OK, I know that this is perhaps one of the most, or the most, talked about subjects on this list as far as I've been able to tell at times, but I need some better clarification.
1. When someone sends a spam mail, their mail server inserts a time-date stamp (with source IP, etc) in the header and relays the message, yes?
(of course, that's obviously able to be forged, but theoretically speaking).
Yes, but your caveat is important. Also important is the fact that the message need not touch an actual mail server at this step. Most users use exactly the same SMTP protocol to get mail to their local server that servers use to pass the message on to another server.
It is also important to note that the timestamp added is in the Received header. The Date header is usually generated by the initiating client.
The router acts on what is usually called the SMTP 'envelope' : the MAIL FROM argument and the RCPT TO arguments. The former is what SIMS uses to create the Return-Path header.
2. If that's the case (question #1), and the message gets passed through several hosts before connecting to our SIMS box, can it be that our SIMS box is having trouble identifying what to route to error? (which I see as highly unlikely, since I assume that SIMS routes only what you tell it to).
I guess my reason for this question (#2) is I need to know EXACTLY what SIMS does when it receives mail via SMTP and checks the router.
Does it do string compares against the router entries to make sure that there's nothing in the header, in particular, the return-path, that is identical?
3. That said, and if the verify return-path is checked, if others can forge that return-path, then what is the benefit of routing this to error?

Spammers are stupid.
Many spammers forge the return-path to use a bogus domain. That's what the verify return paths setting checks for, and it catches a fair amount of spam. You can also make a domain name 'bogus' to your SIMS server (routing to error) and reject all mail to or from that domain. For example, I reject all mail for microsoft.com with a couple of exceptions, because I have no need to talk to anyone there ever (really!) except for those exceptions, and a LOT of spam claims to be from microsoft.com addresses. I also have multiple country TLDs routed to error, rejecting even more spam.
Keep in mind that for another class of spammer, forgery is NOT a common practice, and they can be easily dealt with by routing their domain names to error.
Source IPs are not part of the return-path and are not handled in the router. Source IPs are intrinsic to the connection and are blocked via the blacklist and DNSBLs (what SIMS calls RBLs).

4. How do the spammers forge the source IPs/domains and the return-paths?
I hope that helps...

5. Anything else anyone can tell me to shed some more light on this subject?
--
Bill Cole [EMAIL PROTECTED]
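The distinction drawn above between the SMTP envelope (MAIL FROM / RCPT TO, acted on by the router and turned into Return-Path) and the message headers (Received stamped by each relay, Date supplied by the originating client) is easy to blur, so here is an added example that simulates both sides: a receiving server that stamps a message, and an envelope-level routing decision that applies the checks described in the reply (connection blacklist and DNSBL first, domains and country TLDs routed to error with per-address exceptions, then verification of the return-path domain). This is illustrative code written for this page, not SIMS's own code. The "resolving" domain table, the DNSBL and blacklist entries, the router entries and the `.zz` TLD are all constructed assumptions so the script runs offline; the sample message and its pre-existing (possibly forged) Received line are constructed as well.

```python
"""Added example: SMTP envelope vs. message headers, with envelope-based
anti-spam routing of the kind described in the reply above.

Not SIMS code. Every table below is a constructed assumption standing in
for DNS, a DNSBL, the local blacklist and the router configuration.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import formatdate, parseaddr, parsedate_to_datetime

# --- Constructed tables (assumptions; no real lookups are performed) ---
KNOWN_DOMAINS = {"example.org", "microsoft.com", "partner.example"}  # domains that "resolve"
DNSBL_LISTED = {"203.0.113.45"}                                       # what SIMS calls an RBL
LOCAL_BLACKLIST = [ipaddress.ip_network("198.51.100.0/24")]           # blocked connection sources
ERROR_DOMAINS = {"microsoft.com", "spamco.example"}                   # router entries routed to error
ERROR_EXCEPTIONS = {"friend@microsoft.com"}                           # addresses exempted from the above
ERROR_TLDS = {"zz"}                                                   # hypothetical country TLD routed to error


@dataclass
class Envelope:
    """The SMTP envelope: what the router acts on. Message headers are not part of it."""
    source_ip: str          # intrinsic to the TCP connection; cannot be set by MAIL FROM
    helo: str               # client-supplied, trivially forgeable
    mail_from: str          # MAIL FROM argument; "<>" is the null sender used for bounces
    rcpt_to: list


def bare(addr):
    """Lower-cased address without display name or angle brackets ("" for the null sender)."""
    return parseaddr(addr)[1].lower()


def domain_of(addr):
    a = bare(addr)
    return a.rpartition("@")[2] if "@" in a else ""


def routed_to_error(addr):
    """Router lookup: case-insensitive exact match on the domain or its TLD, minus exceptions."""
    a, d = bare(addr), domain_of(addr)
    if a in ERROR_EXCEPTIONS:
        return False
    return d in ERROR_DOMAINS or d.rpartition(".")[2] in ERROR_TLDS


def route(env):
    """Accept/reject decision for one envelope. Returns (action, reason).
    Connection-level checks run first, then the router, then return-path verification."""
    ip = ipaddress.ip_address(env.source_ip)
    if any(ip in net for net in LOCAL_BLACKLIST):
        return "reject", f"source {env.source_ip} is on the local blacklist"
    if env.source_ip in DNSBL_LISTED:
        return "reject", f"source {env.source_ip} is listed in the DNSBL"
    if routed_to_error(env.mail_from):
        return "reject", f"sender domain {domain_of(env.mail_from)} is routed to error"
    for rcpt in env.rcpt_to:
        if routed_to_error(rcpt):
            return "reject", f"recipient domain {domain_of(rcpt)} is routed to error"
    sender = bare(env.mail_from)
    if sender and domain_of(sender) not in KNOWN_DOMAINS:  # null sender has no domain to verify
        return "reject", f"return-path domain {domain_of(sender)!r} does not resolve"
    return "accept", ""


def stamp_message(env, raw_message, local_host="sims.example.org", now=None):
    """What the receiving server adds: a Received line carrying the connecting IP and the
    server's own clock, and Return-Path built from MAIL FROM. The client's Date is untouched."""
    now = now or datetime.now(timezone.utc)
    received = (f"Received: from {env.helo} ([{env.source_ip}]) by {local_host}"
                f" with SMTP; {formatdate(now.timestamp(), usegmt=True)}")
    return f"Return-Path: <{bare(env.mail_from)}>\n{received}\n{raw_message}"


RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace(raw_message):
    """Return ([(ip, timestamp), ...] newest hop first, Date header value).
    Only the top-most Received line (ours) is trustworthy; lower ones may be forged."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(hdr)
        hops.append((m.group(1) if m else None,
                     parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())))
    return hops, msg.get("Date")


# Constructed sample: arrives with one earlier Received line and a client-chosen Date.
SAMPLE = """Received: from mail.spamco.example ([10.1.2.3]) by relay.example.net with SMTP; Tue, 04 Mar 2003 10:00:00 +0000
Date: Mon, 01 Jan 1990 00:00:00 +0000
From: "Bill G." <someone@microsoft.com>
To: user@example.org
Subject: hi

body
"""

if __name__ == "__main__":
    env = Envelope("192.0.2.10", "mail.spamco.example", "<someone@microsoft.com>", ["user@example.org"])
    print(route(env))
    hops, date = trace(stamp_message(env, SAMPLE))
    print("Received chain:", hops)
    print("Client-supplied Date:", date)
```

Running it shows the microsoft.com sender rejected by the router before any DNS check, and `trace` returning two timestamps from two different clocks plus a third, unrelated Date that the client simply typed in; only the hop our own server stamped can be trusted to describe the actual connecting IP.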
