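def _check_helo(relay):
    """Return True when the relay's HELO is a public, literal IPv4 address.

    ``relay`` is one parsed Received-header entry (a dict); only its "helo"
    value is read.  A HELO that is missing, not a dotted-quad IPv4 literal
    (hostname, IPv6, junk), or inside a private range per the module-level
    IP_PRIVATE regex yields False.

    The HELO string is attacker-controlled, so anything that is not a
    non-empty str is treated as "no usable HELO" instead of being raised.
    """
    helo = relay.get("helo")
    if not helo or not isinstance(helo, str):
        return False
    try:
        ipaddress.IPv4Address(helo)
    except ValueError:
        # Not an IPv4 literal -> the rule is about IP-literal HELOs only.
        return False
    return not IP_PRIVATE.match(helo)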
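def check_for_sender_no_reverse(self, msg, option=None, target=None):
    """Flag a sender whose last untrusted relay had no reverse DNS for its IP.

    Looks only at the last entry of ``msg.untrusted_relays`` (the apparent
    sender).  Returns True when that relay's "rdns" contains no dotted
    hostname and its "ip" is not in a private range (IP_PRIVATE); False
    otherwise, including when there are no untrusted relays.

    The header this is meant to catch looks like::

        Received: from mx1.eudoramail.com ([204.32.147.84])

    i.e. a HELO name and an IP, but no reverse-DNS name.  Such an entry has
    an empty "rdns", so the rule must fire when "." is *absent* from it;
    the earlier ``"." not in rdns -> return False`` test had this backwards
    and never fired on the documented case.

    All values come from attacker-supplied headers and may be missing, so
    None is treated as an empty string rather than raised.
    """
    if not msg.untrusted_relays:
        return False
    srcvd = msg.untrusted_relays[-1]
    if not srcvd:
        return False
    rdns = srcvd.get("rdns") or ""
    if "." in rdns:
        # The sender resolved to a real hostname: reverse lookup exists.
        return False
    ip = srcvd.get("ip") or ""
    if IP_PRIVATE.match(ip):
        # Private/internal source addresses are not expected to have rDNS.
        return False
    return True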
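def _check_for_forged_received(self, msg):
    """Tally HELO/Received-chain inconsistencies over the untrusted relays.

    Walks ``msg.untrusted_relays`` (parsed Received headers; dicts with
    "ip", "rdns", "by" and "helo") and publishes two counters through
    ``self.set_global``:

    * "mismatch_ip_helo": relays whose HELO is an IPv4 literal lying in a
      different /16 than the connecting IP, where the HELO is neither a
      private address (IP_PRIVATE) nor identical to the IP.
    * "mismatch_from": relays whose "by" domain differs from the rDNS name
      reported by the previous relay in the list, unless
      ``self._helo_forgery_whitelisted(by_host, prev_rdns)`` allows it.

    Relays whose "by" value does not look like a hostname are skipped
    entirely.  Every field originates in attacker-controlled headers: a
    missing or malformed value contributes no mismatch and must never raise,
    because an exception here would abort the eval and let the message
    through unscored.  Returns None.
    """
    mismatch_from = 0
    mismatch_ip_helo = 0
    hostname_re = Regex(r"^\w+(?:[\w.-]+\.)+\w+$")

    def slash16(value):
        # The /16 containing an IPv4 literal, or None when value is not one
        # (hostname, IPv6, None).  IPv4Network("a.b.c.d") is a /32, so a
        # prefixlen_diff of 16 yields the enclosing /16.
        if not isinstance(value, str):
            return None
        try:
            return ipaddress.IPv4Network(value).supernet(prefixlen_diff=16)
        except ValueError:
            return None

    relays = msg.untrusted_relays
    for index, relay in enumerate(relays):
        from_ip = relay.get("ip")
        from_host = self.hostname_to_domain(relay.get("rdns"))
        by_host = self.hostname_to_domain(relay.get("by"))
        helo_host = self.hostname_to_domain(relay.get("helo"))
        if not by_host or not hostname_re.match(by_host):
            continue
        if from_host and from_ip == '127.0.0.1':
            from_host = "undef"
        self.ctxt.log.debug("eval: forged-HELO: from=%s helo=%s by=%s" % (
            from_host or "(undef)",
            helo_host or "(undef)",
            by_host or "(undef)"))

        # An IP-literal HELO far away from the real source address.
        # NOTE(review): helo_host has already been through
        # hostname_to_domain; this assumes that leaves a dotted-quad
        # untouched -- verify, otherwise this branch can never fire.
        ip_net = slash16(from_ip)
        helo_net = slash16(helo_host)
        if ip_net and helo_net and from_ip != helo_host:
            if ip_net != helo_net and not IP_PRIVATE.match(helo_host):
                self.ctxt.log.debug("eval: forged-HELO: massive mismatch "
                                    "on IP-addr HELO: %s != %s" %
                                    (helo_host, from_ip))
                mismatch_ip_helo += 1

        # The "by" of this hop should name the host the previous hop
        # reported as its rDNS.  Check the index first: relays[-1] would
        # silently wrap to the last relay for index 0.
        if index > 0:
            prev = relays[index - 1]
            prev_from_host = prev.get("rdns") if prev else None
            # Guard None: a relay with no rDNS must not raise inside match().
            if (prev_from_host
                    and hostname_re.match(prev_from_host)
                    and by_host != prev_from_host
                    and not self._helo_forgery_whitelisted(by_host,
                                                           prev_from_host)):
                self.ctxt.log.debug("eval: forged-HELO: mismatch on from: "
                                    "%s != %s" % (prev_from_host, by_host))
                mismatch_from += 1

    self.set_global("mismatch_from", mismatch_from)
    self.set_global("mismatch_ip_helo", mismatch_ip_helo)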
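def check_for_no_rdns_dotcom_helo(self, msg, option=None, target=None):
    """Flag a HELO claiming a big consumer mail domain while lacking rDNS.

    Iterates ``msg.untrusted_relays`` in list order, ignoring relays whose
    "ip" matches IP_PRIVATE or that carry no "helo".  For every remaining
    relay the verdict is recomputed from scratch, so the value returned
    describes the last such relay in the list: True when its HELO ends in
    one of the provider domains below (lycos, hotmail, excite, caramail,
    cs, aol, msn, yahoo, drizzle, plus the bogus localhost.com) and its
    "rdns" is empty; False otherwise, and False when no relay qualifies.

    The HELO is lower-cased before matching: SMTP hostnames are
    case-insensitive, and a HELO of "HOTMAIL.COM" must not slip past a
    case-sensitive pattern.  "ip" may be absent in a malformed header and
    is not handed to the regex as None.
    """
    big_isp_re = Regex(
        r".*(?:\.|^)(lycos\.com|lycos\.co\.uk|hotmail\.com"
        r"|localhost\.com|excite\.com|caramail\.com|"
        r"cs\.com|aol\.com|msn\.com|yahoo\.com|"
        r"drizzle\.com)$")
    no_rdns_dotcom_helo = False
    for relay in msg.untrusted_relays:
        ip = relay.get("ip")
        if ip and IP_PRIVATE.match(ip):
            continue
        helo_host = relay.get("helo")
        if not helo_host:
            continue
        # Each qualifying relay overrides the previous verdict (last wins).
        no_rdns_dotcom_helo = False
        if big_isp_re.match(helo_host.lower()) and not relay.get("rdns"):
            no_rdns_dotcom_helo = True
    return no_rdns_dotcom_helo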