> >From [EMAIL PROTECTED] Tue Mar 1 22:15:46 2005
> Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
> ...
> To: List Mail User <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: another request for RECEIVED[x] array
> References: <[EMAIL PROTECTED]>
> In-Reply-To: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
> X-Virus-Checked: Checked
>
> On 3/2/2005 12:33 AM, List Mail User wrote:
>
>> you can do whatever you like, I'd recommend at least doing more than just a
>> simple check for the names being identical
>
> I don't care if the names don't match (although somebody else might). My
> goal with this particular lookup is to weight identifiers that don't have
> any reverse DNS, that is all. Postfix supports this internally already but
> there are way too many FPs for these checks, there are too many possible
> errors (including delegation burps), and so forth. Given that SA is
> supposed to be about managing probabilities ... seems like a good place to
> do the checking is inside SA.
>
> Same thing goes for SMTP versus ESMTP. If they are using HELO they are
> probably malware, and I'd like to be able to test on this.
>
> I'd like to be able to poke at TLS data so that I can assign a negative
> weight, since functional TLS is a good indicator of a well-managed network
> (not proof, but again, we are talking about probabilities)
>
>
> --
> Eric A. Hall                                        http://www.ehsco.com/
> Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
>

Eric,
It all sounds good to me, especially if you go beyond the MTA's checking of the last relay only and check the full `received' chain. I find most of the spam that gets past my first level of filtering does so because it targets a high-numbered/back-up MX not directly under my control; thus my servers, for those cases, see a perfectly acceptable client/EHLO match (coming from a "trusted" host, though not in the SA sense - it is an 'MX' for my domain(s)), despite an obvious mismatch one level back.

Still, I personally will leave the Postfix checks in place (I have them skipped for some accounts, but very few - same thing for the black lists; but my "extremism" has been a topic on this list before).

Oddly, and probably out of habits over twenty years old, when I connect to servers "by hand" (which I do quite often), I almost always type "HELO", not "EHLO". I have noticed that SMTP scanners usually scan using HELOs instead of EHLOs, and about 1% of my connections get dropped due to improper pipelining following a HELO (after an EHLO, pipelining is generally allowed). I don't generate exactly the stats you might want, but from my own reports I see ~3.5% of connections dropped voluntarily (i.e. by the client, not by me) immediately after a connect, ~0.65% after an EHLO and ~1.05% after a HELO; I would interpret this as scanners (who do anything beyond checking for a connectable port) using HELO over EHLO at about a 3 to 2 ratio. I am sure that your supposition about most HELOs being malware is likely correct; I doubt there still exist many unpatched SunOS servers in production environments.

Bye,
Paul Shupak
[EMAIL PROTECTED]
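As an added example of the full-chain check discussed above (my own code, not from this thread, SpamAssassin or Postfix), the script below parses Postfix-style Received headers and walks the chain from the newest header downwards while each header was stamped by one of our own MTAs. Hops between our own machines (backup MX to primary MX) are skipped rather than scored, so the external client one level back gets the reverse-DNS and HELO-versus-EHLO weighting even when the last relay looks perfectly clean. The host list, the weights and the three Received lines are constructed for the demonstration; the regex assumes the Postfix `from HELO (RDNS [IP]) by HOST ... with PROTO` layout and nothing else.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Postfix-style Received clause: "from HELO (RDNS [IP]) by HOST ... with SMTP|ESMTP|ESMTPS"
# Assumption: this simplified pattern covers the Postfix wording only; other
# MTAs lay out their Received headers differently.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>E?SMTPS?A?)\b",
    re.IGNORECASE,
)


@dataclass
class Hop:
    helo: str            # name the client announced in HELO/EHLO
    rdns: Optional[str]  # PTR name logged by the receiving MTA; None when it logged "unknown"
    ip: str
    by: str              # the MTA that stamped this header
    proto: str           # SMTP (client used HELO), ESMTP (EHLO), ESMTPS (EHLO + STARTTLS)


def parse_received(header: str) -> Optional[Hop]:
    """Collapse folded whitespace and pull out the fields we weight on."""
    m = RECEIVED_RE.search(" ".join(header.split()))
    if not m:
        return None
    rdns = m.group("rdns")
    if rdns is None or rdns.lower() == "unknown":
        rdns = None
    return Hop(m.group("helo"), rdns, m.group("ip"), m.group("by"), m.group("proto").upper())


# Constructed weights: positive is more spam-like, negative is a credit.
# They are illustrative, not SpamAssassin's real scores.
def score_hop(hop: Hop) -> List[Tuple[str, float]]:
    findings: List[Tuple[str, float]] = []
    if hop.rdns is None:
        findings.append(("NO_RDNS", 1.5))            # no reverse DNS at all
    elif hop.rdns.lower() != hop.helo.lower().strip("[]"):
        findings.append(("HELO_RDNS_MISMATCH", 0.5))  # names differ: weighted lightly
    if hop.proto == "SMTP":
        findings.append(("HELO_NOT_EHLO", 1.0))      # plain HELO instead of EHLO
    if hop.proto.startswith("ESMTPS"):
        findings.append(("TLS_USED", -0.5))          # working STARTTLS earns a credit
    return findings


def score_chain(headers: List[str], our_hosts: Set[str]) -> Dict[str, object]:
    """headers[0] is the newest Received line. Keep walking while the header was
    stamped by a host we run; skip hops between our own machines so the external
    client behind a backup MX is still scored; stop at the first header stamped
    by a foreign MTA, since anything below it could be forged."""
    total = 0.0
    findings: List[Tuple[int, str, float]] = []
    for idx, hdr in enumerate(headers):
        hop = parse_received(hdr)
        if hop is None or hop.by.lower() not in our_hosts:
            break
        if hop.rdns and hop.rdns.lower() in our_hosts:
            continue  # internal relay hop, e.g. backup MX -> primary MX
        for name, weight in score_hop(hop):
            findings.append((idx, name, weight))
            total += weight
    return {"score": total, "findings": findings}


# Constructed sample: a clean internal hop on top, the real client one level back.
OUR_HOSTS = {"mx1.example.org", "backup-mx.example.org"}
SAMPLE_HEADERS = [
    ("from backup-mx.example.org (backup-mx.example.org [198.51.100.5]) "
     "by mx1.example.org (Postfix) with ESMTP id 1A2B3C; Tue, 1 Mar 2005 22:15:46 -0500"),
    ("from mail.example.com (unknown [203.0.113.9]) "
     "by backup-mx.example.org (Postfix) with SMTP id 4D5E6F; Tue, 1 Mar 2005 22:15:40 -0500"),
    ("from [10.0.0.7] (localhost [127.0.0.1]) "
     "by mail.example.com (Postfix) with ESMTP id 7G8H9I; Tue, 1 Mar 2005 22:15:30 -0500"),
]

if __name__ == "__main__":
    print("last relay only:", score_chain(SAMPLE_HEADERS[:1], OUR_HOSTS))
    print("full chain:     ", score_chain(SAMPLE_HEADERS, OUR_HOSTS))
```

Checking only the last relay scores the sample message 0, because the backup MX's own hop matches perfectly; walking the chain finds the client with no reverse DNS that spoke plain HELO to the backup MX and scores it 2.5. The third header was stamped by a host outside `OUR_HOSTS`, so the walk stops there rather than trusting it.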