCHECK="",BADMAILFROM="/var/qmail/control/badmailf
> > rom-test"
> > :allow,HELOCHECK="",BADMAILFROM="/var/qmail/control/badmailfrom"
>
> Not without patching qmail-smtpd.
> The attached small patch (untested!!) should do the trick.
>
> \Maex
>
>

Applied that to my backup MX and it seems to be working just fine.

Thanks for the help.

Jason



..><((((>
