Author: Eli
Date:
To: 'Marc Perkel'
CC: exim-users
Subject: RE: [exim] Testing what ports are open on the sending host.

Marc wrote:
> It is my theory that hosts who send spam have different ports
> open than hosts who send ham and I'm not suggesting doing a
> port spam on every connection but if a few choice ports were
> tested and the results fed into bayes then I think it would
> work as a white rule that statistically if the sending host
> is running spam assassin that they probably aren't a spammer.

Any administrator who leaves their SpamAssassin daemon open to arbitrary
connections would indicate to me a VERY poorly configured system - certainly
no serious thought went into the deployment of that system. If that's the
case, I'd actually rate that system HIGHER in the probable spam area, as
there's probably other security issues to be found as well.

I simply do not see this technique yielding ANY useful results at all. The
results will conflict with other tests and do nothing but waste CPU time and
annoy the hell out of admins who see logs of connections coming in and
dropping off to their SMTP daemon (if they actually have one open for you to
scan).

I check my system logs once in a while and if I saw your IP consistently
connecting in to do user verification AND port scanning (on top of all the
other whacked out checks you do too), I'd write you some very nasty
hatemail.

Sounds to me, with all the schemes you come up with, you'd probably be
better off using snail mail, than e-mail :P