Re: Acceptance of domain literals

From: Peter H. Coffin (no email)
Date: Sun Jan 04 2004 - 00:40:55 EST


On Sat, Jan 03, 2004 at 08:11:35PM -0800, Kurtis D. Rader wrote:
> On Fri, 2004-01-02 20:58:50, Peter H. Coffin wrote:
> > First off, the first thing a mail server needs to do during an SMTP
> > connection is IDENTIFY itself, and the realistic situation that we face
> > today is that that mail server had better identify itself how the smtpd
> > server sees it. Which, frankly, means that that NATted SMTP server needs
> > to identify itself DIFFERENTLY depending on where it's connecting. RFCs
> > may say otherwise, but I know *my* Postfix installation is going to
> > refuse service from anything claiming to be a host that I can't verify.
> > Which also means that all kinds of preset variables that make sense for
> > an internal net ($myhostname, etc) are wrong for the NATted connection,
> > and have to be custom-crafted.
>
> It would be trivial for me to reconfigure my Postfix installation
> to identify itself as 216-99-206-50.cust.aracnet.com in its HELO
> command.

So do that, and then you can send mail to Greg.

> But note that I'm still going to be advertising the sender
> as FROM a @skepticism.us or @sysperf.org address.

That's not a requirement. If it were, mail transit server routing would
be a lot more difficult.

> Which are both
> domains with valid whois information that resolve to the address
> 216.99.205.50. So what exactly does your restriction accomplish?

In my case, it blocks spam. Between 150 and 450 a day for my domain. I'm
sure Greg's got numbers in the same order of magnitude.

> Note that you can verify my hostname. Furthermore, you can verify that
> it evaluates to the same IP address that is connecting to you. What it
> does not do is evaluate to a hostname obtained from a rDNS lookup. But
> that's simply because I didn't want to impose on my ISP.

Why not? It's about a 1 minute update and never has to be touched again.

> I'm as frustrated by spam as anyone. I'm currently receiving more than
> 100 spam emails each and every day. And that count doesn't include
> those that are blocked by the few RBLs and other restrictions I use.

So, you complain about the volume of spam you get with "few RBLs and
other restrictions". Maybe you should try a few more.

> But the rDNS checks I see people using don't help. Any spammer using a
> "bulletproof" hosting service should have no problem establishing the
> appropriate DNS PTR records to foil rDNS checks.

Since most of the "bulletproof" hosting services seem to be a horde of
0wned machines already listed on DULs, I don't see the capacity for them
to manage the rDNS for comcast and roadrunner.

> Similarly, any spammer using hijacked PCs as open relays won't find
> it difficult to employ a trojan written by a competent programmer who
> uses the hostname that itself obtained from a rDNS lookup in its HELO
> command.

True, but *they haven't yet*. And as long as some don't, the checks will
still be a diminished good.

> These rDNS restrictions will eliminate very little spam (over the
> long run) and cause needless grief to people with vanity domains or
> that are running small projects (e.g., my Linux system performance
> monitoring tool I'll be hosting at sysperf.org).

I've got my own domain. rDNS came with my connectivity. I set it up, and
haven't had any grief about it. It's your problem, and you can fix it,
if you'd bother your ISP for a one-minute task.
>
> > Heh. PIX Fixup, anyone?
>
> Exactly. All software has flaws. Including that from companies with
> competent engineers such as Cisco.

They have little need to keep current, because their "core competency"
isn't making PIX work. For someone with a vanilla Sendmail installation,
it works fine, because a vanilla Sendmail installation that hasn't been
touched in four years is exactly what it's supposed to protect. A
well-maintained Postfix installation doesn't need it and the fixup
should be turned off. Postfix runs well *on* the firewall machine, along
with the packet forwarder/load balancer, ident proxy, etc.

-- 
71. If I decide to test a lieutenant's loyalty and see if he/she should be 
    made a trusted lieutenant, I will have a crack squad of marksmen standing 
    by in case the answer is no.
                --Peter Anspach's list of things to do as an Evil Overlord
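As an added illustration (not part of this thread), here is an offline model of the three checks the two posters are arguing about: does the HELO name resolve to the connecting address, does the client have forward-confirmed reverse DNS, and the strict "HELO must equal the PTR name" form. DNS is replaced by constructed tables using RFC 5737 addresses and example domains; the "default" policy roughly mirrors a Postfix-style unknown-client/unknown-HELO rejection, and the last scenario shows why the hijacked-PC case Kurtis describes passes every one of these checks.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed stand-in for live DNS (assumption: no network, RFC 5737 ranges).
FORWARD: Dict[str, Set[str]] = {          # hostname -> A records
    "mail.example.net": {"198.51.100.7"},
    "203-0-113-50.cust.isp.example": {"203.0.113.50"},
    "dyn-50.isp.example": {"203.0.113.50"},
    "c-192-0-2-77.cable.example": {"192.0.2.77"},
    "webmail.example": {"192.0.2.1"},
}
REVERSE: Dict[str, str] = {               # client IP -> PTR record
    "198.51.100.7": "mail.example.net",
    "203.0.113.50": "dyn-50.isp.example",
    "192.0.2.77": "c-192-0-2-77.cable.example",
}

@dataclass(frozen=True)
class Verdict:
    helo_forward_confirmed: bool   # HELO name has an A record equal to client IP
    client_fcrdns: bool            # PTR exists and its A record points back
    helo_equals_ptr: bool          # the strict form objected to in the thread

def check(client_ip: str, helo: str) -> Verdict:
    helo_ok = client_ip in FORWARD.get(helo.lower(), set())
    ptr = REVERSE.get(client_ip)
    fcrdns = ptr is not None and client_ip in FORWARD.get(ptr, set())
    return Verdict(helo_ok, fcrdns, fcrdns and helo.lower() == ptr)

def policy(v: Verdict, strict: bool = False) -> str:
    """strict=True: HELO must be the rDNS name. Default: HELO must resolve to
    the client and the client must have forward-confirmed rDNS."""
    if strict:
        return "accept" if v.helo_equals_ptr else "reject"
    return "accept" if (v.helo_forward_confirmed and v.client_fcrdns) else "reject"

SCENARIOS = {  # constructed sessions mirroring the cases argued in the thread
    "well-configured relay": ("198.51.100.7", "mail.example.net"),
    "HELO resolves, PTR is ISP generic": ("203.0.113.50", "203-0-113-50.cust.isp.example"),
    "forged HELO, no PTR": ("192.0.2.99", "webmail.example"),
    "hijacked PC echoing its own PTR": ("192.0.2.77", "c-192-0-2-77.cable.example"),
}

def run() -> Dict[str, Tuple[str, str]]:
    return {name: (policy(check(ip, h)), policy(check(ip, h), strict=True))
            for name, (ip, h) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (default, strict) in run().items():
        print(f"{name:36} default={default:7} strict={strict}")
```

The second scenario is the situation Kurtis describes: the HELO name verifies against the connecting address but is not the ISP-assigned PTR name, so it fails only the strict check.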