Re: SMTP client host name spoofing

  • Vincent Lefevre
    Message 1 of 30, Apr 1, 2011
      On 2011-04-01 11:31:43 +0200, Reindl Harald wrote:
      >
      > Am 01.04.2011 11:15, schrieb Vincent Lefevre:
      >
      > > I could now use SASL (this wasn't possible in the past because I didn't
      > > have my own server), but there would still be problems to solve: how
      > > can I use a fallback (on the client side) to the direct method when for
      > > some reason, the server is not reachable?
      >
      > if your MTA is not reachable you can not send mail at this moment
      > so simple it goes in days of SPF/DKIM no MUA there is really no
      > reason for any workaround

      Perhaps in your case, but when sending mail directly (i.e. without
      using SASL), I get a reject only once every few weeks. So, yes,
      there is a reason for a fallback to direct SMTP to the destination.

      > if your internet-connection is broken the MUA holds back the mail

      That's not the MUA, but the local server that holds back the mail.

      > and if your server down you should get him up and will not die
      > if you can not send a message now .

      If my server is down, I may need to send mail (e.g. messages with
      logs) to solve the problem and bring it up again.

      > how often this happens really?

      Not very often, but this happens. And after having one problem
      (relay server down), I don't want to solve another problem
      (trying to send mail).

      --
      Vincent Lefèvre <vincent@...> - Web: <http://www.vinc17.net/>
      100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
      Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
    • Reindl Harald
      Message 2 of 30, Apr 1, 2011
        Am 01.04.2011 17:07, schrieb Vincent Lefevre:

        > Perhaps in your case, but when sending mail directly (i.e. without
        > using SASL), I get a reject only once every few weeks. So, yes,
        > there is a reason for a fallback to direct SMTP to the destination.

        if you send mail directly you have to make
        sure you have a static IP, PTR, matching HELO

        if this is not possible simply do not send mails directly

        ok you can, but do not wonder if mails are dropped

        > That's not the MUA, but the local server that holds back the mail

        if the local server does not have a static IP, PTR etc. it has to
        use a relay-server and can send messages authenticated to the relay

        > If my server is down, I may need to send mail

        use a relay server
      • Vincent Lefevre
        Message 3 of 30, Apr 1, 2011
          On 2011-04-01 17:15:41 +0200, Reindl Harald wrote:
          > Am 01.04.2011 17:07, schrieb Vincent Lefevre:
          > > Perhaps in your case, but when sending mail directly (i.e. without
          > > using SASL), I get a reject only once every few weeks. So, yes,
          > > there is a reason for a fallback to direct SMTP to the destination.
          >
          > if you send mail directly you have to make
          > sure a static-ip, ptr, matching HELO
          >
          > if this is not possible simply send not mails directly

          This is not (always) possible, and I have no choice to send mail
          directly when the relay server is down.

          > ok you can, but do not wonder if mails are dropped

          Experience shows that most mail won't be dropped.

          Still, the question holds: how do I use SASL, with direct SMTP
          as a fallback?

          > > If my server is down, I may need to send mail
          >
          > use a relay server

          I can't use it because it is down!!!

          --
          Vincent Lefèvre <vincent@...> - Web: <http://www.vinc17.net/>
          100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
          Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
        • Reindl Harald
          Message 4 of 30, Apr 1, 2011
            Am 01.04.2011 17:32, schrieb Vincent Lefevre:
            > On 2011-04-01 17:15:41 +0200, Reindl Harald wrote:
            >> Am 01.04.2011 17:07, schrieb Vincent Lefevre:
            >>> Perhaps in your case, but when sending mail directly (i.e. without
            >>> using SASL), I get a reject only once every few weeks. So, yes,
            >>> there is a reason for a fallback to direct SMTP to the destination.
            >>
            >> if you send mail directly you have to make
            >> sure a static-ip, ptr, matching HELO
            >>
            >> if this is not possible simply send not mails directly
            >
            > This is not (always) possible, and I have no choice to send mail
            > directly when the relay server is down.

            when the server is down you cannot send mails
            and you really will not die; if it were so important
            you would need redundancy on the relay-server

            (failover, clustering...) all these things are available and
            cost some money, but again: if it is important you will bring
            back the money over the infrastructure, or it's not important

            > Experience shows that most mail won't be dropped.

            and that is why so much spam is flying around
            if no host would accept mails where PTR, A-record, HELO do not
            match, respected SPF and dropped mails from dial-up ranges,
            spam would dramatically go down

            > Still, the question holds: how do I use SASL, with direct SMTP
            > as a fallback?

            you can't

            >> use a relay server
            > I can't use it because it is down!!!

            so you must wait until it is up, bring it up by yourself
            or use any freemail account if you need to send mail
            to solve the problem
          • mouss
            Message 5 of 30, Apr 1, 2011
              Le 01/04/2011 01:25, Stan Hoeppner a écrit :
              > mouss put forth on 3/31/2011 4:38 PM:
              >> Le 31/03/2011 17:52, Stan Hoeppner a écrit :
              >>>
              >>> Received: from mail-iw0-f176.google.com (biz88.inmotionhosting.com
              >>> [66.117.14.32])
              >>> by greer.hardwarefreak.com (Postfix) with ESMTP id F297D6C12E
              >>> for <stan@...>; Thu, 31 Mar 2011 06:29:19 -0500
              >>>
              >>>
              >>> biz88.inmotionhosting.com is the reverse name and
              >>> mail-iw0-f176.google.com is the forward name, correct? How is this VPS
              >>> hosted snowshoe spammer spoofing a forward host name of google.com?
              >>>
              >>
              >> they are spoofing HELO.
              >
              > Which is the answer to my question.
              >
              >> if you feel motivated, contact InMotion.
              >> otherwise [snip]
              >
              > You should know me well enough by now mouss to realize that I'd already
              > blocked the parent /20, and Corporate-Colocation's other 19 netblocks,
              > after some investigation, before I sent my question to the list. ;)
              >

              yep. but in a public list, "you" is "others" ;-p

              as usual, thanks for reporting offenders...
            • mouss
              Message 6 of 30, Apr 1, 2011
                Le 01/04/2011 09:47, Vincent Lefevre a écrit :
                > On 2011-03-31 21:16:16 +0200, Jeroen Geilman wrote:
                >> HELO checks are the primary defense against backscatter of this sort; I use
                >> a simple subset of the available options:
                >>
                >> smtpd_helo_restrictions = reject_invalid_helo_hostname,
                >> reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname,
                >> check_helo_access hash:/etc/postfix/helo_access, permit
                >>
                >> Where helo_access contains my own IPs and hostnames.
                >>
                >> This setup will reject an AMAZING amount of spam.
                >> Fair warning: it may also yield the occasional false positive due to a
                >> misconfigured client mail system!
                >> The usual warn_if_reject will help out with that.
                >
                > I really think it is a bad idea to use reject_unknown_helo_hostname.
                > Some machines sending mail are on a local network, so that resolving
                > their hostname doesn't make sense outside this network.

                we're not asking them to resolve their hostname. we're only asking them
                to use a "real" name. it's as easy as
                myhostname = joe.example.com

                with a "joe.example.com" that exists in DNS.

                I don't use reject_unknown_helo_hostname. however, I watch my dog^W log,
                and I blocklist an IP that uses a "dumb" helo if it ever gets under my
                attention (mostly in the case of a rejection such as "user unknown", but
                also if spam filter says it is probably spam...).

                let me state this differently:

                - there are people who are cooperative. they do everything to look good.
                they work "with us". these people are welcome, and if we ever block
                them, we'll apologize and whitelist them on demand

                - there are the "uncooperative" people. most of these don't know how
                smtp works. we will happily accept their mail as long as it goes to
                valid recipients and is not caught by filters. as soon as they trigger a
                filter (including "user unknown"), there is no merci.


                > The main
                > goal of the EHLO hostname being for logging purpose (to identify
                > the machine),

                I don't care for the helo name. the "machine" is identified by its IP.
                helo only shows "some" stupid systems. I'm only using it to reject
                zombies.

                > the easiest solution may be to give the hostname (the
                > alternate solution of giving the local IP address isn't a good idea
                > if the address is dynamical).

                if you have a dynamic IP, it is still a good idea to use a "static"
                helo. even if it doesn't resolve to your IP. I know some other people
                may say the opposite (require helo to resolve to IP), but I won't go
                that far (I accept mail from dynamic IPs if the "owner" does some
                efforts...).
              • Vincent Lefevre
                Message 7 of 30, Apr 3, 2011
                  On 2011-04-01 17:45:01 +0200, Reindl Harald wrote:
                  > when the server is down you can not send mails
                  > and you really will not die,

                  I repeat: When the server is down, I may *NEED* to send mail
                  (for various reasons, e.g. to send logs so that things can be
                  fixed, to warn some people that I can no longer receive mail,
                  and so on). It is certainly not you to decide whether I wish
                  to send mail or not.

                  > if it would be so important you need redundancy on the relay-server
                  > (failover, clustering...) all the things are available and
                  > costs some money, but again - is it important you will bring
                  > back the money over the infrastructure or it's not important

                  As you say, it costs money (but also more time for maintenance),
                  so this is out of the question.

                  > > Experience shows that most mail won't be dropped.
                  >
                  > and that is why so many spam is flying around
                  > would no host accept mails where PTR, A-Record, HELO not
                  > match, respect SPF and drop mails from dial-up ranges
                  > spam would dramatically go back

                  It would be better to close the account of spammers, but I don't
                  think that's the right place to discuss these things.

                  > > Still, the question holds: how do I use SASL, with direct SMTP
                  > > as a fallback?
                  >
                  > you can't

                  OK, so I'll continue to use direct SMTP, as long as it works quite
                  reliably (for me).

                  --
                  Vincent Lefèvre <vincent@...> - Web: <http://www.vinc17.net/>
                  100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
                  Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
                • Vincent Lefevre
                  Message 8 of 30, Apr 3, 2011
                    On 2011-04-01 23:51:39 +0200, mouss wrote:
                    > we're not asking them to resolve their hostname. we're only asking them
                    > to use a "real" name. it's as easy as
                    > myhostname = joe.example.com
                    >
                    > with a "joe.example.com" that exists in DNS.

                    But the purpose of having a host in DNS is to be able to resolve it.
                    I mean: you can't have a real hostname in the DNS if it is on a private
                    network (unreachable because of NAT), can you? Well... I'm not sure.
                    See below.

                    > I don't use reject_unknown_helo_hostname. however, I watch my dog^W log,
                    > and I blocklist an IP that uses a "dumb" helo if it ever gets under my
                    > attention (mostly in the case of a rejection such as "user unknown", but
                    > also if spam filter says it is probably spam...).

                    Using a private IP (which doesn't even break a SHOULD in the RFCs)
                    is IMHO as dumb as a hostname that isn't in DNS.

                    > let me state this differently:
                    >
                    > - there are people who are cooperative. they do everything to look good.
                    > they work "with us". these people are welcome, and if we ever block
                    > them, we'll apologize and whitelist them on demand
                    >
                    > - there are the "uncooperative" people. most of these don't know how
                    > smtp works. we will happily accept their mail as long as it goes to
                    > valid recipients and is not caught by filters. as soon as they trigger a
                    > filter (including "user unknown"), there is no merci.

                    IMHO, that's fine.

                    > if you have a dynamic IP, it is still a good idea to use a "static"
                    > helo. even if it doesn't resolve to your IP. I know some other people
                    > may say the opposite (require helo to resolve to IP),

                    Well, this doesn't make sense since a machine can have several
                    IP addresses (e.g. because it has several physical or virtual
                    interfaces and one doesn't necessarily know which one will be
                    used). Now, the question is more: if the hostname is resolved,
                    should it necessarily correspond to the machine? More precisely,
                    if I use host-for-smtp-only.mydomain.tld, which resolves to
                    127.0.0.1 (the IP address should not be used to contact the
                    machine anyway), is it OK?

                    Note: this hostname would be used *only* for EHLO. So, there's
                    no risk for other protocols.

                    > but I won't go that far (I accept mail from dynamic IPs if the
                    > "owner" does some efforts...).

                    --
                    Vincent Lefèvre <vincent@...> - Web: <http://www.vinc17.net/>
                    100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
                    Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
                  • Reindl Harald
                    Message 9 of 30, Apr 3, 2011
                      Am 04.04.2011 01:27, schrieb Vincent Lefevre:
                      > On 2011-04-01 23:51:39 +0200, mouss wrote:
                      >> we're not asking them to resolve their hostname. we're only asking them
                      >> to use a "real" name. it's as easy as
                      >> myhostname = joe.example.com
                      >>
                      >> with a "joe.example.com" that exists in DNS.
                      >
                      > But the purpose of having a host in DNS is to be able to resolve it.
                      > I mean: you can't have a real hostname in the DNS if it is on a private
                      > network (unreachable because of NAT), can you? Well... I'm not sure.
                      > See below

                      why not?

                      * you have a public IP
                      * make an A record in some domain to this IP
                      * your ISP has a PTR for this IP
                      * myhostname = your A record

                      EHLO/HELO, A, PTR are matching
                      where is the problem?
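As an added example (not code from the thread, from Postfix or from any poster), the following is a small offline Python model of the smtpd_helo_restrictions Jeroen quoted and of the HELO/A/PTR agreement Reindl lists above. The DNS tables, host names and addresses are constructed, and each restriction is a simplification of its Postfix namesake rather than Postfix's implementation; the "strict" list is a local rule for the three-way match, which stock Postfix does not provide as one restriction.

```python
"""Offline model of Postfix-style HELO/EHLO restrictions (added example, not
Postfix code).  Each restriction simplifies its smtpd(8) namesake (no MX
fallback, DNS-error handling or DUNNO/FILTER); DNS comes from constructed tables."""
import ipaddress
import re

# Constructed DNS data (RFC 5737 documentation addresses, not real hosts).
DNS_A = {
    "mx1.example.net": "203.0.113.10",     # HELO, A and PTR all agree
    "mail.example.net": "203.0.113.20",    # real host whose name gets spoofed
    "smtp-only.example.org": "127.0.0.1",  # name that resolves to loopback
}
DNS_PTR = {
    "203.0.113.10": "mx1.example.net",
    "198.51.100.77": "biz88.hosting.example",  # reverse name unrelated to HELO
}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_address_literal(helo):
    """True for an RFC 5321 address literal such as '[198.51.100.77]'."""
    try:
        return (helo[:1] == "[" and helo[-1:] == "]"
                and ipaddress.ip_address(helo[1:-1]) is not None)
    except ValueError:
        return False

def labels(helo):
    return helo.rstrip(".").lower().split(".")

# Each restriction returns (action, reason) or None ("no opinion"); a list
# is walked in order and the first decision wins, as in smtpd_helo_restrictions.
def reject_invalid_helo_hostname(helo, ip, table):
    if is_address_literal(helo):
        return None
    if len(helo) > 253 or not all(_LABEL.match(lab) for lab in labels(helo)):
        return ("REJECT", "Helo command rejected: Invalid name")
    return None

def reject_non_fqdn_helo_hostname(helo, ip, table):
    if is_address_literal(helo) or len(labels(helo)) >= 2:
        return None
    return ("REJECT", "Helo command rejected: need fully-qualified hostname")

def reject_unknown_helo_hostname(helo, ip, table):
    if is_address_literal(helo) or ".".join(labels(helo)) in DNS_A:
        return None
    return ("REJECT", "Helo command rejected: Host not found")

def check_helo_access(helo, ip, table):
    """Look up the HELO name, then each parent domain, in an access map."""
    parts = labels(helo)
    for i in range(len(parts)):
        if ".".join(parts[i:]) in table:
            return (table[".".join(parts[i:])], "check_helo_access")
    return None

def reject_helo_ptr_mismatch(helo, ip, table):
    """Stricter local rule, not stock Postfix: HELO == PTR(ip) and A(HELO) == ip."""
    if is_address_literal(helo):
        return ("REJECT", "Helo command rejected: IP literal in HELO hostname")
    name = ".".join(labels(helo))
    if DNS_PTR.get(ip) != name or DNS_A.get(name) != ip:
        return ("REJECT", "Helo command rejected: HELO, A and PTR do not match")
    return None

# The restriction order quoted in the thread, and the stricter variant.
QUOTED = [reject_invalid_helo_hostname, reject_unknown_helo_hostname,
          reject_non_fqdn_helo_hostname, check_helo_access]
STRICT = [reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
          reject_helo_ptr_mismatch]

def evaluate(restrictions, helo, client_ip, access_table=None):
    """The first restriction with an opinion decides; end of list permits."""
    decisions = (r(helo, client_ip, access_table or {}) for r in restrictions)
    return next((d for d in decisions if d), ("OK", "permit"))

if __name__ == "__main__":
    for helo, ip in [("mail.example.net", "198.51.100.77"), ("[198.51.100.77]", "198.51.100.77")]:
        print(helo, "quoted:", evaluate(QUOTED, helo, ip)[0], "strict:", evaluate(STRICT, helo, ip)[0])
```

The spoofed forward name (a resolvable HELO sent from an IP whose PTR says otherwise) passes the quoted list and only fails the three-way match, which is the gap the thread is arguing about.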
                    • Vincent Lefevre
                      Message 10 of 30, Apr 3, 2011
                        On 2011-04-04 01:53:15 +0200, Reindl Harald wrote:
                        > > But the purpose of having a host in DNS is to be able to resolve it.
                        > > I mean: you can't have a real hostname in the DNS if it is on a private
                        > > network (unreachable because of NAT), can you? Well... I'm not sure.
                        > > See below
                        >
                        > why not?

                        Because strictly speaking, due to NAT, the DNS would lie. I mean that
                        the address would not be the address of the machine sending the mail,
                        but the address of the router.

                        > * you have a public ip
                        > * make a a-record in some domain to this ip
                        > * your isp have a ptr for this ip
                        > * myhostname = your a-record
                        >
                        > EHLO/HELO, A, PTR are matching
                        > where is the problem?

                        They won't even necessarily match for some machines. For instance,
                        one of them is a laptop, which is not always on the same network.
                        I suppose that should not be a problem, but who knows...

                        Even an address literal in square brackets isn't reliable: I had been
                        testing this for a couple of weeks and I got a reject a few minutes
                        ago:

                        Helo command rejected: IP literal in HELO hostname (in
                        reply to RCPT TO command)

                        --
                        Vincent Lefèvre <vincent@...> - Web: <http://www.vinc17.net/>
                        100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
                        Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
                      • Reindl Harald
                        Message 11 of 30, Apr 3, 2011
                          Am 04.04.2011 02:22, schrieb Vincent Lefevre:
                          >> why not?
                          >
                          > Because strictly speaking, due to NAT, the DNS would lie. I mean that
                          > the address would not be the address of the machine sending the mail,
                          > but the address of the router.

                          nobody out there is interested in your NAT

                          the server on the other side is seeing only your public address
                          and your public address has a hostname / PTR and your postfix should
                          match this hostname

                          the DNS does not lie, you never connect outside with anything of your
                          NAT because the nature of NAT is to be transparent

                          >> EHLO/HELO, A, PTR are matching
                          >> where is the problem?
                          >
                          > They won't even necessarily match for some machines. For instance,
                          > one of them is a laptop, which is not always on the same network.
                          > I suppose that should not be a problem, but who knows...

                          that is why you should NOT send mail directly from every single machine
                          and set up ONE LAN relay which normally uses a clean relay-host and
                          does NOT send mails directly as long as it is not needed

                          so you can comment out the relay-host temporarily, restart postfix
                          and all other machines in your LAN are working as expected

                          now you come even with "direct send from a notebook"
                          jesus christ this is really ignorant!

                          > Even an address literal in square brackets isn't reliable: I had been
                          > testing this for a couple of weeks and I got a reject a few minutes
                          > ago:
                          >
                          > Helo command rejected: IP literal in HELO hostname (in
                          > reply to RCPT TO command)

                          that is why i said "do not send directly" unless your whole
                          configuration is clean (dns, HELO,...) and as long as you want
                          your messages to be received and not rejected or even
                          silently dropped
                        • Sahil Tandon
                          Message 12 of 30, Apr 3, 2011
                            On Mon, 2011-04-04 at 02:38:14 +0200, Reindl Harald wrote:

                            [ .. ]

                            > now you come even with "direct send from a notebook"
                            > jesus christ this is really ignorant!

                            Please, this is a technical mailing list; let's all try to minimize the
                            editorializing and insults.

                            --
                            Sahil Tandon <sahil@...>
                          • Reindl Harald
                            Message 13 of 30, Apr 3, 2011
                              Am 04.04.2011 03:08, schrieb Sahil Tandon:
                              > On Mon, 2011-04-04 at 02:38:14 +0200, Reindl Harald wrote:
                              >
                              > [ .. ]
                              >
                              >> now you come even with "direct send from a notebook"
                              >> jesus christ this is really ignorant!
                              >
                              > Please, this is a technical mailing list; let's all try to minimize the
                              > editorializing and insults

                              i know, but somewhere there should be a point where people try to understand
                              things they are told over and over, or do what they want and stop
                              asking questions if the answers do not interest them