[Esd-l] Help with hybris getting thru filters
John D. Hardin
jhardin at impsec.org
Wed Jun 6 18:54:07 PDT 2001
On Wed, 6 Jun 2001, Rick Thompson wrote:
> :0
> > * ^(From|Sender):
>
> Anybody think this will have unintended results?
Sender headers can be forged.
> My intention is to bypass the filters for internal mail.
A somewhat better way to do this is to look for internal IP addresses
and your domain name in a Received: header.
If you'll post the complete headers from an internal mail, we can pick
out a likely bypass RE.
Warning: you probably don't want to completely bypass the sanitizer on
internal mail. What if one of your users gets hit by an ILY variant via
a webmail account? This actually happened to my company, and
sanitizing internal mail prevented its spreading beyond the one
user's system.
A better policy for internal mail is to relax MANGLE_EXTENSIONS,
SECURITY_STRIP_MSTNEF and such, and possibly specify a different
poisoned-executables list, rather than completely bypassing
sanitization.
> Messages can be sent without a Message-ID header. In fact, I
> think you can pass a message to most SMTP servers without any
> headers at all. Most servers (including yours) are configured
> to create certain headers (such as Message-ID and Date) if they
> are missing.
This is the case.
<hotbutton>
It would be *really* nice if it was possible to configure sendmail to
bounce Message-ID-less messages coming from outside your local
network, or to be able to specify that it add Message-IDs that DO NOT
make the messages look locally originated.
</hotbutton>
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
An entitlement beneficiary is a person or special interest group
who didn't earn your money, but demands the right to take your
money because they *want* it.
-- John McKay, _The Welfare State:
No Mercy for the Middle Class_
-----------------------------------------------------------------------
1245 days until the Presidential Election
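The difference between keying an internal-mail test on From/Sender and keying it on a Received: header, as an added example that is not part of the original post or of the sanitizer. It goes one step beyond the reply by trusting only the topmost Received: header, the one the local MTA itself prepends. The host name `mail.example.com`, the network `192.168.1.0/24`, the sendmail-style Received: layout and a single-hop local MTA are all assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumed site values (constructed for this example, not from the thread).
LOCAL_MTA = "mail.example.com"
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# sendmail-style line: from <HELO> (<rDNS> [<peer IP>]) by <host> ...
# The HELO token is chosen by the client; the bracketed IP inside the
# parentheses is the address the receiving MTA saw on the connection.
RECEIVED_RE = re.compile(
    r"\s*from\s+\S+\s+\((?:\S+\s+)?\[(?P<ip>[0-9.]+)\].*?\bby\s+(?P<by>[\w.-]+)",
    re.S)

def from_looks_internal(raw: str) -> bool:
    """Weak test: From/Sender are written by whoever sent the message."""
    msg = message_from_string(raw)
    return any("@example.com" in (msg.get(h) or "") for h in ("From", "Sender"))

def received_is_internal(raw: str) -> bool:
    """True only if the topmost Received: header (the one LOCAL_MTA itself
    prepended) records a peer inside INTERNAL_NET. Lower Received: lines
    arrive with the message and can be forged like any other header."""
    received = message_from_string(raw).get_all("Received") or []
    m = RECEIVED_RE.match(received[0]) if received else None
    if not m or m.group("by").lower() != LOCAL_MTA:
        return False
    try:
        return ipaddress.ip_address(m.group("ip")) in INTERNAL_NET
    except ValueError:
        return False

def _msg(received_lines, sender="alice@example.com"):
    """Build a constructed sample message from (helo, rdns, ip) tuples."""
    hdrs = "".join(
        f"Received: from {helo} ({rdns} [{ip}])\n\tby {LOCAL_MTA} with ESMTP id x\n"
        for helo, rdns, ip in received_lines)
    return f"{hdrs}From: {sender}\nSubject: test\n\nbody\n"

# Constructed samples: genuine internal mail, an outside message with a forged
# From: plus a forged lower Received:, and an outside client lying in HELO.
INTERNAL = _msg([("ws12", "ws12.example.com", "192.168.1.12")])
FORGED = _msg([("ws12", "dialup.example.net", "203.0.113.7"),
               ("ws12", "ws12.example.com", "192.168.1.12")])
HELO_LIE = _msg([("[192.168.1.12]", "dialup.example.net", "203.0.113.7")])

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL), ("forged", FORGED), ("helo-lie", HELO_LIE)):
        print(name, from_looks_internal(raw), received_is_internal(raw))
```

A message that passes this test is a candidate for the relaxed settings the reply recommends, not for skipping sanitization.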