Re: Technical mail setup question

[Craig Sanders <cas@taz.net.au>]

On Thu, Jun 03, 1999 at 06:07:49PM -0400, Brian Cox wrote:

> There's the rub.  What about those people who don't have a static IP
> or a static hostname?  They can't use their firewall box as a relay.
> More than likely, the box can't be configured with a suitable real
> Internet-wide hostname to use when talking to the ISP's relay.

they can use their ISP's mail relay or beg/buy a uucp-over-tcp service,
or run a ssh tunnel to a friendly mail host somewhere, or one of many
other cheap or free options. internet technology is extremely flexible
if you know how to use it.

> Unless the relay doesn't check the connecting machine's HELO
> signature, people in this situation are screwed.

there's a right way and a wrong way to do HELO/EHLO checks.

checking that the HELO/EHLO line is a valid hostname/domain name is
reasonable (but not really necessary). checking that it exactly matches
the .in-addr.arpa domain name is unreasonable because it limits what
their users can do *without* serving any useful purpose.


> Also, I'm not sure how one goes about authenticating with a relay
> server.  If there is some provision in SMTP to authenticate with
> username/password (of which I do not know), then this might work.
> Otherwise, an ISP relay is simply going to relay messages that come
> from the "right" IP or the "right" email address.

no, there is no authentication for SMTP.

smart ISPs allow their own IP addresses to relay through them and deny
relaying for anyone else.

some ISPs even allow relaying for their customers with some sort of
POP-before-SMTP "authentication"...the user makes a POP connection with
username and password, and the server adds the user's IP address to the
list of relay-allowed IP addresses for the next 5 or 10 or 30 minutes.
it's easy enough to hack in support for this to most POP daemons.


dumb ISPs do nothing, or try some brain-damaged scheme of allowing
relaying for messages with the "right" domain name(s). this is just
stupid, and it allows spammers to relay simply by faking their From
address.


> Even if there is authentication involved, this won't stop spammers
> from using throw-away ISP accounts.  If they're able to hop from one
> account to the next on an ISP to send spam directly from their box to
> a recipient (presumably because the ISP is nuking the previous account
> each time people complain),

this is why DUL RBLs are necessary.

> And if authentication happens on "From" address, what about people who

"authentication" (i.e. allowing relay based on) From address is just
plain stupid.  From addresses can be faked with trivial effort...in
fact, no effort at all is required.

the only use for checking domains in From_ or From: checks
is to make sure that the mail has a valid reply address. if
it doesn't have one then it is almost certainly spam (e.g.
teensluts36@2383736xxjjz.com)....for the tiny percentage of these which
aren't spam then it is better to bounce it to let the hapless author
know that they have misconfigured their mail client rather than leave
them wondering why they never get any replies to their mail.


craig

--
craig sanders