Re: A few ideas to discuss about for struggling Spam

From: mouss (mlist.onlyfree.fr)
Date: Fri Jul 27 2007 - 03:35:37 CDT


ml wrote:
> John Evans a écrit :
>> On Mon, 16 Jul 2007, Darren Pilgrim wrote:
>>
>>>> Secondly, I wonder if I'm right when I say that an outbound SMTP must
>>>> also be a MX for the sender domain that come from. Of course I know
>>>> they
>>>> are not, in an absolute way, correlated.
>>>> But, in real life, how are they correlated ?
>>>
>>> In real life, by coincidence. The MX usually also handles outbound
>>> relay when the mail load doesn't warrant the expense of a separate
>>> outbound server. Corporate mail systems often relay through an
>>> ISP-provided server for speed, reliability, RBL dodging, etc. while
>>> the MX host is an in-house server on their static IP. Hobbyist home
>>> servers also tend to relay out through an ISP smarthost to dodge
>>> RBLs that include dynamic IP space, but publish a dynamic-DNS
>>> hostname in the MX. All of these are perfectly valid (though the
>>> last is not a good idea).
>>
>
>> Another thing to consider is that some companies use a third-party
>> outbound filter to prevent them from sending viruses out. It's a
>> legal liability thing that allows the company to be lax in their
>> virus protection, but still keep them from infecting their clients.
>> Go figger. In this case their email will be coming from a server that
>> does not reverse to their MX record. There are also hosted email
>> services where the hostname may be mail123.corporatemailhost.com (or
>> whatever), but the MAIL FROM, header From:, and MX reverse could all
>> be totally different things.
>>
> Ok, ok. Of course MX and outbound servers are totally different things!
> In conclusion the inbound and outbound servers seem so commonly
> different that my idea (even after my survey) is not a good idea.
>
>> Blocking email based on what looks like bad reverse data may stop
>> quite a bit of spam, but your false positive hit rate will go through
>> the roof. Guaranteed.
> I don't totally agree about reverse data. We cannot continue
> struggling SPAM without considering that many SMTP outbound servers
> even big ones are misconfigured.
> I consider that somewhere such servers are criminal to be so
> misconfigured.

Just because you cannot resolve an IP does not mean it is misconfigured.
The query may time out because of the "distance" between you and the
remote DNS server. The query may be lost somewhere in the middle of the
trip. Your own server or forwarder may have problems. ... etc.

So, again: measure at your site (use warn_if_reject) and take action
based on the measurements, not on philosophical concepts.

> In my opinion rather that trying to deploy a thing named SPF we should
> begin annoying these servers by refusing the mails coming from them.
> db
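As an added illustration of the "measure first with warn_if_reject" advice above (example code written for this archive page, not something posted in the thread): the script below tallies the reject_warning lines Postfix logs when a restriction such as reject_unknown_reverse_client_hostname is preceded by warn_if_reject, and separates temporary DNS outcomes (450, which Postfix always uses for a lookup that timed out or errored) from permanent ones. The log lines are constructed samples, and they assume the site has set unknown_client_reject_code to 550 so that permanent failures are distinguishable from temporary ones.

```python
import re
from collections import Counter

# Constructed sample Postfix smtpd log lines (not from the original thread).
# 450 = reverse lookup failed temporarily (timeout, lost query, broken
# forwarder); 550 = no reverse record exists (assumes
# unknown_client_reject_code = 550 in main.cf).
SAMPLE_LOG = """\
Jul 27 03:35:01 mx postfix/smtpd[1234]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<mail.example.org>
Jul 27 03:35:02 mx postfix/smtpd[1234]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<a@example.org> to=<c@example.net> proto=ESMTP helo=<mail.example.org>
Jul 27 03:36:10 mx postfix/smtpd[1235]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 550 5.7.25 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<x@example.com> to=<b@example.net> proto=ESMTP helo=<x>
Jul 27 03:37:00 mx postfix/smtpd[1236]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 550 5.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.5]; from=<y@example.com> to=<b@example.net> proto=ESMTP helo=<y>
"""

# Matches the client, its IP and the SMTP reply code of a warn_if_reject hit.
REJECT_WARNING = re.compile(
    r"reject_warning: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<text>[^;]*);"
)


def summarize_reject_warnings(log_text):
    """Tally what warn_if_reject would have rejected, split by outcome.

    Returns per-IP counts for temporary (4xx) and permanent (5xx) replies,
    so a lookup that merely timed out is not mistaken for a host that
    really has no reverse record.
    """
    temporary, permanent, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = REJECT_WARNING.search(line)
        if not m:
            continue
        total += 1
        bucket = temporary if m.group("code").startswith("4") else permanent
        bucket[m.group("ip")] += 1
    return {"total": total, "temporary": dict(temporary), "permanent": dict(permanent)}


def permanent_share(summary):
    """Fraction of flagged deliveries a hard reject would actually have dropped."""
    if summary["total"] == 0:
        return 0.0
    return sum(summary["permanent"].values()) / summary["total"]


if __name__ == "__main__":
    s = summarize_reject_warnings(SAMPLE_LOG)
    print(s)
    print(f"permanent share: {permanent_share(s):.2f}")
```

Run it over a real mail log before switching warn_if_reject off; the temporary bucket is the false-positive exposure the thread warns about.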