On Tue, 16 Oct 2001, Thomas wrote:

> Hi all,
>
> I know, this question might be halfway offtopic here, it involves smtp
> servers in general, but since I've been on this list for quite a while,
> I know there's guys here quite knowledgeable on smtp server<>client comm,
> so I feel this might be a good place for maybe getting some advice.
>
> I am in the final stages of developing a PERL script working in
> conjunction with Apache that kicks off on attempted http-spreading of
> worms like Codered and Nimda + any future alike by trying to notify the
> administrator/coordinator of the affected ip segment by email.
>
> This is done by picking up the closest MX records assigned to the PTR
> record of the remote IP. From this list of SMTP server(s) it then tries
> connecting to one at a time until one is established. So far all is ok.
>
> Now, from here actually getting the virus notification to the right
> person on the remote domain, it's going to require some qualified
> guessing of usernames and evaluating the response for each.
> The script issues (as of now) RCPT TOs of uname@domain combos until 2 or 3
> are accepted and then shoves on the DATA and QUITs. Recipients are
> iterated like:
>
> PTR of attacking IP : foo.bar.domain.tld
> LIST of likely rcpts ending up in the right place: [abuse, administrator,
> postmaster]
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> Here's where my knowledge ends, since it appears SMTP servers handle
> RCPT TO differently. Sendmail tends to accept any local address put in,
> while Xmail denies a rcpt not known locally (unless the * alias is
> applied). It would be nice to be

I don't know too much about sendmail but if you cannot change the behaviour
of accepting all local messages, it sucks. It sucks because it has to
generate a notification message for each failing rcpt.

> able to use the VRFY command at this state, but I don't have a clue if
> this command is supported or enabled by SMTP servers in general. Thought
> VRFY was explicitly required by the E/SMTP specs, until I realized it was
> disabled by default in Xmail.
>
> Anyone out there that can give some advice here?
> Should one try for VRFY and fall back on RCPT TO if not available (50x)
> or should I pass my hopes about VRFY to oblivion due to lack of support
> and stick with a 250 response from RCPT TO as the best deal I can get
> about whether an address resolves to an end user.

VRFY is disabled by default coz most Co. do not want to give out info.
I'd say that 98% of mail servers do not have VRFY enabled.

> From looking at the xmail smtp-logs there are two entries for
> each remote session of a relayed email "RCPT=OK" and "RECV=OK".
> The rcpt=ok part is straightforward, but how does xmail determine whether
> the recv is ok?? ...from the DATA END response code?

RECV=OK does not mean that the message has reached the remote destination
but that XMail has successfully received it.

- Davide
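The VRFY-then-RCPT TO fallback asked about above, as an added example that is not part of either poster's message or of XMail: it classifies SMTP replies offline, including multi-line replies, which goes slightly beyond the thread. The function names and sample replies are constructed for illustration; the reply codes are those defined in RFC 2821.

```python
import re

# Reply codes as defined in RFC 2821 for VRFY and RCPT TO.
CONFIRMED = {250, 251}              # mailbox known (251: will forward)
REJECTED = {550, 551, 553}          # mailbox unknown or not allowed
# Anything else from VRFY (252, 500, 502, 504, 4xx) gives no answer.

def parse_reply(raw):
    """Return (code, text) for a possibly multi-line SMTP reply."""
    code, parts = None, []
    for line in raw.splitlines():
        m = re.match(r"^(\d{3})(?:([ -])(.*))?$", line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if code is not None and int(m.group(1)) != code:
            raise ValueError("reply code changed mid-reply")
        code = int(m.group(1))
        parts.append(m.group(3) or "")
        if m.group(2) != "-":       # "NNN-" continues, anything else ends
            return code, " ".join(parts).strip()
    raise ValueError("reply has no final line")

def classify(vrfy_raw, rcpt_raw):
    """Combine a VRFY reply and a RCPT TO reply into one verdict."""
    vcode, _ = parse_reply(vrfy_raw)
    if vcode in CONFIRMED:
        return "confirmed-by-vrfy"
    if vcode in REJECTED:
        return "rejected"
    # VRFY disabled or unable to verify: fall back on the RCPT TO reply.
    rcode, _ = parse_reply(rcpt_raw)
    if rcode in CONFIRMED:
        # Acceptance only: a server that takes any local address
        # may still bounce the message after DATA.
        return "accepted-unverified"
    if 400 <= rcode < 500:
        return "retry-later"
    return "rejected"

# Constructed sample replies, keyed by local part (not captured traffic).
SAMPLES = {
    "abuse": ("502 VRFY command is disabled", "250 OK"),
    "administrator": ("252 Cannot VRFY user", "550 No such user here"),
    "postmaster": ("250 Postmaster <postmaster@example.test>", "250 OK"),
}

def verdicts(samples=SAMPLES):
    return {name: classify(v, r) for name, (v, r) in samples.items()}
```

A "accepted-unverified" verdict is the best a 250 from RCPT TO can give, which matches the point made in the thread about servers that accept every local address.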
