Exempt one IP from possible SMTP attack: command=VRFY

#1 ska (Guest), 08-19-2008, 04:18 AM
Exempt one IP from possible SMTP attack: command=VRFY

Hello,

I want to do some sanity checking of email addresses.

The current algorithm is like so:

1) check mail address to contain at least one character and no control
character.
2) pass the string to localhost's MTA and call VRFY; accept on 250 and
251 replies; reject for all but 252 replies
3) for 252 replies, check the MX/A records of the host part (no
connection to the host is attempted, aka SMTP-ahead)

I maintain a persistent connection to the mail server for step 2. I
prefer using VRFY over RCPT TO, because this keeps the logs quiet and
you can easily differ between local and remote users.

I have created another instance of sendmail with anything stripped
from the mc file, except the usual stuff to process / mangle users
(virtuser, aliases, ...). There is neither a FEATURE like greet_pause,
conncontrol, ratecontrol nor a definition of
confCONNECTION_RATE_THROTTLE, confBAD_RCPT_THROTTLE; but still I get

"possible SMTP attack: command=VRFY, count=6"

in the logs. The same happens if I run

(echo ehlo localhost; sleep 1; for cnt in $(seq 0 19); do echo vrfy ....; done; sleep 1; echo quit) | sendmail -bs -C uservrfy.cf

as root on the command line.

If I grep for 5 or 6 (because of count=6) in the cf file, I just get
Timeouts, FileModes and QueueRunner options and plenty of lines of
rule sets. But there is no token "possible" in the rule sets, so I
assume that they do not trigger the message.

ska
#2 Per Hedeland (Guest), 08-23-2008, 05:37 AM
Re: Exempt one IP from possible SMTP attack: command=VRFY

In article
<18e24842-f84b-4e68-963a-c2bd73f9d051@f63g2000hsf.googlegroups.com> ska
<skg@mail.inf.fh-brs.de> writes:
>

[snip]
>
>I have created another instance of sendmail with anything stripped
>from the mc file, except the usual stuff to process / mangle users
>(virtuser, aliases, ...). There is neither a FEATURE like greet_pause,
>conncontrol, ratecontrol nor a definition of
>confCONNECTION_RATE_THROTTLE, confBAD_RCPT_THROTTLE; but still I get
>
>"possible SMTP attack: command=VRFY, count=6"
>
>in the logs. The same happens if I run
>
>(echo ehlo localhost; sleep 1; for cnt in $(seq 0 19); do echo vrfy ....; done; sleep 1; echo quit) | sendmail -bs -C uservrfy.cf
>
>as root on the command line.
>
>If I grep for 5 or 6 (because of count=6) in the cf file, I just get
>Timeouts, FileModes and QueueRunner options and plenty of lines of
>rule sets. But there is no token "possible" in the rule sets, so I
>assume that they do not trigger the message.


I don't see any question in your message... Anyway your analysis is
correct, these checks are hardwired in the source code, specifically in
calls to checksmtpattack() in srvrsmtp.c, and even more specifically:

#ifndef MAXVRFYCOMMANDS
# define MAXVRFYCOMMANDS 6 /* max VRFY/EXPN commands before slowdown */
#endif /* ! MAXVRFYCOMMANDS */

- the #ifndef allows for compile-time overriding without modifying the
actual source. And there is no provision for exempting specific SMTP
clients. But you have the source...

--Per Hedeland
per@hedeland.org
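
Because sendmail has no per-client exemption for this check, one place an exemption can live is in log triage. The following is an added example, not part of either post or of sendmail: it tallies "possible SMTP attack" lines per client and sets aside a known validator's address while still counting what was set aside. The sample lines are constructed, and the `client [ip]:` layout in front of the message is an assumption; only the message text itself appears in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). Only the text
# "possible SMTP attack: command=VRFY, count=6" is on the page; the
# "<client> [ip]:" prefix (and optional "IPv6:" tag) is an assumed layout.
SAMPLE_LOG = """\
Aug 19 04:10:01 mx sendmail[2101]: m7J8A1: localhost [127.0.0.1]: possible SMTP attack: command=VRFY, count=6
Aug 19 04:11:30 mx sendmail[2140]: m7J8B3: localhost [127.0.0.1]: possible SMTP attack: command=VRFY, count=6
Aug 19 04:12:40 mx sendmail[2150]: m7J8Ce: host.example [192.0.2.44]: possible SMTP attack: command=VRFY, count=6
Aug 19 04:12:55 mx sendmail[2152]: m7J8Cf: host.example [192.0.2.44]: possible SMTP attack: command=EXPN, count=6
Aug 19 04:13:00 mx sendmail[2151]: m7J8D0: from=<a@example.org>, size=120, nrcpts=1
Aug 19 04:14:10 mx sendmail[2160]: m7J8E2: host.example [192.0.2.44]: possible SMTP attack: command=VRFY, count=6
"""

# The bracketed sendmail[pid] field cannot match: it is not followed by
# ": possible SMTP attack".
ATTACK_RE = re.compile(
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]: possible SMTP attack: "
    r"command=(?P<cmd>\S+?), count=(?P<count>\d+)"
)


def summarize(log_text, exempt_ips=()):
    """Return (hits, suppressed).

    hits maps client IP -> {command: number of matching log lines}.
    suppressed is the number of matching lines from exempt clients, kept
    so that the exemption stays visible instead of hiding activity.
    """
    exempt = set(exempt_ips)
    hits = defaultdict(lambda: defaultdict(int))
    suppressed = 0
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m is None:
            continue  # unrelated log line
        if m["ip"] in exempt:
            suppressed += 1
            continue
        hits[m["ip"]][m["cmd"]] += 1
    return {ip: dict(cmds) for ip, cmds in hits.items()}, suppressed


if __name__ == "__main__":
    hits, suppressed = summarize(SAMPLE_LOG, exempt_ips={"127.0.0.1"})
    for ip, cmds in sorted(hits.items()):
        print(ip, cmds)
    print("lines from exempt clients:", suppressed)
```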