bgware: mailfront : only allow authenticated user address as MAIL FROM, (Return-Path) ?
Subject: mailfront : only allow authenticated user address as MAIL FROM, (Return-Path) ?
From: Olivier Mueller ####@####.####
Date: 29 Aug 2016 13:26:12 -0000
Message-Id: <3b1d5360-de20-dd27-d6a7-7cd39d434ae0@omx.ch>
Hi,
I hope you all had a nice summer!
I just got a few cases where user accounts were compromised (weak
passwords or hacked PCs + stolen passwords) and then used to send
massive spam, for example last night:
tcpserver: pid 20727 from 195.223.y.y
tcpserver: ok 20727 omicron:62.48.x.x:25 :195.223.y.y::51731
mailfront[20727]: SASL AUTH LOGIN username=info sys_username=o67a123 domain=example.org
mailfront[20727]: MAIL ####@####.####
mailfront[20727]: RCPT ####@####.####
mailfront[20727]: RCPT ####@####.####
mailfront[20727]: RCPT ####@####.####
(....)
mailfront[20727]: RCPT ####@####.####
mailfront[20727]: RCPT ####@####.####
mailfront[20727]: RCPT ####@####.####
As you can see, the "MAIL FROM:" part used as Return-Path is completely
forged. I just checked the docs to try to find a way to prevent this
directly with mailfront and its plugins, but with no success yet: has
anyone here implemented this? If yes, a short message would be great,
thanks!
Next step would be to check if the header "From:" field is also valid,
but this would most probably be more complex.
Kind regards & a nice week to you,
Olivier
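The check the post asks for, written out as an added example (this is not code from the post or from the mailfront project, and it does not use any mailfront plugin): a policy function that accepts an envelope sender only when it is exactly the authenticated username@domain, and a small scanner that applies that rule to mailfront-style log lines grouped by pid, flagging sessions whose MAIL FROM does not match the SASL identity and, as a secondary signal, sessions with an unusually long RCPT list. The log format is modelled on the excerpt above; since the addresses there are redacted, the sample lines, hosts and users below are constructed placeholders, and the exact-match policy (including rejecting the empty sender) is an assumption rather than something mailfront enforces.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the log excerpt in the post. The
# addresses there are redacted, so these users and hosts are invented.
SAMPLE_LOG = """\
mailfront[20727]: SASL AUTH LOGIN username=info sys_username=o67a123 domain=example.org
mailfront[20727]: MAIL forged.sender@example.net
mailfront[20727]: RCPT victim1@example.com
mailfront[20727]: RCPT victim2@example.com
mailfront[20727]: RCPT victim3@example.com
mailfront[20727]: RCPT victim4@example.com
mailfront[20810]: SASL AUTH LOGIN username=alice sys_username=o67a124 domain=example.org
mailfront[20810]: MAIL Alice@Example.org
mailfront[20810]: RCPT bob@example.com
"""

# One SMTP session per mailfront pid; the three line shapes we care about.
AUTH_RE = re.compile(
    r"^mailfront\[(\d+)\]: SASL AUTH \S+ username=(\S+)(?: sys_username=\S+)? domain=(\S+)"
)
MAIL_RE = re.compile(r"^mailfront\[(\d+)\]: MAIL (\S*)")
RCPT_RE = re.compile(r"^mailfront\[(\d+)\]: RCPT (\S+)")


def envelope_allowed(username, domain, mail_from):
    """Assumed policy: an authenticated session may only use its own
    username@domain as envelope sender (Return-Path). The comparison is
    case-insensitive; anything else, including the empty sender "<>",
    counts as a mismatch."""
    return mail_from.strip("<>").lower() == f"{username}@{domain}".lower()


def scan(log_text, rcpt_threshold=50):
    """Group log lines by pid and report (a) sessions whose MAIL FROM does
    not belong to the authenticated user and (b) sessions whose recipient
    count reaches rcpt_threshold. Returns a list of finding dicts."""
    sessions = defaultdict(lambda: {"auth": None, "mail_from": None, "rcpts": 0})
    for line in log_text.splitlines():
        if m := AUTH_RE.match(line):
            pid, user, dom = m.groups()
            sessions[pid]["auth"] = (user, dom)
        elif m := MAIL_RE.match(line):
            pid, addr = m.groups()
            sessions[pid]["mail_from"] = addr
        elif m := RCPT_RE.match(line):
            sessions[m.group(1)]["rcpts"] += 1

    findings = []
    for pid, s in sorted(sessions.items()):
        # Only authenticated sessions are subject to the sender policy;
        # unauthenticated inbound mail legitimately carries foreign senders.
        if s["auth"] and s["mail_from"] is not None:
            user, dom = s["auth"]
            if not envelope_allowed(user, dom, s["mail_from"]):
                findings.append({
                    "pid": pid,
                    "reason": "return-path-mismatch",
                    "auth": f"{user}@{dom}",
                    "mail_from": s["mail_from"],
                })
        if s["rcpts"] >= rcpt_threshold:
            findings.append({"pid": pid, "reason": "rcpt-burst", "rcpts": s["rcpts"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, rcpt_threshold=4):
        print(finding)
```

Run against a real mailfront log, only the session for pid 20727 in the sample is reported: the authenticated identity is info@example.org but the envelope sender is on another domain, which is exactly the forged Return-Path the post describes; pid 20810 passes because the sender differs only in case. The exact-match rule is deliberately strict: if users are allowed aliases or to send from several addresses, `envelope_allowed` is the one place to relax it, for example by checking the sender against a per-user allow-list instead. Validating the header "From:" field, as the post notes, needs the message body rather than the SMTP envelope and is not attempted here.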