Re: posfix SAV tarpitted

From: mouss (no email)
Date: Mon Oct 03 2005 - 16:28:13 EDT

  • Next message: mouss: "Re: Postfix 2.2.4 and renattach 1.2.2 ?"

    Len Conrad wrote:

    >> So the best idea would be to not use SAV at all or *only* after some
    >> RBL checks and maybe greylisting have been passed.
    >
    > SAV runs last, so it's not a huge contributor,

    It is. You apparently run it for all non-whitelisted clients for which
    you accept mail. This may be a huge percentage.

    > but it does make a significant, welcome contribution, stopping forged
    > senders that got past everything else.

    - It is really easy for spammers to get valid addresses (just harvest
    public mailing lists such as this one; they can subscribe if addresses
    don't get archived).
    For now, many spammers are stupid enough to use their own lists (which
    may contain invalid addresses) or just random addresses,
    but if we get enough probes, we may contribute open source software
    just for that.

    - You can get into a mutual greylisting fiesta. Not a big issue, but...
    This is why, if SAV is ever to be used, I recommend the use of "<>" as
    sender. If the remote site rejects the empty sender, then just block him.
    You just got your own dsn.rfci-ignorant.org for free :)

    - This thread shows how SAV can become a self-DoS attack.

    - These probes can be used to DoS a site (k clients, each connecting to
    m among N servers (m<N to avoid throttling and the like), using
    addresses in a victim domain). That makes k*m probes at the victim
    domain. (While they can connect directly to the victim, m>1 but not too
    large allows avoiding some flow control defenses, and in this scheme
    the victim doesn't know which clients attack him.)

    - Probes may get you listed. Using my resources just because some
    spammer sends you an email with an address in my domain is a sort of
    collateral damage that not everybody accepts nowadays. Some sites don't
    like getting too many calls but not many mails (or too few calls in the
    last $period) from any given network/client. They sometimes do this to
    detect newly compromised hosts.

    PS. Note that your system matches {FORGED_RCVD_HELO, RCVD_IN_SORBS} in
    SA because of:

    Received: from tx2.Go2France.com (66-90-156-205.dyn.grandenetworks.net [66.90.156.205])
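
The two mitigations mouss argues for, written out as a Postfix main.cf fragment (an added example, not part of the original thread or of Len Conrad's configuration): sender verification placed after the DNSBL and other cheap rejections so that only clients which survived them trigger a probe, and the probes sent with the empty envelope sender. The DNSBL name, the greylisting policy socket and the cache path are assumptions for illustration.

```conf
# Risky layout: reject_unverified_sender placed early, so every
# non-whitelisted client causes a probe to the (often forged) sender domain.
#   smtpd_recipient_restrictions =
#       permit_mynetworks
#       reject_unverified_sender
#       reject_unauth_destination
#       reject_rbl_client zen.spamhaus.org

# Safer ordering: SAV runs last, only for mail that passed every cheaper
# check, so senders caught by a DNSBL or greylisting never cause a probe.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_rbl_client zen.spamhaus.org
    check_policy_service unix:private/greylist
    reject_unverified_sender

# Probe with the empty envelope sender, as recommended above, instead of
# a real local address; a site that rejects <> gets caught here.
address_verify_sender = <>

# Persist verification results so a repeated (forged) sender address costs
# one probe rather than one per message; negative results expire sooner.
address_verify_map = btree:$data_directory/verify_cache
address_verify_positive_expire_time = 31d
address_verify_negative_expire_time = 3d

# Bound how long an smtpd waits for a probe (poll_count * poll_delay).
# If the remote site is slow or tarpits the probe, the client gets a
# temporary 450 and retries later instead of the smtpd hanging.
address_verify_poll_count = 3
address_verify_poll_delay = 3s
unverified_sender_reject_code = 450
```

With this ordering the k*m probe amplification described above is only reachable by clients that are not listed, not greylisted and send a syntactically valid sender, and each distinct address costs the verifying site at most one probe per cache lifetime.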
