line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# <@LICENSE> |
2
|
|
|
|
|
|
|
# Licensed to the Apache Software Foundation (ASF) under one or more |
3
|
|
|
|
|
|
|
# contributor license agreements. See the NOTICE file distributed with |
4
|
|
|
|
|
|
|
# this work for additional information regarding copyright ownership. |
5
|
|
|
|
|
|
|
# The ASF licenses this file to you under the Apache License, Version 2.0 |
6
|
|
|
|
|
|
|
# (the "License"); you may not use this file except in compliance with |
7
|
|
|
|
|
|
|
# the License. You may obtain a copy of the License at: |
8
|
|
|
|
|
|
|
# |
9
|
|
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0 |
10
|
|
|
|
|
|
|
# |
11
|
|
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software |
12
|
|
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, |
13
|
|
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14
|
|
|
|
|
|
|
# See the License for the specific language governing permissions and |
15
|
|
|
|
|
|
|
# limitations under the License. |
16
|
|
|
|
|
|
|
# </@LICENSE> |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
use Mail::SpamAssassin::Plugin; |
20
|
22
|
|
|
22
|
|
161
|
use Mail::SpamAssassin::Logger; |
|
22
|
|
|
|
|
44
|
|
|
22
|
|
|
|
|
607
|
|
21
|
22
|
|
|
22
|
|
115
|
use Mail::SpamAssassin::Constants qw(:ip); |
|
22
|
|
|
|
|
49
|
|
|
22
|
|
|
|
|
1291
|
|
22
|
22
|
|
|
22
|
|
146
|
|
|
22
|
|
|
|
|
46
|
|
|
22
|
|
|
|
|
2538
|
|
23
|
|
|
|
|
|
|
use strict; |
24
|
22
|
|
|
22
|
|
143
|
use warnings; |
|
22
|
|
|
|
|
42
|
|
|
22
|
|
|
|
|
524
|
|
25
|
22
|
|
|
22
|
|
121
|
# use bytes; |
|
22
|
|
|
|
|
48
|
|
|
22
|
|
|
|
|
726
|
|
26
|
|
|
|
|
|
|
use re 'taint'; |
27
|
22
|
|
|
22
|
|
120
|
|
|
22
|
|
|
|
|
43
|
|
|
22
|
|
|
|
|
47702
|
|
28
|
|
|
|
|
|
|
our @ISA = qw(Mail::SpamAssassin::Plugin); |
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
# constructor: register the eval rule |
31
|
|
|
|
|
|
|
my $class = shift; |
32
|
|
|
|
|
|
|
my $mailsaobject = shift; |
33
|
63
|
|
|
63
|
1
|
208
|
|
34
|
63
|
|
|
|
|
128
|
# some boilerplate... |
35
|
|
|
|
|
|
|
$class = ref($class) || $class; |
36
|
|
|
|
|
|
|
my $self = $class->SUPER::new($mailsaobject); |
37
|
63
|
|
33
|
|
|
398
|
bless ($self, $class); |
38
|
63
|
|
|
|
|
324
|
|
39
|
63
|
|
|
|
|
164
|
# the important bit! |
40
|
|
|
|
|
|
|
$self->register_eval_rule("check_for_numeric_helo"); |
41
|
|
|
|
|
|
|
$self->register_eval_rule("check_for_illegal_ip"); |
42
|
63
|
|
|
|
|
272
|
$self->register_eval_rule("check_all_trusted"); |
43
|
63
|
|
|
|
|
201
|
$self->register_eval_rule("check_no_relays"); |
44
|
63
|
|
|
|
|
203
|
$self->register_eval_rule("check_relays_unparseable"); |
45
|
63
|
|
|
|
|
187
|
$self->register_eval_rule("check_for_sender_no_reverse"); |
46
|
63
|
|
|
|
|
180
|
$self->register_eval_rule("check_for_from_domain_in_received_headers"); |
47
|
63
|
|
|
|
|
171
|
$self->register_eval_rule("check_for_forged_received_trail"); |
48
|
63
|
|
|
|
|
211
|
$self->register_eval_rule("check_for_forged_received_ip_helo"); |
49
|
63
|
|
|
|
|
195
|
$self->register_eval_rule("helo_ip_mismatch"); |
50
|
63
|
|
|
|
|
184
|
$self->register_eval_rule("check_for_no_rdns_dotcom_helo"); |
51
|
63
|
|
|
|
|
184
|
|
52
|
63
|
|
|
|
|
184
|
return $self; |
53
|
|
|
|
|
|
|
} |
54
|
63
|
|
|
|
|
493
|
|
55
|
|
|
|
|
|
|
# tvd: why isn't this just RegistrarBoundaries ? |
56
|
|
|
|
|
|
|
my ($hostname) = @_; |
57
|
|
|
|
|
|
|
|
58
|
|
|
|
|
|
|
if ($hostname !~ /[a-zA-Z]/) { return $hostname; } # IP address |
59
|
0
|
|
|
0
|
0
|
|
|
60
|
|
|
|
|
|
|
my @parts = split(/\./, $hostname); |
61
|
0
|
0
|
|
|
|
|
if (@parts > 1 && $parts[-1] =~ /(?:\S{3,}|ie|fr|de)/) { |
|
0
|
|
|
|
|
|
|
62
|
|
|
|
|
|
|
return join('.', @parts[-2..-1]); |
63
|
0
|
|
|
|
|
|
} |
64
|
0
|
0
|
0
|
|
|
|
elsif (@parts > 2) { |
|
|
0
|
|
|
|
|
|
65
|
0
|
|
|
|
|
|
return join('.', @parts[-3..-1]); |
66
|
|
|
|
|
|
|
} |
67
|
|
|
|
|
|
|
else { |
68
|
0
|
|
|
|
|
|
return $hostname; |
69
|
|
|
|
|
|
|
} |
70
|
|
|
|
|
|
|
} |
71
|
0
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
my ($helo, $rdns) = @_; |
73
|
|
|
|
|
|
|
if ($helo eq 'msn.com' && $rdns eq 'hotmail.com') { return 1; } |
74
|
|
|
|
|
|
|
0; |
75
|
|
|
|
|
|
|
} |
76
|
0
|
|
|
0
|
|
|
|
77
|
0
|
0
|
0
|
|
|
|
my ($self, $pms) = @_; |
|
0
|
|
|
|
|
|
|
78
|
0
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
my $rcvd = $pms->{relays_untrusted_str}; |
80
|
|
|
|
|
|
|
|
81
|
|
|
|
|
|
|
if ($rcvd) { |
82
|
0
|
|
|
0
|
0
|
|
my $IP_ADDRESS = IPV4_ADDRESS; |
83
|
|
|
|
|
|
|
my $IP_PRIVATE = IP_PRIVATE; |
84
|
0
|
|
|
|
|
|
local $1; |
85
|
|
|
|
|
|
|
# no re "strict"; # since perl 5.21.8: Ranges of ASCII printables... |
86
|
0
|
0
|
|
|
|
|
if ($rcvd =~ /\bhelo=($IP_ADDRESS)(?=[\000-\040,;\[()<>]|\z)/i # Bug 5878 |
87
|
0
|
|
|
|
|
|
&& $1 !~ /$IP_PRIVATE/) { |
88
|
0
|
|
|
|
|
|
return 1; |
89
|
0
|
|
|
|
|
|
} |
90
|
|
|
|
|
|
|
} |
91
|
0
|
0
|
0
|
|
|
|
return 0; |
92
|
|
|
|
|
|
|
} |
93
|
0
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
95
|
|
|
|
|
|
|
# Bug 6295, no longer in use, kept for compatibility with old rules |
96
|
0
|
|
|
|
|
|
dbg('eval: the "check_for_illegal_ip" eval rule no longer available, '. |
97
|
|
|
|
|
|
|
'please update your rules'); |
98
|
|
|
|
|
|
|
return 0; |
99
|
|
|
|
|
|
|
} |
100
|
0
|
|
|
0
|
0
|
|
|
101
|
|
|
|
|
|
|
# note using IPv4 addresses for now due to empty strings matching IP_ADDRESS |
102
|
0
|
|
|
|
|
|
# due to bug in pure IPv6 address regular expression |
103
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
104
|
0
|
|
|
|
|
|
my $IP_ADDRESS = IPV4_ADDRESS; |
105
|
|
|
|
|
|
|
my $IP_PRIVATE = IP_PRIVATE; |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
for my $relay (@{$pms->{relays_untrusted}}) { |
108
|
|
|
|
|
|
|
# is HELO usable? |
109
|
|
|
|
|
|
|
next unless ($relay->{helo} =~ m/^$IP_ADDRESS$/ && |
110
|
0
|
|
|
0
|
0
|
|
$relay->{helo} !~ /$IP_PRIVATE/); |
111
|
0
|
|
|
|
|
|
# compare HELO with IP |
112
|
0
|
|
|
|
|
|
return 1 if ($relay->{ip} =~ m/^$IP_ADDRESS$/ && |
113
|
|
|
|
|
|
|
$relay->{ip} !~ m/$IP_PRIVATE/ && |
114
|
0
|
|
|
|
|
|
$relay->{helo} ne $relay->{ip} && |
|
0
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
# different IP is okay if in same /24 |
116
|
|
|
|
|
|
|
$relay->{helo} =~ /^(\d+\.\d+\.\d+\.)/ && |
117
|
0
|
0
|
0
|
|
|
|
index($relay->{ip}, $1) != 0); |
118
|
|
|
|
|
|
|
} |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
0; |
121
|
|
|
|
|
|
|
} |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
########################################################################### |
124
|
0
|
0
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
125
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
126
|
|
|
|
|
|
|
return $pms->{num_relays_trusted} |
127
|
0
|
|
|
|
|
|
&& !$pms->{num_relays_untrusted} |
128
|
|
|
|
|
|
|
&& !$pms->{num_relays_unparseable}; |
129
|
|
|
|
|
|
|
} |
130
|
|
|
|
|
|
|
|
131
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
132
|
|
|
|
|
|
|
return !$pms->{num_relays_trusted} |
133
|
0
|
|
|
0
|
0
|
|
&& !$pms->{num_relays_untrusted} |
134
|
|
|
|
|
|
|
&& !$pms->{num_relays_unparseable}; |
135
|
|
|
|
|
|
|
} |
136
|
0
|
|
0
|
|
|
|
|
137
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
138
|
|
|
|
|
|
|
return $pms->{num_relays_unparseable}; |
139
|
|
|
|
|
|
|
} |
140
|
0
|
|
|
0
|
0
|
|
|
141
|
|
|
|
|
|
|
# Check if the apparent sender (in the last received header) had |
142
|
|
|
|
|
|
|
# no reverse lookup for it's IP |
143
|
0
|
|
0
|
|
|
|
# |
144
|
|
|
|
|
|
|
# Look for headers like: |
145
|
|
|
|
|
|
|
# |
146
|
|
|
|
|
|
|
# Received: from mx1.eudoramail.com ([204.32.147.84]) |
147
|
0
|
|
|
0
|
0
|
|
my ($self, $pms) = @_; |
148
|
0
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
# Sender received header is the last in the sequence |
150
|
|
|
|
|
|
|
my $srcvd = $pms->{relays_untrusted}-> |
151
|
|
|
|
|
|
|
[$pms->{num_relays_untrusted} - 1]; |
152
|
|
|
|
|
|
|
|
153
|
|
|
|
|
|
|
return 0 unless (defined $srcvd); |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
# Ignore if the from host is domainless (has no dot) |
156
|
|
|
|
|
|
|
return 0 unless ($srcvd->{rdns} =~ /\./); |
157
|
|
|
|
|
|
|
|
158
|
0
|
|
|
0
|
0
|
|
# Ignore if the from host is from a private IP range |
159
|
|
|
|
|
|
|
return 0 if ($srcvd->{ip_private}); |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
return 1; |
162
|
0
|
|
|
|
|
|
} # check_for_sender_no_reverse() |
163
|
|
|
|
|
|
|
|
164
|
0
|
0
|
|
|
|
|
#Received: from dragnet.sjc.ebay.com (dragnet.sjc.ebay.com [10.6.21.14]) |
165
|
|
|
|
|
|
|
# by bashir.ebay.com (8.10.2/8.10.2) with SMTP id g29JpwB10940 |
166
|
|
|
|
|
|
|
# for <rod@begbie.com>; Sat, 9 Mar 2002 11:51:58 -0800 |
167
|
0
|
0
|
|
|
|
|
|
168
|
|
|
|
|
|
|
my ($self, $pms, $domain, $desired) = @_; |
169
|
|
|
|
|
|
|
|
170
|
0
|
0
|
|
|
|
|
if (exists $pms->{from_domain_in_received}) { |
171
|
|
|
|
|
|
|
if (exists $pms->{from_domain_in_received}->{$domain}) { |
172
|
0
|
|
|
|
|
|
if ($desired eq 'true') { |
173
|
|
|
|
|
|
|
# See use of '0e0' below for why we force int() here: |
174
|
|
|
|
|
|
|
return int($pms->{from_domain_in_received}->{$domain}); |
175
|
|
|
|
|
|
|
} |
176
|
|
|
|
|
|
|
else { |
177
|
|
|
|
|
|
|
# And why we deliberately do NOT use integers here: |
178
|
|
|
|
|
|
|
return !$pms->{from_domain_in_received}->{$domain}; |
179
|
|
|
|
|
|
|
} |
180
|
0
|
|
|
0
|
0
|
|
} |
181
|
|
|
|
|
|
|
} else { |
182
|
0
|
0
|
|
|
|
|
$pms->{from_domain_in_received} = {}; |
183
|
0
|
0
|
|
|
|
|
} |
184
|
0
|
0
|
|
|
|
|
|
185
|
|
|
|
|
|
|
my $from = $pms->get('From:addr'); |
186
|
0
|
|
|
|
|
|
if ($from !~ /\b\Q$domain\E/i) { |
187
|
|
|
|
|
|
|
# '0e0' is Perl idiom for "true but zero": |
188
|
|
|
|
|
|
|
$pms->{from_domain_in_received}->{$domain} = '0e0'; |
189
|
|
|
|
|
|
|
return 0; |
190
|
0
|
|
|
|
|
|
} |
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
my $rcvd = $pms->{relays_trusted_str}."\n".$pms->{relays_untrusted_str}; |
193
|
|
|
|
|
|
|
|
194
|
0
|
|
|
|
|
|
if ($rcvd =~ / rdns=\S*\b${domain} [^\]]*by=\S*\b${domain} /) { |
195
|
|
|
|
|
|
|
$pms->{from_domain_in_received}->{$domain} = 1; |
196
|
|
|
|
|
|
|
return ($desired eq 'true'); |
197
|
0
|
|
|
|
|
|
} |
198
|
0
|
0
|
|
|
|
|
|
199
|
|
|
|
|
|
|
$pms->{from_domain_in_received}->{$domain} = 0; |
200
|
0
|
|
|
|
|
|
return ($desired ne 'true'); |
201
|
0
|
|
|
|
|
|
} |
202
|
|
|
|
|
|
|
|
203
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
204
|
0
|
|
|
|
|
|
if (!exists $pms->{no_rdns_dotcom_helo}) { $self->_check_received_helos($pms); } |
205
|
|
|
|
|
|
|
return $pms->{no_rdns_dotcom_helo}; |
206
|
0
|
0
|
|
|
|
|
} |
207
|
0
|
|
|
|
|
|
|
208
|
0
|
|
|
|
|
|
# Bug 1133 |
209
|
|
|
|
|
|
|
|
210
|
|
|
|
|
|
|
# Some spammers will, through HELO, tell the server that their machine |
211
|
0
|
|
|
|
|
|
# name *is* the relay; don't know why. An example: |
212
|
0
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
# from mail1.mailwizards.com (m448-mp1.cvx1-b.col.dial.ntli.net |
214
|
|
|
|
|
|
|
# [213.107.233.192]) |
215
|
|
|
|
|
|
|
# by mail1.mailwizards.com |
216
|
0
|
|
|
0
|
0
|
|
|
217
|
0
|
0
|
|
|
|
|
# When this occurs for real, the from name and HELO name will be the |
|
0
|
|
|
|
|
|
|
218
|
0
|
|
|
|
|
|
# same, unless the "helo" name is localhost, or the from and by hostsnames |
219
|
|
|
|
|
|
|
# themselves are localhost |
220
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
221
|
|
|
|
|
|
|
|
222
|
|
|
|
|
|
|
for (my $i = 0; $i < $pms->{num_relays_untrusted}; $i++) { |
223
|
|
|
|
|
|
|
my $rcvd = $pms->{relays_untrusted}->[$i]; |
224
|
|
|
|
|
|
|
|
225
|
|
|
|
|
|
|
# Ignore where IP is in private IP space |
226
|
|
|
|
|
|
|
next if ($rcvd->{ip_private}); |
227
|
|
|
|
|
|
|
|
228
|
|
|
|
|
|
|
my $from_host = $rcvd->{rdns}; |
229
|
|
|
|
|
|
|
my $helo_host = $rcvd->{helo}; |
230
|
|
|
|
|
|
|
my $by_host = $rcvd->{by}; |
231
|
|
|
|
|
|
|
my $no_rdns = $rcvd->{no_reverse_dns}; |
232
|
|
|
|
|
|
|
|
233
|
|
|
|
|
|
|
next unless defined($helo_host); |
234
|
0
|
|
|
0
|
|
|
|
235
|
|
|
|
|
|
|
# Check for a faked dotcom HELO, e.g. |
236
|
0
|
|
|
|
|
|
# Received: from mx02.hotmail.com (www.sucasita.com.mx [148.223.251.99])... |
237
|
0
|
|
|
|
|
|
# this can be a stronger spamsign than the normal case, since the |
238
|
|
|
|
|
|
|
# big dotcoms don't screw up their rDNS normally ;), so less FPs. |
239
|
|
|
|
|
|
|
# Since spammers like sending out their mails from the dotcoms (esp. |
240
|
0
|
0
|
|
|
|
|
# hotmail and AOL) this will catch those forgeries. |
241
|
|
|
|
|
|
|
# |
242
|
0
|
|
|
|
|
|
# allow stuff before the dot-com for both from-name and HELO-name, |
243
|
0
|
|
|
|
|
|
# so HELO="outgoing.aol.com" and from="mx34853495.mx.aol.com" works OK. |
244
|
0
|
|
|
|
|
|
# |
245
|
0
|
|
|
|
|
|
$pms->{no_rdns_dotcom_helo} = 0; |
246
|
|
|
|
|
|
|
if ($helo_host =~ /(?:\.|^)(lycos\.com|lycos\.co\.uk|hotmail\.com |
247
|
0
|
0
|
|
|
|
|
|localhost\.com|excite\.com|caramail\.com |
248
|
|
|
|
|
|
|
|cs\.com|aol\.com|msn\.com|yahoo\.com|drizzle\.com)$/ix) |
249
|
|
|
|
|
|
|
{ |
250
|
|
|
|
|
|
|
my $dom = $1; |
251
|
|
|
|
|
|
|
|
252
|
|
|
|
|
|
|
# ok, let's catch the case where there's *no* reverse DNS there either |
253
|
|
|
|
|
|
|
if ($no_rdns) { |
254
|
|
|
|
|
|
|
dbg2("eval: Received: no rDNS for dotcom HELO: from=$from_host HELO=$helo_host"); |
255
|
|
|
|
|
|
|
$pms->{no_rdns_dotcom_helo} = 1; |
256
|
|
|
|
|
|
|
} |
257
|
|
|
|
|
|
|
} |
258
|
|
|
|
|
|
|
} |
259
|
0
|
|
|
|
|
|
} # _check_received_helos() |
260
|
0
|
0
|
|
|
|
|
|
261
|
|
|
|
|
|
|
# FORGED_RCVD_TRAIL |
262
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
263
|
|
|
|
|
|
|
$self->_check_for_forged_received($pms) unless exists $pms->{mismatch_from}; |
264
|
0
|
|
|
|
|
|
return ($pms->{mismatch_from} > 1); |
265
|
|
|
|
|
|
|
} |
266
|
|
|
|
|
|
|
|
267
|
0
|
0
|
|
|
|
|
# FORGED_RCVD_IP_HELO |
268
|
0
|
|
|
|
|
|
my ($self, $pms) = @_; |
269
|
0
|
|
|
|
|
|
$self->_check_for_forged_received($pms) unless exists $pms->{mismatch_ip_helo}; |
270
|
|
|
|
|
|
|
return ($pms->{mismatch_ip_helo} > 0); |
271
|
|
|
|
|
|
|
} |
272
|
|
|
|
|
|
|
|
273
|
|
|
|
|
|
|
my ($self, $pms) = @_; |
274
|
|
|
|
|
|
|
|
275
|
|
|
|
|
|
|
$pms->{mismatch_from} = 0; |
276
|
|
|
|
|
|
|
$pms->{mismatch_ip_helo} = 0; |
277
|
0
|
|
|
0
|
0
|
|
|
278
|
0
|
0
|
|
|
|
|
my $IP_PRIVATE = IP_PRIVATE; |
279
|
0
|
|
|
|
|
|
|
280
|
|
|
|
|
|
|
my @fromip = map { $_->{ip} } @{$pms->{relays_untrusted}}; |
281
|
|
|
|
|
|
|
# just pick up domains for these |
282
|
|
|
|
|
|
|
my @by = map { |
283
|
|
|
|
|
|
|
hostname_to_domain ($_->{lc_by}); |
284
|
0
|
|
|
0
|
0
|
|
} @{$pms->{relays_untrusted}}; |
285
|
0
|
0
|
|
|
|
|
my @from = map { |
286
|
0
|
|
|
|
|
|
hostname_to_domain ($_->{lc_rdns}); |
287
|
|
|
|
|
|
|
} @{$pms->{relays_untrusted}}; |
288
|
|
|
|
|
|
|
my @helo = map { |
289
|
|
|
|
|
|
|
hostname_to_domain ($_->{lc_helo}); |
290
|
0
|
|
|
0
|
|
|
} @{$pms->{relays_untrusted}}; |
291
|
|
|
|
|
|
|
|
292
|
0
|
|
|
|
|
|
for (my $i = 0; $i < $pms->{num_relays_untrusted}; $i++) { |
293
|
0
|
|
|
|
|
|
next if (!defined $by[$i] || $by[$i] !~ /^\w+(?:[\w.-]+\.)+\w+$/); |
294
|
|
|
|
|
|
|
|
295
|
0
|
|
|
|
|
|
if (defined ($from[$i]) && defined($fromip[$i])) { |
296
|
|
|
|
|
|
|
if ($from[$i] =~ /^localhost(?:\.localdomain)?$/) { |
297
|
0
|
|
|
|
|
|
if ($fromip[$i] eq '127.0.0.1') { |
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
298
|
|
|
|
|
|
|
# valid: bouncing around inside 1 machine, via the localhost |
299
|
|
|
|
|
|
|
# interface (freshmeat newsletter does this). TODO: this |
300
|
0
|
|
|
|
|
|
# may be obsolete, I think we do this in Received.pm anyway |
301
|
0
|
|
|
|
|
|
$from[$i] = undef; |
|
0
|
|
|
|
|
|
|
302
|
|
|
|
|
|
|
} |
303
|
0
|
|
|
|
|
|
} |
304
|
0
|
|
|
|
|
|
} |
|
0
|
|
|
|
|
|
|
305
|
|
|
|
|
|
|
|
306
|
0
|
|
|
|
|
|
my $frm = $from[$i]; |
307
|
0
|
|
|
|
|
|
my $hlo = $helo[$i]; |
|
0
|
|
|
|
|
|
|
308
|
|
|
|
|
|
|
my $by = $by[$i]; |
309
|
0
|
|
|
|
|
|
|
310
|
0
|
0
|
0
|
|
|
|
dbg2("eval: forged-HELO: from=".(defined $frm ? $frm : "(undef)"). |
311
|
|
|
|
|
|
|
" helo=".(defined $hlo ? $hlo : "(undef)"). |
312
|
0
|
0
|
0
|
|
|
|
" by=".(defined $by ? $by : "(undef)")); |
313
|
0
|
0
|
|
|
|
|
|
314
|
0
|
0
|
|
|
|
|
# note: this code won't catch IP-address HELOs, but we already have |
315
|
|
|
|
|
|
|
# a separate rule for that anyway. |
316
|
|
|
|
|
|
|
|
317
|
|
|
|
|
|
|
next unless ($by =~ /^\w+(?:[\w.-]+\.)+\w+$/); |
318
|
0
|
|
|
|
|
|
|
319
|
|
|
|
|
|
|
my $fip = $fromip[$i]; |
320
|
|
|
|
|
|
|
|
321
|
|
|
|
|
|
|
if (defined($hlo) && defined($fip)) { |
322
|
|
|
|
|
|
|
if ($hlo =~ /^\d+\.\d+\.\d+\.\d+$/ |
323
|
0
|
|
|
|
|
|
&& $fip =~ /^\d+\.\d+\.\d+\.\d+$/ |
324
|
0
|
|
|
|
|
|
&& $fip ne $hlo) |
325
|
0
|
|
|
|
|
|
{ |
326
|
|
|
|
|
|
|
$hlo =~ /^(\d+\.\d+)\.\d+\.\d+$/; my $hclassb = $1; |
327
|
0
|
0
|
|
|
|
|
$fip =~ /^(\d+\.\d+)\.\d+\.\d+$/; my $fclassb = $1; |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
328
|
|
|
|
|
|
|
|
329
|
|
|
|
|
|
|
# allow private IP addrs here, could be a legit screwup |
330
|
|
|
|
|
|
|
if ($hclassb && $fclassb && |
331
|
|
|
|
|
|
|
$hclassb ne $fclassb && |
332
|
|
|
|
|
|
|
!($hlo =~ /$IP_PRIVATE/o)) |
333
|
|
|
|
|
|
|
{ |
334
|
0
|
0
|
|
|
|
|
dbg2("eval: forged-HELO: massive mismatch on IP-addr HELO: '$hlo' != '$fip'"); |
335
|
|
|
|
|
|
|
$pms->{mismatch_ip_helo}++; |
336
|
0
|
|
|
|
|
|
} |
337
|
|
|
|
|
|
|
} |
338
|
0
|
0
|
0
|
|
|
|
} |
339
|
0
|
0
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
340
|
|
|
|
|
|
|
my $prev = $from[$i-1]; |
341
|
|
|
|
|
|
|
if (defined($prev) && $i > 0 |
342
|
|
|
|
|
|
|
&& $prev =~ /^\w+(?:[\w.-]+\.)+\w+$/ |
343
|
0
|
|
|
|
|
|
&& $by ne $prev && !_helo_forgery_whitelisted($by, $prev)) |
|
0
|
|
|
|
|
|
|
344
|
0
|
|
|
|
|
|
{ |
|
0
|
|
|
|
|
|
|
345
|
|
|
|
|
|
|
dbg2("eval: forged-HELO: mismatch on from: '$prev' != '$by'"); |
346
|
|
|
|
|
|
|
$pms->{mismatch_from}++; |
347
|
0
|
0
|
0
|
|
|
|
} |
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
348
|
|
|
|
|
|
|
} |
349
|
|
|
|
|
|
|
} |
350
|
|
|
|
|
|
|
|
351
|
0
|
|
|
|
|
|
########################################################################### |
352
|
0
|
|
|
|
|
|
|
353
|
|
|
|
|
|
|
# support eval-test verbose debugs using "-Deval" |
354
|
|
|
|
|
|
|
if (would_log('dbg', 'eval') == 2) { |
355
|
|
|
|
|
|
|
dbg(@_); |
356
|
|
|
|
|
|
|
} |
357
|
0
|
|
|
|
|
|
} |
358
|
0
|
0
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
359
|
|
|
|
|
|
|
1; |