[unisog] sendmail spam filtering
Valdis.Kletnieks at vt.edu
Fri Jun 7 20:00:19 GMT 2002
On Fri, 07 Jun 2002 11:35:10 PDT, John Callahan <jcallaha at willamette.edu> said:
> I have been toying with a sendmail milter that checks that an envelope sender address (SMTP
> MAIL FROM) actually exists and will receive e-mail before accepting e-mail for delivery.
Note that recent Sendmail (which it would have to be, since milter is a fairly
new addition) *by default* will insist on a domain actually being resolvable
(unless you have FEATURE(accept_unresolvable_domains) in your .mc file). That
will keep people from handing you a 'MAIL FROM:' with a totally bogus domain.
(See the SBasic_Check_Mail ruleset for the gory details)
So - we know the right hand side exists, and we want to check the LHS...
> It does this by connecting to an MX for the foreign addresses domain and initiating a SMTP
> transaction with the address as the recipient address. It then aborts the message with a
> RSET before any message body is transferred.
> What do you folks think of this as a concept?
At least you didn't propose ignoring 'MAIL FROM:<>' as a spam prevention
tool - if you did, I'd have to track you down and smack you upside the head ;)
The *first* problem you have is that this doesn't even interoperate with itself.
Let's say we're both running your code. I send you mail... you open a connection
back to me to see if my address is valid. I see a connection, I open a
connection back to you to see if your address is valid. You see a
(Remember - you have to use a RCPT TO: to test, not EXPN or VRFY, because
many sites disable the latter two for good reasons)
Assuming you find a way to fix THAT problem (see the safe_finger code from
the tcp_wrappers package for an example), you have a second problem:
There are a lot of cases where the MX you contact will '250 OK' almost
anything syntactically valid. For starters:
1) It may be a corporate firewall that does a store-and-forward to the
real mailserver - and since it's a firewall, it doesn't know what addresses
are in fact valid.
2) It may be a server at a hosting company - bigpipe.com may MX for mysmall.com
and then just forward everything to my server.
3) The primary MX may be down/unreachable at the instant you check, and the
backup MX's only do store-and-forward Just In Case (I know of one famous
network person who had MX's on 4 different continents).
And that's just the problems with *correctly* behaving software. The Cisco
PIX happened once, and it can happen again... ;)
(The above analysis of course assumes that I actually have a clue about how
Sendmail and SMTP work - a dubious assumption at 4PM on a Friday ;)
Computer Systems Senior Engineer
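The callout technique under discussion, as an added simulation that is not the milter from the post nor any sendmail code. It scripts both sides of the SMTP exchange (EHLO, MAIL FROM, RCPT TO, RSET, QUIT) against in-memory fake MX hosts and shows the two objections raised above: two sites running the check probe each other without end unless probes use MAIL FROM:<> and a null sender is never probed, and a store-and-forward MX returns 250 for any syntactically valid recipient, so an "accepted" result is not evidence that the mailbox exists. All domains, mailboxes, hostnames and reply strings are constructed for the demo.

```python
"""Simulated SMTP sender-address callout (constructed example, not real mail code)."""
from dataclasses import dataclass, field

MX_FOR: dict = {}   # constructed routing table: domain -> server object
_depth = 0          # nested probes in flight, used to detect a probe loop
MAX_DEPTH = 8


@dataclass
class FakeMX:
    """Scripted SMTP server: 250 for known users, 550 otherwise, unless
    relay_all is set (firewall / hosting / backup-MX store-and-forward)."""
    name: str
    known: set = field(default_factory=set)
    relay_all: bool = False
    transcript: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "EHLO":
            reply = f"250 {self.name} Hello"
        elif verb == "MAIL":
            reply = "250 sender ok"
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip("<>")
            ok = self.relay_all or addr in self.known
            reply = "250 recipient ok" if ok else "550 no such user"
        elif verb == "RSET":
            reply = "250 reset"
        elif verb == "QUIT":
            reply = "221 bye"
        else:
            reply = "502 command not implemented"
        self.transcript += ["C: " + line, "S: " + reply]
        return reply


def callout(sender: str, probe_sender: str = "") -> str:
    """Probe the MX for `sender`; return 'accepted', 'rejected' or 'tempfail'.

    A 250 only means the MX took the RCPT, not that the mailbox exists."""
    global _depth
    _depth += 1
    try:
        if _depth > MAX_DEPTH:
            raise RuntimeError("callout loop: sites are probing each other")
        mx = MX_FOR[sender.rpartition("@")[2]]
        mx.handle("EHLO verifier.example")
        mx.handle(f"MAIL FROM:<{probe_sender}>")
        code = mx.handle(f"RCPT TO:<{sender}>")[:3]
        mx.handle("RSET")   # abort before any DATA is sent
        mx.handle("QUIT")
    finally:
        _depth -= 1
    if code.startswith("2"):
        return "accepted"
    return "rejected" if code.startswith("5") else "tempfail"


@dataclass
class VerifyingSite(FakeMX):
    """An MX that runs the callout check on every non-null MAIL FROM.
    probe_sender is what it puts in MAIL FROM when probing other sites."""
    probe_sender: str = ""

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "MAIL":
            sender = arg.partition(":")[2].strip("<>")
            # MAIL FROM:<> (bounces and probes) is never verified: that is
            # what stops two verifying sites from probing each other forever.
            if sender and callout(sender, self.probe_sender) == "rejected":
                self.transcript += ["C: " + line, "S: 550 sender does not exist"]
                return "550 sender does not exist"
        return super().handle(line)


def demo() -> dict:
    """Run the scenarios against constructed hosts; returns the outcomes."""
    MX_FOR.clear()
    MX_FOR["b.example"] = FakeMX("mx.b.example", known={"bob@b.example"})
    MX_FOR["relay.example"] = FakeMX("fw.relay.example", relay_all=True)
    results = {
        "real user": callout("bob@b.example"),
        "bogus user": callout("nobody@b.example"),
        # store-and-forward MX: bogus address still comes back 'accepted'
        "bogus user behind relay": callout("nobody@relay.example"),
    }
    a = MX_FOR["a.example"] = VerifyingSite(
        "mx.a.example", known={"postmaster@a.example"}, probe_sender="postmaster@a.example")
    c = MX_FOR["c.example"] = VerifyingSite(
        "mx.c.example", known={"postmaster@c.example"}, probe_sender="postmaster@c.example")
    try:   # real probe sender on both sides: each probe triggers a probe
        a.handle("MAIL FROM:<postmaster@c.example>")
        results["mutual probes, real probe sender"] = "terminated"
    except RuntimeError:
        results["mutual probes, real probe sender"] = "loop"
    a.probe_sender = c.probe_sender = ""   # null probe sender: the recursion stops
    results["mutual probes, null probe sender"] = a.handle("MAIL FROM:<postmaster@c.example>")[:3]
    results["bogus sender at verifying site"] = a.handle("MAIL FROM:<nobody@b.example>")[:3]
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The "bogus user behind relay" case is the one to notice: the verifier cannot tell a 250 from a store-and-forward MX apart from a 250 from the final mailbox server, so the check can only ever reject, never confirm.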