Martin wrote:
Can (or does) spamd look at the From:, do an MX/A record DNS lookup and
compare it to the sender IP to see if it's valid during the SMTP
transaction?
Assuming you're talking about spamd in greylisting mode, here's your
answer from spamd(8): spamd will use the db file in /var/db/spamd to
track these non-blacklisted connections to spamd by connecting IP
address, envelope-from, and envelope-to, or "tuple" for short.
spamdb does nothing more than take the tuple it's given, and then
compare it to a subsequent connection. If a connection is made using
the same tuple, after a specified period of time, then the IP address is
added to the spamd-white table. There are no lookups of any kind, which
is part of the reason spamd remains lightweight and efficient.
But there are other reasons why your suggestion is not a good one.
(I note if you put in a spamtrap email address it will do a straight IP block)
Yes, your answer is once more in the man page: When a host that is
currently greylisted attempts to send mail to a spamtrap address, it is
blacklisted for 24 hours by adding the host to the spamd blacklist
spamd-greytrap. This is straightforward, since the To: address is part
of the tuple that spamd is already assembling.
e.g.
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 11000 invoked from network); 17 Jan 2007 17:19:49 -0000
Received: from host194.skytechinc.com (HELO mail.skytechinc.com)
(63.111.223.194)
by felix.chaossolutions.org with ESMTP; 17 Jan 2007 17:19:49 -0000
Received: from User ([86.127.117.209]) by mail.skytechinc.com with Microsoft
SMTPSVC(6.0.3790.1830);
Tue, 16 Jan 2007 17:51:43 -0500
Reply-To: <[EMAIL PROTECTED]>
From: "Town North Bank"<[EMAIL PROTECTED]>
Subject: Notification from North Town BANK !
Date: Wed, 17 Jan 2007 00:51:46 +0200
dig mx tnnb.com
<SNIP>
;; ADDITIONAL SECTION:
mx1.tnnb.com. 3600 IN A 208.217.213.106
So obviously the IP 63.111.223.194 does not belong to a tnnb.com mail server
and can be blacklisted/tarpitted.
Is it that obvious? Let's check a large company:
$ host -t mx hormel.com
hormel.com mail is handled by 200 hormel.com.mail6.psmtp.com.
hormel.com mail is handled by 300 hormel.com.mail7.psmtp.com.
hormel.com mail is handled by 400 hormel.com.mail8.psmtp.com.
hormel.com mail is handled by 100 hormel.com.mail5.psmtp.com.
Hormel uses Postini for all their incoming email, for spam/virus
protection, and so an MX lookup does not tell you where their email
originates. How much code would you add to spamd, and still not have a
workable solution? Hormel is just an example I pulled from Postini's
customer page. There are many, many companies out there that outsource
their incoming email for virus/spam/compliance reasons. It is one of
the headaches I deal with regularly, when their outgoing mail servers
ignore the 451 message, and instead try 5-6 times in quick succession,
then report failure (Symantec AV Gateway for Exchange, I'm looking in
your general direction).
Of course, you may want certain IP ranges whitelisted if they are important to
you.
You might want to allow/whitelist a specific, or a number of email addresses
from an IP but greylist/blacklist the rest depending on your requirements.
No. I don't want spamd to greylist each unique address that comes from
a host. Once a mail server has been whitelisted, I accept all mail from
that server. Part of the confusion here seems to be that you think
spamd cares about DNS. It doesn't.
Can some of the above be discussed/implemented in spamd?
Sorry, I don't program, just do some light scripting, but if I can see obvious
spam from the headers and a DNS MX/A lookup, I would hope that spamd could
be extended with options to catch and tarpit these people/servers/viruses
etc.
It's not obvious, and that's not what spamd does. You could certainly
configure your mail server to do strict checking, and only accept mail
from IPs with valid MX records (I would never do such a thing myself,
but I'm sure it can be done).
Steve
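To make the tuple and greytrap behaviour Steve describes concrete, here is an added example (not spamd's code and not from the thread) that models spamd's greylisting decisions on the (connecting IP, envelope-from, envelope-to) tuple plus timers, with no DNS lookup anywhere. The timer values are the defaults documented for spamd's -G option; all addresses and IPs are constructed.

```python
# Added example (not code from spamd or from this thread): a minimal model of
# spamd's greylisting state machine, to show that decisions depend only on the
# (connecting IP, envelope-from, envelope-to) tuple and timers, never on DNS.
# Timer values are spamd(8)'s -G defaults; addresses below are constructed.

PASSTIME = 25 * 60            # retry must come at least this long after first try
GREYEXP = 4 * 60 * 60         # a tuple never retried is forgotten after this
WHITEEXP = 36 * 24 * 60 * 60  # whitelisted IPs stay in spamd-white this long
TRAPEXP = 24 * 60 * 60        # greytrap blacklisting lasts 24 hours

class Greylister:
    def __init__(self, spamtraps):
        self.spamtraps = set(spamtraps)  # addresses that never get real mail
        self.grey = {}      # (ip, from, to) -> time of first attempt
        self.white = {}     # ip -> expiry (the spamd-white table)
        self.trapped = {}   # ip -> expiry (the spamd-greytrap table)

    def connect(self, ip, mail_from, rcpt_to, now):
        """Return what spamd would do with this SMTP transaction."""
        if self.trapped.get(ip, 0) > now:
            return "BLACK"           # tarpitted: 24h block still in force
        if self.white.get(ip, 0) > now:
            return "WHITE"           # whole IP trusted: any from/to accepted
        if rcpt_to in self.spamtraps:
            self.trapped[ip] = now + TRAPEXP  # greylisted host hit a trap
            return "BLACK"
        tup = (ip, mail_from, rcpt_to)
        first = self.grey.get(tup)
        if first is None or now - first > GREYEXP:
            self.grey[tup] = now     # new (or long-expired) tuple: 451 it
            return "GREY"
        if now - first < PASSTIME:
            return "GREY"            # retried too soon, keep deferring
        del self.grey[tup]           # patient retry: promote the whole IP
        self.white[ip] = now + WHITEEXP
        return "WHITE"

def walkthrough():
    """Constructed scenario: a well-behaved sender and a trap-hitting one."""
    g = Greylister(spamtraps={"trap@example.com"})
    legit = ("192.0.2.10", "news@example.org", "user@example.com")
    out = [g.connect(*legit, now=0),      # first attempt: deferred
           g.connect(*legit, now=60),     # only a minute later: still deferred
           g.connect(*legit, now=1600),   # 26 min later: IP whitelisted
           g.connect("192.0.2.10", "other@example.org", "boss@example.com", 1700)]
    bad = "198.51.100.7"                  # new tuple, same IP: accepted
    out += [g.connect(bad, "x@example.net", "trap@example.com", 0),
            g.connect(bad, "y@example.net", "user@example.com", 100),
            g.connect(bad, "y@example.net", "user@example.com", TRAPEXP + 1)]
    return out                            # block, block, then back to greylist
```

Note that the last legitimate connection is accepted on a tuple spamd has never seen, because whitelisting is per IP, exactly the "once a mail server has been whitelisted, I accept all mail from that server" behaviour above.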