
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)



Hi,

You shouldn't try to block everything that comes from a host which has no open 
smtp port, this is in general a bad idea...

Reason: there are a lot (and I mean a lot) of servers out there which only 
send mail out to the world but should never receive any mail directly, so 
that it is okay to bind the smtpd only to localhost or to an internal lan 
interface. Often there are other servers which receive the mail for these 
kinds of setups...

The better way is to check against a real blacklist which has entries for 
dial-up networks and maybe for dns-names without any MX or A entry...

For example, spamassassin asks a lot of real blacklists and so it also checks 
these things:

Example for checks against RBLs (sorry, it's a German system, but I will 
translate):

- NO_DNS_FOR_FROM:
Domain der Absendeadresse nicht im DNS registriert (kein MX/A Eintrag) / 
Domain of the sending address has no dns entry (no mx/a record)

- RCVD_IN_NJABL_DIALUP RBL: NJABL: 
Senderechner nur temporär mit Internet verbunden [XXX.XXX.XXX.XXX listed in 
dnsbl.njabl.org] / Sending host is only connected to the internet temporarily 
(dial up)

and so on.... So in my opinion it's better to check against such lists than 
to simply block all mail that comes from a system without open smtp...

--Ralph

On Saturday 10 April 2004 01:18, Andreas John wrote:
> Hi!
>
> Dave Watkins wrote:
> > If I remember right (and someone correct me if I'm wrong) a mail server
> > doesn't have to have an MX record. If no MX record exists then the
> > sending server drops back to normal host records and this is perfectly
> > legitimate. So the MX record checking may not work so well
>
> Dave, your theory is right, you don't have to have an MX record in your
> DNS zone in order to receive mail, but Pulu wants to "tcpping", so his
> idea is to check if there is an open port 25, i.e. check if the sending
> server is a mailserver. This would not be the case with infected
> outlooks ;) but also not for hosts behind NAT FW.
> @Pulu: Is that your idea?
>
> The problem is more that a sending host does not necessarily have to be a
> receiver. (reminds me of goatse.cx ;-)) nor that it has to be smtp
> (submission et al?)
>
> In Germany several large scale ISPs began to block all mail coming
> directly from a dialup ip, so I think it would be an accepted way to
> try what Pulu wants to do.
>
> Rgds,
> j.
>
>
>
>
> --
> Andreas John
> net-lab GmbH
> Luisenstrasse 30b
> 63067 Offenbach
> Tel: +49 69 85700331
>
> http://www.net-lab.net
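
The two checks named in the message above, sketched as an added example (not code from the thread or from SpamAssassin): a DNSBL query built from the reversed IPv4 octets, and a sender-domain check that only fires when both MX and A are missing. The `lookup` callback, the sample addresses and the DNS table are constructed assumptions so the logic runs offline; the zone and rule names are the ones quoted in the post.

```python
import ipaddress

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_sender(ip, from_domain, lookup, zone="dnsbl.njabl.org"):
    """Return the names of the rules that fire for this sender.

    lookup(name, rrtype) -> list of record strings, empty when none exist.
    It is injected (hypothetical interface) so a real resolver can be
    swapped in; neither check probes port 25 on the sending host.
    """
    hits = []
    # A listed address resolves to a 127.0.0.x answer inside the list zone.
    if any(a.startswith("127.") for a in lookup(dnsbl_name(ip, zone), "A")):
        hits.append("RCVD_IN_NJABL_DIALUP")
    # A domain without MX is still deliverable through its A record,
    # so flag it only when both record types are missing.
    if not lookup(from_domain, "MX") and not lookup(from_domain, "A"):
        hits.append("NO_DNS_FOR_FROM")
    return hits

# Constructed DNS data: documentation address ranges and example domains.
FAKE_DNS = {
    ("10.2.0.192.dnsbl.njabl.org", "A"): ["127.0.0.3"],   # listed dial-up host
    ("relay.example.org", "A"): ["198.51.100.7"],         # send-only, no MX
    ("example.com", "MX"): ["10 mx.example.com."],
}

def fake_lookup(name, rrtype):
    """Offline stand-in for a resolver, backed by the constructed table."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rrtype), [])

if __name__ == "__main__":
    samples = [("192.0.2.10", "nodns.invalid"),        # dial-up, bogus domain
               ("198.51.100.7", "relay.example.org"),  # send-only server
               ("203.0.113.5", "example.com")]         # ordinary mail server
    for ip, domain in samples:
        print(ip, domain, check_sender(ip, domain, fake_lookup))
```

The send-only relay in the second sample passes both checks, although a port-25 probe against it would have failed.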


