[Dshield] Exchange Open Relay

Allen Mundt amundt at waukeshacounty.gov
Mon Mar 6 15:46:57 GMT 2006


We created a mysql database, essentially extracting address book information from our directory.  We refresh that once per hour.  On the way in, our SMTP server checks the RCPT TO against that list.  It is an extra step, but well worth it.

Al


******************************************************************************************
Allen Mundt,  Waukesha County Government, I.T. Division, 262.970.4757
  
"Waste your money and you're only out of money, but waste your time
     and you've lost part of your life."
         -- Michael Leboeuf
******************************************************************************************

>>> asrgchr at yahoo.com 3/6/2006 9:30:47 AM >>>

--- Abuse <abuse at what4now.com> wrote:

> > and that we need to stop bouncing undeliverables?
> 
> The best thing to do is reject the bad email while
> in the SMTP transaction. 
> Accepting an email then creating a bounce message to
> the FROM address is bad
> news especially with spam and viruses.

1) I can understand that. This raises some questions
however. The mail servers behind our domain's MX
records are pure relay servers. All they do is relay to
the correct internal mail server. They know what
domains are internal to them but they have no clue of
what email addresses reside on these domains. So there's
no way (currently) that they could terminate the SMTP
connection upon checking the RCPT TO input. 
Are there others in this situation? I guess I could do
a lookup in my directory to check if the email address
really exists internally but wouldn't that open the
door to directory harvest attacks? I know you could
slow this down using a technique called 'tarpitting'
but what's next? Please share your experiences if
any...

2) I thank you all for the great and constructive
replies but this topic has gone too much in the
direction of whether OOO replies are a good or bad
thing. That is a different topic. Some admins must
live with the fact that OOO replies need to be enabled
for outside use. So please don't question that in the
replies. 

Kind regards,

Christophe.
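An added illustration of the approach the thread describes (rejecting unknown recipients at RCPT TO against a directory extract, with a tarpit so a directory harvest gets slower and then cut off); this is example code written for this page, not anything from Allen's or Christophe's setups. It assumes a constructed recipient set standing in for the hourly database extract, and returns the tarpit delay instead of sleeping so the policy can be exercised offline.

```python
"""Relay-side RCPT TO validation with a tarpit on unknown recipients (example)."""
from dataclasses import dataclass, field

# Constructed stand-in for the hourly directory extract (the thread's mysql table).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com", "postmaster@example.com"}
LOCAL_DOMAINS = {"example.com"}  # domains this relay accepts mail for

TARPIT_BASE_SECONDS = 5        # delay per bad RCPT, grows linearly within a session
MAX_INVALID_PER_SESSION = 3    # after this many unknown recipients, close the session


@dataclass
class Session:
    client_ip: str
    invalid_rcpts: int = 0
    accepted: list = field(default_factory=list)


def normalize(addr: str) -> str:
    """Strip '<>' and case-fold; assumes the directory lookup is case-insensitive."""
    return addr.strip().strip("<>").lower()


def rcpt_to(session: Session, addr: str) -> tuple[int, str, int]:
    """Handle one RCPT TO. Returns (SMTP code, reply text, tarpit delay in seconds).

    The caller sleeps for the delay before writing the reply, so a harvester
    pays more per probe while senders naming real recipients see no delay."""
    rcpt = normalize(addr)
    domain = rcpt.rpartition("@")[2]
    if domain not in LOCAL_DOMAINS:
        return 554, "5.7.1 Relay access denied", 0  # never act as an open relay
    if rcpt in VALID_RECIPIENTS:
        session.accepted.append(rcpt)
        return 250, "2.1.5 Recipient OK", 0
    session.invalid_rcpts += 1
    delay = TARPIT_BASE_SECONDS * session.invalid_rcpts
    if session.invalid_rcpts >= MAX_INVALID_PER_SESSION:
        # A run of unknown recipients is the signature of a harvest: drop the
        # session instead of handing out one 550 per guess until the list is done.
        return 421, "4.7.0 Too many invalid recipients, closing connection", delay
    return 550, "5.1.1 User unknown", delay


def run_session(client_ip: str, rcpts: list[str]) -> list[int]:
    """Drive one SMTP session through a list of RCPT TO values; stop once closed."""
    session = Session(client_ip)
    codes = []
    for addr in rcpts:
        code, _text, _delay = rcpt_to(session, addr)
        codes.append(code)
        if code == 421:
            break
    return codes
```

In a real deployment the recipient set would be reloaded from the hourly extract and the per-client counter kept across sessions (a harvester can reconnect), which is the "what's next" the thread leaves open.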
