
[long] Re: Greylisting and Postfix

  • Alex Satrapa
    Message 1 of 18, Jun 1, 2006
      On 1 Jun 2006, at 16:13, Michael J Wise wrote:

      > On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:
      >
      >> (90% of the spam I get comes from Microsoft Outlook, which is a
      >> "proper" mail sender).
      >
      > You've been misled.
      > It may LOOK like it came from Outlook, but it didn't.
      > It came from a piece of software trying desperately to look like it
      > is Outlook.

      Walks like a duck, quacks like a duck, therefore it is a duck.

      Compare these two sets of headers:

      > Received: from sjq ([203.160.26.197]) by localhost (8.13.4/8.13.4)
      > with SMTP id k4V8wIth066131; Wed, 31 May 2006 01:58:18 -0700
      > X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,
      > 30 May 2006 18:56:51 EST
      > Message-Id: <001701c6848f$fc5a8c18$c51aa0cb@sjq>
      > Mime-Version: 1.0
      > Content-Type: multipart/related; type="multipart/alternative";
      > boundary="----=_NextPart_000_0013_01C684CA.A8B963B8"
      > X-Priority: 3
      > X-Msmail-Priority: Normal
      > X-Mailer: Microsoft Outlook Express 6.00.2800.1106
      > X-Mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106

      versus

      > Received: from DNA05 (unknown [192.168.2.205]) by smtp.apf.edu.au
      > (Postfix) with ESMTP id AEBBC8A80A3 for <alex@apf>; Tue, 9 May
      > 2006 16:52:32 +1000 (EST)
      > Message-Id: <003701c67334$e5774390$cd02a8c0@DNA05>
      > Mime-Version: 1.0
      > Content-Type: text/plain; charset="us-ascii"
      > Content-Transfer-Encoding: 7bit
      > X-Mailer: Microsoft Office Outlook 11
      > X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.2869

      How do I distinguish the spam from the ham? The spam is the first
      one, the ham is the second. The machine sending the spam tried again
      5 minutes later. From the perspective of the MTA, the spam was sent
      by something claiming to be "Microsoft Outlook Express" and behaving
      very much like "Microsoft Outlook Express" would be expected to
      behave - does it really matter what software was actually responsible
      for sending the message? That is only a philosophical discussion at
      best.

      But back to the original topic - as you can see, the spam still gets
      through with greylisting, because the software sending the spam is
      intelligent enough to respond appropriately to my server faking a
      temporary failure.

      When I raise the greylist delay to half an hour (enough time for the
      ISP to start getting complaints of spam originating from their
      clients, and shut the client out), I start receiving complaints from
      people whose mail servers send them messages saying, "I couldn't
      deliver this message after half an hour, I'm still trying though."

      Alex
    • Michael J Wise
      Message 2 of 18, Jun 1, 2006
        On May 31, 2006, at 9:19 PM, Alex Satrapa wrote:
        > On 1 Jun 2006, at 16:13, Michael J Wise wrote:
        >> On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:
        >>
        >>> (90% of the spam I get comes from Microsoft Outlook, which is a
        >>> "proper" mail sender).
        >>
        >> You've been misled.
        >> It may LOOK like it came from Outlook, but it didn't.
        >> It came from a piece of software trying desperately to look like it
        >> is Outlook.
        >
        > Walks like a duck, quacks like a duck, therefore it is a duck.
        >
        > Compare these two sets of headers:

        You are completely missing the point.
        It isn't a case of "Looks Like", it's a case of what is on the other
        end of the wire.

        >> Received: from sjq ([203.160.26.197])

        External address.
        No reverse DNS.
        Currently no DNSBLs of any consequence.

        >> X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,
        >> 30 May 2006 18:56:51 EST

        You might want to greylist it for a bit longer....
        Bottom line is, mail servers and local addresses shouldn't be
        greylisted.
        But *unknown* connects should be for quite some time.
        302 seconds doesn't cut it.
        86400 seconds might.
        This is, of course, only MHO.

        > versus
        >
        >> Received: from DNA05 (unknown [192.168.2.205])

        Local address.

        > How do I distinguish the spam from the ham?

        That's your problem, Sir.
        And this isn't the list for it.

        > does it really matter what software was actually responsible for
        > sending the message?

        Yes.

        > That is only a philosophical discussion at best.

        Oh no, it's quite practical.
        You see... sometimes, they make misteaks.
        And those misteaks become a sign.

        Aloha mai Nai`a!
        --
        "Please have your Internet License http://kapu.net/~mjwise/
        and Usenet Registration handy..."
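To make the difference between the two header sets concrete, here is an added example (my own code, not from the thread, from postgrey or from Postfix) that parses the topmost Received header and the X-Greylist header of each message, reports whether the connecting client was a local or an external address and whether it presented reverse DNS (the two points Michael makes above), and then applies a greylisting policy of the shape he describes: known networks are never greylisted, unknown clients without reverse DNS are held longest. The header text is transcribed from Alex's message with continuation lines re-folded; the network list and the delay values are assumptions taken from the thread's own numbers (postgrey's 300 s default, Michael's 86400 s), used for illustration rather than as a recommendation.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed sample input: the two header sets quoted in the thread, re-folded so
# that continuation lines start with whitespace as they would in a real message.
SPAM_HEADERS = """\
Received: from sjq ([203.160.26.197]) by localhost (8.13.4/8.13.4)
 with SMTP id k4V8wIth066131; Wed, 31 May 2006 01:58:18 -0700
X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,
 30 May 2006 18:56:51 EST
X-Mailer: Microsoft Outlook Express 6.00.2800.1106

"""

HAM_HEADERS = """\
Received: from DNA05 (unknown [192.168.2.205]) by smtp.apf.edu.au
 (Postfix) with ESMTP id AEBBC8A80A3 for <alex@apf>; Tue, 9 May
 2006 16:52:32 +1000 (EST)
X-Mailer: Microsoft Office Outlook 11

"""

# "from HELO (rdns-name [ip])": Postfix writes "unknown" for the name when the PTR
# lookup fails, Sendmail omits the name entirely ("from sjq ([203.160.26.197])").
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)
GREYLIST_RE = re.compile(r"delayed\s+(\d+)\s+seconds")


def parse_client(received: str) -> dict:
    """Extract HELO name, reverse-DNS name (None if absent) and IP from a Received header."""
    m = RECEIVED_RE.match(" ".join(received.split()))   # unfold, then match
    if not m:
        raise ValueError("unrecognised Received header: " + received)
    rdns = m.group("rdns")
    if rdns is None or rdns.lower() == "unknown":
        rdns = None
    return {"helo": m.group("helo"), "rdns": rdns, "ip": m.group("ip")}


def greylist_delay(value: Optional[str]) -> Optional[int]:
    """Seconds reported by postgrey's X-Greylist header, or None when the header is absent."""
    if value is None:
        return None
    m = GREYLIST_RE.search(value)
    return int(m.group(1)) if m else None


def analyse(raw_headers: str) -> dict:
    """Summarise the connecting client as seen by our own MTA."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("no Received header")
    # The topmost Received line was added by our own MTA, so its client is the
    # host that actually connected to us; lower ones are whatever the sender claims.
    client = parse_client(received[0])
    ip = ipaddress.ip_address(client["ip"])
    return {
        "ip": str(ip),
        "local": ip.is_private,
        "rdns": client["rdns"],
        "greylist_delay": greylist_delay(msg.get("X-Greylist")),
        "mailer": msg.get("X-Mailer"),
    }


# Assumed local networks and delays (illustrative values from the thread, not a
# recommendation): postgrey's 300 s default and Michael's 86400 s for unknown hosts.
MYNETWORKS = ("192.168.0.0/16", "127.0.0.0/8")
DELAY_NAMED = 300
DELAY_NO_RDNS = 86400


def greylist_policy(info: dict, mynetworks=MYNETWORKS) -> int:
    """Return the greylist delay to impose on this client, 0 meaning 'do not greylist'."""
    ip = ipaddress.ip_address(info["ip"])
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return 0                  # local addresses and known relays: never greylist
    if info["rdns"] is None:
        return DELAY_NO_RDNS      # unknown client with no reverse DNS: hold it longest
    return DELAY_NAMED            # unknown but named client: the usual short delay


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_HEADERS), ("ham", HAM_HEADERS)):
        info = analyse(raw)
        print(label, info, "-> greylist for", greylist_policy(info), "s")
```

Run as a script it prints both summaries; the spam client comes out as external with no reverse DNS and a recorded 302 s delay, the ham client as a private address that would never have been greylisted at all.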
      • Alex Satrapa
        Message 3 of 18, Jun 1, 2006
          On 1 Jun 2006, at 17:19, Alex Satrapa wrote:

          > When I raise the greylist delay to half an hour (enough time for
          > the ISP to start getting complaints of spam originating from their
          > clients, and shut the client out), I start receiving complaints
          > from people whose mail servers send them messages saying, "I
          > couldn't deliver this message after half an hour, I'm still trying
          > though."

          And here's why greylisting doesn't work:

          > Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
          > (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No
          > client certificate requested) by smtp.apf.edu.au (Postfix) with
          > ESMTP id 88F6D8A80A3 for <alex.satrapa@...>; Thu, 1 Jun
          > 2006 19:54:31 +1000 (EST)
          > Received: from optkmv.ru (localhost [127.0.0.1] (may be forged))
          > by optkmv.ru (8.13.5/8.13.5) with ESMTP id k517X9rF003136 for
          > <alex.satrapa@...>; Thu, 1 Jun 2006 11:33:09 +0400
          > Received: (from diana@localhost) by optkmv.ru (8.13.5/8.13.5/
          > Submit) id k517X7sY003130; Thu, 1 Jun 2006 11:33:07 +0400
          > X-Sieve: CMU Sieve 2.2
          > X-Greylist: delayed 8422 seconds by postgrey-1.21 at franklin;
          > Thu, 01 Jun 2006 19:54:32 EST
          > Message-Id: <200606010733.k517X7sY003130@...>
          > Content-Type: text/html

          This was from a phishing attempt (trying to get me to enter my paypal
          account details into their website).

          Note that they reconnected after a couple of hours, and used TLS
          encryption. Their hostname is valid, and doing a resolution on the
          name derived from a reverse lookup on the IP address results in the
          IP address.

          Is there anything else here that could have indicated to my mail
          server that this was not legitimate mail?
        • Michael J Wise
          Message 4 of 18, Jun 1, 2006
            On Jun 1, 2006, at 3:01 PM, Alex Satrapa wrote:

            > And here's why greylisting doesn't work:
            >
            >> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])

            % query-dnsbl 217.13.208.17
            SPAMCOP opttorg.cust.kmv.ru

            Greylisting should never be one's only line of defense.
            Greylisting buys one time for a given IP address to make a fool of
            itself elsewhere before it gets to dump crap into your system.
            Or at least, that is my understanding of its purpose.

            > Note that they reconnected after a couple of hours, ...

            Not surprised at all.
            It's almost certainly a compromised machine ... in Mother Russia!
            Listening on port 22, btw.
            Probably user 'diana' had a trivial password ('password' or 'diana',
            for example), and ... poof, in they went.

            > Is there anything else here that could have indicated to my mail
            > server that this was not legitimate mail?

            Um, how about the fact that the server was in Russia?

            :)

            Aloha mai Nai`a!
            --
            "Please have your Internet License http://kapu.net/~mjwise/
            and Usenet Registration handy..."
          • mouss
            Message 5 of 18, Jun 4, 2006
              Michael J Wise wrote:
              > On Jun 1, 2006, at 3:01 PM, Alex Satrapa wrote:
              >
              >> And here's why greylisting doesn't work:
              >>
              >>> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
              >
              > % query-dnsbl 217.13.208.17
              > SPAMCOP opttorg.cust.kmv.ru
              So what? SpamCop isn't designed for SMTP-level rejection. It should only
              be used in a score-based system.
              >
              > Greylisting should never be one's only line of defense.
              > Greylisting buys one time for a given IP address to make a fool of
              > itself elsewhere before it gets to dump crap into your system.
              > Or at least, that is my understanding of its purpose.
              >
              >> Note that they reconnected after a couple of hours, ...
              >
              > Not surprised at all.
              > It's almost certainly a compromised machine ... in Mother Russia!
              > Listening on port 22, btw.
              > Probably user 'diana' had a trivial password ('password' or 'diana',
              > for example), and ... poof, in they went.
              >
              >> Is there anything else here that could have indicated to my mail
              >> server that this was not legitimate mail?
              Use a spam filter. There are many to choose from. If you don't like
              choosing, try SpamAssassin...
              >
              > Um, how about the fact that the server was in Russia?
              There may be more spam servers in the US than in Russia. Again, you can
              use such arguments in a score-based filter, not in
              smtpd_recipient_restrictions...
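Messages 3 to 5 disagree about what a single DNSBL hit should mean. As an added example (my own code, not from the thread, from postgrey, from SpamCop or from Postfix), the following combines the signals discussed above the way mouss suggests, as a score rather than an SMTP-time reject: a DNSBL listing, the absence of reverse DNS (Michael's point about 203.160.26.197 in message 2), and failure of the forward-confirmed reverse DNS check Alex describes in message 3. DNS answers are injected through a stub table constructed to mirror what the thread reports (the PTR name opttorg.cust.kmv.ru resolving back to 217.13.208.17, and the SpamCop listing Michael's query-dnsbl showed at the time), so the code runs offline; the `dnsbl_query_name` function uses the standard reversed-octet lookup scheme, while the weights and thresholds are assumptions chosen for the illustration.

```python
import socket

# Weights and thresholds are example values chosen for this illustration; a real
# score-based filter such as SpamAssassin tunes its own.
WEIGHTS = {
    "dnsbl": 3.0,        # listed on one DNSBL: strong, but not conclusive on its own
    "no_rdns": 2.0,      # the IP has no PTR record at all
    "fcrdns_fail": 2.0,  # a PTR name exists but does not resolve back to the IP
}
REJECT_AT = 5.0          # reject outright
TAG_AT = 3.0             # accept, but tag or quarantine for the content filter
DNSBL_ZONES = ["bl.spamcop.net"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL lookup name: reverse the IPv4 octets and append the zone."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + "." + zone


class StubResolver:
    """Offline stand-in for DNS: answers come from a constructed table."""
    def __init__(self, table: dict):
        self.table = table

    def resolve(self, name: str) -> list:
        return list(self.table.get(name, []))   # [] means NXDOMAIN / not listed


class SocketResolver:
    """Real A-record lookup with the standard library (not exercised by the tests)."""
    def resolve(self, name: str) -> list:
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []


def fcrdns_ok(ip: str, rdns_name, resolver) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    return bool(rdns_name) and ip in resolver.resolve(rdns_name)


def score_client(ip: str, rdns_name, resolver):
    """Combine the signals into a score and a verdict: accept, tag or reject."""
    score, reasons = 0.0, []
    for zone in DNSBL_ZONES:
        if resolver.resolve(dnsbl_query_name(ip, zone)):
            score += WEIGHTS["dnsbl"]
            reasons.append("listed in " + zone)
    if not rdns_name:
        score += WEIGHTS["no_rdns"]
        reasons.append("no reverse DNS")
    elif not fcrdns_ok(ip, rdns_name, resolver):
        score += WEIGHTS["fcrdns_fail"]
        reasons.append("reverse DNS name does not resolve back to the IP")
    if score >= REJECT_AT:
        verdict = "reject"
    elif score >= TAG_AT:
        verdict = "tag"
    else:
        verdict = "accept"
    return verdict, score, reasons


# Constructed table mirroring what the thread reports; not live DNS data.
THREAD_DNS = StubResolver({
    "opttorg.cust.kmv.ru": ["217.13.208.17"],        # Alex: PTR name resolves back to the IP
    "17.208.13.217.bl.spamcop.net": ["127.0.0.2"],   # Michael's query-dnsbl: SpamCop listing
    # 203.160.26.197 (message 1): no PTR and, per Michael, no DNSBL listing, so absent here
})


if __name__ == "__main__":
    # The phishing host: listed, but reverse DNS checks out, so the score alone is
    # not enough to reject at SMTP time; it is tagged for the content filter instead.
    print(score_client("217.13.208.17", "opttorg.cust.kmv.ru", THREAD_DNS))
    # The Outlook Express spam host: unlisted and nameless, accepted on these signals alone.
    print(score_client("203.160.26.197", None, THREAD_DNS))
```

With a single listing the phishing host scores 3.0 and is tagged rather than rejected; only when a second independent signal fails (no reverse DNS, or a PTR name that does not confirm) does it reach the reject threshold, which is the behaviour mouss is arguing for against rejecting on SpamCop alone in smtpd_recipient_restrictions.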