Thanks. I think I've figured it out, but here's an explanation:

While I was writing a pre-data filter to ban the folks who were populating 
client domain with "friend", I noticed the ones claiming to be from 
mail.networkoftheapes.net, my own server. This led me to wonder whether the 
client domain was generated by XMail or the sender. After more Googling, 
testing and looking at logs, I realized the sender was giving client domain 
its value.

I now have a little code that will look for my server as the client domain 
and check it against valid domains that could be sending from my server. 
Here's a filtered event from my SMTP log:

"networkoftheapes.net"  "networkoftheapes.net"  "210.213.227.124"       "2006-04-23 00:06:18"   "mail.networkoftheapes.net"     "networkoftheapes.net"  "[EMAIL PROTECTED]"       "[EMAIL PROTECTED]"     "S1A663"        "DATA=EFILTER"  ""      "0"     ""

Some user ([EMAIL PROTECTED]) is trying to claim 
mail.networkoftheapes.net as its client domain. Since I know they can't 
be, I exit with a 19 failing the message and stopping filter processing. I 
also give them a "550" invalid user formatted message with the .rej file. 
So far, it's blocked a bunch of these and all seem to be from junk hotmail 
addresses. One of my spam honeypot accounts dropped its mail load per hour 
by about half with this and 'friend' filtered out.

I suspect that some widely used spam software out there just mimics the mail 
server's domain and supplies a randomly generated hotmail address for the 
from field.  I sent some mail from a valid hotmail account and it reported 
"hotmail.com" as the client domain, so I think the false-positive count 
will be nil.

The filter code blocks this and the previously mentioned 'friend' entries and 
writes a log file of its actions. I wrote it in PHP of all things. If 
anyone is interested, I can post the code and a quick readme.

Bryn
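The check Bryn describes, written out as an added example (this is not his PHP filter, which is not on the page): it parses records in the layout of the log line quoted above and applies both rules, the 'friend' ban and the "client domain claims my own server but the sender isn't local" test, returning the exit code 19 the post uses. Assumptions, since the post does not state them: the column positions (5th = client domain, 7th/8th = sender/recipient, 9th = message id), the set of local sender domains, and the wording of the 550 text; the sample records and addresses are constructed.

```python
import csv

# Constructed sample records in the layout of the log line quoted in the post
# (tab-separated, double-quoted fields). Line 1 mirrors the posted event with
# made-up addresses; lines 2 and 3 are invented for contrast.
SAMPLE_LINES = [
    '"networkoftheapes.net"\t"networkoftheapes.net"\t"210.213.227.124"\t'
    '"2006-04-23 00:06:18"\t"mail.networkoftheapes.net"\t"networkoftheapes.net"\t'
    '"xq8k2@hotmail.com"\t"bryn@networkoftheapes.net"\t"S1A663"\t"DATA=EFILTER"\t""\t"0"\t""',
    '"networkoftheapes.net"\t"networkoftheapes.net"\t"192.0.2.10"\t'
    '"2006-04-23 00:07:02"\t"friend"\t"networkoftheapes.net"\t'
    '"zz91@hotmail.com"\t"bryn@networkoftheapes.net"\t"S1A664"\t"DATA=EFILTER"\t""\t"0"\t""',
    '"networkoftheapes.net"\t"networkoftheapes.net"\t"192.0.2.20"\t'
    '"2006-04-23 00:08:44"\t"hotmail.com"\t"networkoftheapes.net"\t'
    '"alice@hotmail.com"\t"bryn@networkoftheapes.net"\t"S1A665"\t"DATA=EFILTER"\t""\t"0"\t""',
]

MY_SERVER = "mail.networkoftheapes.net"    # what the spoofed messages put in the client domain
LOCAL_DOMAINS = {"networkoftheapes.net"}   # assumed: sender domains allowed to claim MY_SERVER
BANNED_CLIENT_DOMAINS = {"friend"}         # the earlier 'friend' filter
REJECT = 19   # exit code from the post: fail the message and stop filter processing
ACCEPT = 0

def parse_record(line):
    """Split one quoted, tab-separated log record. Column positions are an
    assumption read off the sample line: 5th = client domain, 7th = sender,
    8th = recipient, 9th = message id."""
    f = next(csv.reader([line], delimiter="\t"))
    return {"ip": f[2], "client_domain": f[4], "sender": f[6], "rcpt": f[7], "msgid": f[8]}

def check_record(rec):
    """Return (exit_code, reason) for one parsed record."""
    cd = rec["client_domain"].lower()
    sender_domain = rec["sender"].rpartition("@")[2].lower()
    if cd in BANNED_CLIENT_DOMAINS:
        return REJECT, "banned client domain %r" % cd
    if cd == MY_SERVER and sender_domain not in LOCAL_DOMAINS:
        return REJECT, "client domain claims %s but sender is @%s" % (MY_SERVER, sender_domain)
    return ACCEPT, "ok"

def rejection_reply(reason):
    """Text to hand back for the .rej file; the 550 wording is an assumption."""
    return "550 Message rejected: " + reason

def filter_log(lines):
    """Run the check over log lines; return one (msgid, exit_code, reason) per record."""
    results = []
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            code, reason = check_record(rec)
            results.append((rec["msgid"], code, reason))
    return results

if __name__ == "__main__":
    for msgid, code, reason in filter_log(SAMPLE_LINES):
        print(msgid, code, rejection_reply(reason) if code else reason)
```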

----- Original Message -----
From: Sönke_Ruempler <[EMAIL PROTECTED]>
To: [email protected]
Date: Sun, 23 Apr 2006 11:56:08 +0200
Subject: [xmail] Re: "friend" client domain

> 
> On 23.04.2006 03:31, postmaster - networkoftheapes.net wrote:
> 
> > Now that I've made my filter, I have a question: How is the client domain 
> > generated? Is it something reported by the sending client software? For 
> > example, most entries in my SMTP logs from "@hotmail.com" report my 
> > server (mail.networkoftheapes.net) in the client domain field. Should it be 
> > doing this?
> 
> All SMTP envelope headers are fakable - and so the only information you
> can trust is the sender IP address.
> 
> Maybe you want to send us sample headers and messages so we can discuss
> specific questions. :)
-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
