
Re: [cobalt-security] Formmail + RBL checking



Hello Ian,

> I have modified the standard formmail.pl script from Matts Script
> Archive to do some RBL (Relay black list ) checking.
>
> Basically, it works for me, but I am interested in some peer
> feedback.


We use that RBL module too, in our web-based email product. I had to make
similar changes to the RBL.pm module to get it working on Linux. If you want
to make your solution available to people, you can make it simpler for them
by just providing the modified module in a subdirectory of the distribution
called Mail. This still works using the Mail::RBL reference without having to
install the actual module. For this trick to work on Windows you can add the
lines:

use File::Basename;
use lib dirname(__FILE__);

Put these lines *before* your use Mail::RBL and it will then work for all
OSes, as it puts the absolute path of the current script into your @INC,
which lets stupid OSes like Windows find the Mail subdirectory.

One thing I'm not clear on - why? ;-)

RBLs are normally used to protect yourself from inbound email. You appear to
be checking the REMOTE_ADDR field to see if the IP address that someone is
viewing the page with the CGI script from is one that has an open relay on
it? Most people are likely to be coming from an ISP or an ISP's proxy server.
These are unlikely to be in RBL lists, since their dialup IP is unlikely to be
running an SMTP server, open relay or not. The other thing is that it's just
as easy to spoof your REMOTE_ADDR as it is to spoof your HTTP_REFERER.

That aside, there is one other consideration I'd mention. The more RBLs you
list, the longer it will take for the response to return, and there aren't
any timeouts in the RBL.pm code. So you do need to be careful when using
RBLs. Firstly, if any of them hangs for longer than it takes your browser to
time out, then your form-to-email won't work. Sometimes they also become
unavailable for periods of time (which has happened a bit recently); this
then means that your form-to-email becomes unusable. One more thing: make
sure that the RBLs don't include dialups as a matter of policy, e.g.
'dialups.mail-abuse.org', as then no one will be able to use the form, since
they're meant to list every ISP's IP addresses.

You could force a timeout in the code. I had to do this recently with our
live chat product, as it does DNS lookups, and if they hang (as RBLs can)
then it caused the whole product to have problems. You can use a timeout in
your code like this:

eval {
    local $SIG{'ALRM'} = sub { die "alarm\n" };  # trailing "\n" so $@ is exactly "alarm\n"
    alarm(2); # timeout is in seconds and must be an integer > 0

    # insert code here that needs a timeout on it

    alarm(0);
};
alarm(0);   # also cancel the alarm if the block died before reaching alarm(0)
if ($@) {
    if ($@ eq "alarm\n") {
        # we're in this if statement because a timeout happened
    } else {
        die $@;   # some other error inside the block; don't mistake it for a timeout
    }
}


I'm not trying to knock what you've done. I wanted to share some concerns
and experiences with using the module and some ideas that may help. If you'd
like to discuss it some more, feel free to email me offlist (but take out
the [cobalt-security] bit from the subject or I might miss it).

--
Regards,
Jonathan Michaelson
Commercial CGI Scripting, Web Hosting
Web-based Email, Homepage Creation and Live Help products
http://www.webumake.com
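The timeout idiom from the message above, applied to an actual RBL check, as an added example in Perl. This is not code from the original post, from formmail.pl, or from Mail::RBL; it uses only the core gethostbyname call rather than the module, so it runs anywhere. The zone names rbl1.example.org and rbl2.example.org and the 2-second timeout are placeholders, and 127.0.0.2 is only the conventional DNSBL test address used when no REMOTE_ADDR is set:

```perl
#!/usr/bin/perl
# Added example (not from the original post or from formmail.pl): check the
# submitting address against a list of DNSBL zones, with a per-zone timeout
# so that one hung or dead RBL cannot take the form down.  The zone names and
# the 2-second timeout are placeholders; substitute zones whose listing policy
# excludes dialup/consumer ranges.
use strict;
use warnings;
use Socket qw(inet_ntoa);

my @RBL_ZONES = qw(rbl1.example.org rbl2.example.org);   # placeholders
my $TIMEOUT   = 2;   # seconds per zone; alarm() needs an integer > 0

# Build the DNSBL query name: octets reversed, zone appended.
# 192.0.2.10 against rbl1.example.org -> 10.2.0.192.rbl1.example.org
sub rbl_query_name {
    my ($ip, $zone) = @_;
    my @octets = split /\./, $ip, -1;
    die "not a dotted-quad IPv4 address: $ip\n"
        unless @octets == 4 && !grep { !/^\d{1,3}\z/ || $_ > 255 } @octets;
    return join('.', reverse(@octets), $zone);
}

# Query one zone.  Returns ('listed', $code), ('clean', undef) or
# ('timeout', undef).  Same eval/alarm idiom as above, with two refinements:
# die with a known string so a timeout can be told apart from any other error
# raised inside the block, and cancel the alarm outside the eval as well, so
# it cannot fire later if the block died before reaching alarm(0).
sub rbl_lookup {
    my ($ip, $zone, $timeout) = @_;
    my $name = rbl_query_name($ip, $zone);
    my $packed;
    eval {
        local $SIG{ALRM} = sub { die "alarm\n" };
        alarm($timeout);
        $packed = gethostbyname($name);   # blocking resolver call
        alarm(0);
    };
    alarm(0);
    if ($@) {
        return ('timeout', undef) if $@ eq "alarm\n";
        die $@;                           # not a timeout: propagate
    }
    return defined $packed ? ('listed', inet_ntoa($packed)) : ('clean', undef);
}

# Check every zone and report hits and outages separately.  Zones that timed
# out are not treated as hits: the caller decides whether to fail open
# (deliver anyway and log the outage) or fail closed (refuse the post).
sub rbl_check {
    my ($ip, $zones, $timeout) = @_;
    my (%hits, @timeouts);
    for my $zone (@$zones) {
        my ($status, $code) = rbl_lookup($ip, $zone, $timeout);
        if    ($status eq 'listed')  { $hits{$zone} = $code }
        elsif ($status eq 'timeout') { push @timeouts, $zone }
    }
    return (\%hits, \@timeouts);
}

# In the CGI this is REMOTE_ADDR (the TCP peer address the web server saw);
# 127.0.0.2 is the conventional DNSBL test entry, used here only as a
# fallback when running from the command line.
my $ip = $ENV{REMOTE_ADDR} || '127.0.0.2';
my ($hits, $timeouts) = rbl_check($ip, \@RBL_ZONES, $TIMEOUT);

if (%$hits) {
    print "Rejected: $ip is listed in ",
          join(', ', map { "$_ ($hits->{$_})" } sort keys %$hits), "\n";
} else {
    print "Accepted: $ip is not listed",
          (@$timeouts ? " (no answer from @$timeouts, failing open)" : ''), "\n";
}
```

Two points worth noting. The example fails open on a timeout, which is the trade-off the message argues for: a form nobody can submit is worse than one that occasionally lets a junk post through, and the outage is still reported so it can be logged. And since Perl 5.8 signals are delivered between opcodes ("safe signals"), so a resolver call that blocks inside the C library may not be interrupted until that library's own retry or timeout completes; perlipc's section on deferred signals and the PERL_SIGNALS environment variable cover this, and in a CGI the web server's own script timeout is the backstop.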