On Wed, 7 May 2008, Aaron Wolfe wrote:

On Wed, May 7, 2008 at 5:44 PM, John Hardin <[EMAIL PROTECTED]> wrote:

(1) Mark is trying to collect data on how the remote MTA behaves when
presented with a 451 tmpfail result. A firewall rule can't do that.

From his message: "I'm not interested in the content of the message or
anything other than catching the IP addresses of virus infected spam bots.
That's all I want to do."

Yeah, I worded that a little poorly. He determines whether that IP is a spambot (and thus of interest) by how it responds to the 451. Just collecting the IP addresses of all MTAs that contact the high MX is not useful as that, by itself, is legitimate behavior.

(2) If someone doesn't trust him when he says "I won't accept or read your
mail", why will they trust him if he says "I have it firewalled off"?

Because you can very easily check for yourself to see that this is true.

You can verify the 451-before-DATA behavior as well. All that tells you is whether or not he's blatantly dishonest.

Mark, perhaps a better approach would be to write a small daemon that listens on port 25 and does the minimal SMTP-451 chat and TCP analysis, and then reports the IPs of spambots to you via some auditable channel, perhaps a simple cleartext HTTP request to a CGI script at your website. That way anyone who wants to participate can set up a collection point under their control, and all you get is the results of the TCP analysis.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  End users want eye candy and the "ooo's and aaaahhh's" experience
  when reading mail. To them email isn't a tool, but an entertainment
  form.                                                 -- Steve Lake
-----------------------------------------------------------------------
 Tomorrow: the 63rd anniversary of VE day
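
The 451-before-DATA chat of the collection-point daemon suggested above, as an added example that is not part of the original message or anyone's deployed code: it greets, accepts HELO/EHLO, tempfails everything else, and keeps a per-IP record of how each peer behaved. The hostname `collector.example`, port 2525, the `SESSIONS` structure and the choice to answer 451 to every command other than HELO/EHLO/QUIT are assumptions.

```python
import socketserver
import threading
import time

SESSIONS = {}  # peer IP -> list of per-connection records (in-memory, hypothetical)

class Tempfail451Handler(socketserver.StreamRequestHandler):
    timeout = 30  # seconds; a stalled peer must not hold a thread forever

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        record = {"time": time.time(), "verbs": [], "got_451": False, "ended": "dropped"}
        SESSIONS.setdefault(self.client_address[0], []).append(record)
        try:
            self.reply("220 collector.example ESMTP")
            for raw in self.rfile:
                verb = raw[:4].decode("ascii", "replace").strip().upper()
                record["verbs"].append(verb)
                if verb in ("HELO", "EHLO"):
                    self.reply("250 collector.example")
                elif verb == "QUIT":
                    record["ended"] = "quit"
                    self.reply("221 Bye")
                    return
                else:
                    # Assumption: MAIL, RCPT, DATA and anything unrecognised all get
                    # the tempfail, so no envelope or message body is ever accepted.
                    record["got_451"] = True
                    self.reply("451 4.3.0 Temporary failure, try again later")
        except OSError:  # timeout or connection reset by the peer
            record["ended"] = "error"

def start_collector(host="127.0.0.1", port=2525):
    """Start the listener in a background thread and return the server object."""
    server = socketserver.ThreadingTCPServer((host, port), Tempfail451Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def report():
    """Per-IP counts: connections seen, sessions that hit the 451, polite QUITs."""
    return {ip: {"sessions": len(recs),
                 "got_451": sum(r["got_451"] for r in recs),
                 "quit": sum(r["ended"] == "quit" for r in recs)}
            for ip, recs in SESSIONS.items()}
```

Because the handler never implements DATA, anyone running a collection point can confirm from the source and from a manual SMTP session that no message content is accepted.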
