Firewall Wizards mailing list archives

Re: regarding spam...


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 03 Apr 2002 16:18:28 +0200


Andrew Fremantle wrote:

Hmmm... This may be a stupid idea, and I expect it to get shot down, but....
DISCLAIMER : I have not done any research on this, I'm just shooting from the hip...

[pretty nice scheme of connecting back to the originating MTA to
 see if it accepts anything in the RCPT TO field]

Pretty nifty. A couple of points though:

- Some people will hate you for connecting back. Expect calls
  on odd hours from sysadmins that accuse you of being a 
  vicious hacker. 
  This is a matter of personal preference. I'd rather take
  a few angry phone calls than my current spam rate :)

- You should not reuse the "MAIL FROM", since there are mail servers 
  that allow relaying on sender domain basis. Although this is
  less than perfect, there are situations where filtering on sender
  IP is simply not practical. 
  Do your testing from a bogus sender address.

- This will not find multi-stage relays (e.g. mail goes in through 
  IP 1, and comes out through IP 2), but those are (I think) less
  common, which still makes the scheme useful.

- The TCP connect timeout can probably be lowered to 10 seconds or 
  so, which decreases the lag time substantially.

- Remember that some MTAs will accept anything in the SMTP 
  conversation. You can't determine if a host is an open
  relay just from what it says in response to "RCPT TO".

  To fix this, you can send the test mail to a trigger address
  (the same way the RBLs do) and then queue the inbound 
  e-mail for a couple of hours.
  If no trigger mail shows up, allow the inbound e-mail.

  Of course, as Andrew said, this can all be cached 
  in a white-list. The lifetimes in the black-list shouldn't
  be too long though, since admins do sometimes fix their servers.

I like it. Unless someone screams bloody murder here in the next 
few days, I think I'll implement a nice little wrapper script 
for Qmail :)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
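As an added illustration of the caching and quarantine side of the scheme discussed in the post above (this is example code written for this archive page, not anything from the thread or from Clavister): the remote probe itself is assumed to happen elsewhere, the cache only hands out the trigger token to use as the local part of the test recipient, queues inbound mail for the waiting period, and ages out black-list entries sooner than white-list ones. The trigger address form `relaytest-<token>@our.domain` is an assumption.

```python
import secrets

ALLOW, REJECT, QUEUE = "allow", "reject", "queue"

class RelayVerdictCache:
    def __init__(self, white_ttl=30 * 86400, black_ttl=3 * 86400, probe_wait=2 * 3600):
        self.white_ttl = white_ttl    # seconds a "did not relay" verdict is trusted
        self.black_ttl = black_ttl    # kept short: admins do fix their servers
        self.probe_wait = probe_wait  # how long inbound mail waits for trigger mail
        self.whitelist, self.blacklist = {}, {}  # ip -> expiry time
        self.pending = {}             # token -> [ip, deadline, queued messages]

    def _live(self, table, ip, now):
        return ip in table and table[ip] > now   # expired entries are simply ignored

    def on_inbound(self, ip, message, now):
        """Return (verdict, token); token is set only when a new probe is needed."""
        if self._live(self.whitelist, ip, now):
            return ALLOW, None
        if self._live(self.blacklist, ip, now):
            return REJECT, None
        for token, entry in self.pending.items():
            if entry[0] == ip:        # probe already in flight; queue behind it
                entry[2].append(message)
                return QUEUE, None
        token = secrets.token_hex(8)  # local part of relaytest-<token>@our.domain (assumed)
        self.pending[token] = [ip, now + self.probe_wait, [message]]
        return QUEUE, token

    def on_trigger_received(self, token, now):
        """Trigger mail showed up: the host relayed it, so blacklist and drop its queue."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None               # unknown or stale token; ignore
        ip = entry[0]
        self.whitelist.pop(ip, None)
        self.blacklist[ip] = now + self.black_ttl
        return ip

    def release_expired(self, now):
        """No trigger mail within the wait: deliver queued mail and whitelist the host."""
        released = []
        for token, (ip, deadline, msgs) in list(self.pending.items()):
            if deadline <= now:
                del self.pending[token]
                self.whitelist[ip] = now + self.white_ttl
                released.extend(msgs)
        return released
```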

