--On 27 December 2006 10:33:41 +0000 Peter Bowyer <peter@???> wrote:
> On 27/12/06, David Saez Padros <david@???> wrote:
>> Hi !!
>>
>> >>> I would like to increase a spam defense of our server by checking if
>> >>> a sender really represents an MX server of his/her organization. So
>> >>> if a certain PC is trying to send me an e-mail from user@???
>> >>> then we will check if this person's IP address is within MX servers
>> >>> of domain.com, otherwise we'll refuse to accept the mail.
>> >> This is misguided. There's no useful correlation between outbound mail
>> >> relays and inbound MXs for a large proportion of the internet. Don't
>> >> do it.
>> >>
>> > OK, I see I was wrong. I just wanted to implement it because some
>> > prominent unix person had suggested this way of struggling with
>> > spammers.
>>
>> you just could use this check to score messages when no spf
>>
>> http://www.ols.es/exim/acl/ismx.acl
>
> Even if you only use that for scoring, I still believe it's unwise.
> What you're actually doing is scoring the sending domain's email
> infrastructure against what you believe it should look like.
Actually, I don't think this matters. The problem that you're highlighting
is that there's no information regarding email that fails the test. Fair
enough. However, email that passes the test probably is less likely to be
spam [if only because spammers don't usually use their own resources to
send email, or because one can potentially punish them later if they do],
so the test might be useful for whitelisting.
As a trite analogy: I know my mother's voice on the phone, so when she
calls I trust that it's her on the phone. However, I can't authenticate the
identity of strangers when they call, so my "mother's voice" test isn't
useful when it fails. That doesn't mean that the test isn't useful, just
that it's not comprehensive.
> A few
> tens of millions (beermat estimate - AOL, Hotmail, Gmail, Wanadoo for
> starters) of ISP users across the world would score badly for the sole
> reason that their provider chose a particular way of engineering their
> email system.
Actually, you need to take Hotmail off that list, since they do publish SPF
records, so their servers would pass this test.
> It might be instructive to collect statistics on incoming email that
> passes or fails this check, and see how much of a spam sign it is
> compared with a false positive, however. Then see how much of the real
> spam would have been caught by other tests, and decide whether the FP
> rate, perhaps augmented with whitelisting, makes it worthwhile. I'll
> bet a large portion of Christmas Pudding that it will turn out to be
> of no use.
>
> Peter
>
> --
> Peter Bowyer
> Email: peter@???
--
Ian Eiloart
IT Services, University of Sussex