MLUG: RE: [MLUG] More spam
RE: [MLUG] More spam

Didn't mean to sound harsh :)

Not exactly - I am my own smtp server, and dns server. Lookup any
defenseindepth.net address and you're talking to me - no problem. Look
up my IP (24.199.249.76) and you'll get
"rrcs-midsouth-24-199-249-76.biz.rr.com" - which would fail the reverse
lookup test. I've asked other security people before and the general
consensus (obviously a small sample size) is that 40% of domains out
there (both legitimate and illegitimate) populate their PTR records in
DNS.

I've seen enforcing reverse DNS cause hell on client networks as well.
Example - the MX record for domain.com is 1.1.1.3, which is NATd over to
a Screened Subnet host (DMZ). That relay does anti-spam and anti-virus
stuff and passes it on to the internal mail server. The internal mail
server has done all of his scanning already, so he sends out directly.
The source IP is the SNAT address on the firewall (let's say 1.1.1.4 in
this case). Reverse dns checking says the mail came from 1.1.1.4, which
is not the MX record of domain.com - mail bounces = undelivered mail =
problems.

-- Brent

-----Original Message-----
From: Russell Horn [mailto:EMAIL:PROTECTED]
Sent: Thursday, April 10, 2003 9:09 AM
To: MLUG Members
Subject: RE: [MLUG] More spam


It was just a thought :) As for the reverse DNS, doesn't a reverse lookup
(at least using dig) give you all the DNS entries? Or, how about the
following:
Because you're sending an email from "mail.defenseindepth.net" couldn't you
do a lookup on that account, and if the originating IP address is the same,
accept it? I realize people sometimes use sendmail from a dialup connection,
but they could at that point just as easily use the standard smtp servers
of the ISP. Essentially, the thought here is to prevent "spoofing" of a from
field.
Anyway, just a few thoughts.
Jason


2 problems there - my dialup provider won't let me use their smtp server if
I alter the domain I am sending from - i.e. I can't send from albanach.com
via them. Secondly, what about organisations where the mailserver might be
on an internal network with a non routing IP say 10.0.10.1 - you can't do a
lookup on that.

Russell.

p.s. Interestingly, the first time I tried to send this I accidentally used my
@snp.org email address. The MLUG mail server responded as follows:

<EMAIL:PROTECTED>: host mlug.missouri.edu[128.206.61.230] said: 553
    5.1.8 <EMAIL:PROTECTED>... Domain of sender address EMAIL:PROTECTED does
    not exist

So something is doing domain checking (though not very well as snp.org does
exist) on MLUG at the moment.


_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
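
The sender checks discussed in this thread, run against the two legitimate senders Brent describes, as an added example that is not part of the original messages. The DNS tables are constructed from the addresses quoted in the thread; host names marked "assumed" do not appear in it, and no network lookups are made.

```python
# Constructed DNS data built from the hosts named in the thread; names marked
# "assumed" do not appear in the thread. No network lookups are made.
A = {
    "mail.defenseindepth.net": "24.199.249.76",
    "mx.domain.com": "1.1.1.3",              # assumed MX host name
}
PTR = {"24.199.249.76": "rrcs-midsouth-24-199-249-76.biz.rr.com"}
MX = {
    "defenseindepth.net": ["mail.defenseindepth.net"],  # assumed MX target
    "domain.com": ["mx.domain.com"],
}

def ptr_in_sender_domain(ip, domain):
    """Reverse lookup test: a PTR name must exist and sit under the sender domain."""
    name = PTR.get(ip)
    return name is not None and (name == domain or name.endswith("." + domain))

def helo_resolves_to_ip(helo, ip):
    """Jason's proposal: look up the announced host name, compare to the peer IP."""
    return A.get(helo) == ip

def ip_is_mx(ip, domain):
    """Strict variant: the connecting IP must be one of the domain's MX hosts."""
    return ip in {A.get(host) for host in MX.get(domain, [])}

def evaluate(ip, helo, domain):
    """Return the verdict of each check for one inbound SMTP connection."""
    return {
        "ptr_in_sender_domain": ptr_in_sender_domain(ip, domain),
        "helo_resolves_to_ip": helo_resolves_to_ip(helo, ip),
        "ip_is_mx": ip_is_mx(ip, domain),
    }

# Two legitimate senders described in the thread: (peer IP, HELO name, domain).
SENDERS = {
    "brent": ("24.199.249.76", "mail.defenseindepth.net", "defenseindepth.net"),
    # Internal server sending out through the firewall's SNAT address;
    # "mail.domain.com" is an assumed HELO name with no public A record.
    "snat_client": ("1.1.1.4", "mail.domain.com", "domain.com"),
}

if __name__ == "__main__":
    for label, args in SENDERS.items():
        print(label, evaluate(*args))
```

Both senders are legitimate, yet Brent's host fails the PTR test and the SNAT client fails all three, which is the false-positive cost of enforcing any of these checks as a hard reject.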
