Firewall Wizards mailing list archives
Re: regarding spam...
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 03 Apr 2002 16:18:28 +0200
Andrew Fremantle wrote:
Hmmm... This may be a stupid idea, and I expect it to get shot down, but.... DISCLAIMER : I have not done any research on this, I'm just shooting from the hip...

[pretty nice scheme of connecting back to the originating MTA to see if it accepts anything in the RCPT TO field]
Pretty nifty. A couple of points though:

- Some people will hate you for connecting back. Expect calls on odd hours from sysadmins that accuse you of being a vicious hacker. This is a matter of personal preference. I'd rather take a few angry phone calls than my current spam rate :)
- You should not reuse the "MAIL FROM", since there are mail servers that allow relaying on sender domain basis. Although this is less than perfect, there are situations where filtering on sender IP is simply not practical. Do your testing from a bogus sender address.
- This will not find multi-stage relays (e.g. mail goes in through IP 1, and comes out through IP 2), but those are (I think) less common, which still makes the scheme useful.
- The TCP connect timeout can probably be lowered to 10 seconds or so, which decreases the lag time substantially.
- Remember that some MTAs will accept anything in the SMTP conversation. You can't determine if a host is an open relay just from what it says in response to "RCPT TO". To fix this, you can send the test mail to a trigger address (the same way the RBLs do) and then queue the inbound e-mail for a couple of hours. If no trigger mail shows up, allow the inbound e-mail.

Of course, as Andrew said, this can all be cached in a white-list. The life times in the black-list shouldn't be too long though, since admins do sometimes fix their servers.

I like it. Unless someone screams bloody murder here in the next few days, I think I'll implement a nice little wrapper script for Qmail :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

"Senex semper diu dormit"
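The hold-and-cache logic discussed in the message above, sketched in Python as an added example (it is not part of the original post and not the Qmail wrapper mentioned there). The sender and trigger addresses, the cache lifetimes, the class and function names, and the choice to accept mail when the probe is refused or times out are all assumptions.

```python
import smtplib

PROBE_SENDER = "relay-probe@bogus.invalid"  # assumed bogus sender, never the inbound MAIL FROM
TRIGGER_RCPT = "trigger@example.org"        # assumed mailbox we watch for relayed probes
CONNECT_TIMEOUT = 10                        # seconds, as suggested in the message
HOLD_SECS = 2 * 3600                        # "a couple of hours" of queueing
WHITE_TTL, BLACK_TTL = 7 * 86400, 86400     # assumed lifetimes; black-list kept short

def smtp_probe(ip, token):
    """True if the peer took the trigger mail; that alone proves nothing yet."""
    body = f"Subject: relay-test {token}\r\n\r\n{token}\r\n"
    try:
        with smtplib.SMTP(ip, 25, timeout=CONNECT_TIMEOUT) as conn:
            conn.sendmail(PROBE_SENDER, [TRIGGER_RCPT], body)
        return True
    except (smtplib.SMTPException, OSError):
        return False  # refused, unreachable or timed out: nothing to wait for

class RelayCheck:
    def __init__(self, probe=smtp_probe):
        self.probe = probe
        self.cache = {}    # ip -> (verdict, expiry time)
        self.pending = {}  # ip -> (token, release time)
        self.seen = set()  # tokens that showed up at TRIGGER_RCPT

    def trigger_arrived(self, token):
        self.seen.add(token)

    def decide(self, ip, now):
        """Return 'accept', 'reject' or 'hold' for mail from ip at time now."""
        verdict, expiry = self.cache.get(ip, (None, 0))
        if verdict and now < expiry:
            return verdict                      # cached white/black-list hit
        if ip not in self.pending:
            token = f"{ip}-{int(now)}"
            if not self.probe(ip, token):
                return self._remember(ip, "accept", now + WHITE_TTL)
            self.pending[ip] = (token, now + HOLD_SECS)
            return "hold"
        token, release = self.pending[ip]
        if token not in self.seen and now < release:
            return "hold"                       # still waiting for the trigger mail
        del self.pending[ip]
        if token in self.seen:                  # probe came back: the host relays
            return self._remember(ip, "reject", now + BLACK_TTL)
        return self._remember(ip, "accept", now + WHITE_TTL)

    def _remember(self, ip, verdict, expiry):
        self.cache[ip] = (verdict, expiry)
        return verdict
```

A delivery wrapper would call `decide()` with the connecting IP and the current time for each inbound message, and call `trigger_arrived()` whenever a probe token lands in the trigger mailbox.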