From owner-freebsd-current Thu Jul 24 16:25:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA01227 for current-outgoing; Thu, 24 Jul 1997 16:25:35 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.50]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id QAA01218 for ; Thu, 24 Jul 1997 16:25:28 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id QAA18495; Thu, 24 Jul 1997 16:21:00 -0700
From: Terry Lambert
Message-Id: <199707242321.QAA18495@phaeton.artisoft.com>
Subject: Re: (over)zealous mail bouncing
To: jas@flyingfox.com (Jim Shankland)
Date: Thu, 24 Jul 1997 16:21:00 -0700 (MST)
Cc: Anthony.Kimball@East.Sun.COM, terry@lambert.org, current@FreeBSD.ORG
In-Reply-To: <199707242238.PAA14165@biggusdiskus.flyingfox.com> from "Jim Shankland" at Jul 24, 97 03:38:46 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > I have to warn you that several mail server products of which I'm
> > aware actually verify via getpeername/gethostbyaddr (RARP), and
> > will reject your host anyway.
>
> RARP? Or was that just a belch in mid-sentence :-)?

Reverse Address Resolution Protocol.

When someone connects to me, I can always get the IP address they are
connecting from. Using RARP, I can turn the address into a machine name,
and compare it with what you tell me on the "HELO" and "MAIL FROM:" lines.

The newest spammer hack for this is "configure your DNS to lie, too".
The good thing about this particular hack is that hacking your DNS this
way is prosecutable under interstate wire fraud statutes.

You can also get the name, and look it up again to see if you get the
same address. This screws up the ability to use DNS rotors on heavily
loaded mail servers, though, so it's a pain.

A partial fix is to ensure that the servers are in the same address
group, and apply the appropriate subnet mask before comparing them.
This has the unfortunate side effect of not letting you put the servers
at different sites. To combat that, you need to designate very low
priority mail exchangers in the net, and compare the machine net with
the mail exchanger listings (after masking the address).

Alternately, your machine must have an MX record in DNS per IP alias or
address from which it might originate traffic (or prefer a particular
IP alias or source address).

Given all these contortions in combination, you have an effective
anti-SPAM net, where it's possible to block access by particular source
hosts without interrupting normal, desirable communications.

This assumes that the DNS for a machine originating a mail connection
is reachable -- an easy thing to ensure if each originating ("smarter")
host is itself a secondary.

Ideally, SPAM would be covered under "Junk FAX" laws, and none of this
would be necessary because it would be uneconomical to send it to anyone
who didn't want it.

> Seems like it would be nice for those implementing such a policy to
> allow chopping of subdomain prefixes; e.g., if getpeername/gethostbyaddr
> return foo.bar.acme.com, and the envelope sender is joebob@acme.com,
> then it's OK. Or is that too loose?

That's too loose, for a large number of reasons. The primary one is the
program "mailbomber" sold by Cyber Promotions, Inc.

And actually, since Jordan brought up the idea of anti-SPAMming the
lists, it's not very off topic at all.

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
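The verification scheme the message lays out, as an added Python example that is not code from the original post nor from any FreeBSD or sendmail component: the getpeername/gethostbyaddr step (reverse lookup of the peer's address), the re-resolution of that name to confirm it points back at the same address, and then the two relaxations the message proposes, comparing after a subnet mask and comparing the masked peer address against the MX hosts of the envelope sender's domain. All DNS records are a constructed in-memory snapshot of hypothetical names in documentation address ranges, so it runs offline; the /24 prefix length, the helper names and the accept/reject policy are assumptions made for the example.

```python
"""Forward-confirmed reverse DNS plus the subnet-mask and MX relaxations.

Every DNS record below is a constructed, offline snapshot using documentation
address ranges and hypothetical host names; nothing here refers to a real host.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed PTR (reverse) records: address -> host name.
PTR: Dict[str, str] = {
    "192.0.2.10": "mail1.example.net",
    "192.0.2.11": "mail2.example.net",
    "198.51.100.7": "mx.other.example",
    "203.0.113.9": "liar.spammer.example",   # PTR claims one name ...
}

# Constructed A (forward) records: host name -> addresses.
A: Dict[str, List[str]] = {
    "mail1.example.net": ["192.0.2.10"],
    "mail2.example.net": ["192.0.2.11"],
    "mx-backup.example.net": ["192.0.2.250"],
    "mx.other.example": ["198.51.100.7"],
    "liar.spammer.example": ["203.0.113.200"],  # ... but resolves elsewhere
}

# Constructed MX records: domain -> exchangers (low-priority ones included).
MX: Dict[str, List[str]] = {
    "example.net": ["mail1.example.net", "mx-backup.example.net"],
    "other.example": ["mx.other.example"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for gethostbyaddr(): the PTR name for an address, if any."""
    return PTR.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Stand-in for gethostbyname(): every address a name resolves to."""
    return A.get(name, [])


def fcrdns(ip: str) -> Tuple[bool, str]:
    """Strict check: the PTR name must resolve back to the connecting address."""
    name = reverse_lookup(ip)
    if name is None:
        return False, "no PTR record"
    if ip in forward_lookup(name):
        return True, name
    return False, f"PTR {name} does not resolve back to {ip}"


def in_same_subnet(ip: str, addrs: List[str], prefix: int) -> bool:
    """Relaxation 1: compare after applying a subnet mask (assumed /24 below)."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return any(ipaddress.ip_address(a) in net for a in addrs)


def mx_covers(domain: str, ip: str, prefix: int) -> bool:
    """Relaxation 2: some MX of the domain, after masking, covers the peer address."""
    return any(in_same_subnet(ip, forward_lookup(mx), prefix)
               for mx in MX.get(domain, []))


def check_helo(ip: str, helo: str, prefix: int = 24) -> Tuple[bool, str]:
    """Accept HELO when FCrDNS passes and the name matches exactly or by subnet."""
    ok, info = fcrdns(ip)
    if not ok:
        return False, info
    if info == helo:
        return True, "helo matches PTR"
    if in_same_subnet(ip, forward_lookup(helo), prefix):
        return True, "helo resolves into the peer's subnet"
    return False, f"helo {helo} unrelated to {ip}"


def check_mail_from(ip: str, mail_from: str, prefix: int = 24) -> Tuple[bool, str]:
    """The envelope sender's domain must list an MX near the connecting address."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if mx_covers(domain, ip, prefix):
        return True, f"{domain} has an MX covering {ip}/{prefix}"
    return False, f"no MX of {domain} covers {ip}/{prefix}"


def evaluate(ip: str, helo: str, mail_from: str,
             prefix: int = 24) -> Tuple[bool, List[str]]:
    """Combine the checks; every step must pass for the connection to be accepted."""
    reasons: List[str] = []
    accepted = True
    for ok, why in (check_helo(ip, helo, prefix),
                    check_mail_from(ip, mail_from, prefix)):
        reasons.append(why)
        accepted = accepted and ok
    return accepted, reasons


if __name__ == "__main__":
    for peer in (("192.0.2.11", "mail2.example.net", "joe@example.net"),
                 ("203.0.113.9", "liar.spammer.example", "joe@example.net")):
        print(peer, evaluate(*peer))
```

The strict `fcrdns` check is what breaks DNS round-robin setups, exactly as the message warns: a PTR that names one host of a pool will not confirm for the other pool members. The `/24` mask in `in_same_subnet` and the MX comparison in `mx_covers` are the two relaxations that let a legitimate multi-host site pass while a peer whose PTR and A records disagree is still rejected.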