On Wed, 2004-12-01 at 09:05, Jason Philbrook wrote:
> On Wed, Dec 01, 2004 at 08:54:00AM -0800, John Hardin wrote:
> > However, this sounds like it might be useful in Spamassassin: attempt to
> > contact the sender on port 25, and add a little to the spamminess score
> > if the connection is refused or times out.
>
> There's no rule saying the sending computer has to be the one that
> receives replies for the mail sent too. You can have mx records setup to
> receive things sent from various machines. Think of the common virtual
> domain where the hosting company may receive mail on it and mail is sent
> from some other machine.

Yeah, I'm aware of that. That's why I only suggested a small additional
score for that test.

> Verizon does some port 25 call-back stuff like this and it's horrid.
> Their support doesn't even understand it.
>
> Paul's original idea has more merit, but home firewalls and firewall
> software may prevent that from being effective.

Well, balance four or five TCP connection attempts per message (25, and
the popular worm backdoor ports) against several dozen plus the overhead
of interpreting the results to identify the sender OS...

Perhaps if those tests were only performed if the IP address matched a
(configurable list of) DNSBL(s), so that you'd only try fingerprinting
if (for instance) the client was in a Comcast netblock?

--
John Hardin
Internal Systems Administrator (Seattle)
CRS Retail Systems, Inc.
3400 188th Street SW, Suite 185
Lynnwood, WA 98037
voice: (425) 672-1304
fax: (425) 672-0192
email: [EMAIL PROTECTED]
web: http://www.crsretail.com
-----------------------------------------------------------------------
If you smash a computer to bits with a mallet, that appears to count as
encryption in the state of Nevada. - CRYPTO-GRAM 12/2001
-----------------------------------------------------------------------
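
The DNSBL-gated port-25 callback proposed in the message above, sketched as an added example; it is not part of the original message and not SpamAssassin code. The zone name, score weight, timeout and all function names are assumptions, and the `resolve`/`connect` parameters exist only so the logic can be exercised without network access.

```python
import ipaddress
import socket

# Assumed values, not from the thread.
DNSBL_ZONES = ["dnsbl.example.org"]  # placeholder zone for residential netblocks
CALLBACK_SCORE = 0.5                 # deliberately small, per the proposal
TIMEOUT = 5.0                        # seconds before a probe counts as timed out


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_in_dnsbl(ip, zones, resolve):
    """True if any configured zone returns an A record for the client IP."""
    for zone in zones:
        try:
            resolve(dnsbl_query_name(ip, zone))
            return True
        except OSError:   # NXDOMAIN or resolver failure: treat as not listed
            continue
    return False


def port_open(ip, port, connect):
    """One TCP connection attempt; refused or timed out counts as closed."""
    try:
        connect((ip, port), TIMEOUT).close()
        return True
    except OSError:       # covers ConnectionRefusedError and timeouts
        return False


def callback_score(ip, zones=DNSBL_ZONES,
                   resolve=socket.gethostbyname,
                   connect=socket.create_connection):
    """Score to add for a connecting client IP.

    The probe runs only when the client is DNSBL-listed, so unlisted
    senders cost one DNS lookup and no outbound TCP connection.
    """
    if not listed_in_dnsbl(ip, zones, resolve):
        return 0.0
    return 0.0 if port_open(ip, 25, connect) else CALLBACK_SCORE
```

Because a legitimate sending host need not accept mail itself, the result is only a small additive score and never a reject decision on its own.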