Title: Message
Hi Matt:
 
>> if it will still reject E-mail addressed locally (IMail does not for instance).  I think that this might be appropriate as long as the server doesn't have roaming users that connect with SMTP AUTH <<
 
If it's IIS then it will NOT care what (forged) email addresses may appear in the headers.
It will simply drop after the EHLO if the connection came from outside the permitted IP range.
 
IIS does have a setting that WILL permit SMTP AUTH users to send email no matter WHICH IP they are sending from (that's why it waits for the EHLO).
 
SMTP AUTH is your friend (however, there are known cases where hackers have tried a few common standard password combinations in order to use SMTP AUTH - so common sense password standards still apply!)
 
>> the customer's server has become standard practice as a result <<
 
Of course! It is the only prudent configuration if you are gatewaying for someone. There are plenty of port 25 scanners running all the time to find open relays, or to find non-MXed mail servers.
 
Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, June 15, 2004 02:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Virus bypassing newer MX records

It does have this configuration, however I'm not sure about how secure that might be, or if it will still reject E-mail addressed locally (IMail does not for instance).  I think that this might be appropriate as long as the server doesn't have roaming users that connect with SMTP AUTH, or at least we had to work around that in one situation.  The good thing is that most small businesses that I have experienced only allow remote access through OWA and they don't do SMTP AUTH.  Maybe I'll learn more in this thread though.

FYI, we've been monitoring this stuff from a collection of domains and have found that about 0.5% of the spam is using cached lookups to deliver their E-mail, and over 5 months or so, there is no sign of any drop off in that activity.  There are three main culprits, the enlargement spammer, some static porn house, and a Chinese language spammer, but there is a smattering of other stuff, some of it is less long-lived though.  Firewalling the customer's server has become standard practice as a result, especially since this stuff can be targeted at just a few individuals and that ruins their experience with us, especially the enlargement guy that sends many messages.

Matt




Andy Schmidt wrote:
Other than the firewall/router - doesn't their SMTP server application (e.g., like IIS) have the ability to restrict inbound connections to certain IP ranges?
 
We had a similar issue with one of my relay customers - and we just defined IIS SMTP to only accept mail from my network.

Best Regards
Andy Schmidt


-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
