I would be grateful if somebody could clarify the following for me.
I originally had the following router blocks in place in an effort to block spam:
[EMAIL PROTECTED] = null
<[EMAIL PROTECTED]> = null
These are not right, and I'm not sure what exactly the combo will do. Angle brackets belong around complete addresses, so the second would at least make sense, but the first is meaningless as it says that any domain part matching '[EMAIL PROTECTED]' should route to null, and that is an impossible pattern for a domain part. You probably really want just this:
ucc.ie = null
IF in fact routing to null is what you really want. I think it is not.
The resulting log displayed the following:
06:18:04 4 SMTP-003([192.168.4.220]) Sending 220-ridgedale.co.uk Stalker Internet Mail Server V.1.8b9d14 is ready.\r\n220 ESMTP is spoken here. You are very welcome\r\n
06:18:04 5 SMTP-003([192.168.4.220]) OT 119 of 119 bytes sent, Flags=0
06:18:04 5 SMTP-003([192.168.4.220]) *Status=22
06:18:04 5 SMTP-003([192.168.4.220]) Received 20 bytes
06:18:04 4 SMTP-003([192.168.4.220]) Input Line: HELO 192.168.4.220\r
06:18:04 5 SMTP-003([192.168.4.220]) *Status=21
06:18:04 4 SMTP-003(192.168.4.220) Looking for 192.168.4.220
06:18:04 4 SMTP-003(192.168.4.220) Sending 250 ridgedale.co.uk is pleased to meet you\r\n
06:18:04 5 SMTP-003(192.168.4.220) OT 44 of 44 bytes sent, Flags=0
06:18:04 5 SMTP-003(192.168.4.220) *Status=22
06:18:04 5 SMTP-003(192.168.4.220) Received 6 bytes
06:18:04 4 SMTP-003(192.168.4.220) Input Line: RSET\r
06:18:04 4 SMTP-003(192.168.4.220) Sending 250 SMTP state reset\r\n
06:18:04 5 SMTP-003(192.168.4.220) OT 22 of 22 bytes sent, Flags=0
06:18:04 5 SMTP-003(192.168.4.220) *Status=22
06:18:05 5 SMTP-003(192.168.4.220) Received 34 bytes
06:18:05 4 SMTP-003(192.168.4.220) Input Line: MAIL FROM:<[EMAIL PROTECTED]>\r
06:18:05 5 SMTP-003(192.168.4.220) *Status=25
06:18:05 1 SMTP-003(192.168.4.220) Return-Path '<[EMAIL PROTECTED]>' rejected: routed to ERROR
06:18:05 4 SMTP-003(192.168.4.220) Sending 572 <[EMAIL PROTECTED]> address is blacklisted.\r\n
06:18:05 5 SMTP-003(192.168.4.220) OT 52 of 52 bytes sent, Flags=0
06:18:05 5 SMTP-003(192.168.4.220) *Status=24
06:18:06 5 SMTP-003(192.168.4.220) Received 6 bytes
06:18:06 4 SMTP-003(192.168.4.220) Input Line: RSET\r
06:18:06 5 SMTP-003(192.168.4.220) *Status=22
06:18:06 4 SMTP-003(192.168.4.220) Sending 250 SMTP state reset\r\n
06:18:06 5 SMTP-003(192.168.4.220) OT 22 of 22 bytes sent, Flags=0
06:18:06 5 SMTP-003(192.168.4.220) *Status=22
- the mail server appearing to respond to the spam mail and routing to ERROR!
Respond? SIMS never saw any spam because it sent back the 572 code instead of a 250 response. The sender properly gave up at that point and did not send the actual message.
I'm not clear on WHY SIMS saw that address as if it were routed to ERROR, but it did. Boosting the logging level for system actions might reveal something. When a sender address is routed to ERROR SIMS sends back a 572 after MAIL and will not accept any RCPT or DATA command for that transaction.
Having read through some of the threads in the mail list, I changed the router setting to the following:
[EMAIL PROTECTED] = null
<[EMAIL PROTECTED]> = null
<[EMAIL PROTECTED]> = null
The resulting log then displayed the following:
10:42:24 2 SYSTEM [S.0000013112] <[EMAIL PROTECTED]> 0+1 From:[EMAIL PROTECTED]
10:42:24 2 SYSTEM(POP) [S.0000013112] delivered to (spacemonkey)
10:42:24 5 SMTP-009(192.168.4.220) Received 34 bytes
10:42:24 4 SMTP-009(192.168.4.220) Input Line: MAIL FROM:<[EMAIL PROTECTED]>\r
10:42:24 5 SMTP-009(192.168.4.220) *Status=25
10:42:24 4 SMTP-009(192.168.4.220) Sending 250 <[EMAIL PROTECTED]> sender accepted\r\n
10:42:24 5 SMTP-009(192.168.4.220) OT 44 of 44 bytes sent, Flags=0
10:42:24 5 SMTP-009(192.168.4.220) *Status=23
10:42:25 5 SMTP-009(192.168.4.220) Received 36 bytes
10:42:25 4 SMTP-009(192.168.4.220) Input Line: RCPT TO:<[EMAIL PROTECTED]>\r
10:42:25 5 SMTP-009(192.168.4.220) *Status=33
10:42:25 2 SYSTEM [S.0000013112] deleted
10:42:25 4 SMTP-009(192.168.4.220) Sending 250 <[EMAIL PROTECTED]> recipient accepted\r\n
10:42:25 5 SMTP-009(192.168.4.220) OT 51 of 51 bytes sent, Flags=0
10:42:25 5 SMTP-009(192.168.4.220) *Status=23
10:42:25 5 SMTP-009(192.168.4.220) Received 6 bytes
10:42:25 4 SMTP-009(192.168.4.220) Input Line: DATA\r
10:42:25 4 SMTP-009(192.168.4.220) Sending 354 Enter mail, end with "." on a line by itself\r\n
10:42:25 5 SMTP-009(192.168.4.220) OT 50 of 50 bytes sent, Flags=0
10:42:25 5 SMTP-009(192.168.4.220) *Status=27
10:42:25 5 SMTP-009(192.168.4.220) Received 606 bytes
10:42:25 5 SMTP-009(192.168.4.220) Received 449 bytes
10:42:25 5 SMTP-009(192.168.4.220) Writing 1327 byte at 0
10:42:25 5 SMTP-009(192.168.4.220) *Status=28
10:42:25 2 SMTP-009(192.168.4.220) {S.0000013113} received, 1327 bytes
10:42:25 4 SMTP-009(192.168.4.220) Sending 250 S.0000013113 message accepted for delivery\r\n
10:42:25 5 SMTP-009(192.168.4.220) OT 48 of 48 bytes sent, Flags=0
10:42:25 5 SMTP-009(192.168.4.220) *Status=22
10:42:26 5 SMTP-009(192.168.4.220) Received 6 bytes
10:42:26 4 SMTP-009(192.168.4.220) Input Line: RSET\r
10:42:26 4 SMTP-009(192.168.4.220) Sending 250 SMTP state reset\r\n
10:42:26 5 SMTP-009(192.168.4.220) OT 22 of 22 bytes sent, Flags=0
10:42:26 5 SMTP-009(192.168.4.220) *Status=22
10:42:26 5 SMTP-009(192.168.4.220) Received 34 bytes
10:42:26 4 SMTP-009(192.168.4.220) Input Line: MAIL FROM:<[EMAIL PROTECTED]>\r
10:42:26 5 SMTP-009(192.168.4.220) *Status=25
10:42:26 4 SMTP-009(192.168.4.220) Sending 250 <[EMAIL PROTECTED]> sender accepted\r\n
10:42:26 5 SMTP-009(192.168.4.220) OT 44 of 44 bytes sent, Flags=0
10:42:26 5 SMTP-009(192.168.4.220) *Status=23
10:42:27 2 SYSTEM [S.0000013113] <[EMAIL PROTECTED]> 0+1 From:[EMAIL PROTECTED]
10:42:27 2 SYSTEM(POP) [S.0000013113] delivered to (spacemonkey)
10:42:27 5 SMTP-009(192.168.4.220) Received 36 bytes
10:42:27 4 SMTP-009(192.168.4.220) Input Line: RCPT TO:<[EMAIL PROTECTED]>\r
10:42:27 5 SMTP-009(192.168.4.220) *Status=33
10:42:27 2 SYSTEM [S.0000013113] deleted
The emails from [EMAIL PROTECTED] were then found to have arrived in the user mailbox! The SIMS server still appears to be responding to this spam! I understood that when routing to null the mail would be automatically deleted, and not delivered to the user! Or am I misinterpreting these logs?
No, but you are misinterpreting the way null routing is used.
When you route an address to null, mail aimed at that address will be accepted and dropped. There is no point in routing sender addresses to null because they are not aimed at the null address, they are from the null address, which is (necessarily) always a valid sender.
If you want to reject all mail from sender addresses in the ucc.ie domain, then all you need is this:
ucc.ie = ERROR
Routing to null serves no purpose in stopping unwanted inbound mail.

--
Bill Cole [EMAIL PROTECTED]
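The two outcomes discussed in this thread (a 572 at MAIL FROM when the sender routes to ERROR, versus a 250 after DATA when it does not) can be told apart mechanically. The following is an added example, not part of the original message or of SIMS: a small Python parser for log lines in the format quoted above that reports how each transaction ended. The sample lines and the addresses in them are constructed placeholders, and `summarize` and `SAMPLE_LOG` are names introduced here.

```python
import re

# Constructed sample in the SIMS log format quoted in the thread; the
# addresses are placeholders, not values from the original message.
SAMPLE_LOG = r"""
06:18:05 4 SMTP-003(192.168.4.220) Input Line: MAIL FROM:<sender@blocked.example>\r
06:18:05 4 SMTP-003(192.168.4.220) Sending 572 <sender@blocked.example> address is blacklisted.\r\n
06:18:06 4 SMTP-003(192.168.4.220) Input Line: RSET\r
10:42:24 4 SMTP-009(192.168.4.220) Input Line: MAIL FROM:<sender@blocked.example>\r
10:42:24 4 SMTP-009(192.168.4.220) Sending 250 <sender@blocked.example> sender accepted\r\n
10:42:25 4 SMTP-009(192.168.4.220) Input Line: RCPT TO:<user@local.example>\r
10:42:25 4 SMTP-009(192.168.4.220) Sending 250 <user@local.example> recipient accepted\r\n
10:42:25 4 SMTP-009(192.168.4.220) Input Line: DATA\r
10:42:25 4 SMTP-009(192.168.4.220) Sending 354 Enter mail, end with "." on a line by itself\r\n
10:42:25 4 SMTP-009(192.168.4.220) Sending 250 S.0000013113 message accepted for delivery\r\n
"""

LINE = re.compile(r"^(\S+) \d (SMTP-\d+)\(\[?[\d.]+\]?\) (Input Line: |Sending )(.*)$")

def summarize(log_text):
    """Return one record per MAIL FROM transaction with its final outcome."""
    current, results = {}, []          # current: session id -> open transaction
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                   # status and byte-count lines carry no dialogue
        time, session, kind, rest = m.groups()
        tx = current.get(session)
        if kind.startswith("Input"):
            verb = rest.upper()
            if verb.startswith("MAIL FROM:"):
                sender = rest[10:].strip().lstrip("<").split(">")[0]
                tx = {"time": time, "session": session, "sender": sender,
                      "stage": "MAIL", "outcome": "incomplete", "code": None}
                current[session] = tx
                results.append(tx)
            elif tx and verb.startswith(("RCPT TO:", "DATA")):
                tx["stage"] = verb[:4]  # remember which command the next reply answers
            elif verb.startswith("RSET"):
                current.pop(session, None)
        elif tx and rest[:3].isdigit():
            code = int(rest[:3])
            if code >= 400:            # e.g. the 572 sent when the sender routes to ERROR
                tx["outcome"], tx["code"] = "rejected at " + tx["stage"], code
                current.pop(session, None)
            elif tx["stage"] == "DATA" and code == 250:
                tx["outcome"], tx["code"] = "message accepted", code
                current.pop(session, None)
    return results
```

Run over a real log, a record with outcome `rejected at MAIL` means no message body was ever transferred, while `message accepted` means the server took delivery of it.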
