
Re: my isp is being told *i* am broadcasting spam?



On Sat, Apr 20, 2002 at 07:30:06AM -0500, will trillich wrote:
| On Fri, Apr 19, 2002 at 09:28:17AM -0700, Sean 'Shaleh' Perry wrote:
| > HELO dontuthink.com
| > 250 server Hello 12-235-84-58.client.attbi.com [12.235.84.58]
| > MAIL FROM:<shaleh@dontuthink.com>
| > 250 <shaleh@dontuthink.com> is syntactically correct
| > RCPT TO:<shaleh@debian.org>
| > 550 relaying to <shaleh@debian.org> prohibited by administrator
| > 
| > if you are relaying, I do not see how.
| > 
| > If someone can relay through you they should be able to telnet to your smtp
| > port and send mail out like I just tried.
| 
| thanks. i did similar tests at paladinCorp.com (specifically,
| http://www.paladincorp.com.au/unix/spam/spamlart/ ) and they
| found some instances where my setup didn't retch at certain
| questionable email syntaxes:
| 
| here are the ones marked 'potential vulnerability'... Output
| from Anti-Relay Tests:
| 
| 	Spam-Lart v0.3.2
| 	220 server ESMTP Exim 3.12 #1 Fri, 19 Apr 2002 08:58:34 -0500 
| 
| 	rcpt to: <"spamtest@paladincorp.com.au"@mail.dontUthink.com> 
| 	250 <"spamtest@paladincorp.com.au"@mail.dontUthink.com> is
| 	syntactically correct 
| 	** FAILURE / Potentital Vulnerability **
| 
| but i bet that'll look for use 'spamtest@paladincorp.com.au' ON
| MY SERVER.

It depends on your site's entire configuration.  An old version of my
exim-spamassassin config is vulnerable to this sort of spoofing.  The
problem with that config was only the local part was passed back to
exim, and that local part looks like a complete address.  I just
tested this particular potential vulnerability and received an "unknown
local-part" bounce.  That's good.  It's better if you reject it at
RCPT time, but ok as long as you don't deliver at all.

 
| right. my exim.conf includes
| 
| 	rbl_domains = rbl.maps.vix.com
| 	rbl_reject_recipients = false
| 	rbl_warn_header = true
| 	host_accept_relay = localhost : 192.168.1.1/24 : 208.33.90.85/32
| 	# commented-out:
| 	# percent_hack_domains=*
| 
| what sanity checks does that miss?

There are lots more sanity checks that exim can perform.  I don't have
an up-to-date exim 3 config anymore (if I have one at all).  I've been
using version 4.01 for a while now.

There is a site (ORBD?) that allows you to enter your IP address and
it will run a barrage of relay tests against it and report the results
to the email address you specify.  It actually tries to send a message
and then waits for your host to relay it to their spamtrap address.
(obviously, if you reject at RCPT time it won't need to wait at all
because you won't have accepted responsibility for the message)
There's some other site you can telnet to and it will test the ip you
connected from.  I don't recall those hostnames right now, though, and
I don't think I wrote them down anywhere.

-D

-- 

The heart is deceitful above all things
    and beyond cure.
    Who can understand it?

I the Lord search the heart
    and examine the mind,
to reward a man according to his conduct,
    according to what his deeds deserve.

        Jeremiah 17:9-10
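The point D makes above (the quoted local part looks like a complete address, so it must be rejected at RCPT time rather than handed on) can be shown as a standalone RCPT TO check. This is an added illustration, not code from this thread or from exim; the local domain list and the sample addresses are constructed for the example.

```python
# Added example: classify an SMTP RCPT TO address the way a relay check
# should, rejecting relay-style addresses at RCPT time. Not exim's code.

# Constructed: domains this host accepts mail for.
LOCAL_DOMAINS = {"dontuthink.com", "mail.dontuthink.com"}


def split_address(addr):
    """Split local@domain at the last '@' that is NOT inside double quotes.

    A naive rsplit('@') would be fine here too, but a quote-aware scan makes
    it explicit why "user@elsewhere"@local.domain is one address with a
    local part that merely looks like a full address.
    """
    in_quotes = False
    split_at = None
    for i, ch in enumerate(addr):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            split_at = i
    if split_at is None:
        return None
    return addr[:split_at], addr[split_at + 1:]


def classify_rcpt(rcpt, sender_host_may_relay=False, local_domains=LOCAL_DOMAINS):
    """Return (smtp_code, reason) for a RCPT TO argument such as '<a@b>'."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if sender_host_may_relay:           # e.g. host_accept_relay matched
        return ("250", "relay permitted for this host")
    if addr.startswith("@"):            # RFC 821 source route: @a,@b:user@c
        return ("550", "source-routed address rejected")
    parts = split_address(addr)
    if parts is None:
        return ("501", "malformed address")
    local, domain = parts
    if domain.lower() not in local_domains:
        return ("550", "relaying to %s prohibited" % domain)
    # Domain is ours, but a local part carrying its own routing (quoted '@',
    # the '%' hack, or a '!' bang path) would turn local delivery into a relay.
    bare = local.strip('"')
    if any(c in bare for c in "@%!"):
        return ("550", "local part embeds a routing address")
    return ("250", "accepted for local delivery")
```

The same policy applied to the thread's Spam-Lart probe rejects it at RCPT time, which is the outcome D describes as preferable to bouncing after acceptance.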
