Hi Paul,
On Thu, 18 Nov 2010, Always Learning wrote:
> Bill Hacker wrote .........
>
> > "Real folks" MTA have DNS creds. Botnet WinZombies do not. QED.
>
> The facts of everyday email receiving is some very large organisations
> give out false HELO / EHLO and/or have non-resolving hosts.
I don't think that's what Bill meant.
Any kiddie can write a spam mailer that does a reverse lookup on its IP
address to send a *valid* and *accurate* DNS HELO.
"Credentials" for me is "reputation": known good emails and very few spams
originating from this server's IP address. I only care about its hostname
if I have to guess whether it's dynamic or belongs to someone too big to
block, like Google or Yahoo. I wish that I didn't have to make that guess.
> (1) HELO / EHLO must resolve to the IP address of the sending server;
Which makes this test pretty useless. It's also difficult for hosts that
send mail to destinations both inside and outside of NAT, without running
split horizon DNS, which is also evil, and two wrongs does not make a
right, and internal hostname + split horizon DNS != zero problems.
> (2) The sending server (MTA) must have a resolving host name.
This one is out of the control of the botnet owner, but most ISPs have it.
For this to reduce spam significantly, ISPs would also have to remove
reverse DNS from their zombie range. I'd rather that the ISP registered
their dynamic IP space with the Spamhaus PBL instead.
> Exim provides excellent tools for rejecting spam but when large
> organisations, some operating internationally, can not care less the
> dilemma for others is whether to adhere to one's own standards or
> succumb to accepting spam, virus and Trojans into the system.
I wish that ISPs would block port 25 outbound except for registered
outbound SMTP servers, and force all outbound mail through a spam filter.
I wish that spam filtering services didn't send out spam from their
customers.
> I reject virtually everything not 100% correct. It produces a (so far)
> 100% spam free operation. A selection of other people's standards can
> be seen on sys.u226.com/t21/t21.php
It's very easy to be 100% spam free: block port 25 inbound. You don't
mention your false positive rate.
Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\ _/_/_/_//_/___/ | Stop nuclear war http://www.nuclearrisk.org |
