[unisog] sendmail spam filtering

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Jun 7 20:00:19 GMT 2002

On Fri, 07 Jun 2002 11:35:10 PDT, John Callahan <jcallaha at willamette.edu>  said:
> I have been toying with a sendmail milter that checks that an envelope sender address (SMTP
> MAIL FROM) actually exists and will receive e-mail before accepting e-mail for delivery.

Note that recent Sendmail (which it would have to be, since milter is a fairly
new addition) *by default* will insist on a domain actually being resolvable
(unless you have FEATURE(accept_unresolvable_domains) in your .mc file).  That
will keep people from handing you a 'MAIL FROM:' with a totally bogus domain.
(See the SBasic_Check_Mail ruleset for the gory details)

So - we know the right hand side exists, and we want to check the LHS...

> It does this by connecting to an MX for the foreign addresses domain and initiating a SMTP
> transaction with the address as the recipient address.  It then aborts the message with a
> RSET before any message body is transferred.
> What do you folks think of this as a concept?

At least you didn't propose ignoring 'MAIL FROM:<>' as a spam prevention
tool - if you did, I'd have to track you down and smack you upside the head ;)

The *first* problem you have is that this doesn't even interoperate with itself.

Let's say we're both running your code. I send you mail.. you open a connection
back to me to see if my address is valid.  I see a connection, I open a
connection back to you to see if your address is valid.  You see a

(Remember - you have to use a RCPT TO: to test, not EXPN or VRFY, because
many sites disable the latter two for good reasons)

Assuming you find a way to fix THAT problem (see the safe_finger code from
the tcp_wrappers package for an example), you have a second problem:

There are a lot of cases where the MX you contact will '250 OK' almost
anything syntactically valid.  For starters:

1) It may be a corporate firewall that does a store-and-forward to the
real mailserver - and since it's a firewall, it doesn't know what addresses
are in fact valid.

2) It may be a server at a hosting company - bigpipe.com may MX for mysmall.com
and then just forward everything to my server.

3) The primary MX may be down/unreachable at the instant you check, and the
backup MX's only do store-and-forward Just In Case (I know of one famous
network person who had MX's on 4 different continents).

And that's just the problems with *correctly* behaving software. The Cisco
PIX happened once, and it can happen again... ;)

(The above analysis of course assumes that I actually have a clue about how
Sendmail and SMTP work - a dubious assumption at 4PM on a Friday ;)

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20020607/61a5a7ee/attachment-0007.bin

More information about the unisog mailing list