Firewall Wizards mailing list archives
Re: FWTK and smap/smapd
From: Rick Murphy <rmurphy () mitretek org>
Date: Wed, 17 Jul 2002 13:07:07 -0400
At 08:51 PM 7/17/2002 +0530, Devdas Bhagat wrote:
> On 17/07/02 08:30 -0400, Rick Murphy wrote:
> <snip>
> > The important part of using a patched smap is to provide anti-relay and
> > anti-spam capabilities. The spam-rejection capabilities are pretty broad -
> > there's things I can do to block spam with smap that qmail and postfix
> > can't do.
>
> Like? Examples, lots of them (or at least one).
OK. Much of the spam I used to receive came from forged hotmail.com accounts. Very little spam actually comes from hotmail, so I don't want to just block them since there are some legitimate correspondents of mine that use their mail (heck, I use a hotmail address sometimes when I'm on the road..)
Your mail server can detect the hotmail forgery by looking at the hostname of the machine that's trying to deliver the mail to it - for hotmail, the mail is going to come from a server in the hotmail.com or msn.com domain. So, an ideal filter for hotmail forgery is to require the delivering server to have a valid reverse DNS entry, and to require that reverse DNS to match either hotmail.com or msn.com. With smap, I configure that with:
smap: verify-reverse hotmail.com:msn.com

I've a long list of similar domains that get this treatment. The selectivity of this is very important - I don't want to require all mail servers to have valid reverse DNS (or even *any* reverse DNS) - requiring reverse DNS to match for all senders has too high a rejection rate for me; allowing it to be selective (even in face of things like hotmail coming from msn) is important.
> FWIW, Postfix by default can block based on connecting IP, sender (mail from:), recipient (rcpt to), regular expressions in the body/headers,
smap can do all of the above. I don't have the patch installed that allows searching for RE's in the body, but a patch does exist.
> and if need be pass it on to a filtering program like Spamassassain/razor/procmail, and/or through an antivirus. With patches, it can do a lot more (rhsbl etc).
That's the real difference between smap/smapd and postfix - postfix is a complete mail delivery agent. Smap isn't, and so relies on something else (sendmail, postfix, etc.) for delivery. Personally, I think that's a real advantage to postfix over smap - I use what I use mostly out of inertia.
And FWIW, I'm not talking about the network here at work - I use fwtk on my home network.
-Rick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
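The selective reverse-DNS check Rick describes for `verify-reverse`, written out as an added Python example (not smap's code, and not part of the original post). The policy table, the PTR data and the resolver stub are constructed so the check runs offline; a real deployment would do a live PTR lookup for the connecting address.

```python
"""Selective reverse-DNS check in the spirit of smap's `verify-reverse`.

Only sender domains listed in the policy are required to arrive from a
host with reverse DNS, and that reverse name must fall under one of the
domains allowed for the sender. Every other sender is left alone, so
hosts with no PTR record at all are still accepted for them.
"""
import ipaddress

# Constructed policy mirroring the post's "smap: verify-reverse hotmail.com:msn.com".
# Key: envelope-sender domain. Value: reverse-DNS domains a legitimate
# delivering host for that sender may live under.
VERIFY_REVERSE = {
    "hotmail.com": ("hotmail.com", "msn.com"),
}

# Constructed PTR table standing in for the resolver (addresses are TEST-NET-1).
FAKE_PTR = {
    "192.0.2.10": "bay0-omc1-s5.bay0.hotmail.com.",   # genuine-looking hotmail relay
    "192.0.2.20": "mail-out.example.net.",             # unrelated host claiming hotmail
    "192.0.2.30": None,                                # no reverse DNS at all
}

def lookup_ptr(ip):
    """Stub resolver: return the PTR name for ip, or None if there is none."""
    return FAKE_PTR.get(str(ipaddress.ip_address(ip)))

def _under_domain(hostname, domain):
    """True if hostname equals domain or is a subdomain of it.

    The label boundary matters: a plain suffix test would let
    'evilhotmail.com' pass as 'hotmail.com'.
    """
    h = hostname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)

def check_sender(mail_from, client_ip, policy=VERIFY_REVERSE, resolver=lookup_ptr):
    """Return (accept, reason) for one MAIL FROM seen from client_ip."""
    sender_domain = mail_from.strip("<>").rsplit("@", 1)[-1].lower()
    allowed = policy.get(sender_domain)
    if allowed is None:
        return True, "sender domain not subject to verify-reverse"
    ptr = resolver(client_ip)
    if not ptr:
        return False, f"{client_ip} has no reverse DNS; required for {sender_domain}"
    if any(_under_domain(ptr, d) for d in allowed):
        return True, f"reverse DNS {ptr} matches policy for {sender_domain}"
    return False, f"reverse DNS {ptr} not under {'/'.join(allowed)}; {sender_domain} looks forged"
```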