RBL checks

Julian Field mailscanner at ecs.soton.ac.uk
Tue Nov 26 19:20:31 GMT 2002


At 19:13 26/11/2002, you wrote:
>Julian, you do realize this is about blacklists right?

Yes thank you.

>Checking blacklists (ie: orbs, SBL, etc) back to arbitrary depth (excluding
>the originating IP if the blacklist contains a DUL) is not a risk. All the
>spammer can gain by forging an IP is getting themselves blacklisted... and
>as far as I'm concerned, they can help themselves to all the blacklisting
>they want.

Headers say
         Received: From your-first-server at you.com by your-second-server at you.com
         Received: Nice-safe-domain at other.com by your-first-server at you.com
         Received: Another-nice-safe at other2.com by nice-safe-domain at other.com

The 2nd and 3rd lines are fake. And so you receive the message not marking
it as spam (as it came from nice safe domains). You report the spam to the
blacklists and other.com and other2.com get blacklisted. That's going to
make them real happy. And the spammer changes to another couple of
"other.com" and "other2.com" domains that aren't in the blacklists. And
they get blacklisted too, and so on.

The spammers don't get blacklisted, "other.com" and "other2.com" do.

>Now whitelist checking, ie: bondedsender, etc, needs to only be done on
>trusted headers.. because there the spammer can do what you suggest.
>
>At 06:37 PM 11/26/2002 +0000, Julian Field wrote:
>>No. The only way to do that is to try and parse it out of the headers, and
>>it is trivial for spammers to fake (I'm surprised how few do at the
>>moment). All they need do is directly attack your mail server making the
>>mail appear to come from somewhere safe and you will let it all in.

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
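
The distinction Julian draws above, as an added example (not code from the post or from MailScanner): parse a Received chain written the way MTAs record it, trust a header only while the "by" host is one of your own servers, and take the connecting IP from the first such header that points outside your network. The host list, the 192.0.2.0/24 range and all addresses are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the chain from the post, in real Received syntax.
# The IP in [] is what the receiving server saw on the TCP connection.
# Only the first two headers were written by our own servers; the third
# arrived with the message and is entirely under the sender's control.
SAMPLE_HEADERS = [
    "Received: from your-first-server.you.com ([192.0.2.10]) "
    "by your-second-server.you.com; Tue, 26 Nov 2002 19:13:00 +0000",
    "Received: from nice-safe-domain.other.com (unknown [203.0.113.7]) "
    "by your-first-server.you.com; Tue, 26 Nov 2002 19:12:58 +0000",
    "Received: from another-nice-safe.other2.com ([198.51.100.4]) "
    "by nice-safe-domain.other.com; Tue, 26 Nov 2002 19:12:50 +0000",
]
OUR_SERVERS = {"your-first-server.you.com", "your-second-server.you.com"}
OUR_NETS = [ip_network("192.0.2.0/24")]  # assumed range of our own MTAs

HOP_RE = re.compile(
    r"^Received:\s+from\s+(\S+).*?\[([^\]]+)\].*?\bby\s+([\w.-]+)", re.I | re.S)

def parse_hops(headers):
    """Return hops top-down as (helo_name, connecting_ip, receiving_host)."""
    hops = []
    for h in headers:
        m = HOP_RE.match(h)
        if m:
            hops.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return hops

def is_ours(ip):
    return any(ip_address(ip) in net for net in OUR_NETS)

def naive_rbl_candidates(headers):
    """Check every hop in the chain: the approach the post argues against."""
    return [ip for _, ip, _ in parse_hops(headers)]

def trusted_rbl_candidate(headers):
    """A header is trustworthy only while its 'by' host is one of our own
    servers; the first such header whose connecting IP lies outside our
    network names the host that really handed us the message."""
    for _, ip, by in parse_hops(headers):
        if by not in OUR_SERVERS:
            return None  # from here down the sender wrote the headers
        if not is_ours(ip):
            return ip
    return None

def rbl_query_name(ip, zone):
    """DNSBL lookup name for an IPv4 address: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

The naive walk would submit 198.51.100.4, the forged other2.com hop, for RBL checking; the trusted walk stops at 203.0.113.7, the only address your own server actually observed.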


