9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] upas "open relay" issue
@ 2002-10-21  7:00 Geoff Collyer
  0 siblings, 0 replies; 4+ messages in thread
From: Geoff Collyer @ 2002-10-21  7:00 UTC (permalink / raw)
  To: 9fans

We run with "norelay on" on our outside interfaces, but I also took
the extra paranoid step of bouncing a@b@c addresses in rewrite.in.
They are illegal and if smtpd lets them in, I think it's perfectly
permissible to squash them:

: cpu; cat /mail/lib/rewrite.in
# optimisation; throw mail addressed to the bit bucket away right now
(([^@!.]+\.)*collyer\.(net|ca)!)?(nobody|none|/dev/null) | "cat >/dev/null"

# reject any address with a % or 2 @s because spammers might try to relay through us.
# let route-addrs through, at least for now.
.*(%|.@.*@).*	| "/mail/lib/haspercent '&' '\s'"

# queue msg. for inside iff not spam
.*		| "/mail/lib/qmail.in '\s' /net/tcp!$site!25 '&'"


Coincidentally, our ISP (Pac Bell) blithely told the MAPS (spam
cowboy) people on Friday that an entire /12 IP block, including the
subnet for our house, was (1) *all* dial-up IP addresses, and (2)
therefore should not be permitted to send mail.  Of course they didn't
bother to tell us, so we found out when mail to aol started
mysteriously bouncing.  Bzzt!  Luckily MAPS quickly figured out that
Pac Bell were lying or incompetent (or both) and undid the damage:
``When an ISP submits their IPs/netblocks to the DUL, we can usually
assume that the information they give us is correct.''



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [9fans] upas "open relay" issue
  2002-10-21  6:23 a
@ 2002-10-21  9:10 ` Boyd Roberts
  0 siblings, 0 replies; 4+ messages in thread
From: Boyd Roberts @ 2002-10-21  9:10 UTC (permalink / raw)
  To: 9fans

a@9srv.net wrote:

>the spam cops at ordb.org don't like me. they send test mail
>from "marvin@marvin.ordb.org@mydomain.net" (except with my
>*real* domain, obviously), ...
>
a@b@c is illegal.  If you want to do that you should use a%b@c.




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [9fans] upas "open relay" issue
@ 2002-10-21  6:39 Russ Cox
  0 siblings, 0 replies; 4+ messages in thread
From: Russ Cox @ 2002-10-21  6:39 UTC (permalink / raw)
  To: 9fans

This is our /mail/lib/smtpd.conf that gets used
for the outside interface.  Make sure you've got the
syntax right.

g% cat /mail/lib/smtpd.conf.ext
#
#	smtpd configuration options for external gateway
#	change verifysenderdom & saveblockedmsg when dirty converted
#

defaultdomain		plan9.bell-labs.com
norelay			on	#turn off relaying
verifysenderdom		on	#dns verification of sender domain
saveblockedmsg		on	#save blocked messages

#
#	networks that are allowed to relay through us
#
ournets		135.104.0.0/16		#mh
ournets		135.180.0.0/16		#ho
ournets		204.178.16.5/32		#www.bell-labs.com
ournets		204.178.16.43/32	#www1.bell-labs.com

#
#	domains that we will accept mail for
#	these must match the rewrite rules
#

ourdomains	*.lucent.com, *.bell-labs.com
ourdomains	[204.178.31.2]				#achille
g%

I do expect upas to be
dealing with your problem better, since we've had
the same troubles and fixed them.  I run a scan
every night to make sure we've not fallen into any
of the various smtp blacklists.  Smtpd knows about
multiple @ signs and should be getting it right.

We do have a separate rule in our /mail/lib/rewrite that says:

# reject any address with a % because spammers might try to relay through us using
# it and an internal machine
.*%.*	|	"/mail/lib/haspercent '&' '\s'"

but this isn't your problem (yet).

g% cat /mail/lib/haspercent
#!/bin/rc

{
	echo ''$1'' is an illegal address.
	echo We don''t relay mail to addresses containing a %.
	echo
	echo '=================================================='
	echo
	sed 1d
} | upasname=/dev/null mail -s 'illegal address' $2
g%




^ permalink raw reply	[flat|nested] 4+ messages in thread
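
An added example, not part of any message in this thread and not upas code: a small Python model of the relay decision discussed above, using the ournets and ourdomains values from the posted smtpd.conf.ext and the pattern from the posted rewrite.in rule. The function names, the weak "last @" check, the sample recipients and the 192.0.2.10 outside client are assumptions constructed for illustration.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# Copied from the smtpd.conf.ext posted in the thread.
OURNETS = [ipaddress.ip_network(n) for n in (
    "135.104.0.0/16", "135.180.0.0/16",
    "204.178.16.5/32", "204.178.16.43/32")]
OURDOMAINS = ["*.lucent.com", "*.bell-labs.com"]

# Pattern from the posted rewrite.in rule: a '%' anywhere, or two '@' signs.
SOURCE_ROUTED = re.compile(r".*(%|.@.*@).*")


def from_ournets(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in OURNETS)


def is_ours(domain):
    return any(fnmatchcase(domain.lower(), pat) for pat in OURDOMAINS)


def naive_accept(rcpt, client_ip):
    """Hypothetical weak check: only the text after the last '@' is tested."""
    return from_ournets(client_ip) or is_ours(rcpt.rsplit("@", 1)[-1])


def strict_accept(rcpt, client_ip):
    """Outside clients: refuse '%' and multi-'@' forms before the domain test."""
    if from_ournets(client_ip):
        return True
    if SOURCE_ROUTED.fullmatch(rcpt):
        return False
    local, sep, domain = rcpt.partition("@")
    return bool(local and sep) and is_ours(domain)


# Constructed sample recipients, all offered by an outside client.
OUTSIDE = "192.0.2.10"
SAMPLES = [
    "glenda@plan9.bell-labs.com",
    "marvin@marvin.ordb.org@plan9.bell-labs.com",
    "user%example.org@plan9.bell-labs.com",
    "someone@example.org",
]


def relay_gaps(samples=SAMPLES, client_ip=OUTSIDE):
    """Addresses the weak check would accept but the strict one refuses."""
    return [a for a in samples
            if naive_accept(a, client_ip) and not strict_accept(a, client_ip)]
```
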

* [9fans] upas "open relay" issue
@ 2002-10-21  6:23 a
  2002-10-21  9:10 ` Boyd Roberts
  0 siblings, 1 reply; 4+ messages in thread
From: a @ 2002-10-21  6:23 UTC (permalink / raw)
  To: 9fans

i know i asked this question about a week or two ago, and russ
responded quickly, but things got hectic and i wasn't able to
respond further. pardon.

the spam cops at ordb.org don't like me. they send test mail
from "marvin@marvin.ordb.org@mydomain.net" (except with my
*real* domain, obviously), claiming to be from
"spamtest@[10.0.0.1]" (again, with my *real* ip). it gets
through. i've got norelay=on, but i've also got lines in
smtpd.conf with ournets and ourdomains for the offending
addresses (since they're valid when true).

what to do? should upas be dealing with this better (russ
sounded like he expected it to)? it looks like i can just
rip out the foo@bar@baz rewriting stuff in /mail/lib/rewrite
since i don't actually care about mail with those sorts of
addresses getting through to anyone. advice?

(incidentally, if anyone wants more of the headers, i'm
happy to give them out, but don't want to post the info
here until the system's not actually a relay any more)

much thanks,
ア


^ permalink raw reply	[flat|nested] 4+ messages in thread
