Scott Harris wrote:
I get a lot of these:

Jan  2 14:53:38 linux1 sm-mta[22500]: i02MrVWw022500:
from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA,
relay=200-168-30-167.dsl.telesp.net.br [200.168.30.167]

Would a useful check be to reject anything where the relay domain is not
part of the sender domain?
Or would this be too restrictive?

My first thoughts are of those with virtual domains hosted.  But you should
be able to give the relay multiple names to allow things to pass.  Or so I
would think?

Scott

First, there is a related test already in spamassassin, though I haven't taken the time to figure out exactly how it works.  And it has some problems!

When I send test mail to myself, at my hosted domain, from home (where I connect via cable modem), here are the received headers:

Received: from greeny by contra.vosn.net with local-bsmtp (Exim 4.24)
        id 1AcmSZ-0001xi-P9
        for [EMAIL PROTECTED]; Sat, 03 Jan 2004 07:09:01 -0700
Received: from [68.194.205.75] (helo=gothics.xfields.net)
        by contra.vosn.net with asmtp (Exim 4.24)
        id 1AcmSY-0001xE-Jh
        for [EMAIL PROTECTED]; Sat, 03 Jan 2004 07:08:58 -0700

and here's the spam report:

X-Spam-Report:
        * -0.9 BAYES_10 BODY: Bayesian spam probability is 10 to 20%
        *      [score: 0.1935]
        *  3.5 RCVD_IN_NJABL_DIALUP RBL: NJABL: dialup sender did non-local SMTP
        *      [68.194.205.75 listed in dnsbl.njabl.org]
        *  0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
        *      [68.194.205.75 listed in dnsbl.sorbs.net]
        *  0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
        *      [68.194.205.75 listed in dnsbl.njabl.org]
        *  2.6 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address
        *      [68.194.205.75 listed in dnsbl.sorbs.net]

Note the whopping 3.5 assigned for a "non-local" smtp from a dynamic IP address!  (And an additional 2.6 because I sent directly to receiving account!)  Of course, this is a perfectly innocent, and normal transaction.

At first, I was concerned that the 3.5 was going to affect all recipients of mail from me -- but when the mail is autoforwarded to a machine I manage, for testing purposes, the RCVD_IN_NJABL hits, but the 3.5 weighted RECVD_IN_NJABL_DIALUP does not.  (Anybody know how this test works, and want to save me the trouble of digging into it? ;)

I've not been sure how "non-local" was determined.  Perhaps it just does a reverse dns lookup on the sender IP, and compares domains with the smtp host/relay.  If so, this would be a problem, regardless of whether the host identified itself as my virtual domain, or not.  (i.e., because my home machine is always going to be associated with the cable modem domain.)

In my case, the virtual domain has a unique IP, so a proper reverse dns lookup wouldn't be a problem.  However, there is another problem that any effort along these lines will face -- mta configuration.  My hosting service uses CPanel -- which is used by many hosting services -- and they leave exim configured with the default received header configuration.  It would be a fairly straightforward change to get them to use the hosted domain in the received header (at least for accounts with unique IPs per domain), but you'd actually have to get CPanel to change it, and then wait for the change to propagate to the many host services that use CPanel.

Then you'd have to do likewise with any other hosting packages (ensim, etc.) used by others, that may have similar issues.  And you'd still need to figure out a solution for hosted domains with shared IPs.  (With unique IPs, the mta can tell which virtual domain was targeted for the smtp, simply by looking at the interface through which the connection was received.  Not clear to me what you do for domains with shared IPs.)
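As an added illustration of the two posts above (example code, not from the original thread, SpamAssassin, sendmail or Exim): the script below pulls the relay identity out of the sm-mta log line Scott quoted and out of an Exim Received: header like the one in the reply, applies the "relay domain must be part of the sender domain" rule Scott proposes, and shows how it behaves for a legitimate hosted-domain sender connecting from a cable modem. The sender addresses, the recipient, the cable-modem reverse-DNS name and the assumption that xfields.net is the poster's hosted virtual domain are all constructed for the example; the relay names and IPs are the ones quoted in the thread.

```python
"""Added example for the thread above (not code from the original posts, SpamAssassin
or sendmail/Exim): parse the relay identity out of the quoted sm-mta log line and out
of an Exim Received: header, apply the 'relay domain must be part of the sender
domain' rule Scott proposes, and show where it fires on a legitimate hosted-domain
sender. Sender addresses and the cable-modem rDNS name are constructed placeholders."""
import re

# Constructed from the log line in Scott's post; the redacted sender is replaced by
# a placeholder, the relay name and IP are as quoted.
SENDMAIL_LOG = (
    "Jan  2 14:53:38 linux1 sm-mta[22500]: i02MrVWw022500: "
    "from=<sender@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, "
    "relay=200-168-30-167.dsl.telesp.net.br [200.168.30.167]"
)

# Constructed from the reply's second Received: header (home machine on a cable modem,
# announcing the hosted domain in HELO); the recipient is replaced by a placeholder.
RECEIVED_HDR = (
    "Received: from [68.194.205.75] (helo=gothics.xfields.net)\n"
    "\tby contra.vosn.net with asmtp (Exim 4.24)\n"
    "\tid 1AcmSY-0001xE-Jh\n"
    "\tfor user@example.org; Sat, 03 Jan 2004 07:08:58 -0700"
)

# Assumed reverse-DNS name for the cable-modem IP: a placeholder, not a real lookup.
CABLE_MODEM_RDNS = "cable-modem-host.isp.example"

LOG_RE = re.compile(
    r"from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>[^\s\[]+) \[(?P<ip>\d+(?:\.\d+){3})\]"
)
RCVD_RE = re.compile(
    r"from \[(?P<ip>\d+(?:\.\d+){3})\] \(helo=(?P<helo>[^)\s]+)\)"
)


def parse_sendmail_log(line):
    """Return sender address, relay hostname (sendmail's rDNS result) and relay IP."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a recognisable sm-mta 'from=' log line")
    return {"sender": m["sender"], "relay": m["relay"], "ip": m["ip"]}


def parse_received(header):
    """Return the connecting IP and the HELO name from an Exim-style Received: header."""
    m = RCVD_RE.search(" ".join(header.split()))
    if not m:
        raise ValueError("no 'from [ip] (helo=...)' clause in Received: header")
    return {"ip": m["ip"], "helo": m["helo"]}


def sender_domain(addr):
    return addr.rpartition("@")[2].lower().rstrip(".")


def relay_matches_sender(relay_host, sender_addr):
    """Scott's proposed rule: accept only when the relay's name is the sender's
    domain or a host under it (e.g. mail.example.net for user@example.net)."""
    relay = relay_host.lower().rstrip(".")
    dom = sender_domain(sender_addr)
    return bool(dom) and (relay == dom or relay.endswith("." + dom))


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client would resolve for `ip`: octets reversed under the zone
    (this is the lookup behind the RCVD_IN_* hits shown in the reply)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def evaluate_hosted_sender(sender_addr, helo, rdns):
    """Apply the rule twice: against the HELO name (chosen by the client, so an MTA
    should not trust it) and against the rDNS name the MTA actually looked up."""
    return {
        "by_helo": relay_matches_sender(helo, sender_addr),
        "by_rdns": relay_matches_sender(rdns, sender_addr),
    }


if __name__ == "__main__":
    spam = parse_sendmail_log(SENDMAIL_LOG)
    print("dial-up relay accepted by rule:", relay_matches_sender(spam["relay"], spam["sender"]))
    rcvd = parse_received(RECEIVED_HDR)
    # Assumption: xfields.net (the HELO domain) is the poster's hosted virtual domain.
    print(evaluate_hosted_sender("user@xfields.net", rcvd["helo"], CABLE_MODEM_RDNS))
    print(dnsbl_query_name(rcvd["ip"], "dnsbl.njabl.org"))
```

The rule rejects the DSL relay in Scott's log line, which is the intended effect, but for the hosted-domain case it only passes when checked against the HELO name, which any client can set to whatever it likes; checked against the reverse-DNS name the MTA can actually verify, the same legitimate message fails, which is the point the reply makes about home machines always carrying the cable-modem domain.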