[imp] hardening imp against spammers

Jon Lewis jlewis at lewis.org
Wed Jun 29 13:45:40 PDT 2005


On Wed, 29 Jun 2005, Chuck Hagenbuch wrote:

> Quoting Jon Lewis <jlewis at lewis.org>:
>
> > Shouldn't there be at least the option to configure such a limit?
>
> "Shouldn't" is a very, very loaded word. Please consider that you are
> dealing with volunteers, that no one may have hit this situation
> before, that no one may have thought of it, etc. And Jan _said_ that
> there wasn't a reason not to add it, and that he was seeing the same
> situation at a customer.

Sorry, I've been dealing with Nigerian webmail abusers on and off for
months and dealing with many other fires recently.  I wasn't as much
complaining about the lack of such a feature as suggesting "here it is,
and it'd be great if someone would do whatever cleanup is required and
merge this into the code"...and Jan's message seemed to imply that he
didn't think it was worth incorporating (or did I misinterpret it) even
though he recently needed (wrote?) the same feature for another IMP site?

This one's trivial enough that if I have to maintain it in our own hacked
up IMP, it's no big deal, but others will likely benefit from having it,
and I'd always rather see it in a future version than have to keep my own
patch set.

> > webmail), I suspect the next things we'll need are the DNSBL support I
> > mentioned (which I suspect is easy enough I might end up doing it), and
>
> We could use this for lots of other applications, too - Agora, Volos,
> etc. Would be a very useful contribution.

I just did this, but the code is even rougher than the max-recipients
thing, so I really doubt it'll be accepted without some serious cleanup
(like moving the dnsbls and codes to $conf rather than hardcoding them in
compose.php), but here it is anyway.

I'm checking njabl for proxies and spamsources, and sbl-xbl for any return
code.  I put this function at the top of compose.php:

/**
 * Returns a dnsbl the client IP is listed in or FALSE
 */
function dnsblcheck()
{
  /* Zones to query and, for each, the return code a listing must match.
   * A code of 0 means any answer from that zone counts as a hit. */
  $dnsbl     = array(0 => 'dnsbl.njabl.org', 1 => 'sbl-xbl.spamhaus.org');
  $dnsblcode = array(0 => '^127\.0\.0\.[49]$', 1 => 0);
  /* Reverse the client's octets: 1.2.3.4 becomes 4.3.2.1 */
  $rev = array_reverse(explode('.', $_SERVER['REMOTE_ADDR']));

  for ($dnsblc = 0; array_key_exists($dnsblc, $dnsbl); $dnsblc++) {
    $lookup = implode('.', $rev) . '.' . $dnsbl[$dnsblc];
    /* gethostbyname() returns the name unchanged when there is no A record */
    $result = gethostbyname($lookup);
    if ($lookup != $result) {
      /* zone with a specific code: only that code counts as a listing */
      if (($dnsblcode[$dnsblc]) && preg_match("/$dnsblcode[$dnsblc]/", $result)) {
        return $dnsbl[$dnsblc];
      }
      /* zone with code 0: any answer counts as a listing */
      if ($dnsblcode[$dnsblc] == 0) {
        return $dnsbl[$dnsblc];
      }
    }
  }
  return FALSE;
}

Then at the tops of case BOUNCE_MESSAGE: and SEND_MESSAGE:, I added:

     if (($dnsblname = dnsblcheck()) != FALSE) {
       Horde::logMessage(sprintf("dnsblhit in %s from %s",$dnsblname,$_SERVER['REMOTE_ADDR']), __FILE__, __LINE__, LOG_ERR);
       Horde::raiseMessage(sprintf(_("Sorry.  Your IP is dnsbl listed in %s.  You cannot send mail."),$dnsblname), HORDE_ERROR);
       $get_sig = false;
       break;
     }

> I haven't heard of it. That to me sounds like the kind of thing you're
> better off doing at the MTA level, instead of just in a web layer,
> though.

Trouble is, then it's MTA-specific.  Doing it in IMP makes it more portable
and IMP already does db work, knows the username of the logged in user,
and can give the user a nice error message (like my max-recipients or
dnsbl messages) when they try to send and exceed their rate limit.

Anyway, hopefully what I and others here have already done will convince
the Nigerians to move along again to a service easier to abuse.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
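The DNSBL check above, written out as an added example in Python rather than the PHP from the message (this is not IMP's code and not Jon's patch). It keeps the same technique: reverse the client's octets, query `<reversed-ip>.<zone>`, and treat the answer as a listing only when it matches the codes configured for that zone (an empty set meaning "any answer"). It adds the checks a practitioner would want around it: the zone table lives in a configuration dict instead of being hardcoded, malformed or IPv6 addresses are skipped rather than mis-reversed, and an answer outside 127.0.0.0/8 (a parked or wildcarded zone) is ignored rather than counted as a hit. The zone names and the `FAKE_ANSWERS` table are constructed placeholders; the resolver is injectable so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional, Set

# Constructed example configuration: zone -> set of return codes that count
# as a listing. An empty set means any A-record answer counts.
# Zone names are placeholders; real lists publish their own return codes.
DNSBL_CONFIG: Dict[str, Set[str]] = {
    "dnsbl.example.test": {"127.0.0.4", "127.0.0.9"},
    "combined.example.test": set(),
}

Resolver = Callable[[str], Optional[str]]


def reverse_octets(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1; rejects anything that is not a plain IPv4 address."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are handled here")
    return ".".join(reversed(ip.split(".")))


def system_resolver(name: str) -> Optional[str]:
    """Real lookup: None when there is no A record (NXDOMAIN or error)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(client_ip: str,
                config: Dict[str, Set[str]] = DNSBL_CONFIG,
                resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the first zone listing client_ip, or None if it is not listed."""
    try:
        rev = reverse_octets(client_ip)
    except ValueError:
        return None  # unparseable or IPv6: not checked rather than wrongly blocked
    for zone, listed_codes in config.items():
        answer = resolve(f"{rev}.{zone}")
        if answer is None:
            continue
        # A genuine DNSBL answer is inside 127.0.0.0/8. Anything else usually
        # means a wildcarded or expired zone, which must not block senders.
        if not answer.startswith("127."):
            continue
        if not listed_codes or answer in listed_codes:
            return zone
    return None


# Constructed answers standing in for DNS, so the example runs offline.
FAKE_ANSWERS = {
    "4.3.2.1.dnsbl.example.test": "127.0.0.9",      # listed, code we act on
    "8.7.6.5.dnsbl.example.test": "127.0.0.2",      # listed, code we ignore
    "8.7.6.5.combined.example.test": "127.0.0.2",   # any answer counts here
    "1.1.1.1.combined.example.test": "10.0.0.1",    # parked-zone garbage
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "1.1.1.1", "9.9.9.9", "not-an-ip"):
        hit = dnsbl_check(ip, resolve=fake_resolver)
        print(f"{ip}: {'listed in ' + hit if hit else 'not listed'}")
```

In the webmail layer the calling code would log the zone name with the client address, as the patch in the message does, and refuse the send; with the real `system_resolver` the same function queries DNS.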

