At 06:24 PM 3/3/00 +0100, Erwin Hoffmann wrote:
>I wrote in the README.spamcontrol:
>
>>"Since QMAIL by construction is an OPEN RELAY, some vulnerability may be
>>experienced not in particular to the QMAIL system itself (which can
>>stand a heavy load), but for other MTAs which are flooded by
>>SPAM E-Mail. "
At <URL:http://ourworld.compuserve.com/homepages/Erwin_Hoffmann/spam.htm>,
you write:
Even if you use (e.g. QMAIL as) a restricted SMTP relay SPAMMERS may
manipulate either the SENDER (MAIL FROM:) or the RECIPIENT (RCPT TO:)
address of E-Mails, making your MTA believe
1) that this E-Mail is originated by itself,
2) accepting it and send the SPAM E-Mail to a third party (target) MTA,
which in turn sees this E-Mail to originate from your MTA/Domain,
3) turning your MTA effectively into a host for SPAM E-Mails.
Now, I haven't read (all of) the source to qmail - but for my (pretty
straightforward) qmail/rblsmtpd installation, this is simply *not* true.
AFAIK, qmail doesn't *care* about SENDER when deciding whether or not to
relay:
[vinces@xs3 vinces]$ telnet my.example.com 25
Trying 192.168.1.1...
Connected to my.example.com.
Escape character is '^]'.
220 my.example.com qmail-1.03 NO UCE NO UNSOLICITED EMAIL ESMTP
ehlo xs3.xs4all.nl
250-my.example.com qmail-1.03 NO UCE NO UNSOLICITED EMAIL
250-PIPELINING
250 8BITMIME
MAIL FROM: <[EMAIL PROTECTED]>
250 ok
RCPT TO: <[EMAIL PROTECTED]>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
quit
221 amstel.schonau.net qmail-1.03 NO UCE NO UNSOLICITED EMAIL
Connection closed by foreign host.
[vinces@xs3 vinces]$
xs3 is xs3.xs4all.nl, a shell account with my ISP. my.example.com is my
mailserver, and yes, example.com is in rcpthosts (obscured to protect the
innocent - me; otherwise this is a verbatim copy of the session).
./control/badmailfrom doesn't exist on my system.
Spammers only comply with ./control/smtpgreeting when forced to do so by
rblsmtpd, by the way.
>For the next version of QMAIL it would be a preferred solution to include
>the canonical SPAM filters natively into QMAIL-SMTPD. The information can
>be grepped via the TCPSERVER environment at run-time.
Ugh. I'm sure many people disagree (see also: 'Unix as it should be' ;-)
BTW, some of the suggestions in RFC 2505 are just plain worthless; items
like 7a and 7b for example will only work for as long as Rule #3 (Spammers
are stupid) applies. I'm seeing more and more spam with legitimate from
addresses; some spammers are less stupid than others, apparently. Also, RFC
2505 doesn't *require* a 4xx response; it just says it's more appropriate
for many situations.
The #5.7.1 code is defined by RFC 1893, by the way, which says "it's only
useful as a permanent error". Go figure.
I still can't figure out how you can administer email for 5000 users and
claim that email is an open relay by construction.
Can we get back to the T-shirt thread now?
Vince.
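
An added illustration, not part of the original message and not qmail's own code: a simplified Python model of the RCPT TO check documented in the qmail-smtpd man page (control/rcpthosts, wildcard entries, the RELAYCLIENT environment variable), showing that the envelope sender plays no part in the relay decision. Function names and sample addresses are constructed for this example.

```python
# Simplified model of qmail-smtpd's relay decision (added example).
REJECT = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"
OK = "250 ok"

def load_rcpthosts(text):
    """Parse control/rcpthosts content: one domain or .wildcard per line."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def domain_allowed(domain, rcpthosts):
    domain = domain.lower()
    if domain in rcpthosts:
        return True
    # An entry such as ".example.com" matches any host below example.com.
    return any(ch == "." and domain[i:] in rcpthosts
               for i, ch in enumerate(domain))

def rcpt_decision(mail_from, rcpt_to, rcpthosts, env):
    """Return the reply to RCPT TO. mail_from is deliberately never read."""
    if "RELAYCLIENT" in env:      # set by tcpserver rules for trusted clients
        return OK
    if rcpthosts is None:         # no control/rcpthosts file: no restriction
        return OK
    _local, at, domain = rcpt_to.rpartition("@")
    if not at:                    # addresses without @ are always accepted
        return OK
    return OK if domain_allowed(domain, rcpthosts) else REJECT

# Constructed sample policy and envelopes.
HOSTS = load_rcpthosts("example.com\n.example.com\n")

if __name__ == "__main__":
    cases = [
        ("postmaster@example.com", "victim@elsewhere.test", HOSTS, {}),
        ("anyone@spam.test", "user@mail.example.com", HOSTS, {}),
        ("anyone@spam.test", "victim@elsewhere.test", HOSTS, {"RELAYCLIENT": ""}),
        ("anyone@spam.test", "victim@elsewhere.test", None, {}),
    ]
    for sender, rcpt, hosts, env in cases:
        print(sender, "->", rcpt, ":", rcpt_decision(sender, rcpt, hosts, env))
```

The last case is the one to audit for: with no control/rcpthosts file at all, every recipient domain is accepted.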