On Tue, Jul 22, 2008 at 08:38:09PM +0200, mouss wrote:
> Bob McClure Jr wrote:
> >On Tue, Jul 22, 2008 at 11:37:39AM -0400, Kevin Parris wrote:
> >><snippage>
> >>
> >>The spammers are spending other people's money, since much of their
> >>"work" is done by hijacked machines, thus they do not care how
> >>'expensive' their project might be, and any responses they do get
> >>are practically pure profit. So to probe a million targets and find
> >>even one vulnerable is "worth the trouble" since it is not their own
> >>trouble.
> >>
> >>The flaw in your logic is that you are thinking logically, working
> >>from the premise that any intelligent administrator (such as
> >>yourself) would never create a machine that is susceptible to this
> >>particular attack. Maybe YOUR server is not a viable avenue for the
> >>spammer, but there are SO many servers out there - finding a few
> >>that ARE viable is almost a certainty, since some people who connect
> >>systems to the internet are not so well-informed as we here.
> >>
> >>I believe that until a technique is discovered to eliminate
> >>ignorance and gullibility from the human population, there will be
> >>no solution to the spam problem.
> >
> >If I may extend this OT thread, I'd like to know how draconian admins
> >get with their mail servers. Without considering RBLs, how much do
> >you limit client connections:
> >
> >Allow only those with (PTR and/or A) DNS records?
>
> unfortunately, this would
> - block silly networks with misconfigured DNS, but from which you still
> want to get mail.

Yeah, I know that, and, in fact, one of my clients' DNS was
misconfigured (not in my power to fix) until recently. Be nice if
there were some suitable mechanism to feed such info back to owner
besides the distant end calling/emailing to say, "Hey, did you know
your DNS is fubar?" I'm still not all that far from imposing such a
restriction on my own server.

> - delay (or block, depending on your implementation) good networks in
> case of DNS problems. (the dspam domain was once under DDoS. delaying
> their _solicited_ mail is not really nice).

Yeah, bummer. Maybe make an exception if DNS is unavailable, or soft
fail.

> >Allow only those with MX records?
>
> if the envelope sender domain has no MX nor A record (or has an invalid
> or borked MX), you can block. but this doesn't catch much junk. It does
> however catch legitimate mail in case of misconfiguration.

No, I don't mean that of the envelope sender - that means nothing. I
mean that the client machine must be listed as an MX. That said, yes,
I know, many installations (e.g. two of my clients) have separate IPs
for sending and receiving mail, so the sender is not listed as an MX.
And if it were so listed as a (secondary) MX and did not accept mail,
then it's busted for being a bogus MX. <sigh> Never mind.

> >
> >I figure only the latter will be the Final Solution to spam.
>
> final what? fussp?
>
>
> since spammers forge the sender, sender checks don't buy you much.
>
> > But
> >there are probably only two chances of that - slim and none.

Where is the Lone Ranger when you need him? (Silver bullet
reference.)

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Jesus turned and saw her. "Take heart, daughter," he said, "your
faith has healed you." And the woman was healed from that moment.
Matthew 9:22 (NIV)