Jeff Chan wrote:
> On Tuesday, July 20, 2004, 12:19:47 PM, Scot Harris wrote:
> > With such a setup would it become possible for a black hat to fake
> > a particular MTA's address, send lots of spam to a target site,
> > and have the target site block that MTA's address? Kind of a DoS
> > attack using your own tools.
>
> Yes.
Er, well, sort of. It would be a DoS only if your local tools very carefully ignored the information provided by the MTA about the connecting IP on each message.

For instance, I could set up my personal server to reject the connection if someone tries to HELO as my domain or my IP. I haven't felt inspired to do this, nor go any further, but it would be absolutely TRIVIAL for me to take note of that IP and firewall them, either immediately or after some set number of tries.

The same applies to any local header analysis I might do: I *KNOW* all the possible paths mail might take within my own systems, and I can't absolutely trust any headers not generated by outside systems. Presumably your MTA will be able to get the remote system's IP, and if that mail server has been spewing spam at you, you have good reason to block it. I've done this on occasion when a certain remote system was generating a significant volume of the unwanted mail entering my system.

Most of the greylisting implementations could probably be modified to handle this for spam that *does* get tagged by SA; any untagged spam still MUST be handled manually at some stage (even if it's just moving the message to a shared IMAP spam folder). From there, most mail administrators would be able to hack up a Perl/shell/[scripting-language-of-choice] script to parse headers and block IPs.

If the black hats can spoof someone else's IP coming in to your network, you have far bigger problems than too much incoming spam.

-kgd
--
Get your mouse off of there! You don't know where that email has been!
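A worked version of the header-parsing script kgd sketches above, added here as an example and not code from the original thread. It walks the Received headers from the top and trusts only the hops recorded by our own relays (the hostnames mx.example.net and mail.example.net and the addresses in OUR_IPS are assumptions for the example), takes the first outside address as the connecting MTA and ignores everything below that boundary, counts SpamAssassin-tagged messages (X-Spam-Flag: YES) per connecting IP, flags immediately any client that HELOs as our domain or our IP, and emits iptables rules once a threshold is crossed. The messages it runs over are constructed samples.

```python
"""Block spamming MTAs by the connecting IP that our own MTA recorded in Received headers.

Example code (not from the original thread). Relay names, addresses and the
sample messages below are assumptions constructed for the demonstration.
"""
import re
from collections import Counter
from email import message_from_string

# Hosts whose Received headers we generated ourselves and therefore trust.
OUR_RELAYS = {"mx.example.net", "mail.example.net"}   # assumed
OUR_DOMAIN = "example.net"                             # assumed
OUR_IPS = {"203.0.113.10", "10.0.0.5"}                 # assumed

# "from <helo> (<rdns> [<ip>]) by <host>" as sendmail/postfix write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\([^)]*?\[(?P<ip>[0-9.]+)\][^)]*\))?\s*by\s+(?P<by>[\w.-]+)",
    re.IGNORECASE | re.DOTALL,
)


def connecting_ip(raw):
    """Return (ip, helo) of the first hop outside our systems, or None.

    Received headers are newest-first, so the ones on top were written by us.
    We stop at the first header not written by one of OUR_RELAYS: anything
    below that was supplied by outside systems and cannot be trusted.
    """
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m or m.group("by").lower() not in OUR_RELAYS:
            break                      # past our own boundary; stop trusting
        ip = m.group("ip")
        if ip and ip not in OUR_IPS:
            return ip, m.group("helo")  # first hop that came from outside
    return None


def helo_spoofs_us(helo):
    """True if the client claimed to be our domain or one of our addresses."""
    name = helo.lower().rstrip(".").strip("[]")
    return name == OUR_DOMAIN or name.endswith("." + OUR_DOMAIN) or name in OUR_IPS


def is_tagged_spam(raw):
    """SpamAssassin marks messages it tagged with X-Spam-Flag: YES."""
    return message_from_string(raw).get("X-Spam-Flag", "").strip().upper() == "YES"


def spam_sources(messages, threshold):
    """Return (sorted IPs to block, per-IP spam counts)."""
    counts = Counter()
    immediate = set()
    for raw in messages:
        hop = connecting_ip(raw)
        if hop is None:
            continue
        ip, helo = hop
        if helo_spoofs_us(helo):
            immediate.add(ip)          # block on the first attempt
        if is_tagged_spam(raw):
            counts[ip] += 1
    blocked = immediate | {ip for ip, n in counts.items() if n >= threshold}
    return sorted(blocked), counts


def firewall_rules(ips):
    """One iptables rule per offending MTA, dropping its SMTP connections."""
    return [f"iptables -I INPUT -p tcp --dport 25 -s {ip} -j DROP" for ip in ips]


def make_message(src_ip, helo, spam_flag, forged_hop=""):
    """Constructed sample message as it would sit in the spam folder after SA ran."""
    headers = [
        "Received: from mx.example.net (mx.example.net [203.0.113.10]) by mail.example.net"
        " with ESMTP id 1; Tue, 20 Jul 2004 12:30:00 -0700",
        f"Received: from {helo} (unknown [{src_ip}]) by mx.example.net"
        " with ESMTP id 2; Tue, 20 Jul 2004 12:29:58 -0700",
    ]
    if forged_hop:   # a header the spammer forged to frame someone else
        headers.append(f"Received: from {forged_hop} ([192.0.2.44]) by {helo} with SMTP;"
                       " Tue, 20 Jul 2004 12:29:00 -0700")
    headers += [f"X-Spam-Flag: {spam_flag}", "From: someone@somewhere.example",
                "Subject: hello", "", "body"]
    return "\n".join(headers) + "\n"


def sample_messages():
    """Constructed corpus: a repeat offender, a HELO spoofer, a friend, a one-off."""
    return [
        make_message("198.51.100.7", "spammer.example", "YES", forged_hop="innocent.example"),
        make_message("198.51.100.7", "spammer.example", "YES"),
        make_message("198.51.100.7", "spammer.example", "YES"),
        make_message("198.51.100.99", "example.net", "NO"),     # HELOs as our domain
        make_message("192.0.2.44", "mail.friend.example", "NO"),
        make_message("198.51.100.50", "other.example", "YES"),  # single hit, under threshold
    ]


if __name__ == "__main__":
    ips, counts = spam_sources(sample_messages(), threshold=3)
    print(counts)
    for rule in firewall_rules(ips):
        print(rule)
```

The forged Received header in the first sample names 192.0.2.44, but it sits below the hop our own MX recorded, so it is never consulted; only the address our MTA saw on the wire gets counted or blocked, which is the point kgd makes about knowing your own mail paths.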