dar...@chaosreigns.com wrote:
> On 02/09, Kris Deugau wrote:
> > Spammer mail originates from 10.0.0.2 (static IP assigned by ISP).
> > PTR record is 2.0.0.10.in-addr.arpa -> exchange.smallbusiness.com
> > 2.0.0.10.mtx.exchange.smallbusiness.com -> 127.0.0.1 because this is the
> > recognized designated outbound relay for Small Business's legitimate
> > mail, and they've followed your proposal.
> > How is the spam to be *not* considered a legitimate sender in this case?
> > Even if the Exchange server isn't actually processing the email, its
> > public IP will still be the originating IP of the message.
>
> Blacklist the validating domain smallbusiness.com. Reject all email that
> has a *.mtx.*.smallbusiness.com record. Just as you would blacklist
> the sending IP for spamming. As with SPF, I expect this to be quite a lot
> easier than maintaining a blacklist of spamming IPs. If I'm wrong on that
> one point, this is useless.
I'm still not seeing the whole picture; maybe you can explain the
difference between these two cases:
1) Legitimate sender, uses the NAT machine as the legitimate, designated
relayhost.
So far as a remote system is concerned, the mail originates from an IP
(10.0.0.2) with a certain rDNS (exchange.smallbusiness.com).
Remote system takes the IP, gets the PTR, and looks up
2.0.0.10.mtx.exchange.smallbusiness.com, and gets 127.0.0.1. Yay! Good
mail, let's let it through!
2) Spam, from an infected machine on the same LAN, either via relay
through the NAT box, or using its own SMTP engine to do direct-to-MX
So far as a remote system is concerned, the mail originates from an IP
(10.0.0.2) with a certain rDNS (exchange.smallbusiness.com).
Remote system takes the IP, gets the PTR, and looks up
2.0.0.10.mtx.exchange.smallbusiness.com, and gets 127.0.0.1. Yay! Good
mail, let's let it through!
Would you still like more detail on what pieces of information I'm looking
at, and where I'm getting them from?
Obviously I've missed *something* about what you've been trying to
describe, but I haven't seen any indication that you're working with
**ANYTHING** other than the PTR record for the (apparent) originating IP
(which, for a small business on a single static-IP connection, may or
may not even have anything to do with the business's own domain(s) at
all), and some arbitrary (sub^n)domain A record based on the PTR.
About all your scheme seems to do is identify IPs which may emit
legitimate email, generally; it's certainly nothing I'd score at
anything more than an advisory -0.001 in SA.
Consider the case of a legitimate ISP's outbound relay - most of the
mail is perfectly legitimate, but sooner or later *someone* on an IP
controlled by that ISP (and therefore allowed to relay through that
outbound relay host) will have their machine infected or someone with an
account with that ISP will have their password stolen, and then that
infected machine will spew out junk via the relay, or a machine
somewhere else will use that stolen password to send SMTP AUTH mail
through that relay....
We regularly see both of those cases here (medium-sized ISP).
The more I think about it and the more I read of what you're describing,
the more most of it seems like a reasonable component of any blacklist
operation, not a whole FUSSP[1] in its own right.
[1] http://www.claws-and-paws.com/fussp.html, among other references
-kgd
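The lookup sequence the two cases above walk through (connecting IP -> PTR -> reversed-IP label under "mtx." under the PTR hostname -> check for 127.0.0.1), modelled as an added example that is not code from either poster. It runs against a constructed in-memory DNS table rather than a real resolver, so it works offline; the table contents, the third contrast host (10.0.0.9), the sender addresses, the function names and the "last two labels" rule for deriving the validating domain are all assumptions made for illustration. It also models the reply's suggestion of blacklisting the validating domain, so the same code shows both the check and the proposed countermeasure.

```python
import ipaddress

# Constructed DNS table (an assumption for illustration) standing in for
# the records the thread describes; a real check would query a resolver.
FAKE_DNS = {
    ("2.0.0.10.in-addr.arpa", "PTR"): ["exchange.smallbusiness.com."],
    ("2.0.0.10.mtx.exchange.smallbusiness.com", "A"): ["127.0.0.1"],
    # Contrast host: has a PTR but publishes no mtx record (assumed).
    ("9.0.0.10.in-addr.arpa", "PTR"): ["mail.other-isp.example."],
}


def reverse_ip(ip):
    """10.0.0.2 -> '2.0.0.10', the label order used under in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    return ".".join(reversed(str(addr).split(".")))


def lookup(name, rtype, dns=FAKE_DNS):
    """Return the records for (name, rtype) with any trailing dot stripped."""
    return [r.rstrip(".") for r in dns.get((name, rtype), [])]


def mtx_check(connecting_ip, dns=FAKE_DNS):
    """The scheme as described: PTR, then <rev-ip>.mtx.<ptr-host> A == 127.0.0.1.

    Note that nothing about the message itself (envelope sender, headers,
    body) enters the decision; only the connecting IP does.
    """
    rev = reverse_ip(connecting_ip)
    ptrs = lookup(rev + ".in-addr.arpa", "PTR", dns)
    if not ptrs:
        return {"verdict": "no-ptr", "ptr": None, "mtx": None}
    ptr = ptrs[0]
    mtx = f"{rev}.mtx.{ptr}"
    designated = "127.0.0.1" in lookup(mtx, "A", dns)
    return {"verdict": "designated-relay" if designated else "not-designated",
            "ptr": ptr, "mtx": mtx}


def validating_domain(ptr_host):
    """Assumption: the validating domain is the last two labels of the PTR
    hostname. A real implementation would consult the public suffix list."""
    return ".".join(ptr_host.split(".")[-2:])


def classify(connecting_ip, domain_blacklist=frozenset(), dns=FAKE_DNS):
    """Combine the mtx check with the reply's 'blacklist the validating
    domain' suggestion. Returns 'reject', 'accept' or 'unknown'."""
    r = mtx_check(connecting_ip, dns)
    if r["ptr"] and validating_domain(r["ptr"]) in domain_blacklist:
        return "reject"
    if r["verdict"] == "designated-relay":
        return "accept"
    return "unknown"


# Constructed sample connections: cases 1) and 2) from the message share an
# IP and differ only in content the check never looks at; 3) is the contrast.
MESSAGES = [
    {"case": "1) legitimate mail via the designated relay",
     "ip": "10.0.0.2", "mail_from": "alice@smallbusiness.com"},
    {"case": "2) infected machine on the same LAN, relayed or direct-to-MX",
     "ip": "10.0.0.2", "mail_from": "pharmacy@example.net"},
    {"case": "3) host with a PTR but no mtx record",
     "ip": "10.0.0.9", "mail_from": "bob@other-isp.example"},
]


def run(domain_blacklist=frozenset(), dns=FAKE_DNS):
    """Classify every sample connection; returns a list of (case, verdict)."""
    return [(m["case"], classify(m["ip"], domain_blacklist, dns))
            for m in MESSAGES]


if __name__ == "__main__":
    for case, verdict in run():
        print(f"{verdict:8} {case}")
    print("-- after blacklisting the validating domain smallbusiness.com --")
    for case, verdict in run(frozenset({"smallbusiness.com"})):
        print(f"{verdict:8} {case}")
```

Cases 1) and 2) come back with the same verdict in both runs, before and after the domain is blacklisted: the check keys on the connecting IP alone, so a domain blacklist rejects the business's legitimate mail along with the bot's, exactly as blacklisting the IP would.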