1

TL;DR

How can I fool my own sendmail into thinking an email comes from a particular ip address, so that it rejects the message due to a DNSBL match?

Details:

I run my own mail server, and most spam is blocked by the DNS black lists (DNSBL) that I've added to /etc/mail/sendmail.mc like so:

dnl FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl
dnl FEATURE(`dnsbl',`b.barracudacentral.org',`"554 Rejected " $&{client_addr} " found in b.barracudacentral.org"')dnl

Today some spam came in (passing all tests), and after checking MX Toolbox and DNSBL Information could see that adding one of several DNSBLs would have blocked this particular spam.

So, I added another DNSBL, and now I want to test it by resubmitting this email to Sendmail, but therein lies the problem: it won't be coming from the right ip address, and the DNSBL won't see it as bad.

Here's the command I normally would have used:

formail -s /usr/sbin/sendmail -oi -t < testmail.mbox

Before I try to reinvent a wheel, I thought I'd ask here first. Possible ideas:

  • Is there a CLI option to sendmail for faking the source ip?
  • Maybe craft a queued message file and put it in the queue directly?
  • Perhaps set up another ip address on my machine, and send to myself with it?
  • Would an OpenVPN or SSH tunnel be a quick fix?
  • Possibly a shared library could be loaded to intercept system calls, à la LibFakeTime?
  • Dtrace looks powerful, can it alter getsockopt(2) calls like this?

Thanks!

PFudd
  • 73
  • 6
  • SMTP uses TCP connections which can't have faked IPs (short from "owning" the IP) The blocklist, as you said runs on receive, so not easy to retest. You could add that IP to your own network to test, but needs correct routing. Generally it is more work than it is worth, try to find some other test service, or just wait for spam to hit again. – NiKiZe Aug 01 '21 at 06:58
  • 1
    It turns out "owning" the IP was the solution, and as long as the IP was added on the same host as sendmail, routing is automatic. That being said, I'm not sure if I'd want to try it with Docker or some other virtual machine, as routing gets really hairy there. – PFudd Aug 03 '21 at 01:55

1 Answers1

1

After sleeping on it, the solution ended up being trivial:

ssh my-mail-server

# Add 1.2.3.4 as an alias (eth1:0) to interface eth1:
sudo ifconfig eth1:0 1.2.3.4 netmask 255.255.255.255

# Use 1.2.3.4 as the source ip, connect to port 25 on the local host:
nc -s 1.2.3.4 0.0.0.0 25

HELO 1.2.3.4
MAIL FROM: yoda@the-force.com
RCPT TO: me@earth.com
DATA
Subject: is this really from 1.2.3.4?

Test from 1.2.3.4
.
QUIT
^C

# Deleting 1.2.3.4 from eth1:
sudo ifconfig eth1:0 0.0.0.0

Voilà, the resulting header:

Return-Path: <yoda@the-force.com>
Received: from 1.2.3.4 ([1.2.3.4] (may be forged))
    by earth.com (8.15.2/8.15.2) with SMTP id 1731SlYY013775
    for <me@earth.com>; Mon, 2 Aug 2021 18:29:14 -0700
Authentication-Results:the-force.com; dkim=permerror (bad message/signature format)
Date: Mon, 2 Aug 2021 18:28:47 -0700
From: <yoda@the-force.com>
Message-Id: <202108030129.1731SlYY013775@earth.com>
Subject: Test subject

It also revealed that the ip address was not being blocked (DNSBL not working?), so in that sense, the test was a success. :-/

Update: D'oh! The lines in sendmail.mc should be like this instead:

FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl
FEATURE(`dnsbl',`b.barracudacentral.org',`"554 Rejected " $&{client_addr} " found in b.barracudacentral.org"')dnl

In other words, the 'dnl' on the front was commenting-out all of the DNSBL lines. :-(

Aaaaand this is why we test, ladies and gentlemen.

PFudd
  • 73
  • 6