[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: rfe: automagic open relay message refusal?

Hi Benjamin,

Date sent:      	Thu, 14 Jun 2001 12:19:14 -0400 (EDT)
From:           	"Benjamin C.R. LaHaise" <blah@kvack.org>
To:             	Rik van Riel <riel@conectiva.com.br>
Copies to:      	zmailer@nic.funet.fi
Subject:        	Re: rfe: automagic open relay message refusal?

> Where connect and check involves opening an SMTP session to the remote
> server and verifying that it does not relay mail for anyone.
> Yes, this is exactly what ORBS like databases do,

Not exactly. Yes, 550 We Do Not Relay during test session is a 
sufficient negative (not-a-relay) criteria. But 250 OK is not a 
sufficient positive criteria. Both MAPS and ORBS wait for actual 
message arrival to the test recipient! For instant testing, it 
is definitely not possible. So, the proposed test is  more 
cruel... and seems, will have false positive traps. I _really_ 
know not-opened mailhosts with the described behavior ("late 
refusal"). See also "freezenet" word in Zmailer configs.

> however they are not
> trusted, nor do they catch new open mail relays. 

Yes. All this anti-spam system is a compromise. And seems, any 
radical solution will be "the medicine being worse than the 

BTW. Some other useful anti-spam filters that can be easily 
established in Postfix and hardly in Zmailer:

1. Client reverse DNS record must exist. We assume that the 
absence of reverse DNS means clear "improper network 
maintenance" aka "lazy admin" diagnosis for remote host. Seems, 
refusal should be 4xx: DNS may timeout, etc.

2. HELO greeting form must be FQDN. Typical spammer MS-Windows 
workstation says: "HELO Default", or "HELO PC". Very good 
criteria. Refusal must be 5xx without explanations.

3. HELO name must exist in DNS. NB: many legal WinNT-based 
mailservers create HELO name from real Internet domain and 
NETBIOS hostname containing underscore "_" or 8-bit chars. So, 
dangerous criteria. Refusal should be either 5xx (for formally 
improper names like nt_server.realdomain.com) or 4xx (for any 
negative DNS answer).

4. "X-Mailer:" header filtering during data receiving, then "550 
Content rejected, further input skipped". Many spam software 
authors really do not forget to advertize themself in "X-Mailer: 
Advanced Direct Remailer", etc. strings.

Any more?


Alexey Lobanov
CPR, St.Petersburg
Head, IT Department
Phone +7-812-3468247
Fax +7-501-3468248, +7-812-3271408
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi