
Re: smtpserver router subdaemon



On Tue, Apr 13, 2004 at 06:13:56PM +0300, Andrey Blochintsev wrote:
> Hi!
> 
> On Tue, Apr 13, 2004 at 17:55 +0400, Eugene Crosser wrote:
....
> > > The story here is somewhat more complicated.
> > > For the "ratelimitmsgs" to work, the "always_accept" flag testing
> > > must be moved onwards - a lot.
> > > 
> > > Reading the code again, the "always_accept" has been demoted into
> > > "accept if various tests don't reject" state, while "full_trust" is
> > > literally that.
> > 
> > Then probably SMTP AUTH and WHOSON should be changed to raise full_trust
> > rather than always_accept, right?
> 
> It depends... As for me "helo QRJATYDI" should be rejected from
> anybody ;).

Oh yes. Except that...

My sample dataset from a work system shows that yesterday there were
27 000 HELO/EHLO lines; of those, 7700 are unique, and 7000 are unique
and without dots.  A vanishing minority uses even a nearly correct (per
RFC 821) value for the greeting.

Lots and lots of those are whatever character strings are stored
in a Windows PC as the system hostname, including cases where
it has 8-bit characters!  Although...  possibly something like
70-80% of them are random junk from viruses, but you just
can't separate the dross from genuine things without full AI...

A group of viruses does claim the server's identity when talking to
the server, e.g. for a server at IP address 1.2.3.4 they would
greet:  "HELO [1.2.3.4]".   Another appears to use the two top levels
of the server's IP reversal name:  "EHLO funet.fi"

My take on virus evolution is that if this morning the whole world
suddenly used and demanded correct EHLO greetings per RFC 2821,
then by tonight (if not this afternoon) viruses would do them.

-- 
/Matti Aarnio	<mea@nic.funet.fi>
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
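As an added illustration (not code from this message or from ZMailer), here is a small Python classifier for HELO/EHLO arguments along the lines the message describes: it separates dotless names, 8-bit hostnames, address literals and FQDNs per RFC 2821 syntax, flags greetings that claim the receiving server's own IP literal or its own domain, and computes the total / unique / unique-without-dots counts the message quotes. The server address 1.2.3.4 and the domain funet.fi are taken from the message; the sample greetings, the tag names and the `should_reject` policy are constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a handful of HELO/EHLO arguments as a server at
# 1.2.3.4 whose reversal name ends in funet.fi might log them (not real data).
SERVER_IP = "1.2.3.4"
SERVER_DOMAIN = "funet.fi"   # two top levels of the server's reversal name
SAMPLE_HELOS = [
    "mail.example.org",
    "QRJATYDI",
    "QRJATYDI",
    "[1.2.3.4]",        # virus greeting with the server's own address literal
    "funet.fi",         # virus greeting with the server's own domain
    "[10.0.0.7]",
    "b\u00fcro-pc",     # 8-bit Windows hostname copied verbatim into HELO
    "WORKSTATION",
    "mail.example.org",
]

# RFC 2821 syntax: the argument is either a fully qualified domain name
# (at least two labels) or an address literal "[1.2.3.4]" / "[IPv6:...]".
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")
LITERAL_RE = re.compile(r"^\[(.+)\]$")


def classify(helo, server_ip=SERVER_IP, server_domain=SERVER_DOMAIN):
    """Return a short tag (assumed names) describing one HELO/EHLO argument."""
    if any(ord(c) > 127 for c in helo):
        return "8bit"                      # not even ASCII, let alone a domain
    m = LITERAL_RE.match(helo)
    if m:
        inner = m.group(1)
        if inner.upper().startswith("IPV6:"):
            inner = inner[5:]
        try:
            addr = ipaddress.ip_address(inner)
        except ValueError:
            return "bad-literal"           # brackets around something that is no address
        if addr == ipaddress.ip_address(server_ip):
            return "claims-our-ip"         # "HELO [1.2.3.4]" sent to 1.2.3.4
        return "literal"
    if helo.lower() == server_domain.lower():
        return "claims-our-domain"         # "EHLO funet.fi" sent to *.funet.fi
    if "." not in helo:
        return "no-dot"                    # bare Windows hostname or random junk
    if FQDN_RE.match(helo):
        return "fqdn"
    return "malformed"


def should_reject(helo, **kw):
    """Illustrative policy (an assumption, not ZMailer's): only reject greetings
    that present the receiving server's own identity or a broken literal."""
    return classify(helo, **kw) in {"claims-our-ip", "claims-our-domain", "bad-literal"}


def summarize(helos, **kw):
    """Reproduce the kind of counts quoted in the message over a list of greetings."""
    uniq = set(helos)
    return {
        "total": len(helos),
        "unique": len(uniq),
        "unique_no_dot": sum(1 for h in uniq if "." not in h),
        "tags": dict(Counter(classify(h, **kw) for h in helos)),
    }


if __name__ == "__main__":
    for h in SAMPLE_HELOS:
        print(f"{h!r:22} {classify(h):18} reject={should_reject(h)}")
    print(summarize(SAMPLE_HELOS))
```

The only class this policy rejects outright is a greeting that presents the receiver's own address literal or domain, which a legitimate client has no reason to send; the dotless and 8-bit classes are reported but left to the operator, since the message's own figures show they include real Windows hosts as well as viruses.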