It seems that much SPAM originates from hijacked open proxy servers.

http://www.fr2.cyberabuse.org/?page=abuse-proxy
http://spamcop.net/fom-serve/cache/278.html

It would be possible to make a plugin that, on the SMTP connect, takes the remote IP address and does a quick check for an open proxy on the remote IP address. If it finds an open proxy, it could block the connection and add the IP to a local DB of IPs to block. It could also remember the IPs that passed, if that made sense from a performance standpoint.

Would a plug-in like this be a useful tool? Worth writing?

More Background
===============

An open proxy test appears to be fairly easy:

From: http://cert.uni-stuttgart.de/archive/incidents/2002/12/msg00044.html

There are programs to scan for open proxy servers, but you can also just try using nmap on well-known proxy ports (1080,8080,3128... sometimes 80 and 81). Then telnet to the port and try something like: "GET http://www.yahoo.com/ HTTP/1.0" and hit enter twice. This indicates they are at least open to HTTP proxying. This is a problem, but it's not as bad as some servers, which allow you to connect out on any port. For your spam example, try "CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the address of some mailserver you own. If you get the SMTP banner, your suspicions are confirmed.

Info on the AnalogX proxy server:

From: http://groups.google.com/groups?q=analogx+spam&hl=en&lr=&ie=UTF-8&selm=c0-dnWpdCPkk5lajXTWcrg%40internetpro.net&rnum=1

AnalogX Proxy, a free proxy-server program that has been downloaded by more than a million people, is automatically in the open state when it is first installed. Mark Thompson, the author of AnalogX, said he had rebuffed the requests of many antispam activists to distribute the software with the security features already activated because doing so would make it harder to set up.

"The biggest plug for the proxy is it is really easy to get it running," he explained. Mr. Thompson said he did try to achieve a compromise by revising the program to give people a warning about security problems every time it starts.

Even so, Wirehub, a Dutch Internet service provider, says that 45,000 of the 150,000 open proxy servers it has identified as sending spam appear to be using AnalogX.

Jim
James H. Thompson [EMAIL PROTECTED]
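
A sketch of the plugin logic proposed above, added here as an example and not part of the original post: it classifies the reply to the CONNECT test and keeps the local DB of verdicts, with blocked IPs remembered longer than IPs that passed. All names (`ProxyVerdictCache`, `sample_probe`, `canary.example`, the TTL values) are hypothetical, and the network transport is injected so the block runs offline on constructed replies.

```python
import re
import time

PROXY_PORTS = (1080, 8080, 3128, 80, 81)      # ports named in the post
SMTP_BANNER = re.compile(rb"^220[ -]", re.M)  # SMTP greeting line

def connect_probe(canary_host, canary_port=25):
    """Request a real transport would send: tunnel to a mail server we own."""
    return f"CONNECT {canary_host}:{canary_port} HTTP/1.0\r\n\r\n".encode("ascii")

def is_open_proxy_reply(reply):
    """True only if the tunnel was accepted (2xx) and an SMTP banner came back."""
    head, _, body = reply.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    accepted = len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1][:1] == b"2"
    return accepted and SMTP_BANNER.search(body) is not None

class ProxyVerdictCache:
    """Local DB of verdicts: blocked IPs are kept longer than IPs that passed."""
    def __init__(self, probe, block_ttl=86400, pass_ttl=3600, clock=time.time):
        self.probe, self.clock = probe, clock   # probe(ip, port) -> reply bytes
        self.ttl = {True: block_ttl, False: pass_ttl}
        self.db = {}                            # ip -> (is_open, expires_at)

    def should_block(self, ip):
        hit = self.db.get(ip)
        if hit and hit[1] > self.clock():
            return hit[0]                       # cached verdict, no new probe
        is_open = any(is_open_proxy_reply(self.probe(ip, p)) for p in PROXY_PORTS)
        self.db[ip] = (is_open, self.clock() + self.ttl[is_open])
        return is_open

# Constructed replies on TEST-NET addresses; b"" models a refused or timed-out port.
SAMPLE_REPLIES = {
    ("192.0.2.10", 8080): b"HTTP/1.0 200 Connection established\r\n\r\n220 canary.example ESMTP\r\n",
    ("192.0.2.20", 3128): b"HTTP/1.0 403 Forbidden\r\n\r\n<html>denied</html>",
}

def sample_probe(ip, port):
    return SAMPLE_REPLIES.get((ip, port), b"")

if __name__ == "__main__":
    cache = ProxyVerdictCache(sample_probe)
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.10"):
        print(ip, "block" if cache.should_block(ip) else "accept")
```

A real `probe` would need a short connect and read timeout so the check does not stall the SMTP session, which is where the cache of passed IPs pays off.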