RE: Mail relay question

["Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>]

> -->-----Original Message-----
> -->From: listbounce () securityfocus com
> -->[mailto:listbounce () securityfocus com] On Behalf Of 0x90
> -->Sent: Friday, February 22, 2008 1:08 PM
> -->To: security-basics () securityfocus com
> -->Subject: Re: Mail relay question
> -->
> -->
> -->> The amount alone is huge I think when I am only hosting my wife
and
> -->myself
> -->> (as well as the
> -->> usual abuse etc. contacts).
> -->> I am worried that my home is an open relay in a manner I have not
> -->found.
> -->
> -->Getting a lot of spam, and being an open relay do not have much to
do
> -->with
> -->each other.

I should have been more clear, I consider it spam due to my leaning
towards not being open to relay.
The vast majority of the spam appears to be returned email because the
destination domain doesn't have a recipient for the email.
The (spoofed) originator of the returned email is giberish or random
names @myhomedomain.com

> -->PS: You are most likely NOT an open relay, otherwise you would be on
> -->RBL's,
> -->and you'd have a problem trying to deliver emails anywhere.
> -->
> -->
> -->> Then I learn that via telnet I can send email from mydomain.com to
> -->> mydomain.com and have it
> -->> delivered even when the telnet session is from a public IP.
> -->
> -->
> -->That's how it all works. If you couldn't do that, you wouldn't get
> -->any
> -->emails. They arrive from public IP's (mailservers, etc) to your mail
> -->server,
> -->with the destination address ending with this 'mydomain.com'.

I guess knowing the little I do about email mechanisms I don't
understand why the IP of the connecting client can craft an email FROM a
domain the IP does not resolve to?

> -->
> -->
> -->> So, I am a little fuzzy on what it is I am trying to learn here,
> -->but:
> -->> 1. Would you think 5000 emails a month with maybe 200 valid emails
> -->is
> -->> normal in a
> -->> home/family type setup?
> -->
> -->Yes. This depends on many things, such as you and your wife giving
> -->out your
> -->addresses on websites, having contacts that are infected with
> -->spy/spamware,
> -->predictability or the username part, number of aliases that point to
> -->the
> -->same mailbox, what filtering mechanisms you have to reject emails
> -->before
> -->they are even sent (RBL, rdns verification, etc).
> -->

Makes sense, I have three domain names pointing home. The one behind 95%
or so of the spam is one I have yet to really do anything with.
Maybe it used to belong to someone else? But that would make the emails
more specific to past owner I would think....

> -->
> -->> 2. Is mail always accepted and relayed when the sender and
> -->recipient
> -->> domain is the same?
> -->> (This is without sender authentication configured or capability).
> -->
> -->
> -->To put it simple, mail is accepted if 1) you send from a trusted
> -->source
> -->(like your home internal ip's, localhost, whatever else you
> -->configured), 2)
> -->the destination domain is handled on your server (mydomain.com).
> -->
> -->
> -->> a. If yes, what is to stop an angry neighbor on his vacation to
> -->China from
> -->> sending a nasty email
> -->> from me to my wife? (In this unsecure setup).
> -->
> -->
> -->Anybody can spoof any source address. There's nothing you can do
> -->about it.
> -->From the headers you would see the originating chinese IP.
> -->
> -->
> -->> b. My gateway at home (Smoothwall using DSPAM/SEMF? mod) only
> -->accepts the
> -->> initial
> -->> HELO if followed by connecting domain name (HELO domain.com) So
how
> -->come I
> -->> can
> -->> connect from domainx.com and send email from domainy.com to
> -->domainy.com?
> -->
> -->HELO is irrelevant. MAIL FROM and RCPT TO are the source/destination
> -->addresses, and the From: and To: headers are taken into account in
> -->your
> -->email client. Google SMTP RFC? ;)
> -->
> -->> c. What can I do to remove this risk?
> -->
> -->
> -->What risk.

Depends, my thought was that my wife will trust anything sent to her as
long as it appears to come from me.
But after your post I am guessing that the email is subject to the same
spam/AV etc. mechanisms as everything else. (duh right)...

> -->
> -->
> -->> 3. Any recommendations on a free mail gateway solution?
> -->SpamAssassin?
> -->> ClamAV? My goal
> -->> is to migrate away from Exchange 2003. I have been wanting to try
> -->Zimbra
> -->> for mail server but
> -->> would like a good mail gateway in the DMZ instead of hosted by the
> -->> firewall.
> -->
> -->
> -->Whatever you have, if you properly configure it you should be ok. I
> -->vote for
> -->postfix. But it's a matter of taste.
> -->
> -->0x90
> -->http://hax.tor.hu/
> -->


Thank you for the information

Nick

This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, 
confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby 
notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in 
reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please 
notify the sender that this message was received in error and then delete this message.
Thank you.