First page Back Continue Last page Overview Text

Notes:


sender_ok = False
# allow all from mailer-daemon, abuse@
if data.get('sender', '') == '':
return ret('dunno', '', factory, data, runTime, dnsblScore)
if data.get('recipient', '').lower()[:6] == 'abuse@':
return ret('dunno', '', factory, data, runTime, dnsblScore)
res, resEx = factory.check('list_bw_client_address', data)
# client address black/whitelist
if res != 0:
if res > 0:
return ret('dunno', '', factory, data, runTime, dnsblScore)
if res < 0:
return ret('550', '5.7.1 Your client address was blacklisted (BLACKLIST1). Please send mail to abuse@fjfi.cvut.cz with explanation why your client address should be removed.', factory, data, runTime, dnsblScore)
# sender mail address black/whitelist (user@some.domain.com, user@, .some.domain.com, .domain.com, .com)
res, resEx = factory.check('list_bw_sender', data)
if res != 0:
if res > 0:
return ret('dunno', '', factory, data, runTime, dnsblScore)
if res < 0:
return ret('550', '5.7.2 Your mail address was blacklisted (BLACKLIST2). Please send mail to abuse@fjfi.cvut.cz with explanation why your mail address should be removed.', factory, data, runTime, dnsblScore)
# sender address verification for local addresses
# FIXME: doesn't work becaus we don't verify mail from local mailservers
# we should read transport tables and try real mailserver
# this can be implemented by standard postfix restriction rules
# if data.get('sender', '').lower()[-len('fjfi.cvut.cz'):] == 'fjfi.cvut.cz':
# res, resEx = factory.check('verify_user', data)
# if res < 0:
# return ret('450', "4.7.0 Sender address verification failed - %s is not valid local address" % data.get('sender', ''), factory, data, runTime, dnsblScore)
# # don't accept mail from servers without any reverse record in DNS
# if data.get('client_name', ''):
# return ret('451', "4.7.2 Your client address is suspicious (DNSERR2), it doesnt have correct DNS records. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php" % sdom, factory, data, runTime, dnsblScore)
# well, reject mail from incorrectly configured mailservers
# for domain their admins/users are not idiots and they send
# mail only throught well configured official mailservers
if data.get('sender_domain', '').lower() in [ 'verisign.com' ]:
if data.get('client_name', '') == '' or data.get('helo_name', '').find('.') == -1 or factory.check('dnsbldynamic_pattern', data)[0] < 0:
return ret('550', "5.7.5 Your mailserver configuration is incorrect (DOMAINERR1), we expect that all real mailservers for %s are well maintained and thats why we reject mail from suspicious client that use your domain in sender address. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php" % data.get('sender_domain', ''), factory, data, runTime, dnsblScore)
if data.get('sender', '').lower() == data.get('recipient', '').lower() and data.get('client_address', '')[:7] != '147.32.':
return ret('550', "5.7.3 Your mail address is suspicious (SENDERERR1), sender and recipient address is same but you are not sending mail throught official mailserver for CTU FNSPE. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php" % sdom, factory, data, runTime, dnsblScore)
# # from Russia and China accept only mail from mailservers with correct
# # reverse records
# if factory.check('country')[1] in [ 'RU', 'CN' ]:
# if data.get('client_name', '') == '':
# return ret('550', '', ...)
# slowdown mail from incorrectly configured mailservers
# or mailserver in dynamic IP ranges.
if data.get('client_name', '') == '' or factory.check('dnsbldynamic_pattern', data)[0] > 0:
if data.get('helo_name', '').find('.') == -1:
time.sleep(5.0) # slow down all suspicious traffic
else:
time.sleep(2.0) # slow down all suspicious traffic
# apply greylisting for mailservers without reverse DNS records
# or mailservers from dynamic IP range that doesn't say correct HELO
if data.get('client_name', '') == '' or (data.get('helo_name', '').find('.') == -1 and factory.check('dnsbldynamic_pattern', data)[0] > 0):
res, resEx = factory.check('greylist', data)
if res < 0:
return ret('451', "4.7.10 Your mail is suspicious (GREYLIST), greylist in progress, try again later after %ss. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php" % resEx[1], factory, data, runTime, dnsblScore) # make higher score for suspicious sender domain or domain
# that mailserver should never be on any blacklist (so score
# will never reach required treshold...)
for sdom, sc in [ ('biz', 0.25), ('verisign.com', 2.0), ('geocities.com', 1.0) ]:
if data.get('sender', '').lower()[-len(sdom):] == sdom:
dnsblScore += sc
# higher score for incorrectly configured mailservers (e.g. bad HELO)
try:
import ppolicy.tools.dnscache
helo_name = data.get('helo_name', '')
if len(helo_name) == 0 or (helo_name[0] == '[' and helo_name[-1] == ']'):
if data.get('client_address', '') != helo_name[1:-1]:
dnsblScore += 0.75
elif helo_name.find('.') == -1 or data.get('client_address', '') not in ppolicy.tools.dnscache.getIpForName(helo_name):
dnsblScore += 0.5
except:
pass
# higher score for client addresses without PTR DNS records
if data.get('client_name', '') == '':
dnsblScore += 1
# amavis stats for last 7 days for each domain
res, resEx = factory.check('list_amavis_domain_score', data)
if res > 0:
dnsblScore += (resEx[0]/25)*(1-1.0/resEx[1])
# remote mail addresses used as RCPT TO from local senders
res, resEx = factory.check('list_amavis_whitelist_sender', data)
if res > 0:
dnsblScore -= 3
# SPF violation
res, resEx = factory.check('spf', data)
if res < 0:
dnsblScore += 1
# dynamic allocated IP (e.g. 123-123.adsl.provider.com)
res, resEx = factory.check('dnsbldynamic_pattern', data)
if res > 0:
dnsblScore += 0.5
# spamassassin score from various blacklists
res, resEx = factory.check('dnsblscore', data)
dnsblScore += res
# reject mail from mailserver that should not be on blacklists
for sdom, sc in [ ('verisign.com', 6.0) ]:
if data.get('sender', '').lower()[-len(sdom):] == sdom and dnsblScore > sc:
return ret('550', "5.7.6 Your client address is suspicious (DOMAINERR2), it has hight blacklist score althrought your domain %s should be correctly configured. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php" % sdom, factory, data, runTime, dnsblScore)
# reject mail sended from dynamic address that doesn't said icorrect HELO (not fqdn)
if dnsblScore > 4:
res, resEx = factory.check('dnsbldynamic_pattern', data)
if (res > 0 or data.get('client_name', '').lower() in [ '', 'friend' ]) and helo_name.find('.') == -1:
return ret('451', '4.7.6 Your client address is suspicious (HELOERR3), it doesnt send correct HELO. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php', factory, data, runTime, dnsblScore)
# reject mail from addresses without PTR DNS records
if dnsblScore > 4.5:
if data.get('client_name', '') == '':
return ret('451', '4.7.1 Your client address is suspicious (DNSERR1), it doesnt have reverse DNS records. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php', factory, data, runTime, dnsblScore)
if dnsblScore > 5:
# reject mail from addresses without correct PTR and A DNS records
if dnsblScore > 6:
res, resEx = factory.check('resolve_name_mx', data)
if res < 0:
return ret('451', '4.7.2 Your client address is suspicious (DNSERR2), it doesnt have correct DNS records. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php', factory, data, runTime, dnsblScore)
if dnsblScore > 7:
helo_name = data.get('helo_name', '')
if len(helo_name) == 0 or (helo_name[0] == '[' and helo_name[-1] == ']'):
# if data.get('client_address', '') != helo_name[1:-1]:
if len(helo_name) == 0:
return ret('451', '4.7.3 Your client address is suspicious (HELOERR1), it doesnt send correct HELO. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php', factory, data, runTime, dnsblScore)
else:
if dnsblScore > 9:
try:
# import ppolicy.tools.dnscache
# if helo_name.find('.') == -1 or data.get('client_address', '') not in ppolicy.tools.dnscache.getIpForName(helo_name):
if helo_name.find('.') == -1:
return ret('451', '4.7.4 Your client address is suspicious (HELOERR2), it doesnt send correct HELO. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php', factory, data, runTime, dnsblScore)
except:
pass
res, resEx = factory.check('verify_connection', data)
if res < 0:
return ret('550', '5.7.11 Reverse SMTP Connect Spam Fighting rule failed, your your mailserver cant be verified. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php', factory, data, runTime, dnsblScore)
res, resEx = factory.check('greylist', data)
if res < 0:
return ret('451', "4.7.10 Your mail is suspicious (GREYLIST), greylist in progress, try again later after %ss. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php" % resEx[1], factory, data, runTime, dnsblScore) if dnsblScore > 6:
time.sleep(dnsblScore) # slow down all suspicious traffic
else:
res, resEx = factory.check('verify_connection', data)
if res < 0:
return ret('451', '4.7.11 Reverse SMTP Connect Spam Fighting rule failed, your mailserver cant be verified, try to resend mail later. To whitelist your mail see http://nms.fjfi.cvut.cz/fjfi/mail.php', factory, data, runTime, dnsblScore)

return ret('dunno', '', factory, data, runTime, dnsblScore)