There are two kinds of clients that connect to a mail server:

- MTAs (Mail Transfer Agents) that relay messages from other clients/MTAs
- MUAs (Mail User Agents) that send messages on behalf of a user.

A server must
1- accept messages sent to one of its domains or one of the domains
it accepts to relay messages to.
2- accept connections from "its" users.


The smtp server may consider the connection coming from one of "its" users
if the user has been authenticated (either directly using AUTH, using a hack
such as "pop-before-smtp", or any other method, such as checking that the
connection came using a secure and trusted channel that requires user
authentication) or if the connection originated from a "trusted" host (for
example, when we are sure the connection came from a private host, thanks to
the FW configuration!).

If not, the smtp server must consider the connection as possibly coming from
a relay. It should then only relay messages to domains that are explicitly
configured for that. For messages destined to the server domains (domains
that are handled by the server), it should accept the messages, unless
there is a serious reason to reject them, such as a large data size, virus
infection, ...

In particular, no concern should be given to the name of the program that sent
the request. Otherwise, you can also refuse packets coming from specific OSes
as well (just run queso each time someone connects to you...).

<idea value=zero delimiter=smile>
Or why not refuse IP packets if their Id is not even. You know about half
of the packets that come from attackers have odd Ids. So rejecting these will
reduce your vulnerability by a factor of 2! If someone could pass the idea to
raptor designers...

Another idea? Just configure many many MX addresses, where only one works. Then
most agents/relays will find it harder to connect to your server, which will
break attack speed.

What about this one (I feel generous today): each time someone connects to
your smtp server, and just after the From address has been given, issue an
illegitimate response (one which is not smtp), such as: "to send mail, please
type: I am no hacker". Then normal clients/relays will fail here. So keep on
replying with stupid sentences. If they close the connection, then you know
that it is a good client (a hacker would have answered the request and typed
the "I'm no hacker", if just for curiosity). Then send back an email to the
sender informing him that he can try now, and store the client IP address so
as to allow the mail if it comes from this address. You then design a huge
LDAP based directory, with XML syntax and Java administration of the whole
stuff. At the end, if you get sucked, sell the list to some stupid press...

</idea>

cheers
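The relay rule from the post, written out as an added example that is not part of the original message: a RCPT TO decision that accepts mail for the server's own domains or its configured relay domains from anyone, and otherwise relays only for authenticated clients or hosts on a trusted network. The domain names, networks and IP addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example policy: domains and networks are placeholders, not real sites.
LOCAL_DOMAINS = {"example.org", "mail.example.org"}   # domains handled by this server
RELAY_DOMAINS = {"partner.example"}                     # domains we explicitly agree to relay to
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # "private hosts", as guaranteed by the FW


@dataclass
class Session:
    client_ip: str
    authenticated: bool  # AUTH succeeded (or pop-before-smtp, client cert on a trusted channel, ...)
    helo: str = ""       # deliberately ignored: the name the client program gives is no criterion


def is_our_user(s: Session) -> bool:
    """One of 'our' users: authenticated, or connecting from a trusted network."""
    if s.authenticated:
        return True
    try:
        ip = ipaddress.ip_address(s.client_ip)
    except ValueError:
        return False  # unparsable address: never trusted
    return any(ip in net for net in TRUSTED_NETS)


def domain_of(addr: str) -> str:
    """Domain part of an address; an address without '@' yields no known domain."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def rcpt_decision(s: Session, rcpt: str) -> str:
    """SMTP reply for RCPT TO:<rcpt>, following the relay rule described in the post."""
    dom = domain_of(rcpt)
    # Mail for our own domains, or for domains we are configured to relay to, is
    # accepted from anyone (size/virus checks happen later, at DATA time).
    if dom in LOCAL_DOMAINS or dom in RELAY_DOMAINS:
        return "250 2.1.5 Recipient ok"
    # Anything else is third-party relaying: only our own users may do it.
    if is_our_user(s):
        return "250 2.1.5 Recipient ok"
    return "554 5.7.1 Relay access denied"
```

Postfix expresses the same ordering as `smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`.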
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]