Author: Edgar Lovecraft Date: To: Exim-users Subject: Re: [exim] Testing what ports are open on the sending host.
Marc Perkel wrote:
> ..[snip]...
>
> It is my theory that hosts who send spam have different ports open than
> hosts who send ham, and I'm not suggesting doing a port scan on every
> connection, but if a few choice ports were tested and the results fed
> into bayes then I think it would work as a white rule that statistically
> if the sending host is running spam assassin then they probably aren't a
> spammer.
The only place I may possibly see any benefit to is for testing IP
addresses that do not have anything close to the EHLO hostname for
DNS PTR data. In other words, all those "legit" but faulty
implementations from mostly small to medium sized companies and
educational institutions who tend to use one server for both inbound and
outbound SMTP traffic and have no idea what in-addr.arpa space is.
To my thinking, save yourself a scan, and just look up the MX record
for either or both the EHLO hostname and/or the return-path domain from
the MAIL FROM: command. From the MX record, get the IP of the MX host(s)
and test it against the connecting IP address with a small fudge in the
network range to, say, a /28 network. My wager is that this would find
just as many of these semi-legit SMTP hosts as would Marc's port scan,
and it would be a lot easier to implement.
However, are you really sure that you want to accept email from a server
that has SA publicly exposed?
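The MX-proximity check Edgar describes, as an added example that is not code from the thread or from Exim: it resolves the MX hosts of the EHLO name, its parent domain (an assumption, since small sites often EHLO as mail.example.com while the MX sits on example.com) and the MAIL FROM domain, then asks whether the connecting address falls within the same /28 as any MX address. DNS is replaced by a constructed in-memory zone table so it runs offline; the lookup functions are injectable, so a real resolver can be dropped in.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed zone data standing in for real DNS (assumption, not real hosts).
# example.com: a small site whose EHLO name differs from its MX name and whose
# outbound server is a neighbour of the MX inside the same /28.
# bulk.test: a domain whose MX lives in an unrelated network.
FAKE_MX: Dict[str, List[str]] = {
    "example.com": ["mx.example.com"],
    "bulk.test": ["mx.bulk.test"],
}
FAKE_A: Dict[str, List[str]] = {
    "mx.example.com": ["192.0.2.20"],
    "mx.bulk.test": ["198.51.100.9"],
}

Lookup = Callable[[str], List[str]]  # name -> list of records (MX names or addresses)


def candidate_domains(helo: str, mail_from: str) -> List[str]:
    """Domains whose MX records are compared: the EHLO name itself, its parent
    (mail.example.com -> example.com; an assumed fallback), and the return-path
    domain. A null sender (<>) contributes nothing."""
    names = [helo.lower().rstrip(".")]
    if names[0].count(".") >= 2:  # only strip a label if a domain remains
        names.append(names[0].split(".", 1)[1])
    if "@" in mail_from:
        names.append(mail_from.strip("<>").rsplit("@", 1)[1].lower().rstrip("."))
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def ip_near_mx(connecting_ip: str, helo: str, mail_from: str,
               mx_lookup: Lookup, a_lookup: Lookup, prefix: int = 28) -> bool:
    """True if the connecting IP lies within /prefix of any MX host address
    for one of the candidate domains. prefix=28 is the 'small fudge' from
    the post; widen it if a site keeps inbound and outbound on separate subnets."""
    ip = ipaddress.ip_address(connecting_ip)
    for domain in candidate_domains(helo, mail_from):
        for mx_name in mx_lookup(domain):
            for addr in a_lookup(mx_name):
                # strict=False lets us build the enclosing /28 from a host address
                net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
                if ip in net:  # False, not an error, on an IPv4/IPv6 mismatch
                    return True
    return False


if __name__ == "__main__":
    mx = lambda d: FAKE_MX.get(d, [])
    a = lambda h: FAKE_A.get(h, [])
    print(ip_near_mx("192.0.2.25", "mail.example.com", "bob@example.com", mx, a))  # True
    print(ip_near_mx("203.0.113.5", "mail.bulk.test", "x@bulk.test", mx, a))       # False
```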