Probably getting a bit off topic here.
On Tue, 2003-08-26 at 23:04, Dossy wrote:
> I've been thinking this might be a good way to stop mail header
> forgeries (which most spam falls into the category of) but would annoy a
> lot of people ...
>
> Upon receipt of mail at the end of the DATA portion of the SMTP
> transaction, look at the mail envelope (and possibly the From: header)
> and parse out the domain name that the mail is supposedly sent from.
I think you would break a LOT more than you would fix. In Postfix,
reject_unknown_sender_domain
almost exactly does that -- but hands back a 450 code (temporary).
> Now, spammers could circumvent this by registering a domain and
> configuring the forward DNS to point to their IP, which is easy to do,
> but then, they'd be sending out email with a domain that could be traced
> back to them (as opposed to forging some totally bogus domain in the
> mail headers). Then, there'd be an easy way to pursue and prosecute
> spammers ...
All mail has an originating IP -- by shutting down open proxy servers,
and preventing client machines from directly sending to recipient
machines, it would make a large dent. Most of the spam software
bypasses the ISP mailserver and sends direct. It's fast, cheap, and
quick. Sobig.F uses the mailhost configured on the machine, so it would
still go through the ISP; however, ISPs could have easily stopped the
spread by not permitting those. Sobig was a tad smarter this time as it
did send out .zip attachments -- which is difficult to filter because
you could drop legit attachments. I do know of one 'email virus
filtering' service that somehow decided that Sobig.F files were benign
and was forwarding 1100/hour to a client where I had put a mailserver
which declined the Sobig attachments. The other company saw 1100
rejected messages an hour, and throttled their email -- saying that the
mailserver was down -- because they weren't doing their job.
There are simple solutions -- decline any message with attachments that
are most likely to be viruses. I've not seen many valid reasons to ever
accept emails with attached .pif files and many other extensions. As
such, we've declined a ton of email attachments. If you can use regexps
to match mime content headers, you can get rid of a bunch of viruses.
We've switched from REJECT to DISCARD -- since the 'bounces' from Sobig
were infecting innocent people.
> accept/reject of the mail they're trying to deliver to you. If they
> ever use that information to scrub their lists, eventually you'll get
> removed and cleaned off.
My Postfix regexps (header_checks, regexp table; one rule per line):
# uuencoded attachment ("begin 644 name.ext") carrying a blocked extension
/^begin\s+\d{3}\s+.+?\.([iI][dD][aA]|[lL][nN][kK]|[bB][aA][tT]|[cC][hH][mM]|[cC][mM][dD]|[cC][oO][mM]|[hH][tT][aA]|[jJ][sS][eE]?|[jJ][sS]|[pP][iI][fF]|[sS][cC][rR]|[sS][hH][bB]|[vV][bB][esxESX]|[wW][sS][fhFH]|[zZ][iI][pP])/ DISCARD discard
# MIME part whose Content-Disposition filename= or Content-Type name= has a blocked extension
/^Content-(Disposition|Type):\s+.+?([fF][iI][lL][eE])?[nN][aA][mM][eE]="?.+?\.([iI][dD][aA]|[lL][nN][kK]|[bB][aA][tT]|[cC][hH][mM]|[cC][mM][dD]|[cC][oO][mM]|[hH][tT][aA]|[jJ][sS][eE]?|[jJ][sS]|[pP][iI][fF]|[sS][cC][rR]|[sS][hH][bB]|[vV][bB][esxESX]|[wW][sS][fhFH]|[zZ][iI][pP])/ DISCARD discard
# same check when the filename=/name= parameter sits on a folded continuation line
/^\s+([fF][iI][lL][eE])?[nN][aA][mM][eE]="?.+?\.([iI][dD][aA]|[lL][nN][kK]|[bB][aA][tT]|[cC][hH][mM]|[cC][mM][dD]|[cC][oO][mM]|[hH][tT][aA]|[jJ][sS][eE]?|[jJ][sS]|[pP][iI][fF]|[sS][cC][rR]|[sS][hH][bB]|[vV][bB][esxESX]|[wW][sS][fhFH]|[zZ][iI][pP])/ DISCARD discard
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of
your email blank.
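The attachment filter those header_checks rules express, as a standalone check. This is an added example, not code from the thread and not part of Postfix: it walks a MIME message with Python's email module and applies the same extension list to filename=/name= parameters and to uuencode "begin" lines in text bodies, returning the DISCARD/OK decision Postfix would make. The function names (check_message, blocked_extension), the BLOCKED_EXTENSIONS set (transcribed from the regexps above) and the three sample messages are all constructed for the example.

```python
import email
import re
from email import policy

# Extensions the header_checks rules in the post discard (constructed from the regexps:
# [jJ][sS][eE]? -> js/jse, [vV][bB][esxESX] -> vbe/vbs/vbx, [wW][sS][fhFH] -> wsf/wsh).
BLOCKED_EXTENSIONS = {
    "ida", "lnk", "bat", "chm", "cmd", "com", "hta", "js", "jse",
    "pif", "scr", "shb", "vbe", "vbs", "vbx", "wsf", "wsh", "zip",
}

# Trailing extension of a filename, and a uuencode "begin <mode> <filename>" line.
_EXT_RE = re.compile(r"\.([A-Za-z0-9]+)\s*$")
_UUENCODE_BEGIN_RE = re.compile(r"^begin\s+\d{3}\s+(.+?)\s*$", re.MULTILINE)


def blocked_extension(filename):
    """Return the lower-cased extension if it is blocklisted, else None.

    Matching is case-insensitive, like the [pP][iI][fF] classes in the rules.
    """
    if not filename:
        return None
    m = _EXT_RE.search(filename.strip().strip('"'))
    if m and m.group(1).lower() in BLOCKED_EXTENSIONS:
        return m.group(1).lower()
    return None


def check_message(raw):
    """Mimic the header_checks decision for one raw RFC 822 message.

    Returns ("DISCARD", reason) on the first blocked attachment found, else ("OK", None).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        # Content-Disposition filename= and Content-Type name= (the two header rules).
        for name in (part.get_filename(), part.get_param("name")):
            ext = blocked_extension(name)
            if ext:
                return ("DISCARD", f"attachment extension .{ext}")
        # Uuencoded file embedded in a text body (the "begin 644 ..." rule).
        if part.get_content_maintype() == "text":
            for m in _UUENCODE_BEGIN_RE.finditer(part.get_content()):
                ext = blocked_extension(m.group(1))
                if ext:
                    return ("DISCARD", f"uuencoded .{ext}")
    return ("OK", None)


# Constructed sample messages (not real traffic).
SOBIG_LIKE = """\
From: sender@example.com
To: victim@example.net
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached file for details.
--XYZ
Content-Type: application/octet-stream; name="your_document.PIF"
Content-Disposition: attachment; filename="your_document.PIF"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

UUENCODED = """\
From: a@example.org
To: b@example.org
Subject: file
Content-Type: text/plain

begin 644 invoice.scr
M....
`
end
"""

CLEAN = """\
From: a@example.org
To: b@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Report attached.
--ABC
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

AAAA
--ABC--
"""

if __name__ == "__main__":
    for label, raw in (("sobig-like", SOBIG_LIKE), ("uuencoded", UUENCODED), ("clean", CLEAN)):
        print(label, check_message(raw))
```

Running the script prints a DISCARD verdict for the first two constructed messages and OK for the third. Walking the parsed MIME tree rather than grepping raw header lines means a filename split across a folded continuation line, or given in mixed case, is still caught, which is the same gap the third regexp in the post exists to cover.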