On Wed, 26 Jun 2002, Olivier Nicole wrote:

> SA could do a reverse DNS check and mark this as very suspicious, but
> on another hand, if expansionpack.xtdnet.nl is an internal mail
> gateway only, why did it accept incoming message from 216.139.180.4,

expansionpack.xtdnet.nl is another IP number for the same machine as
smtp.xtdnet.nl. It's our main mail server. Its job is to accept email :)

> or if it accepted message from smtp.xtdnet.nl only, why did
> smtp.xtdnet.nl claim to be 216.139.180.4?

No, smtp.xtdnet.nl is 193.110.157.5. The machine 216.139.180.4 had an email
for [EMAIL PROTECTED], and that machine claimed to be 216.139.180.4 at the
time. Of course, that machine's DNS changes every few seconds, since for the
next victim it will be something else.

> And if expansionpack.xtdnet.nl can accept email from outside, why did
> it let in such a suspicious connection? I would think that such DNS
> check must be done at MTA level and never even consider letting in
> such email.

I believe the only check that, for instance, sendmail could do is to check
if a lookup of the IP gives the hostname, and if the hostname lookup doesn't
give the IP, then it can block the message. But in real life, there are so
many situations where this is not the case that blocking that scenario would
block way too much legitimate email.

Paul

> Olivier
>

--
"Movie scripts no longer write, George Lucas shall"
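
The check described in the reply above (reverse lookup of the connecting IP, then a forward lookup of that name that must return the same IP), written out as an added example that is not part of the original thread. The function names and the sample zone data are constructed for illustration; it returns a verdict for a scorer to weigh rather than rejecting the message, in line with the point that many legitimate senders fail this check.

```python
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver; empty list on failure."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:  # covers socket.herror / socket.gaierror
        return []

def system_addrs(host):
    """All addresses host resolves to via the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except OSError:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Classify ip as 'pass', 'no-ptr', 'no-forward' or 'mismatch'."""
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr"            # common for dial-up / misconfigured hosts
    resolved_any = False
    for name in names:
        addrs = addr_lookup(name.rstrip("."))
        if ip in addrs:            # string compare: assumes same address notation
            return "pass"
        resolved_any = resolved_any or bool(addrs)
    # A PTR anyone controlling the reverse zone can set; the forward zone disagrees.
    return "mismatch" if resolved_any else "no-forward"

# Constructed sample zone data (documentation address ranges, not real hosts).
PTR = {"192.0.2.10": ["mail.example.org."],
       "192.0.2.66": ["mx.bank.example."],      # PTR claims a name it does not own
       "198.51.100.7": ["dsl-7.isp.example."]}  # PTR set, no forward record
A = {"mail.example.org": ["192.0.2.10", "192.0.2.11"],
     "mx.bank.example": ["203.0.113.5"]}

def check_sample(ip):
    """Run fcrdns against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda i: PTR.get(i, []), lambda h: A.get(h, []))

if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.66", "198.51.100.7", "203.0.113.99"]:
        print(ip, check_sample(ip))
```

Only "pass" says anything positive about the sender; the other three verdicts are the cases the reply warns are too common among legitimate hosts to justify an outright block.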