RBL checks

[Jim Levie]

On Tue, 2002-11-26 at 13:20, Julian Field wrote:
> At 19:13 26/11/2002, you wrote:
> >Julian, you do realize this is about blacklists right?
>
> Yes thankyou.
>
> >Checking blacklists (ie: orbs, SBL, etc) back to arbitrary depth (excluding
> >the originating IP if the blacklist contains a DUL) is not a risk. All the
> >spammer can gain by forging an IP is getting themselves blacklisted... and
> >as far as I'm concerned, they can help themselves to all the blacklisting
> >they want.
>
> Headers say
>          Received: From your-first-server at you.com by your-second-server at you.com
>          Received: Nice-safe-domain at other.com by your-first-server at you.com
>          Received: Another-nice-safe at other2.com by nice-safe-domain at other.com
>
> The 2nd and 3rd lines are fake. And so you receive the message not marking
> it as spam (as it came from nice safe domains). You report the spam to the
> blacklists and other.com and other2.com get blacklisted. That's going to
> make them real happy. And the spammer changes to another couple of
> "other.com" and "other2.com" domains that aren't in the blacklists. And
> they get blacklisted too, and so on.
>
Maybe I'm missing something, but if you were running a DNS BL on
"your-first-server" it would see "Nice-safe-domain at other.com" as the
sending MTA. You don't use the professed name for a BL check, instead it
need to be done against the IP the MTA connected to. So I don't see why
it is a problem to skip "your-first-server" and do a BL check against
the MTA for line two (above)

The same logic applies to white listed MTA's. If you ran the white list
on the relay server that is the same as skipping the relay server on an
interior MailScanner using a white list.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
   Jim Levie                                 email:
jim at entrophy-free.net