Dealing with spam

Stoic Joker:
Yes, I guess that if this was very widespread, spammers might implement more of the SMTP protocol and do proper re-send attempts. But it would probably stop the "dictionary" sends (i.e., it tries a crapload of [email protected] and not just web-harvested addresses). Doing things "proper" would make it a lot slower for them to send out their mail, so they'd have to be hard-pressed to do it.-f0dder (January 06, 2008, 07:46 PM)
--- End quote ---

You're only taking into account half of the problem (the trojan-infected client machine). Hackers don't send spam, marketing companies that want you to buy something do. Remember the TV ads "Make thousands with your home computer" ...really? Doing what? This is precisely how The Bat! (mass) Email client got blacklisted by many spam filters.

All Email servers must accept mail from any server that is destined for their domain to work (the fact that the destination address is internal is the authentication). The (Open Relay) problem stems from servers that will accept (and pass on) mail that is destined for a different domain, without requiring (user/pass) authentication. Those are the ones that are causing the other half of the problem.

The obvious fix is of course to ban all SMTP servers that don't require authentication to send, to be very careful about relaying (if I contact the SMTP server at your.domain and say I have a mail for [email protected] , your.domain should NOT accept the mail[1]). But it would require an internet-wide effort to do that, so it's not going to happen.
--- End quote ---

The fact that most small companies can't afford a properly trained Admin is the driving force behind blacklisting ISPs' dynamic address ranges, and the many other DNS-based blacklists used by server-side spam filters. Every IT newsletter I've seen has been hammering on "Don't let your Email server be (or get turned into) an open relay" for the past few years.

In general, imho "client machines" shouldn't make SMTP connections to whatever.domain to deliver mail, they should go through a mailprovider with a trusted.recognized.domain and relay mail through there - all other hosts could then be denied for incoming mail. But this would mean a lot of administrative mess in keeping up with who's big and trusted and recognized, and would also require a helluvalot of servers to be reconfigured. Not going to happen.
--- End quote ---

Therein lies the problem ... It's not going to happen quickly. But it needs to happen. If just one guy at each company would get up off their ass and check their one server it would help.

[1]: an exception is of course ISPs and other mail providers, but with authentication in place they won't work as open relays, which is what's dangerous.
--- End quote ---

Any client machine has to log on to the server to send mail, it's part of the basic client configuration. The exception is some of the companies that use (their) IP address ranges as the criterion for send authentication instead of u/p. Earthlink is one example: you can send mail through mail.earthlink.net without a u/p from anywhere inside their network. If you're outside their network (laptop at a web café) the mail will be refused.

Even with everything in place and running full tilt, it still only takes one idiot using a blank, simple, or default password to send the whole thing down the drain.
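The relay rules Stoic Joker lays out (accept anything for your own domain, relay only for an authenticated client or one inside a trusted address range, refuse everything else) as an added Python illustration; this is not code from the thread or from any real MTA, and the domain, network and addresses are constructed sample values.

```python
"""Relay decision for a single RCPT TO, modelled on the rules in this thread.

Added illustration, not the code of any real MTA.  The domain, the
trusted network and the addresses are constructed sample values.
"""
import ipaddress

LOCAL_DOMAINS = {"your.domain"}                         # we are the final destination
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # e.g. an ISP's own customer range


def relay_decision(client_ip: str, authenticated: bool, rcpt: str) -> tuple:
    """Return (SMTP code, text) for a RCPT TO command.

    Mail for one of our own domains is always accepted: the internal
    destination address is the 'authentication'.  Mail for any other
    domain is relaying, which needs a user/pass login or a client inside
    a trusted network (the Earthlink-style rule).  Anything else is what
    would make this server an open relay, so it is refused.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return 250, "2.1.5 Ok"
    if authenticated:
        return 250, "2.1.5 Ok (authenticated relay)"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return 250, "2.1.5 Ok (trusted network relay)"
    return 554, "5.7.1 Relay access denied"


def open_relay_self_test() -> bool:
    """True if an anonymous outside client could relay through us (bad).

    This is the one probe every admin in the thread is being told to run
    against their own server: unauthenticated, from outside, to a foreign
    recipient.  203.0.113.0/24 is a documentation range, i.e. 'outside'.
    """
    code, _ = relay_decision("203.0.113.9", False, "someone@elsewhere.example")
    return code == 250


if __name__ == "__main__":
    print(relay_decision("203.0.113.9", False, "bob@your.domain"))       # (250, ...): local
    print(relay_decision("203.0.113.9", False, "x@elsewhere.example"))   # (554, ...): relay
    print("open relay:", open_relay_self_test())                          # False
```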

Carol Haynes:
How would you stop people setting up their own SMTP server (it is easy enough on Windows and Linux to do that)?

The first time we see an IP address/sender/recipient triple, and the sender/server meets one of the criteria for Greylisting
--- End quote ---

What about dynamic IPs which almost all ISPs use. If I send emails out I can pretty much guarantee my "IP address/sender/recipient triple" will change on at least a daily basis (if not every time I reboot my system or my ISP decides to refresh my IP).

Stoic Joker:
How would you stop people setting up their own SMTP server (it is easy enough on Windows and Linux to do that)?

The first time we see an IP address/sender/recipient triple, and the sender/server meets one of the criteria for Greylisting
--- End quote ---

What about dynamic IPs which almost all ISPs use. If I send emails out I can pretty much guarantee my "IP address/sender/recipient triple" will change on at least a daily basis (if not every time I reboot my system or my ISP decides to refresh my IP).
-Carol Haynes (January 07, 2008, 02:45 AM)
--- End quote ---

I wouldn't stop people from setting up their own Email server. However I would set it up for them so it's done correctly...that's just part of what I do for a living.

If you're trying to run a mail server from a dynamic IP you're basically SOL because you'll be identified by most (if not all) spam software as part of the problem children. SPF, Reverse DNS, and MX record validation are just some of the many tests you will fail.

Options are: get a static IP, it's usually only $5 a month, and/or forward (relay...) your outbound mail through a SmartHost, which is usually your ISP's mail server, so it can validate you for you.

You'll also need to make sure your IP isn't blacklisted coming outa the gate. www.DNSStuff.com has been quite handy for me in the past for resolving mail flow issues.

It's not that it's impossible to set up a proper mail server for yourself, it's just that it's not as simple as click here and follow the prompts. There's a good bit of responsibility involved in making sure you don't become part of the problem.
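The triple-based greylisting Carol asks about, and the dynamic-IP objection to it, as an added Python illustration (not code from the thread or from any real greylister): a legitimate MTA that retries after a temporary failure gets through, a fire-and-forget bot never does, and keying on the client's /24 rather than the exact address means a sender whose ISP moves them within the same block is not greylisted again. The timing constants and addresses are constructed sample values.

```python
"""Greylisting keyed on (client /24, sender, recipient).
Added illustration of the triple-based greylisting debated above; not any real
greylister's code.  Timing constants and addresses are constructed sample values.
"""
import ipaddress

DELAY = 300                 # a new triple must wait this long before a retry is accepted
RETRY_WINDOW = 4 * 3600     # how long a pending (temp-failed) triple is remembered
PASS_TTL = 35 * 24 * 3600   # how long a triple that retried correctly stays whitelisted


class Greylist:
    def __init__(self):
        self.first_seen = {}   # key -> time of first attempt
        self.passed = {}       # key -> whitelist expiry time

    @staticmethod
    def key(client_ip, sender, rcpt):
        # Key on the /24, not the exact address, so a sender whose ISP hands out a
        # new address in the same block is not greylisted afresh on every change.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP code to give at RCPT TO: 450 (try later) or 250."""
        k = self.key(client_ip, sender, rcpt)
        exp = self.passed.get(k)
        if exp is not None and now < exp:
            self.passed[k] = now + PASS_TTL          # known-good: refresh and accept
            return 250
        t0 = self.first_seen.get(k)
        if t0 is None or now - t0 > RETRY_WINDOW:
            self.first_seen[k] = now                 # never seen: temp-fail it
            return 450
        if now - t0 < DELAY:
            return 450                               # retried too eagerly
        del self.first_seen[k]
        self.passed[k] = now + PASS_TTL              # a real MTA queues and retries
        return 250


def scenario():
    """Legitimate MTA vs fire-and-forget bot; returns the four reply codes."""
    g = Greylist()
    first = g.check("198.51.100.10", "alice@example.net", "bob@your.domain", 0)
    retry = g.check("198.51.100.10", "alice@example.net", "bob@your.domain", 900)
    moved = g.check("198.51.100.77", "alice@example.net", "bob@your.domain", 1000)
    bot = g.check("203.0.113.5", "x@spam.example", "bob@your.domain", 0)
    return first, retry, moved, bot   # (450, 250, 250, 450)
```

The cost to a legitimate sender is one delivery delay per new triple, never a lost message; the bot's mail is never queued, so it never arrives.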

f0dder:
Imho if you set up your own SMTP server (unless you mean serious business), it should only be for incoming mails, not for sending outgoing - use your ISP or "something big & well-known" for sending.

Problem is even with a static IP, unless you pay for what some ISPs in Denmark call a "global IP", you won't always have control of the IP's reverse-DNS... people & software get suspicious when my.serious.biz resolves to 1.3.3.7, but 1.3.3.7 reverse-dns is something like 0x12345678.slnxx7.adsl-dhcp.tele.dk instead of my.serious.biz.

tinjaw:
my.serious.biz resolves to 1.3.3.7, but 1.3.3.7 reverse-dns is something like 0x12345678.slnxx7.adsl-dhcp.tele.dk instead of my.serious.biz.-f0dder (January 07, 2008, 06:30 PM)
--- End quote ---

At least with all of the ISPs that I have dealt with here in the US, if I have a static IP address, they will set the reverse lookup to whatever I ask them to.
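The reverse-DNS suspicion f0dder describes, as an added Python illustration of the forward-confirmed reverse DNS (FCrDNS) check a receiving server performs; this is not code from the thread. The resolver is a constructed in-memory table (reusing f0dder's 1.3.3.7 / my.serious.biz / tele.dk example values plus documentation addresses) so it runs offline; a real check would issue PTR and A queries instead.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a connecting mail server.

Added illustration of the reverse-DNS problem f0dder raises; not code from the
thread.  The resolver is a constructed in-memory table so the example runs
offline; a real check would issue A and PTR queries instead.
"""

# Constructed sample records.  1.3.3.7, my.serious.biz and the ISP-style PTR
# name are the values f0dder used above; the rest are documentation addresses.
FORWARD = {                                          # hostname -> set of A records
    "my.serious.biz": {"1.3.3.7"},
    "0x12345678.slnxx7.adsl-dhcp.tele.dk": {"1.3.3.7"},
    "mail.good.example": {"198.51.100.25"},
}
REVERSE = {                                          # ip -> PTR name
    "1.3.3.7": "0x12345678.slnxx7.adsl-dhcp.tele.dk",
    "198.51.100.25": "mail.good.example",
    "203.0.113.9": "mail.good.example",              # PTR claiming someone else's name
}


def classify_sender(ip, helo_name, forward=FORWARD, reverse=REVERSE):
    """Classify a connecting SMTP client by its DNS consistency.

    "no-ptr"        no reverse record at all
    "mismatch"      PTR name does not resolve back to ip (anyone can publish
                    a PTR; only the forward match proves it is theirs)
    "helo-mismatch" PTR is confirmed but the HELO name does not point at ip
    "generic-ptr"   everything is consistent but the PTR is the ISP's generic
                    name rather than the HELO name (f0dder's static-IP case)
    "ok"            PTR confirmed and identical to the HELO name
    """
    ptr = reverse.get(ip)
    if ptr is None:
        return "no-ptr"
    if ip not in forward.get(ptr.lower(), set()):
        return "mismatch"
    if ip not in forward.get(helo_name.lower(), set()):
        return "helo-mismatch"
    if ptr.lower() != helo_name.lower():
        return "generic-ptr"
    return "ok"


if __name__ == "__main__":
    for ip, helo in [("198.51.100.25", "mail.good.example"),
                     ("1.3.3.7", "my.serious.biz"),
                     ("203.0.113.9", "mail.good.example"),
                     ("192.0.2.1", "mail.good.example")]:
        print(ip, helo, "->", classify_sender(ip, helo))
```

Getting the ISP to set the PTR to the mail host's own name, as tinjaw describes, moves a server from "generic-ptr" to "ok" without any other change.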
