RBL checks

Julian Field mailscanner at ecs.soton.ac.uk
Tue Nov 26 20:35:24 GMT 2002

At 20:09 26/11/2002, you wrote:
>On Tue, 2002-11-26 at 13:20, Julian Field wrote:
> > At 19:13 26/11/2002, you wrote:
> > >Julian, you do realize this is about blacklists right?
> >
> > Yes thankyou.
> >
> > >Checking blacklists (ie: orbs, SBL, etc) back to arbitrary depth
> (excluding
> > >the originating IP if the blacklist contains a DUL) is not a risk. All the
> > >spammer can gain by forging an IP is getting themselves blacklisted... and
> > >as far as I'm concerned, they can help themselves to all the blacklisting
> > >they want.
> >
> > Headers say
> >          Received: From your-first-server at you.com by
> your-second-server at you.com
> >          Received: Nice-safe-domain at other.com by your-first-server at you.com
> >          Received: Another-nice-safe at other2.com by
> nice-safe-domain at other.com
> >
> > The 2nd and 3rd lines are fake. And so you receive the message not marking
> > it as spam (as it came from nice safe domains). You report the spam to the
> > blacklists and other.com and other2.com get blacklisted. That's going to
> > make them real happy. And the spammer changes to another couple of
> > "other.com" and "other2.com" domains that aren't in the blacklists. And
> > they get blacklisted too, and so on.
> >
>Maybe I'm missing something, but if you were running a DNS BL on
>"your-first-server" it would see "Nice-safe-domain at other.com" as the
>sending MTA.

The difference is that the first connection to the MTA can be extracted
(fairly reliably) from the envelope, without using the headers. All further
ones have to be read from the headers, and are hence liable to be faked.
There's a big difference between using the first one and using any of the
others. Which is why I only consider the first. I don't intend changing that.

>  You don't use the professed name for a BL check, instead it
>need to be done against the IP the MTA connected to. So I don't see why
>it is a problem to skip "your-first-server" and do a BL check against
>the MTA for line two (above)
>The same logic applies to white listed MTA's. If you ran the white list
>on the relay server that is the same as skipping the relay server on an
>interior MailScanner using a white list.
>The instructions said to use Windows 98 or better, so I installed RedHat
>    Jim Levie                                 email:
>jim at entrophy-free.net

Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ

More information about the MailScanner mailing list