[Dshield] Users don't pay attention

Tom dshield at oitc.com
Sat Aug 20 23:36:44 GMT 2005


At 4:25 PM -0700 8/20/05, Abuse wrote:
>** Reply to message from Craig Webster <craig at xeriom.net> on Sat, 20 Aug 2005 13:56:14 +0100
>> If I receive an email like this I'm unlikely to trust it no matter
>> who the claimed sender is; it looks like it's been forged.
>
>I do not think it likely that anyone checks that the email server domain name
>is the same as the sender's domain.  My guess is that if they did that 25% to
>30% (if not more) of the email would be blocked.

Actually, lots check to see if server domain name exists.  Matching 
sender would be a violation of RFCs as it would break forwarding 
(which is what multihoming of mail reduces to).

>
>> >> These ISPs will block the useful ports and lock you into their
>> >> services no problem under the guise of being the superhero of the
>> >> story but as you say, it's unlikely that they'll ever monitor or
>> >> block the vast majority of their traffic. It's simply easier to say
>> >> "It's the bad guys' fault. Now buy our services."
>> > I DISAGREE loudly.
>> >
>> > I think blocking port 25 is a very good strategy as this blocks most
>> > of the compromised computers (which is the main source of spam).  If
>> > you want to run your own email server then set it up to relay all of
>> > your outbound email through your ISP's email server.  You can still
>> > receive email directly into your email server without any problems.
>> >
>> > Please explain to me why this does not work?
>>
>> You're talking about using a personal local mail server within the
>> ISP's network; I'm talking about using a mail server that is outside
>> your ISP's network (as is common with a lot of hosting packages and
>> commercial email packages). Your traffic is blocked before it gets to
>> the desired server so there's no chance of relaying it back to the
>> funnel server. You're stuck setting the From: and Reply-To: headers
>> and as I pointed out above, some spam filters don't like that.
>
>Yes, here I was talking about a personal email server.  But up above that I
>was talking about using my email client to send email, through my ISP's email
>server, and having the FROM: being for a different domain.  Most people do not
>look at the headers and will never know that the email was not sent from the
>domain referred to in the FROM:.

Actually most mailservers who host multiple domains do this rather 
than waste IPs.

Tom
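
Added example, not part of the original thread: a small offline comparison of the two receiving-side checks discussed above, "the announced server name exists" versus "the server name must match the sender's domain". The session records, host names and the RESOLVABLE set standing in for DNS are all constructed assumptions.

```python
# Added illustration; every host, domain and session below is constructed.
from dataclasses import dataclass

# Stand-in for DNS: names that "exist" for this offline demo (assumption).
RESOLVABLE = {"mail.isp.example", "mx.hosting.example", "forwarder.example",
              "smtp.corp.example"}

@dataclass
class Session:
    label: str        # what kind of delivery this is
    helo: str         # name the connecting server announces in HELO/EHLO
    mail_from: str    # envelope sender (MAIL FROM)
    legitimate: bool  # ground truth for the constructed sample

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def helo_exists(s: Session) -> bool:
    """Policy A: accept only if the announced server name resolves."""
    return s.helo.lower() in RESOLVABLE

def helo_matches_sender(s: Session) -> bool:
    """Policy B: accept only if the server name falls under the sender's domain."""
    d = domain_of(s.mail_from)
    h = s.helo.lower()
    return h == d or h.endswith("." + d)

SESSIONS = [
    Session("own server, own domain", "smtp.corp.example", "ann@corp.example", True),
    Session("ISP relay, other From domain", "mail.isp.example", "bob@bobsdomain.example", True),
    Session("shared host, many domains", "mx.hosting.example", "info@shop.example", True),
    Session("forwarded mail", "forwarder.example", "carol@corp.example", True),
    Session("compromised PC, made-up HELO", "xyz123.invalid", "dave@corp.example", False),
]

def evaluate(policy):
    """Return (legitimate sessions rejected, illegitimate sessions accepted)."""
    rejected_good = [s.label for s in SESSIONS if s.legitimate and not policy(s)]
    accepted_bad = [s.label for s in SESSIONS if not s.legitimate and policy(s)]
    return rejected_good, accepted_bad

if __name__ == "__main__":
    for name, policy in (("HELO exists", helo_exists),
                         ("HELO matches sender", helo_matches_sender)):
        rejected_good, accepted_bad = evaluate(policy)
        print(f"{name}: rejects legitimate {rejected_good}, accepts bad {accepted_bad}")
```

On this constructed sample the existence check turns away only the made-up HELO, while the strict match also rejects the ISP relay, the shared host and the forwarder.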

