RE: reject_unverified_recipient 450 error message exposes VPN addresses

From: William Van Hefner (postmaster@thedigest.com)
Date: Fri Dec 02 2005 - 13:42:19 CST


> -----Original Message-----
> From: owner-postfix-users@postfix.org
> [mailto:owner-postfix-users@postfix.org] On Behalf Of Sheldon T. Hall
> Sent: Friday, December 02, 2005 10:09 AM
> To: postfix-users@postfix.org
> Subject: RE: reject_unverified_recipient 450 error message
> exposes VPN addresses
>
> I've seen mention of this before, and I don't get it. In
> your case the machine's on a "VPN", in the other case I can
> remember, it was on an unroutable (private) IP address.
>
> In both cases, I don't see the problem. Why do you care? If
> your "VN" is actually "P", or the internal IP address is
> unroutable, no outside mailserver can send mail directly to
> it. I cannot see how some reject-notice-receiver's knowing
> that I'm sending from 192.168.0.103, whose name is
> mobilart3.artell.net, or that this same machine rejected
> something, does the least harm.
>
> On the other hand, the _lack_ of this information would make
> troubleshooting much more difficult, especially on large sites.
>
> Am I just insufficiently paranoid? It would be a first ....
>
> -Shel

I can give one good example of why this is "giving out too much
information". In my case, I have Postfix running as a gateway to a
Windows-based mail server that is on another IP address on the same network.
Postfix is really just doing scanning for spam and viruses. I have to have
my Windows mail server on a public IP address, otherwise none of my users
would be able to access Port 25 to send outbound or access their mail via
POP (not using the lame Windoze software I am stuck with at the moment, but
I digress).

I thought that I had effectively "hidden" the IP address of my Windows
machine by taking all mention of it out of my MX records. Only Postfix
itself knows the IP address that mail is supposed to be routed to. Although
I installed this Postfix gateway about six months ago, I am still getting
hammered with spam sent directly to the addresses on my Windows mail server,
which bypasses all of my Postfix gateway's antispam features. From what I
can tell, the ONLY way that spammers are able to get the IP address of my
Windows machine is by getting the information from Postfix responses. In
effect, a seemingly harmless one-address "dictionary attack" gives a spammer
all of the info they need in order to bypass my Postfix gateway entirely.

Of course, there are many solutions to this problem. Unfortunately, all of
them (that I can think of) include adding another computer to the mix as
some sort of firewall, or doing away with Windows altogether. Unfortunately
for Mr. Gates, I have decided on the latter. We will be moving all of our
servers over to Debian and Postfix by the end of the year. For the moment
though, I am still getting bombarded with "direct send" spam from spammers
who are taking advantage of a loophole in Postfix to bypass my antispam
scheme. You've got to give them credit for figuring out a way to exploit
this, I guess.

As an aside, it seems that spammers who send in Russian Cyrillic have been
the most proficient at exploiting this loophole. I'm guessing that some spam
gang in Eastern Europe is probably responsible for 100% of the spam that is
bypassing Postfix at the moment.

William Van Hefner
Network Administrator
Vantek Communications, Inc.
e-mail: postmaster@thedigest.com
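The reply text that gives away the backend address in the setup described above is composed by Postfix from the result of its address-verification probe, and later Postfix releases let the administrator replace it with a fixed string. The main.cf fragment below is an added example for this thread, not code from Mr. Van Hefner's post or from the Postfix distribution; the domain example.com, the transport target 192.0.2.10 and the cache path are placeholders. Note the version caveat in the comments: unverified_recipient_reject_reason appeared in Postfix 2.6 (2009), so it was not available to the posters at the time of this exchange.

```conf
# Added example (not from the original post): Postfix main.cf fragment for a
# gateway that verifies recipients against an internal backend, with the reject
# text fixed so the 450/550 reply no longer names the backend host.
# Placeholders: example.com, 192.0.2.10, /etc/postfix/transport.

relay_domains = example.com
# Backend the gateway forwards to and probes; it never appears in DNS MX records.
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport:   example.com   smtp:[192.0.2.10]

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_unverified_recipient

# Default behaviour: with unverified_recipient_reject_reason left empty, Postfix
# builds the reply from the probe's delivery status, which includes the host
# and address it connected to (the leak discussed in this thread).
unverified_recipient_reject_code = 450

# Hardened (Postfix 2.6 and later): a fixed reason replaces the probe status
# text. Verification itself is unchanged; only the wording sent to the
# client changes. Do not include the SMTP reply code in the reason.
unverified_recipient_reject_reason = Recipient address verification failed

# Keep probe results in a persistent cache so repeated one-address probes are
# answered from the cache instead of reconnecting to the backend each time.
address_verify_map = btree:$data_directory/verify_cache
```

Reload with `postfix reload` after editing; `postconf unverified_recipient_reject_reason` shows whether the running version supports the parameter at all (an unknown-parameter warning means it does not). Hiding the reason closes only this disclosure channel: a backend that still listens on port 25 at a public address can be found and used by anyone who has already learned it, so the lasting fix is a packet filter, on the backend host or at the network edge, that accepts port 25 only from the gateway and serves users through authenticated submission and POP on their own ports.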