Jonas Eckerman wrote:
Michelle Konzack wrote:
in short, if someone declares you as their MX (without your
authorization), you should not start listing clients that try to send
mail to such domains.
Are there ANY legal reasons to declare someone's MX as their MX?
You miss mouss' point.
If someone (maliciously or by mistake) declares your system as their MX,
innocent third party mail servers may through no fault of their own
connect to your system in order to send mail to addresses for which your
system is not an MX.
If you allow the connecting system to get as far as RCPT TO: you could
check if someone has set the MX for the recipient address(es) to point
at your system before listing the client (and that would also give the
opportunity to contact whoever is responsible for the bad MX record).
For a well known connection trap, this might well be a very important
precaution as spammers might otherwise try to poison the list.
exactly.
More generally all the approaches that are based on "this pattern means
this is an attacker" must be seriously analyzed. this includes
- "nobody should try to connect to this port". if you don't allow for a
tcp session to be established, an attacker can spoof an IP and you would
list an innocent IP.
- "spammers close the connection without a quit". probably, but a
connection may be broken for other reasons (system reboot, lost
connectivity, ...).
- "only spammers go to my second MX when my first is up". sure, but just
because you see it up doesn't mean other people can connect to it.
- "this address only gets spam" (spamtrap). probably. but can you prove it?
- ... etc
what I mean is that you need to analyze your "rule" before implementing
it. and you need to analyze your implementation as well.
people often take care against many sorts of attacks. but when blocking,
they don't realize that they are vulnerable to similar attacks. remember
that fail2ban "injection" attack (you put the victim IP in the login, so
that fail2ban blocks the victim IP)? and how many people try to block
IPs because of port scans just to block victims of IP spoofing? ... etc.
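An added example, not code from anyone in this thread, of the RCPT TO time check Jonas describes (and the kind of rule analysis mouss asks for): the trap lists a connecting client only when none of the recipient domains has an MX record pointing at the trap, and otherwise flags the domain for follow-up instead of listing the client. The MX table, the trap hostname and the domains are constructed stand-ins; real code would query DNS.

```python
from dataclasses import dataclass, field

# Constructed stand-in for DNS MX lookups (a real deployment would query DNS
# with a resolver library); maps domain -> list of MX hostnames.
FAKE_MX = {
    "example.org": ["mx1.example.org", "mx2.example.org"],
    "misconfigured.example": ["trap.mymail.example"],  # points at our trap without consent
}

MY_HOSTNAMES = {"trap.mymail.example"}  # hostnames the trap answers to (constructed)

@dataclass
class Verdict:
    list_client: bool
    reason: str
    bogus_mx_domains: list = field(default_factory=list)

def mx_hosts(domain, resolver=FAKE_MX.get):
    """Return the MX hostnames for a domain, normalised; empty list if none."""
    return [h.lower().rstrip(".") for h in (resolver(domain.lower()) or [])]

def recipient_domain(address):
    """Domain part of an RCPT TO address, or None if it has no '@'."""
    _local, sep, domain = address.rpartition("@")
    return domain.lower().strip("<>") if sep and domain else None

def judge_rcpts(rcpt_addresses, my_hostnames=MY_HOSTNAMES, resolver=FAKE_MX.get):
    """Decide at RCPT TO time whether the connecting client deserves listing.

    The client is listed only if none of the recipient domains has an MX record
    pointing at us. If one does, the client may be an innocent server merely
    following a bogus MX record, so the domain is reported for follow-up and
    the client is left alone. Because this runs after the TCP session and
    HELO/MAIL FROM, a spoofed source address cannot trigger a listing.
    """
    bogus = []
    for addr in rcpt_addresses:
        dom = recipient_domain(addr)
        if dom is None:
            continue  # malformed recipient gives the client no DNS excuse
        if any(h in my_hostnames for h in mx_hosts(dom, resolver)):
            bogus.append(dom)
    if bogus:
        return Verdict(False, "recipient domain MX points at us; contact domain owner", bogus)
    return Verdict(True, "no recipient domain lists us as MX; genuine trap hit")
```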