On Sun, 21 Dec 2003, Peter J. Holzer wrote:
> On 2003-12-21 10:34:17 -0500, Guillaume Filion wrote:
> > On 03-12-21, at 08:43, John Peacock wrote:
> > >Peter J. Holzer wrote:
> > >>Suppose a spammer registers a domain spammers-r.us, adds these DNS
> > >>records:
> > >>spammers-r.us MX 10 mail.spammers-r.us
> > >>mail.spammers-r.us A 127.0.0.1
> > >
> > >This is exactly what I have already seen at least once with a
> > >mainsleaze spammer. I can't find my notes, so I cannot confirm this,
> > >but I do remember that it caused my MTA issues (basically mailbombed
> > >itself trying to bounce a message).
I've seen this a lot. It shows up in my ipchains/ipfilters logs as
blocked outbound connections to port 25 on private addresses.
> > >It would be wise to try and program with this evil behavior in mind...
> >
> > I agree, but there would be a lot of subnets to include, because
> > spammers could use localhost (120.0.0.0/8), private addresses
> 127
> > (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12)
As mentioned, I'm already doing this with some
after-the-connection processing before delivery. All of the above are
currently handled fairly specifically. But this processing should be done
during the connection, not afterward. If I can make some time, and get a
handle on how qpsmtpd works, I'll try to put something together (but don't
hold your breath for me).
> Yes. Plus the link-local net (169.254.0.0/16) and multicast addresses
> (224.0.0.0/4). These are guaranteed not to be reachable over the public
> internet.
>
> > and any of the IANA reserved subnets (a lot!
> > http://www.iana.org/assignments/ipv4-address-space)
This might best be handled with a generic case (external list to
process), but it would definitely have to be tracked.
> Only if you are prepared to track any changes in the list.
I do that now for my gateway/firewall filtering, so making the
changes to an invalid MX list isn't any more trouble.
> > It might be simpler to make an SMTP connection to the MX RR of the
> > sender's domain, and maybe even do a MAIL FROM: <>, RCPT TO:
> > $senderAddress to do a simple address check.
If this is to suggest that you drop the connection unless the test
is accepted, I see a problem: Some MTAs will accept anything, and then
reject or bounce later. I don't see the extra traffic and delays as worth
it.
--
Roger Walker
"His Pain - Our Gain"
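The MX sanity check the thread is circling around, written out as an added example (not code from the list, from qpsmtpd, or from any of the posters). qpsmtpd plugins are Perl; this is Python against a constructed in-memory DNS table so it runs offline, but the decision logic is what a MAIL FROM hook would do during the connection. It goes a little beyond the thread: it also applies the implicit-MX rule (no MX record means deliver to the domain's A record), lets the null sender <> through because bounces must still be accepted, and skips a "." MX target (null MX, RFC 7505, which postdates this thread). The network list is an assumption: it contains the ranges named in the thread plus 0.0.0.0/8 and 240.0.0.0/4, and, as the thread says, it is data that has to be tracked against IANA. The sample zone names and addresses are constructed; the "public" addresses are RFC 5737 documentation space standing in for real ones.

```python
import ipaddress
from typing import Dict, List, Tuple

# Address space that can never be reached over the public Internet.
# Assumption: the thread's ranges (loopback, RFC 1918, link-local, multicast)
# plus 0.0.0.0/8 and 240.0.0.0/4. Keep this in step with the IANA registry;
# it is configuration, not code.
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "224.0.0.0/4",
    "240.0.0.0/4",
)]

# Constructed stand-in for DNS. "MX" holds (preference, target) pairs, "A"
# holds address strings. A real plugin would ask the resolver instead.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation space (RFC 5737) used
# here as stand-ins for public addresses.
CONSTRUCTED_DNS: Dict[str, Dict[str, list]] = {
    # the case from the thread: MX pointing at loopback
    "spammers-r.us":        {"MX": [(10, "mail.spammers-r.us")], "A": []},
    "mail.spammers-r.us":   {"MX": [], "A": ["127.0.0.1"]},
    # ordinary domain; one MX has a private address, the other a public one
    "example.org":          {"MX": [(20, "mx2.example.org"), (10, "mx1.example.org")], "A": []},
    "mx1.example.org":      {"MX": [], "A": ["192.168.1.5"]},
    "mx2.example.org":      {"MX": [], "A": ["203.0.113.25"]},
    # no MX at all: mail goes to the A record (implicit MX)
    "nomx.example":         {"MX": [], "A": ["198.51.100.7"]},
    # MX target that does not resolve
    "dead.example":         {"MX": [(10, "nowhere.dead.example")], "A": []},
    # null MX: the domain says it accepts no mail
    "nullmx.example":       {"MX": [(0, ".")], "A": ["203.0.113.9"]},
}


def is_routable(addr: str) -> bool:
    """True unless addr falls inside one of the unroutable ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in UNROUTABLE_NETS)


def lookup(name: str, rtype: str, dns: Dict[str, Dict[str, list]]) -> list:
    return dns.get(name.lower(), {}).get(rtype, [])


def mx_hosts(domain: str, dns: Dict[str, Dict[str, list]]) -> List[str]:
    """Hosts that would receive mail for domain, in preference order.
    With no MX record the domain itself is the mail host (RFC 2821 section 5)."""
    mx = sorted(lookup(domain, "MX", dns))
    if not mx:
        return [domain]
    return [target for _pref, target in mx]


def sender_domain_deliverable(domain: str, dns: Dict[str, Dict[str, list]]) -> bool:
    """True if at least one mail host for domain has a routable address.
    A domain whose every MX resolves only to unroutable space, or to nothing
    at all, cannot take a bounce, so it is treated as undeliverable."""
    for host in mx_hosts(domain, dns):
        if host == ".":          # null MX: explicitly accepts no mail
            continue
        for addr in lookup(host, "A", dns):
            if is_routable(addr):
                return True
    return False


def check_mail_from(sender: str, dns: Dict[str, Dict[str, list]]) -> Tuple[str, str]:
    """Decision for MAIL FROM:<sender>, returned as (SMTP code, text).
    sender is the bare address: "" for the null sender, else local@domain."""
    if sender == "":
        # <> is used for bounces and must be accepted; nothing to check.
        return ("250", "ok")
    if "@" not in sender:
        return ("501", "sender address needs a domain")
    domain = sender.rsplit("@", 1)[1].lower()
    if sender_domain_deliverable(domain, dns):
        return ("250", "ok")
    return ("550", "no reachable mail exchanger for " + domain)


if __name__ == "__main__":
    for s in ("bob@spammers-r.us", "alice@example.org", "x@nomx.example",
              "y@dead.example", "z@nullmx.example", ""):
        print(repr(s), check_mail_from(s, CONSTRUCTED_DNS))
```

Rejecting at MAIL FROM rather than after the DATA phase is what Roger is after: the message is never queued, so there is nothing to bounce into 127.0.0.1 later. The mixed case (example.org) is accepted on purpose; a private address on one MX is a misconfiguration, not proof that the domain is unreachable.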