Server IP : 85.214.239.14 / Your IP : 3.135.206.19 Web Server : Apache/2.4.62 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /usr/share/perl5/Mail/SpamAssassin/Plugin/ |
Upload File : |
# <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # </@LICENSE> package Mail::SpamAssassin::Plugin::RelayEval; use Mail::SpamAssassin::Plugin; use Mail::SpamAssassin::Logger; use Mail::SpamAssassin::Constants qw(:ip); use strict; use warnings; # use bytes; use re 'taint'; our @ISA = qw(Mail::SpamAssassin::Plugin); my $IPV4_ADDRESS = IPV4_ADDRESS; # constructor: register the eval rule sub new { my $class = shift; my $mailsaobject = shift; # some boilerplate... $class = ref($class) || $class; my $self = $class->SUPER::new($mailsaobject); bless ($self, $class); # the important bit! $self->register_eval_rule("check_for_numeric_helo"); # type does not matter $self->register_eval_rule("check_for_illegal_ip"); # type does not matter $self->register_eval_rule("check_all_trusted"); # type does not matter $self->register_eval_rule("check_no_relays"); # type does not matter $self->register_eval_rule("check_relays_unparseable"); # type does not matter $self->register_eval_rule("check_for_sender_no_reverse"); # type does not matter $self->register_eval_rule("check_for_from_domain_in_received_headers", $Mail::SpamAssassin::Conf::TYPE_HEAD_EVALS); $self->register_eval_rule("check_for_forged_received_trail"); # type does not matter $self->register_eval_rule("check_for_forged_received_ip_helo"); # type does not matter $self->register_eval_rule("helo_ip_mismatch"); # type does not matter $self->register_eval_rule("check_for_no_rdns_dotcom_helo"); # type does not matter return $self; } # tvd: why isn't this just RegistrarBoundaries ? sub hostname_to_domain { my ($hostname) = @_; if ($hostname !~ /[a-zA-Z]/) { return $hostname; } # IP address my @parts = split(/\./, $hostname); if (@parts > 1 && $parts[-1] =~ /(?:\S{3,}|ie|fr|de)/) { return join('.', @parts[-2..-1]); } elsif (@parts > 2) { return join('.', @parts[-3..-1]); } else { return $hostname; } } sub _helo_forgery_welcomelisted { my ($helo, $rdns) = @_; if ($helo eq 'msn.com' && $rdns eq 'hotmail.com') { return 1; } 0; } sub check_for_numeric_helo { my ($self, $pms) = @_; my $rcvd = $pms->{relays_untrusted_str}; if ($rcvd) { local $1; # no re "strict"; # since perl 5.21.8: Ranges of ASCII printables... if ($rcvd =~ /\bhelo=($IPV4_ADDRESS)(?=[\000-\040,;\[()<>]|\z)/i # Bug 5878 && $1 !~ IS_IP_PRIVATE) { return 1; } } return 0; } sub check_for_illegal_ip { my ($self, $pms) = @_; # Bug 6295, no longer in use, kept for compatibility with old rules dbg('eval: the "check_for_illegal_ip" eval rule no longer available, '. 'please update your rules'); return 0; } # note using IPv4 addresses for now due to empty strings matching IP_ADDRESS # due to bug in pure IPv6 address regular expression sub helo_ip_mismatch { my ($self, $pms) = @_; for my $relay (@{$pms->{relays_untrusted}}) { # is HELO usable? next unless ($relay->{helo} =~ IS_IPV4_ADDRESS && $relay->{helo} !~ IS_IP_PRIVATE); # compare HELO with IP return 1 if ($relay->{ip} =~ IS_IPV4_ADDRESS && $relay->{ip} !~ IS_IP_PRIVATE && $relay->{helo} ne $relay->{ip} && # different IP is okay if in same /24 $relay->{helo} =~ /^(\d+\.\d+\.\d+\.)/ && index($relay->{ip}, $1) != 0); } return 0; } ########################################################################### sub check_all_trusted { my ($self, $pms) = @_; return $pms->{num_relays_trusted} && !$pms->{num_relays_untrusted} && !$pms->{num_relays_unparseable}; } sub check_no_relays { my ($self, $pms) = @_; return !$pms->{num_relays_trusted} && !$pms->{num_relays_untrusted} && !$pms->{num_relays_unparseable}; } sub check_relays_unparseable { my ($self, $pms) = @_; return $pms->{num_relays_unparseable} ? 1 : 0; } # Check if the apparent sender (in the last received header) had # no reverse lookup for it's IP # # Look for headers like: # # Received: from mx1.eudoramail.com ([204.32.147.84]) sub check_for_sender_no_reverse { my ($self, $pms) = @_; # Sender received header is the last in the sequence my $srcvd = $pms->{relays_untrusted}-> [$pms->{num_relays_untrusted} - 1]; return 0 unless (defined $srcvd); # Ignore if the from host is domainless (has no dot) return 0 unless ($srcvd->{rdns} =~ /\./); # Ignore if the from host is from a private IP range return 0 if ($srcvd->{ip_private}); return 1; } # check_for_sender_no_reverse() #Received: from dragnet.sjc.ebay.com (dragnet.sjc.ebay.com [10.6.21.14]) # by bashir.ebay.com (8.10.2/8.10.2) with SMTP id g29JpwB10940 # for <rod@begbie.com>; Sat, 9 Mar 2002 11:51:58 -0800 sub check_for_from_domain_in_received_headers { my ($self, $pms, $domain, $desired) = @_; if (exists $pms->{from_domain_in_received}) { if (exists $pms->{from_domain_in_received}->{$domain}) { if ($desired eq 'true') { # See use of '0e0' below for why we force int() here: return int($pms->{from_domain_in_received}->{$domain}); } else { # And why we deliberately do NOT use integers here: return !$pms->{from_domain_in_received}->{$domain}; } } } else { $pms->{from_domain_in_received} = {}; } my $from = $pms->get('From:addr'); if ($from !~ /\b\Q$domain\E/i) { # '0e0' is Perl idiom for "true but zero": $pms->{from_domain_in_received}->{$domain} = '0e0'; return 0; } my $rcvd = $pms->{relays_trusted_str}."\n".$pms->{relays_untrusted_str}; if ($rcvd =~ / rdns=\S*\b${domain} [^\]]*by=\S*\b${domain} /) { $pms->{from_domain_in_received}->{$domain} = 1; return ($desired eq 'true'); } $pms->{from_domain_in_received}->{$domain} = 0; return ($desired ne 'true'); } sub check_for_no_rdns_dotcom_helo { my ($self, $pms) = @_; if (!exists $pms->{no_rdns_dotcom_helo}) { $self->_check_received_helos($pms); } return $pms->{no_rdns_dotcom_helo} ? 1 : 0; } # Bug 1133 # Some spammers will, through HELO, tell the server that their machine # name *is* the relay; don't know why. An example: # from mail1.mailwizards.com (m448-mp1.cvx1-b.col.dial.ntli.net # [213.107.233.192]) # by mail1.mailwizards.com # When this occurs for real, the from name and HELO name will be the # same, unless the "helo" name is localhost, or the from and by hostsnames # themselves are localhost sub _check_received_helos { my ($self, $pms) = @_; for (my $i = 0; $i < $pms->{num_relays_untrusted}; $i++) { my $rcvd = $pms->{relays_untrusted}->[$i]; # Ignore where IP is in private IP space next if ($rcvd->{ip_private}); my $from_host = $rcvd->{rdns}; my $helo_host = $rcvd->{helo}; my $by_host = $rcvd->{by}; my $no_rdns = $rcvd->{no_reverse_dns}; next unless defined($helo_host); # Check for a faked dotcom HELO, e.g. # Received: from mx02.hotmail.com (www.sucasita.com.mx [148.223.251.99])... # this can be a stronger spamsign than the normal case, since the # big dotcoms don't screw up their rDNS normally ;), so less FPs. # Since spammers like sending out their mails from the dotcoms (esp. # hotmail and AOL) this will catch those forgeries. # # allow stuff before the dot-com for both from-name and HELO-name, # so HELO="outgoing.aol.com" and from="mx34853495.mx.aol.com" works OK. # $pms->{no_rdns_dotcom_helo} = 0; if ($helo_host =~ /(?:\.|^)(lycos\.com|lycos\.co\.uk|hotmail\.com |localhost\.com|excite\.com|caramail\.com |cs\.com|aol\.com|msn\.com|yahoo\.com|drizzle\.com)$/ix) { my $dom = $1; # ok, let's catch the case where there's *no* reverse DNS there either if ($no_rdns) { dbg2("eval: Received: no rDNS for dotcom HELO: from=$from_host HELO=$helo_host"); $pms->{no_rdns_dotcom_helo} = 1; } } } } # _check_received_helos() # FORGED_RCVD_TRAIL sub check_for_forged_received_trail { my ($self, $pms) = @_; $self->_check_for_forged_received($pms) unless exists $pms->{mismatch_from}; return ($pms->{mismatch_from} > 1); } # FORGED_RCVD_IP_HELO sub check_for_forged_received_ip_helo { my ($self, $pms) = @_; $self->_check_for_forged_received($pms) unless exists $pms->{mismatch_ip_helo}; return ($pms->{mismatch_ip_helo} > 0); } sub _check_for_forged_received { my ($self, $pms) = @_; $pms->{mismatch_from} = 0; $pms->{mismatch_ip_helo} = 0; my $IP_PRIVATE = IP_PRIVATE; my @fromip = map { $_->{ip} } @{$pms->{relays_untrusted}}; # just pick up domains for these my @by = map { hostname_to_domain ($_->{lc_by}); } @{$pms->{relays_untrusted}}; my @from = map { hostname_to_domain ($_->{lc_rdns}); } @{$pms->{relays_untrusted}}; my @helo = map { hostname_to_domain ($_->{lc_helo}); } @{$pms->{relays_untrusted}}; for (my $i = 0; $i < $pms->{num_relays_untrusted}; $i++) { next if (!defined $by[$i] || $by[$i] !~ /^\w+(?:[\w.-]+\.)+\w+$/); if (defined ($from[$i]) && defined($fromip[$i])) { if ($from[$i] =~ /^localhost(?:\.localdomain)?$/) { if ($fromip[$i] eq '127.0.0.1') { # valid: bouncing around inside 1 machine, via the localhost # interface (freshmeat newsletter does this). TODO: this # may be obsolete, I think we do this in Received.pm anyway $from[$i] = undef; } } } my $frm = $from[$i]; my $hlo = $helo[$i]; my $by = $by[$i]; dbg2("eval: forged-HELO: from=".(defined $frm ? $frm : "(undef)"). " helo=".(defined $hlo ? $hlo : "(undef)"). " by=".(defined $by ? $by : "(undef)")); # note: this code won't catch IP-address HELOs, but we already have # a separate rule for that anyway. next unless ($by =~ /^\w+(?:[\w.-]+\.)+\w+$/); my $fip = $fromip[$i]; if (defined($hlo) && defined($fip)) { if ($hlo =~ /^\d+\.\d+\.\d+\.\d+$/ && $fip =~ /^\d+\.\d+\.\d+\.\d+$/ && $fip ne $hlo) { $hlo =~ /^(\d+\.\d+)\.\d+\.\d+$/; my $hclassb = $1; $fip =~ /^(\d+\.\d+)\.\d+\.\d+$/; my $fclassb = $1; # allow private IP addrs here, could be a legit screwup if ($hclassb && $fclassb && $hclassb ne $fclassb && $hlo !~ IS_IP_PRIVATE) { dbg2("eval: forged-HELO: massive mismatch on IP-addr HELO: '$hlo' != '$fip'"); $pms->{mismatch_ip_helo}++; } } } my $prev = $from[$i-1]; if (defined($prev) && $i > 0 && $prev =~ /^\w+(?:[\w.-]+\.)+\w+$/ && $by ne $prev && !_helo_forgery_welcomelisted($by, $prev)) { dbg2("eval: forged-HELO: mismatch on from: '$prev' != '$by'"); $pms->{mismatch_from}++; } } } ########################################################################### # support eval-test verbose debugs using "-Deval" sub dbg2 { if (would_log('dbg', 'eval') == 2) { dbg(@_); } } 1;