PureMessage RFC2821 violation..... And Support doesn't care...

Hi,

     I've been working with support on using PureMessage to prevent backscatter attacks.  In doing so I've found that PureMessage violates RFC 2821 in how it handles RCPT TO: responses for invalid users.  Yes, I have a list of valid users for PureMessage to use.  Below is a sample session of the misbehavior.  What bothers me is that support would not accept the fact that the product is broken, saying this is not supported, after giving me the instructions to set it up.

220 maxima.mail.cornell.edu ESMTP Sendmail 8.14.4/8.14.4; Mon, 16 May 2011 10:47:52 -0400
helo lost.net
250 maxima.mail.cornell.edu Hello rrdhcp-68-312.redrover.cornell.edu [128.84.69.56], pleased to meet you
mail from: jwh2@cornell.edu
250 2.1.0 jwh2@cornell.edu... Sender ok
rcpt to: jwh222222222222@cornell.edu
250 2.1.5 jwh222222222222@cornell.edu... Recipient ok            <-- Not really. Should have been a 5XX error.
data
354 Enter mail, end with "." on a line by itself
silly test
.
555 5.0.0 Cornell Email User Not found
quit
221 2.0.0 maxima.mail.cornell.edu closing connection

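To make the RFC 2821 point concrete, here is an added example (not part of this thread, and not PureMessage or Sendmail code) that models the two recipient-validation policies side by side: the RFC-compliant one, which answers an unknown user with 550 5.1.1 at RCPT TO so the sending MTA bounces to its own sender and no backscatter leaves this site, and the observed one, which says 250 to everything and either fails the whole message after DATA (first transcript) or silently drops the bad recipient (second transcript). The valid-user list, the domain and the scripted client sessions are constructed; the session shapes follow the two telnet transcripts in the thread.

```python
# Added example, not part of the forum thread and not PureMessage or Sendmail code:
# a toy SMTP responder that models the recipient-validation policies discussed above.
# LOCAL_DOMAIN, VALID_USERS and the client scripts are constructed stand-ins.

from dataclasses import dataclass, field

LOCAL_DOMAIN = "cornell.edu"
VALID_USERS = {"jwh2", "ctb38"}  # constructed stand-in for the site's valid-user list


@dataclass
class Session:
    early_reject: bool                 # True: reject unknown users at RCPT TO (RFC 2821 behaviour)
    in_data: bool = False
    accepted: list = field(default_factory=list)   # known recipients we said 250 to
    unknown: list = field(default_factory=list)    # unknown users we (wrongly) said 250 to
    dropped: list = field(default_factory=list)    # unknown users removed after DATA, no DSN sent


def is_valid_recipient(addr: str) -> bool:
    """Local-part lookup against the valid-user list; other domains are not ours."""
    addr = addr.strip().strip("<>").lower()
    local, sep, domain = addr.rpartition("@")
    return sep == "@" and domain == LOCAL_DOMAIN and local in VALID_USERS


def respond(session: Session, line: str) -> str:
    """Server reply for one client line ('' while a message body is being read)."""
    if session.in_data:
        if line != ".":
            return ""
        session.in_data = False
        if session.unknown and not session.accepted:
            # Late-reject policy, first transcript: no deliverable recipient is left,
            # so the whole message is failed after the body was already sent.
            return "555 5.0.0 User not found"
        if session.unknown:
            # Late-reject policy, second transcript: the unknown recipient is removed
            # from the recipient list and nobody is told (the "bit bucket" case).
            session.dropped.extend(session.unknown)
            session.unknown.clear()
        return "250 2.0.0 Message accepted for delivery"

    upper = line.upper()
    if upper.startswith(("HELO ", "EHLO ")):
        return "250 mail.example Hello " + line.split(None, 1)[1]
    if upper.startswith("MAIL FROM:"):
        return "250 2.1.0 Sender ok"
    if upper.startswith("RCPT TO:"):
        addr = line[len("RCPT TO:"):].strip()
        if is_valid_recipient(addr):
            session.accepted.append(addr)
            return f"250 2.1.5 {addr}... Recipient ok"
        if session.early_reject:
            # RFC 2821 behaviour: refuse the unknown mailbox at RCPT TO.  The sending
            # MTA bounces to its own envelope sender; this site sends nothing.
            return f"550 5.1.1 {addr}... User unknown"
        session.unknown.append(addr)
        return f"250 2.1.5 {addr}... Recipient ok"
    if upper == "DATA":
        if not session.accepted and not session.unknown:
            return "503 5.5.1 Need RCPT (recipient)"
        session.in_data = True
        return '354 Enter mail, end with "." on a line by itself'
    if upper == "QUIT":
        return "221 2.0.0 closing connection"
    return "500 5.5.1 Command unrecognized"


def run_session(client_lines, early_reject: bool):
    """Drive a scripted client through the responder; return ((cmd, reply) pairs, session)."""
    session = Session(early_reject=early_reject)
    pairs = []
    for cmd in client_lines:
        reply = respond(session, cmd)
        if reply:
            pairs.append((cmd, reply))
    return pairs, session


# Constructed scripts shaped like the two telnet sessions quoted in the thread.
SINGLE_BAD_RCPT = ["helo lost.net", "mail from: jwh2@cornell.edu",
                   "rcpt to: jwh222222222222@cornell.edu",
                   "data", "silly test", ".", "quit"]
MIXED_RCPTS = ["helo lost.net", "mail from: jwh2@cornell.edu",
               "rcpt to: jwh2@cornell.edu", "rcpt to: jwh2222222222222@cornell.edu",
               "rcpt to: ctb38@cornell.edu", "data", "silly test", ".", "quit"]

if __name__ == "__main__":
    for label, script in (("single bad recipient", SINGLE_BAD_RCPT), ("mixed recipients", MIXED_RCPTS)):
        for policy in (False, True):
            pairs, session = run_session(script, early_reject=policy)
            print(f"--- {label}, early_reject={policy}, silently dropped={session.dropped}")
            for cmd, reply in pairs:
                print(f"C: {cmd}\nS: {reply}")
```

Under the early-reject policy the single-bad-recipient session gets 550 at RCPT and then 503 at DATA, because no recipient was ever accepted; under the late-reject policy the same session is accepted right up to the end of DATA and only then fails, and the mixed session is accepted with the unknown recipient removed and no DSN generated, which is exactly the backscatter-versus-silent-loss trade-off the post complains about.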


Hi,

         What I'm trying to do is protect us from a backscatter attack.  We were doing recipient forwarding (and validation) at the edge.  We recently changed the edge machines to forward email that we don't reject as spam to internal systems for forwarding.  Given that, we should do recipient validation at the edge.

         PureMessage is failing RFC 2821 in two ways.  First, my example above.  Second is in the "subsequent failure" you reference in section 6.  Below, jwh2222222222222@cornell.edu is an invalid address; jwh2@cornell.edu and ctb38@cornell.edu are valid and receive the email.  In the Sendmail log you see the jwh2222222222222@cornell.edu recipient deleted from the recipient list.  The sender should receive a bounce message ("subsequent failure") but does not.  The message goes into the bit bucket; I can't find any trace of it.  I hope you have a clearer understanding now.

    May 17 11:27:49 maxima sendmail[26072]: p4HFQpqf026072: Milter delete: rcpt jwh2222222222222@cornell.edu

    jwh2-3:~ JimHowell$ telnet maxima.mail 25
    Trying 128.253.83.156...
    Connected to maxima.mail.cornell.edu.
    Escape character is '^]'.
    220 maxima.mail.cornell.edu ESMTP Sendmail 8.14.4/8.14.4; Tue, 17 May 2011 11:26:51 -0400
    helo lost.net
    250 maxima.mail.cornell.edu Hello jwh2-3.cit.cornell.edu [128.253.64.161], pleased to meet you
    mail from: jwh2@cornell.edu
    250 2.1.0 jwh2@cornell.edu... Sender ok
    rcpt to: jwh2@cornell.edu
    250 2.1.5 jwh2@cornell.edu... Recipient ok
    rcpt to: jwh2222222222222@cornell.edu
    250 2.1.5 jwh2222222222222@cornell.edu... Recipient ok
    rcpt to: ctb38@cornell.edu
    250 2.1.5 ctb38@cornell.edu... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    silly test
    .
    250 2.0.0 p4HFQpqf026072 Message accepted for delivery
    quit
    221 2.0.0 maxima.mail.cornell.edu closing connection
    Connection closed by foreign host

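The "Milter delete: rcpt" log line quoted in the reply is the only trace the silently removed recipient leaves, so it is the thing to audit. The following added example (not part of the thread, and not Sendmail or PureMessage code) parses Sendmail log lines of that shape and groups the removed recipients by queue ID, giving an operator a count of how many messages lost recipients without a DSN. The log lines in SAMPLE_LOG are constructed around the one line quoted above; the other queue IDs, addresses and the "from=" line are made up for the example.

```python
# Added example, not part of the forum thread and not Sendmail or PureMessage code:
# extract "Milter delete: rcpt" events from Sendmail syslog lines so that recipients
# removed after RCPT TO was already accepted (and therefore never bounced) can be
# audited.  SAMPLE_LOG is constructed around the single line quoted in the thread.

import re
from collections import defaultdict

# Shape of the line: "<Mon DD HH:MM:SS> <host> sendmail[<pid>]: <queue-id>: Milter delete: rcpt <addr>"
MILTER_DELETE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): Milter delete: rcpt (?P<rcpt>\S+)$"
)

SAMPLE_LOG = """\
May 17 11:27:49 maxima sendmail[26072]: p4HFQpqf026072: Milter delete: rcpt jwh2222222222222@cornell.edu
May 17 11:31:02 maxima sendmail[26110]: p4HFV1ab026110: from=<jwh2@cornell.edu>, size=12, class=0, nrcpts=3
May 17 11:31:02 maxima sendmail[26110]: p4HFV1ab026110: Milter delete: rcpt nobody-here@cornell.edu
May 17 11:31:02 maxima sendmail[26110]: p4HFV1ab026110: Milter delete: rcpt also-gone@cornell.edu
May 17 11:35:40 maxima sendmail[26151]: p4HFZeqq026151: Milter delete: rcpt <bracketed@cornell.edu>
"""


def parse_milter_delete(line: str):
    """Return the fields of a 'Milter delete: rcpt' line as a dict, or None for any other line."""
    m = MILTER_DELETE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    fields["rcpt"] = fields["rcpt"].strip("<>").lower()   # normalise for grouping
    return fields


def dropped_recipients(log_text: str):
    """Map queue ID -> list of recipients a milter removed from that message."""
    by_qid = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_milter_delete(line)
        if event:
            by_qid[event["qid"]].append(event["rcpt"])
    return dict(by_qid)


def summarize(log_text: str):
    """Counts an operator would want: affected messages and total recipients lost without a DSN."""
    by_qid = dropped_recipients(log_text)
    return {
        "messages_with_silent_drops": len(by_qid),
        "recipients_dropped": sum(len(v) for v in by_qid.values()),
    }


if __name__ == "__main__":
    for qid, rcpts in dropped_recipients(SAMPLE_LOG).items():
        print(f"{qid}: {len(rcpts)} recipient(s) silently removed: {', '.join(rcpts)}")
    print(summarize(SAMPLE_LOG))
```

Run it against a real maillog with `dropped_recipients(open("/var/log/maillog").read())`; every queue ID it lists is a message whose sender was told 250 for a recipient that was later thrown away, which is the "subsequent failure" case with no bounce that the reply describes.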