On May 17, 2005, at 2:17 AM, Alan Premselaar wrote:
> Jef Poskanzer wrote:
> ..snip...
>> And finally, if you want to run a check on the HELO string, I find
>> that just rejecting outside connections that claim a HELO of your own
>> hostname gets rid of a very high proportion of crapmail. This
>> very simple check is successful enough that I'll probably publish
>> a "notme_milter" at some point after spfmilter gets out of beta status.
>
> I already do this with MIMEDefang. It's proven quite effective.
> I don't bother with any of the other checks because they either take too
> many resources or have potentially too much collateral damage.
What I'd like is a system that takes incoming mail, strips rich text/html and reinterprets it into plain text, strips attachments and puts them into an ACL-controlled quarantine so users can get to them only if they really wanted them (within X days before it's wiped from the database and storage area) whether it's a networked fileshare or (probably better) a website. Stick headers in as to probability of message being spam so client filtering can work still.
Have DNS lookups on the helo string...not valid, don't take it. Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that? Enough to be significant? Build in some tarpitting if the same site keeps hitting users on your site that are invalid more than X times when checking against your user database.
How much collateral damage would a system like this cause, I wonder?
After yet another day of putting up with all this crap from viruses, there's a part of me that wonders what would happen if someone wrote a virus that would pull a sober.p "infectinfectinfect...sleep...payload" trick where instead of turning the computer into a spambot would instead delete some system files so Windows wouldn't boot again, forcing people to STOP CLICKING ON RANDOM ATTACHMENTS and fixing the problem systems. Isn't that the primary trick being used now to spread spam and viruses? People are clicking and running attachments from other viruses and are clueless about NOT CLICKING RANDOM ATTACHMENTS? Although I already know people abhor the idea and it's definitely not the first time that idea's been entertained in some twisted form of vigilante online justice.
*sigh* too much of this stuff makes Johnny a dull boy. Need more sleep.
_______________________________________________ http://lurker.clamav.net/list/clamav-users.html
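The "notme" HELO check from Jef's quoted note and the HELO DNS lookup plus tarpitting sketched in the message above, as an added example that is not part of this thread or of spfmilter/MIMEDefang. It is milter-style policy logic in plain Python: the hostnames, addresses and trusted network are assumed values, the DNS resolver is a constructed in-memory stub so the code runs offline (a real filter would call the system resolver), and the address-literal handling shows one source of collateral damage the message asks about: a HELO of `[203.0.113.9]` is RFC-valid and never resolves, so a naive "must resolve" rule would reject it.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for DNS: HELO name -> A records it would return.
# A real milter would query the resolver instead of this table.
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.net": ["198.51.100.7"],
    "mx1.example.org": ["203.0.113.9"],
}


def fake_resolve(name: str) -> List[str]:
    """Stub resolver used so the example runs without network access."""
    return FAKE_DNS.get(name.lower(), [])


# Assumed local identity of the receiving MX (not from the thread).
OUR_HOSTNAMES = {"mail.example.com", "example.com"}
OUR_IPS = {"192.0.2.25"}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# RFC 5321 address literal: [1.2.3.4] or [IPv6:...]
LITERAL_RE = re.compile(r"^\[(IPv6:)?([0-9A-Fa-f:.]+)\]$")


def is_internal(client_ip: str) -> bool:
    """Internal/authenticated clients are never subjected to HELO policing."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def helo_verdict(helo: str, client_ip: str,
                 resolve: Callable[[str], List[str]] = fake_resolve
                 ) -> Tuple[str, str]:
    """Return (action, reason) for a HELO/EHLO string sent from client_ip."""
    if is_internal(client_ip):
        return ("accept", "internal client, HELO not checked")
    h = helo.strip()
    if not h:
        return ("reject", "empty HELO")
    m = LITERAL_RE.match(h)
    if m:
        # The "notme" check applied to an address literal.
        if m.group(2) in OUR_IPS:
            return ("reject", "outside host claims our own address")
        # Literals are valid and never resolve; do not DNS-check them.
        return ("accept", "address literal")
    # The "notme" check: an outside connection claiming our hostname.
    if h.lower() in OUR_HOSTNAMES:
        return ("reject", "outside host claims our hostname")
    # The DNS check the message proposes: unresolvable HELO, don't take it.
    if not resolve(h):
        return ("reject", "HELO name does not resolve")
    return ("accept", "ok")


class Tarpit:
    """Per-client delay that grows once a site exceeds X unknown-recipient hits."""

    def __init__(self, threshold: int = 3, step: float = 5.0,
                 max_delay: float = 60.0) -> None:
        self.threshold = threshold
        self.step = step
        self.max_delay = max_delay
        self.bad: Dict[str, int] = {}

    def record_unknown_recipient(self, client_ip: str) -> float:
        """Record one RCPT for a nonexistent user; return seconds to delay."""
        n = self.bad.get(client_ip, 0) + 1
        self.bad[client_ip] = n
        if n <= self.threshold:
            return 0.0
        return min(self.step * (n - self.threshold), self.max_delay)


if __name__ == "__main__":
    for helo, ip in [("mail.example.com", "198.51.100.7"),
                     ("[192.0.2.25]", "198.51.100.7"),
                     ("[203.0.113.9]", "198.51.100.7"),
                     ("nope.invalid", "198.51.100.7"),
                     ("mail.example.net", "198.51.100.7")]:
        print(helo, ip, helo_verdict(helo, ip))
    tp = Tarpit()
    print([tp.record_unknown_recipient("203.0.113.50") for _ in range(5)])
```

The tarpit only counts RCPTs for users who do not exist in the local user database, so a site that is merely busy is not penalised; the delay is returned rather than slept so the caller (the milter's RCPT callback) decides how to apply it.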