John Hardin wrote:
On Wed, 7 May 2008, Aaron Wolfe wrote:
On Wed, May 7, 2008 at 5:44 PM, John Hardin <[EMAIL PROTECTED]> wrote:
(1) Mark is trying to collect data on how the remote MTA behaves when
presented with a 451 tmpfail result. A firewall rule can't do that.
From his message: "I'm not interested in the content of the message or
anything other than catching the IP addresses of virus infected spam bots.
That's all I want to do."
Yeah, I worded that a little poorly. He determines whether that IP is a
spambot (and thus of interest) by how it responds to the 451. Just
collecting the IP addresses of all MTAs that contact the high MX is not
useful as that, by itself, is legitimate behavior.
(2) If someone doesn't trust him when he says "I won't accept or read your
mail", why will they trust him if he says "I have it firewalled off"?
Because you can very easily check for yourself to see that this is true.
You can verify the 451-before-DATA behavior as well. All that tells you
is whether or not he's blatantly dishonest.
Mark, perhaps a better approach would be to write a small daemon that
listens on port 25 and does the minimal SMTP-451 chat and TCP analysis,
and then reports the IPs of spambots to you via some auditable channel,
perhaps a simple cleartext HTTP request to a CGI script at your website.
That way anyone who wants to participate can set up a collection point
under their control, and all you get is the results of the TCP analysis.
That would be absolutely possible even in my corporate environment. I
may even be able to dig up a server to do so with in the next month.
DAve
--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.
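
The collection point proposed in the thread above (a listener that does the minimal SMTP chat, answers 451 before DATA, and reports only the peer IP and how it reacted), as an added example that is not code from anyone in the thread. Assumptions: the names `reply_for`, `summarize` and `Collector`, the host name `collector.example`, loopback port 2525 instead of 25, and a JSON line on stdout standing in for the HTTP report; the TCP analysis is left out because the thread does not describe it.

```python
import json
import socketserver
TEMPFAIL = "451 4.3.0 Temporary failure, please try again later"

def reply_for(line, seen):
    """Record the verb of one client line and return the reply to send."""
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""
    seen.append(verb)
    if verb in ("HELO", "EHLO"):
        return "250 collector.example"      # hypothetical host name
    if verb in ("MAIL", "RSET", "NOOP"):
        return "250 OK"
    if verb == "RCPT":
        return TEMPFAIL                     # tempfail every recipient, before DATA
    if verb == "DATA":
        return "503 5.5.1 No valid recipients"   # message content is never read
    if verb == "QUIT":
        return "221 Bye"
    return "502 5.5.2 Command not recognized"

def summarize(peer_ip, seen):
    """Reduce a session to the record that is reported: IP and verbs only."""
    after = seen[seen.index("RCPT") + 1:] if "RCPT" in seen else []
    return {"ip": peer_ip, "got_451": "RCPT" in seen,
            "after_451": after, "quit": "QUIT" in seen}

class Collector(socketserver.StreamRequestHandler):
    timeout = 30                            # seconds before an idle client is dropped

    def handle(self):
        seen = []
        try:
            self.wfile.write(b"220 collector.example ESMTP\r\n")
            for _ in range(20):             # cap the number of commands per session
                raw = self.rfile.readline(1024)
                if not raw:
                    break
                reply = reply_for(raw.decode("latin-1"), seen)
                self.wfile.write(reply.encode() + b"\r\n")
                if seen[-1] == "QUIT":
                    break
        except OSError:
            pass                            # a timeout or reset still gets reported
        # Assumed stand-in for the auditable report: one JSON line per session.
        print(json.dumps(summarize(self.client_address[0], seen)), flush=True)

if __name__ == "__main__":  # loopback port 2525 is an assumption for unprivileged runs
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), Collector) as srv:
        srv.serve_forever()
```

The `after_451` field holds whatever the client sent once it had been told to retry later, which is the raw observation a classifier would work from.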