Autor: John W. Baxter Data: Dla: exim-users Temat: Re: [exim] Port Tests to Verify the Sending Hosts
On 3/9/2005 13:40, "Christian Schmidt" <christian@???> wrote:
> Hello Marc,
>
> Marc Perkel, 07.03.2005 (d.m.y):
>
>> I don't think anyone would disagree that a host that has port 465 open
>> is more likely not to be a spammer.
>
> IMO you can't derive that from a (non)open port 465.
> Each host may be configured in an individual way, serving this on port
> x and that on port y.
I agree with Marc on this one. It took me a while to realize that I agreed
(I initially missed the "not" in the 5th word from the end, which didn't
help at all).
He's not looking for "is a spammer" vs "is not a spammer". He's looking for
"is slightly less likely to be a spammer." (Where, presumably, Dr Bayes is
tuning up what "slightly" means.) I think he'll get that (I don't know what
"slightly" will mean).
Why?
First, Marc probably isn't planning to do this test with known white hat
mail servers from large organizations (that well describes the type of site
where inbound and outbound SMTP are separate IPs and the senders aren't
listening on the inbound ports)...he probably skips a bunch of his
server-related testing for those sites.
Second, spam engines these days are "somewhat likely" to be found on
infected Windows machines connected via DSL or Cable, and owned by Aunt Jane
or Uncle Albert who never heard of "update" or "service pack" or "security"
or "never open unknown attachments."
In that environment, it is highly unlikely that the compromised computer is
listening on port 465 (if it is, it's the spam engine doing it). And it's
also highly unlikely that even if the computer is listening, the world will
see that. Few such machines are set up such that the world-facing IP is the
machine's IP (our DSL users *can* set up that way...only one or two have,
and neither Jane or Albert is capable of doing so--a Cable user may well not
be able to, and many DSL users may not be able to either).
Instead the Cable or DSL box has the world-visible IP and is using NAT to
deal with the client machine(s). These boxes do not routinely port forward
465 (or anything else)...that's why the spam engines make connections to
their masters rather than vice versa. Albert and Jane will not have gone to
the trouble of port forwarding 465 to their Windows machine (after changing
the normal setup so the IP of the machine is fixed rather than obtained from
DHCP so they could know where to port forward to.
So...that leaves, as others have noted, the question of whether the gain
from the test will be enough to notice. This question is like performance
issues: all thought experiments give wrong answers--testing and measuring
give real answers [either real or well-simulated testing].
