Re: [long] Re: Greylisting and Postfix

  • Michael J Wise
    Message 1 of 18, Jun 1, 2006
      On May 31, 2006, at 9:19 PM, Alex Satrapa wrote:
      > On 1 Jun 2006, at 16:13, Michael J Wise wrote:
      >> On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:
      >>
      >>> (90% of the spam I get comes from Microsoft Outlook, which is a
      >>> "proper" mail sender).
      >>
      >> You've been misled.
      >> It may LOOK like it came from Outlook, but it didn't.
      >> It came from a piece of software trying desperately to look like it
      >> is Outlook.
      >
      > Walks like a duck, quacks like a duck, therefore it is a duck.
      >
      > Compare these two sets of headers:

      You are completely missing the point.
      It isn't a case of "Looks Like", it's a case of what is on the other
      end of the wire.

      >> Received: from sjq ([203.160.26.197])

      External address.
      No reverse DNS.
      Currently no DNSBLs of any consequence.

      >> X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,
      >> 30 May 2006 18:56:51 EST

      You might want to greylist it for a bit longer....
      Bottom line is, mail servers and local addresses shouldn't be
      greylisted.
      But *unknown* connects should be for quite some time.
      302 seconds doesn't cut it.
      86400 seconds might.
      This is, of course, only MHO.

      > versus
      >
      >> Received: from DNA05 (unknown [192.168.2.205])

      Local address.

      > How do I distinguish the spam from the ham?

      That's your problem, Sir.
      And this isn't the list for it.

      > does it really matter what software was actually responsible for
      > sending the message?

      Yes.

      > That is only a philosophical discussion at best.

      Oh no, it's quite practical.
      You see... sometimes, they make misteaks.
      And those misteaks become a sign.

      Aloha mai Nai`a!
      --
      "Please have your Internet License http://kapu.net/~mjwise/
      and Usenet Registration handy..."
    • Alex Satrapa
      Message 2 of 18, Jun 1, 2006
        On 1 Jun 2006, at 17:19, Alex Satrapa wrote:

        > When I raise the greylist delay to half an hour (enough time for
        > the ISP to start getting complaints of spam originating from their
        > clients, and shut the client out), I start receiving complaints
        > from people whose mail servers send them messages saying, "I
        > couldn't deliver this message after half an hour, I'm still trying
        > though."

        And here's why greylisting doesn't work:

        > Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
        > (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No
        > client certificate requested) by smtp.apf.edu.au (Postfix) with
        > ESMTP id 88F6D8A80A3 for <alex.satrapa@...>; Thu, 1 Jun
        > 2006 19:54:31 +1000 (EST)
        > Received: from optkmv.ru (localhost [127.0.0.1] (may be forged))
        > by optkmv.ru (8.13.5/8.13.5) with ESMTP id k517X9rF003136 for
        > <alex.satrapa@...>; Thu, 1 Jun 2006 11:33:09 +0400
        > Received: (from diana@localhost) by optkmv.ru (8.13.5/8.13.5/
        > Submit) id k517X7sY003130; Thu, 1 Jun 2006 11:33:07 +0400
        > X-Sieve: CMU Sieve 2.2
        > X-Greylist: delayed 8422 seconds by postgrey-1.21 at franklin;
        > Thu, 01 Jun 2006 19:54:32 EST
        > Message-Id: <200606010733.k517X7sY003130@...>
        > Content-Type: text/html

        This was from a phishing attempt (trying to get me to enter my paypal
        account details into their website).

        Note that they reconnected after a couple of hours, and used TLS
        encryption. Their hostname is valid, and doing a resolution on the
        name derived from a reverse lookup on the IP address results in the
        IP address.

        Is there anything else here that could have indicated to my mail
        server that this was not legitimate mail?
      • Michael J Wise
        Message 3 of 18, Jun 1, 2006
          On Jun 1, 2006, at 3:01 PM, Alex Satrapa wrote:

          > And here's why greylisting doesn't work:
          >
          >> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])

          % query-dnsbl 217.13.208.17
          SPAMCOP opttorg.cust.kmv.ru

          Greylisting should never be one's only line of defense.
          Greylisting buys one time for a given IP address to make a fool of
          itself elsewhere before it gets to dump crap into your system.
          Or at least, that is my understanding of its purpose.

          > Note that they reconnected after a couple of hours, ...

          Not surprised at all.
          It's almost certainly a compromised machine ... in Mother Russia!
          Listening on port 22, btw.
          Probably user 'diana' had a trivial password ('password' or 'diana',
          for example), and ... poof, in they went.

          > Is there anything else here that could have indicated to my mail
          > server that this was not legitimate mail?

          Um, how about the fact that the server was in Russia?

          :)

          Aloha mai Nai`a!
          --
          "Please have your Internet License http://kapu.net/~mjwise/
          and Usenet Registration handy..."
        • mouss
          Message 4 of 18, Jun 4, 2006
            Michael J Wise wrote:
            > On Jun 1, 2006, at 3:01 PM, Alex Satrapa wrote:
            >
            >> And here's why greylisting doesn't work:
            >>
            >>> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
            >
            > % query-dnsbl 217.13.208.17
            > SPAMCOP opttorg.cust.kmv.ru
            so what? spamcop isn't designed for smtp level rejection. it should only
            be used in a score-based system.
            >
            > Greylisting should never be one's only line of defense.
            > Greylisting buys one time for a given IP address to make a fool of
            > itself elsewhere before it gets to dump crap into your system.
            > Or at least, that is my understanding of its purpose.
            >
            >> Note that they reconnected after a couple of hours, ...
            >
            > Not surprised at all.
            > It's almost certainly a compromised machine ... in Mother Russia!
            > Listening on port 22, btw.
            > Probably user 'diana' had a trivial password ('password' or 'diana',
            > for example), and ... poof, in they went.
            >
            >> Is there anything else here that could have indicated to my mail
            >> server that this was not legitimate mail?
            use a spam filter. There are many to choose from. if you don't like
            choosing, try spamassassin...
            >
            > Um, how about the fact that the server was in Russia?
            There may be more spam servers in the US than in Russia. Again, you can
            use such arguments in a score based filter, not in
            smtpd_recipient_restrictions...
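Pulling the checks the thread argues over into one place (Michael's local-versus-external and reverse-DNS split in message 1, his DNSBL lookup in message 3, and mouss's point that a DNSBL hit belongs in a score rather than in smtpd_recipient_restrictions), as an added example that is not from any of the posters. The Received headers are modelled on the ones quoted above; the PTR/A/DNSBL tables are constructed stand-ins for real resolver queries so it runs offline.

```python
import ipaddress
import re

# Constructed sample headers, modelled on the ones quoted in the thread.
RECEIVED = {
    "sjq": "Received: from sjq ([203.160.26.197])",
    "dna05": "Received: from DNA05 (unknown [192.168.2.205])",
    "optkmv": "Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])",
}

# Fake lookup tables standing in for real PTR / A / DNSBL queries so this runs offline:
# the .ru host has forward-confirmed rDNS, 203.160.26.197 has no PTR, only the .ru IP is listed.
FAKE_PTR = {"217.13.208.17": "opttorg.cust.kmv.ru"}
FAKE_A = {"opttorg.cust.kmv.ru": "217.13.208.17"}
FAKE_DNSBL = {"17.208.13.217.bl.spamcop.net"}

UNKNOWN_DELAY = 86400   # the thread's suggested greylist delay for unknown senders, in seconds
WEIGHTS = {"no reverse DNS": 2, "reverse DNS not forward-confirmed": 2, "listed in DNSBL": 3}
RECEIVED_RE = re.compile(r"Received: from (\S+) \((?:(\S+) )?\[([\d.]+)\]\)")


def parse_received(line):
    """Split a Postfix-style Received header into HELO name, rDNS name and client IP."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return {"helo": helo, "rdns": None if rdns in (None, "unknown") else rdns, "ip": ip}


def dnsbl_key(ip, zone="bl.spamcop.net"):
    """DNSBLs are queried by the reversed-octet IP under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def assess(line, ptr=FAKE_PTR, a=FAKE_A, dnsbl=FAKE_DNSBL):
    """Greylist decision plus a score; lookups use the resolver, never names claimed in the header."""
    r = parse_received(line)
    if ipaddress.ip_address(r["ip"]).is_private:   # local address: never greylisted
        return {"ip": r["ip"], "greylist_seconds": 0, "score": 0, "notes": ["local address"]}
    notes = []
    name = ptr.get(r["ip"])
    if name is None:
        notes.append("no reverse DNS")
    elif a.get(name) != r["ip"]:
        notes.append("reverse DNS not forward-confirmed")
    if dnsbl_key(r["ip"]) in dnsbl:                 # scoring input only, not an SMTP-level reject
        notes.append("listed in DNSBL")
    score = sum(WEIGHTS[n] for n in notes)
    return {"ip": r["ip"], "greylist_seconds": UNKNOWN_DELAY, "score": score, "notes": notes}
```

The .ru host passes the forward-confirmed rDNS check exactly as Alex observed, and only the DNSBL listing contributes to its score; the 302-second delay in the quoted X-Greylist header is what UNKNOWN_DELAY replaces for unknown external senders.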